williballenthin / python-evtx

Pure Python parser for Windows Event Log files (.evtx)
Apache License 2.0

Parsing BinXML format #42

Open MrAnde7son opened 7 years ago

MrAnde7son commented 7 years ago

Hi,

I'm using Python to pull event logs from a remote machine using the MS-EVEN6 interface (https://msdn.microsoft.com/en-us/library/cc231282.aspx). I used the EvtRpcRegisterLogQuery and EvtRpcQueryNext functions, which produce a byte array that contains the BinXml data of the event. While having some issues with the parsing, I came across your project. From my understanding, Evtx also contains the event in BinXml format; however, my code does not produce any chunks or records, only the actual BinXml data, and I can't seem to understand how exactly to use your code in order to parse it correctly. So my questions are:

  1. Are these two BinXml structures identical? (my guess is yes)
  2. How can I use your code in order to parse a BinXml byte array into the actual XML?

Thanks!

williballenthin commented 7 years ago

Hi @MrAnde7son

This is an interesting use case, and one I hadn't considered before. I'm not very familiar with this remote interface. I'd be happy to take a look at a sample of your tool's output and see if it looks familiar. It would certainly be neat to parse this data source with minimal extra effort.

MrAnde7son commented 7 years ago

Hi,

Thanks for the quick reply! Here's the implementation of the MS-EVEN6 interface using Impacket (huge thanks to Alberto!):

from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray, NDRUniVaryingArray, NDRUNION, NDRSTRUCT
from impacket.dcerpc.v5.dtypes import WSTR, DWORD, LPWSTR, USHORT, UCHAR, ULONGLONG, ULONG, LARGE_INTEGER, GUID
from impacket import system_errors
from impacket.uuid import uuidtup_to_bin

# MS-EVEN6 interface UUID and version
MSRPC_UUID_EVENTLOG = uuidtup_to_bin(('F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C', '1.0'))

class DCERPCSessionError(DCERPCException):
    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__(self):
        key = self.error_code
        if key in system_errors.ERROR_MESSAGES:
            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
            return 'EVENTLOG SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
        else:
            return 'EVENTLOG SessionError: unknown error code: 0x%x' % self.error_code

################################################################################
# CONSTANTS
################################################################################

# Evt Path Flags
EvtQueryChannelName = 0x00000001
EvtQueryFilePath = 0x00000002
EvtReadNewestToLowest = 0x00000100
EvtReadLowestToNewest = 0x00000200

################################################################################
# STRUCTURES
################################################################################

# Context handles are opaque 20-byte blobs returned by the server
class CONTEXT_HANDLE_LOG_HANDLE(NDRSTRUCT):
    align = 1
    structure = (
        ('Data', '20s=""'),
    )

class PCONTEXT_HANDLE_LOG_HANDLE(NDRPOINTER):
    referent = (
        ('Data', CONTEXT_HANDLE_LOG_HANDLE),
    )

class CONTEXT_HANDLE_LOG_QUERY(NDRSTRUCT):
    align = 1
    structure = (
        ('Data', '20s=""'),
    )

class PCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):
    referent = (
        ('Data', CONTEXT_HANDLE_LOG_QUERY),
    )

class LPPCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):
    referent = (
        ('Data', PCONTEXT_HANDLE_LOG_QUERY),
    )

class CONTEXT_HANDLE_OPERATION_CONTROL(NDRSTRUCT):
    align = 1
    structure = (
        ('Data', '20s=""'),
    )

class PCONTEXT_HANDLE_OPERATION_CONTROL(NDRPOINTER):
    referent = (
        ('Data', CONTEXT_HANDLE_OPERATION_CONTROL),
    )

class LPPCONTEXT_HANDLE_OPERATION_CONTROL(NDRPOINTER):
    referent = (
        ('Data', PCONTEXT_HANDLE_OPERATION_CONTROL),
    )

# 2.2.11 EvtRpcQueryChannelInfo
class EvtRpcQueryChannelInfo(NDRSTRUCT):
    structure = (
        ('Name', LPWSTR),
        ('Status', DWORD),
    )

class EvtRpcQueryChannelInfoArray(NDRUniVaryingArray):
    item = EvtRpcQueryChannelInfo

# Note the trailing comma in every referent below: without it the referent is a
# plain ('Data', type) pair instead of a tuple of fields, which the NDR layer cannot use.
class LPEvtRpcQueryChannelInfoArray(NDRPOINTER):
    referent = (
        ('Data', EvtRpcQueryChannelInfoArray),
    )

class RPC_INFO(NDRSTRUCT):
    structure = (
        ('Error', DWORD),
        ('SubError', DWORD),
        ('SubErrorParam', DWORD),
    )

class PRPC_INFO(NDRPOINTER):
    referent = (
        ('Data', RPC_INFO),
    )

class WSTR_ARRAY(NDRUniConformantArray):
    item = WSTR

class DWORD_ARRAY(NDRUniVaryingArray):
    item = DWORD

class LPDWORD_ARRAY(NDRPOINTER):
    referent = (
        ('Data', DWORD_ARRAY),
    )

class BYTE_ARRAY(NDRUniVaryingArray):
    item = 'c'

class LPBYTE_ARRAY(NDRPOINTER):
    referent = (
        ('Data', BYTE_ARRAY),
    )

class ULONG_ARRAY(NDRUniConformantArray):
    item = ULONG

# 2.3.1 EVENT_DESCRIPTOR
class EVENT_DESCRIPTOR(NDRSTRUCT):
    structure = (
        ('Id', USHORT),
        ('Version', UCHAR),
        ('Channel', UCHAR),
        ('Level', UCHAR),
        ('Opcode', UCHAR),
        ('Task', USHORT),
        ('Keyword', ULONGLONG),
    )

class PROCESSOR_TIME(NDRUNION):
    commonHdr = (
        ('ProcessorTime', ULONGLONG),
    )
    structure = (
        ('KernelTime', ULONG),
        ('UserTime', ULONG),
    )

# 2.3.2 EVENT_HEADER
class EVENT_HEADER(NDRSTRUCT):
    structure = (
        ('Size', USHORT),
        ('HeaderType', USHORT),
        ('Flags', USHORT),
        ('EventProperty', USHORT),
        ('ThreadId', ULONG),
        ('TimeStamp', LARGE_INTEGER),
        ('ProviderId', GUID),
        ('EventDescriptor', EVENT_DESCRIPTOR),
        ('ProcessorTime', PROCESSOR_TIME),
        ('ActivityId', GUID),
    )

# 2.2.17 RESULT_SET (layout of one entry in ResultBuffer; not used for parsing below)
class RESULT_SET(NDRSTRUCT):
    structure = (
        ('TotalSize', DWORD),
        ('HeaderSize', '<L=0x10'),
        ('EventOffset', '<L=0x10'),
        ('BookmarkOffset', DWORD),
        ('BinXmlSize', DWORD),
        ('EventData', BYTE_ARRAY),
        ('NumberOfSubqueryIDs', DWORD),
        ('SubqueryIDs', DWORD),
        ('BookMarkData', BYTE_ARRAY),
        ('BookmarkSize', DWORD),
        ('BookmarkHeaderSize', '<L=0x18'),   # renamed: a second 'HeaderSize' key would shadow the first
        ('ChannelSize', DWORD),
        ('ReadDirection', DWORD),
        ('RecordIdsOffset', DWORD),
        ('LogRecordNumbers', ULONG_ARRAY),
    )

# 2.2.18 BinXmlVariant
class BinXmlVariant(NDRSTRUCT):
    structure = (
        ('Union', BYTE_ARRAY),
        ('Count', DWORD),
        ('Type', DWORD),
    )

################################################################################
# RPC CALLS
################################################################################

class EvtRpcRegisterLogQuery(NDRCALL):
    opnum = 5
    structure = (
        ('Path', LPWSTR),
        ('Query', WSTR),
        ('Flags', DWORD),
    )

class EvtRpcRegisterLogQueryResponse(NDRCALL):
    structure = (
        ('Handle', CONTEXT_HANDLE_LOG_QUERY),
        ('OpControl', CONTEXT_HANDLE_OPERATION_CONTROL),
        ('QueryChannelInfoSize', DWORD),
        ('QueryChannelInfo', EvtRpcQueryChannelInfoArray),
        ('Error', RPC_INFO),
    )

class EvtRpcQueryNext(NDRCALL):
    opnum = 11
    structure = (
        ('LogQuery', CONTEXT_HANDLE_LOG_QUERY),
        ('NumRequestedRecords', DWORD),
        ('TimeOutEnd', DWORD),
        ('Flags', DWORD),
    )

class EvtRpcQueryNextResponse(NDRCALL):
    structure = (
        ('NumActualRecords', DWORD),
        ('EventDataIndices', DWORD_ARRAY),
        ('EventDataSizes', DWORD_ARRAY),
        ('ResultBufferSize', DWORD),
        ('ResultBuffer', BYTE_ARRAY),
        ('ErrorCode', ULONG),
    )

class EvtRpcQuerySeek(NDRCALL):
    opnum = 12
    structure = (
        ('LogQuery', CONTEXT_HANDLE_LOG_QUERY),
        ('Pos', LARGE_INTEGER),
        ('BookmarkXML', LPWSTR),
        ('Flags', DWORD),
    )

class EvtRpcQuerySeekResponse(NDRCALL):
    structure = (
        ('Error', RPC_INFO),
    )

class EvtRpcClose(NDRCALL):
    opnum = 13
    structure = (
        ('Handle', CONTEXT_HANDLE_LOG_HANDLE),
    )

class EvtRpcCloseResponse(NDRCALL):
    structure = (
        ('Handle', PCONTEXT_HANDLE_LOG_HANDLE),
        ('ErrorCode', ULONG),
    )

class EvtRpcOpenLogHandle(NDRCALL):
    opnum = 17
    structure = (
        ('Channel', WSTR),
        ('Flags', DWORD),
    )

class EvtRpcOpenLogHandleResponse(NDRCALL):
    structure = (
        ('Handle', PCONTEXT_HANDLE_LOG_HANDLE),
        ('Error', RPC_INFO),
    )

class EvtRpcGetChannelList(NDRCALL):
    opnum = 19
    structure = (
        ('Flags', DWORD),
    )

class EvtRpcGetChannelListResponse(NDRCALL):
    structure = (
        ('NumChannelPaths', DWORD),
        ('ChannelPaths', WSTR_ARRAY),
        ('ErrorCode', ULONG),
    )

################################################################################
# OPNUMs and their corresponding structures
################################################################################

OPNUMS = {
    5   : (EvtRpcRegisterLogQuery, EvtRpcRegisterLogQueryResponse),
    11  : (EvtRpcQueryNext, EvtRpcQueryNextResponse),
    12  : (EvtRpcQuerySeek, EvtRpcQuerySeekResponse),
    13  : (EvtRpcClose, EvtRpcCloseResponse),
    17  : (EvtRpcOpenLogHandle, EvtRpcOpenLogHandleResponse),
    19  : (EvtRpcGetChannelList, EvtRpcGetChannelListResponse),
}

################################################################################
# HELPER FUNCTIONS
################################################################################

def hEvtRpcGetChannelList(dce):
    request = EvtRpcGetChannelList()
    request['Flags'] = 0
    try:
        resp = dce.request(request)
    except DCERPCException as e:
        # ERROR_MORE_DATA still carries a usable response; anything else is a real failure
        if str(e).find('ERROR_MORE_DATA') < 0:
            raise
        resp = e.get_packet()
    return resp

def hEvtRpcRegisterLogQuery(dce, path, flags, query='*\x00'):
    request = EvtRpcRegisterLogQuery()

    request['Path'] = path
    request['Query'] = query
    request['Flags'] = flags
    resp = dce.request(request)
    return resp

def hEvtRpcQueryNext(dce, handle, numRequestedRecords, timeOutEnd):
    request = EvtRpcQueryNext()

    request['LogQuery'] = handle
    request['NumRequestedRecords'] = numRequestedRecords
    request['TimeOutEnd'] = timeOutEnd
    request['Flags'] = 0
    resp = dce.request(request)
    return resp

def hEvtRpcClose(dce, handle):
    request = EvtRpcClose()
    request['Handle'] = handle
    resp = dce.request(request)
    return resp

def hEvtRpcOpenLogHandle(dce, channel, flags):
    request = EvtRpcOpenLogHandle()

    request['Channel'] = channel
    request['Flags'] = flags
    return dce.request(request)

And here's the actual connection and data collection. This code uses the EvtRpcRegisterLogQuery function, which returns a context handle that is then used to pull the actual events with the EvtRpcQueryNext function.

from impacket.dcerpc.v5 import transport, dhcpm
from impacket.dcerpc.v5.epm import hept_map
from impacket.dcerpc.v5.rpcrt import DCERPCException, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_GSS_NEGOTIATE
import eventlog
import logging
import re
from socket import gethostbyaddr
import hexdump

class Connection(object):
    def __init__(self, target, username='', password='', domain='', krb=True):
        self.target, self.username, self.password, self.domain = target, username, password, domain
        self.krb = krb
        # Given an IP address, resolve it to a host name so Kerberos can be used; fall back to NTLM otherwise
        if re.match(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', self.target):
            try:
                if gethostbyaddr(self.target)[0] == self.domain:
                    self.target = gethostbyaddr(self.target)[1][-1] + "." + self.domain
                else:
                    self.target = gethostbyaddr(self.target)[0]
            except (OSError, IndexError):
                self.krb = False

class DCERPCConnection(Connection):
    binding_strings = dict()
    binding_strings['dhcpserver'] = dhcpm.MSRPC_UUID_DHCPSRV
    binding_strings['eventlog'] = eventlog.MSRPC_UUID_EVENTLOG

    def __init__(self, target, pipe, username='', password='', domain='', krb=True):
        Connection.__init__(self, target=target, username=username, password=password, domain=domain,
                            krb=krb)
        self.pipe = pipe
        bind = self.binding_strings[self.pipe[1:]]
        # Ask the endpoint mapper for the TCP endpoint of the interface
        self.string_binding = hept_map(self.target, bind, protocol='ncacn_ip_tcp')
        rpctransport = transport.DCERPCTransportFactory(self.string_binding)
        rpctransport.set_credentials(self.username, self.password, self.domain)
        self.dce = rpctransport.get_dce_rpc()
        if krb:
            rpctransport.set_kerberos(True, domain)
            self.dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)

    def connect(self):
        try:
            self.dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
            bind = self.binding_strings[self.pipe[1:]]
            self.dce.connect()
            self.dce.bind(bind)
        except DCERPCException as e:
            logging.error("DCERPC Connection failed. Error: %s." % e.error_string)
        return self.dce

username = 'Administrator'
password = 'Password'
domain = 'company.com'
address = 'dc.company.com'
connection = DCERPCConnection(address, r'\eventlog', username, password, domain, True)
dce = connection.connect()

channel = 'Security\x00'
flags = eventlog.EvtQueryChannelName | eventlog.EvtReadNewestToLowest
# An XPath query like this one could be passed instead of '*'; the call below still uses the match-all query
query = """<?xml version="1.0" encoding="UTF-8"?><QueryList><Query Id="0">
<Select Path="Security">*[System[(EventID=4624)]]</Select>
</Query></QueryList>\x00"""
resp = eventlog.hEvtRpcRegisterLogQuery(dce=dce, path=channel, flags=flags, query='*\x00')
log_handle = resp['Handle']
ctrl_handle = resp['OpControl']
resp = eventlog.hEvtRpcQueryNext(dce, log_handle, 5, 1000)

for i in range(resp['NumActualRecords']):
    # ResultBuffer holds all returned records back to back; the indices and sizes locate each one
    event_offset = resp['EventDataIndices'][i]['Data']
    event_size = resp['EventDataSizes'][i]['Data']
    event = b''.join(resp['ResultBuffer'][event_offset:event_offset + event_size])
    hexdump.hexdump(event)   # prints the dump itself and returns None, so it is not wrapped in print()
    print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n")

resp = eventlog.hEvtRpcClose(dce, log_handle)
resp = eventlog.hEvtRpcClose(dce, ctrl_handle)

Then, as you can see, I'm iterating through the results and printing a hexdump of each event. My goal is to get the actual XML representation of the event.

Thanks in advance!!!
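The loop above slices ResultBuffer into one entry per record, but each slice still carries the MS-EVEN6 result-set framing (TotalSize, HeaderSize, EventOffset, BookmarkOffset, BinXmlSize, the BinXml itself, a subquery-ID list and a bookmark) rather than bare BinXml. The parser below is an added example, not code from this thread or from python-evtx; it peels that framing off one entry, bounds-checking every field so a short or inconsistent entry raises instead of being read past its end, and returns the BinXml blob together with the bookmark record numbers. It assumes the bookmark header holds six DWORDs (BookmarkSize, HeaderSize, ChannelSize, CurrentChannel, ReadDirection, RecordIdsOffset) followed by one ULONGLONG record number per channel; that is my reading of MS-EVEN6 section 2.2.17 and it matches the 0x18 HeaderSize and the 0x20 BookmarkSize in the first dump posted further down. The sample entry is constructed: its header and bookmark bytes are copied from that dump, and the 0x4FF-byte BinXml body is a placeholder (fragment header plus zero padding of the right length).

```python
import struct


def parse_result_set(buf):
    """Split one MS-EVEN6 result-set entry (one slice of ResultBuffer) into its parts."""
    total_size, header_size, event_offset, bookmark_offset = struct.unpack_from("<4I", buf, 0)
    if total_size != len(buf):
        raise ValueError("TotalSize %d does not match the %d bytes sliced from ResultBuffer" % (total_size, len(buf)))
    if header_size != 0x10 or event_offset != header_size:
        raise ValueError("unexpected header layout: HeaderSize=%#x EventOffset=%#x" % (header_size, event_offset))
    # EventOffset points at BinXmlSize, immediately followed by the BinXml bytes
    # (offset 0x14 in the dump holds the 0F 01 01 00 fragment header)
    (binxml_size,) = struct.unpack_from("<I", buf, event_offset)
    binxml = buf[event_offset + 4:event_offset + 4 + binxml_size]
    if len(binxml) != binxml_size:
        raise ValueError("BinXmlSize %d runs past the end of the entry" % binxml_size)
    # After the BinXml: NumberOfSubqueryIDs and that many DWORDs, which must end exactly at BookmarkOffset
    pos = event_offset + 4 + binxml_size
    (num_subquery_ids,) = struct.unpack_from("<I", buf, pos)
    subquery_ids = list(struct.unpack_from("<%dI" % num_subquery_ids, buf, pos + 4))
    if pos + 4 + 4 * num_subquery_ids != bookmark_offset:
        raise ValueError("BookmarkOffset %#x does not follow the subquery id list" % bookmark_offset)
    # Bookmark header: assumed six-DWORD layout (my reading of MS-EVEN6 2.2.17; the dump's HeaderSize is 0x18)
    bm_size, bm_header_size, channel_count, current_channel, read_direction, ids_offset = \
        struct.unpack_from("<6I", buf, bookmark_offset)
    if bookmark_offset + bm_size != total_size or bm_header_size != 0x18:
        raise ValueError("bookmark does not close the entry cleanly")
    # One ULONGLONG record number per channel, at RecordIdsOffset relative to the bookmark start
    record_ids = list(struct.unpack_from("<%dQ" % channel_count, buf, bookmark_offset + ids_offset))
    return {"binxml": binxml, "subquery_ids": subquery_ids, "current_channel": current_channel,
            "read_direction": read_direction, "record_ids": record_ids}


def split_result_buffer(result_buffer, indices, sizes):
    """The slicing the posted loop does on an EvtRpcQueryNext response: one entry per returned record."""
    return [result_buffer[offset:offset + size] for offset, size in zip(indices, sizes)]


# Constructed sample entry. HEADER and BOOKMARK are copied from the first posted dump (offsets 0x000 and
# 0x517); the BinXml body is a placeholder of the same length as the real one (0x4FF bytes).
HEADER = bytes.fromhex("37050000 10000000 10000000 17050000 FF040000")
BINXML_PLACEHOLDER = bytes.fromhex("0F010100") + b"\x00" * (0x4FF - 4)
BOOKMARK = bytes.fromhex("20000000 18000000 01000000 00000000 00000000 18000000 0100000000000000")
SAMPLE_ENTRY = HEADER + BINXML_PLACEHOLDER + bytes.fromhex("00000000") + BOOKMARK   # NumberOfSubqueryIDs = 0

if __name__ == "__main__":
    entry = parse_result_set(SAMPLE_ENTRY)
    print("BinXml bytes: %d, record ids: %s" % (len(entry["binxml"]), entry["record_ids"]))
```

Run against the real slices from the loop (`split_result_buffer(b''.join(resp['ResultBuffer']), indices, sizes)`, with the indices and sizes pulled out of the response as the loop does), `entry["binxml"]` is the byte string a BinXml decoder needs, and `entry["record_ids"]` gives the EventRecordID of each returned record without decoding anything, which is handy for resuming a collection run from the last record seen.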

williballenthin commented 7 years ago

Wow, this looks really neat!

Do you happen to have a sample of the output and binary data handy? Alternatively, I can install the dependencies and get the above script working locally, but it'll take me a bit longer to get a quick triage back.

MrAnde7son commented 7 years ago

Sure, no problem!

00000000: 37 05 00 00 10 00 00 00  10 00 00 00 17 05 00 00  7...............
00000010: FF 04 00 00 0F 01 01 00  0C 00 EC C7 48 63 15 65  ............Hc.e
00000020: 54 86 95 DF 5E B5 B3 D3  27 DA C6 03 00 00 0F 01  T...^...'.......
00000030: 01 00 41 11 00 BA 03 00  00 BA 0C 05 00 45 00 76  ..A..........E.v
00000040: 00 65 00 6E 00 74 00 00  00 7F 00 00 00 06 BC 0F  .e.n.t..........
00000050: 05 00 78 00 6D 00 6C 00  6E 00 73 00 00 00 05 01  ..x.m.l.n.s.....
00000060: 35 00 68 00 74 00 74 00  70 00 3A 00 2F 00 2F 00  5.h.t.t.p.:././.
00000070: 73 00 63 00 68 00 65 00  6D 00 61 00 73 00 2E 00  s.c.h.e.m.a.s...
00000080: 6D 00 69 00 63 00 72 00  6F 00 73 00 6F 00 66 00  m.i.c.r.o.s.o.f.
00000090: 74 00 2E 00 63 00 6F 00  6D 00 2F 00 77 00 69 00  t...c.o.m./.w.i.
000000A0: 6E 00 2F 00 32 00 30 00  30 00 34 00 2F 00 30 00  n./.2.0.0.4./.0.
000000B0: 38 00 2F 00 65 00 76 00  65 00 6E 00 74 00 73 00  8./.e.v.e.n.t.s.
000000C0: 2F 00 65 00 76 00 65 00  6E 00 74 00 02 01 FF FF  /.e.v.e.n.t.....
000000D0: 1A 03 00 00 6F 54 06 00  53 00 79 00 73 00 74 00  ....oT..S.y.s.t.
000000E0: 65 00 6D 00 00 00 02 41  FF FF 41 00 00 00 F1 7B  e.m....A..A....{
000000F0: 08 00 50 00 72 00 6F 00  76 00 69 00 64 00 65 00  ..P.r.o.v.i.d.e.
00000100: 72 00 00 00 26 00 00 00  46 4B 95 04 00 4E 00 61  r...&...FK...N.a
00000110: 00 6D 00 65 00 00 00 0E  0E 00 01 06 29 15 04 00  .m.e........)...
00000120: 47 00 75 00 69 00 64 00  00 00 0E 0F 00 0F 03 41  G.u.i.d........A
00000130: 03 00 3D 00 00 00 F5 61  07 00 45 00 76 00 65 00  ..=....a..E.v.e.
00000140: 6E 00 74 00 49 00 44 00  00 00 1F 00 00 00 06 29  n.t.I.D........)
00000150: DA 0A 00 51 00 75 00 61  00 6C 00 69 00 66 00 69  ...Q.u.a.l.i.f.i
00000160: 00 65 00 72 00 73 00 00  00 0E 04 00 06 02 0E 03  .e.r.s..........
00000170: 00 06 04 01 0B 00 1A 00  00 00 18 09 07 00 56 00  ..............V.
00000180: 65 00 72 00 73 00 69 00  6F 00 6E 00 00 00 02 0E  e.r.s.i.o.n.....
00000190: 0B 00 04 04 01 00 00 16  00 00 00 64 CE 05 00 4C  ...........d...L
000001A0: 00 65 00 76 00 65 00 6C  00 00 00 02 0E 00 00 04  .e.v.e.l........
000001B0: 04 01 02 00 14 00 00 00  45 7B 04 00 54 00 61 00  ........E{..T.a.
000001C0: 73 00 6B 00 00 00 02 0E  02 00 06 04 01 01 00 18  s.k.............
000001D0: 00 00 00 AE 1E 06 00 4F  00 70 00 63 00 6F 00 64  .......O.p.c.o.d
000001E0: 00 65 00 00 00 02 0E 01  00 04 04 01 05 00 1C 00  .e..............
000001F0: 00 00 6A CF 08 00 4B 00  65 00 79 00 77 00 6F 00  ..j...K.e.y.w.o.
00000200: 72 00 64 00 73 00 00 00  02 0E 05 00 15 04 41 FF  r.d.s.........A.
00000210: FF 40 00 00 00 3B 8E 0B  00 54 00 69 00 6D 00 65  .@...;...T.i.m.e
00000220: 00 43 00 72 00 65 00 61  00 74 00 65 00 64 00 00  .C.r.e.a.t.e.d..
00000230: 00 1F 00 00 00 06 3C 7B  0A 00 53 00 79 00 73 00  ......<{..S.y.s.
00000240: 74 00 65 00 6D 00 54 00  69 00 6D 00 65 00 00 00  t.e.m.T.i.m.e...
00000250: 0E 06 00 11 03 01 0A 00  26 00 00 00 46 03 0D 00  ........&...F...
00000260: 45 00 76 00 65 00 6E 00  74 00 52 00 65 00 63 00  E.v.e.n.t.R.e.c.
00000270: 6F 00 72 00 64 00 49 00  44 00 00 00 02 0E 0A 00  o.r.d.I.D.......
00000280: 0A 04 41 FF FF 6D 00 00  00 A2 F2 0B 00 43 00 6F  ..A..m.......C.o
00000290: 00 72 00 72 00 65 00 6C  00 61 00 74 00 69 00 6F  .r.r.e.l.a.t.i.o
000002A0: 00 6E 00 00 00 4C 00 00  00 46 0A F1 0A 00 41 00  .n...L...F....A.
000002B0: 63 00 74 00 69 00 76 00  69 00 74 00 79 00 49 00  c.t.i.v.i.t.y.I.
000002C0: 44 00 00 00 0E 07 00 0F  06 35 C5 11 00 52 00 65  D........5...R.e
000002D0: 00 6C 00 61 00 74 00 65  00 64 00 41 00 63 00 74  .l.a.t.e.d.A.c.t
000002E0: 00 69 00 76 00 69 00 74  00 79 00 49 00 44 00 00  .i.v.i.t.y.I.D..
000002F0: 00 0E 0D 00 0F 03 41 FF  FF 55 00 00 00 B8 B5 09  ......A..U......
00000300: 00 45 00 78 00 65 00 63  00 75 00 74 00 69 00 6F  .E.x.e.c.u.t.i.o
00000310: 00 6E 00 00 00 38 00 00  00 46 0A D7 09 00 50 00  .n...8...F....P.
00000320: 72 00 6F 00 63 00 65 00  73 00 73 00 49 00 44 00  r.o.c.e.s.s.I.D.
00000330: 00 00 0E 08 00 08 06 85  39 08 00 54 00 68 00 72  ........9..T.h.r
00000340: 00 65 00 61 00 64 00 49  00 44 00 00 00 0E 09 00  .e.a.d.I.D......
00000350: 08 03 01 10 00 1A 00 00  00 83 61 07 00 43 00 68  ..........a..C.h
00000360: 00 61 00 6E 00 6E 00 65  00 6C 00 00 00 02 0E 10  .a.n.n.e.l......
00000370: 00 01 04 01 FF FF 3A 00  00 00 3B 6E 08 00 43 00  ......:...;n..C.
00000380: 6F 00 6D 00 70 00 75 00  74 00 65 00 72 00 00 00  o.m.p.u.t.e.r...
00000390: 02 05 01 0F 00 57 00 49  00 4E 00 2D 00 44 00 36  .....W.I.N.-.D.6
000003A0: 00 43 00 39 00 53 00 4F  00 31 00 4F 00 34 00 51  .C.9.S.O.1.O.4.Q
000003B0: 00 53 00 04 41 FF FF 32  00 00 00 A0 2E 08 00 53  .S..A..2.......S
000003C0: 00 65 00 63 00 75 00 72  00 69 00 74 00 79 00 00  .e.c.u.r.i.t.y..
000003D0: 00 17 00 00 00 06 66 4C  06 00 55 00 73 00 65 00  ......fL..U.s.e.
000003E0: 72 00 49 00 44 00 00 00  0E 0C 00 13 03 04 0E 11  r.I.D...........
000003F0: 00 21 04 00 12 00 00 00  01 00 04 00 01 00 04 00  .!..............
00000400: 02 00 06 00 02 00 06 00  00 00 00 00 08 00 15 00  ................
00000410: 08 00 11 00 00 00 00 00  04 00 08 00 04 00 08 00  ................
00000420: 08 00 0A 00 01 00 04 00  00 00 00 00 00 00 00 00  ................
00000430: 46 00 01 00 10 00 0F 00  10 00 01 00 45 00 21 00  F...........E.!.
00000440: 00 00 00 30 00 12 00 00  00 00 00 00 20 80 4F E6  ...0........ .O.
00000450: BF 54 D6 F9 D2 01 0C 02  00 00 10 02 00 00 01 00  .T..............
00000460: 00 00 00 00 00 00 00 4D  00 69 00 63 00 72 00 6F  .......M.i.c.r.o
00000470: 00 73 00 6F 00 66 00 74  00 2D 00 57 00 69 00 6E  .s.o.f.t.-.W.i.n
00000480: 00 64 00 6F 00 77 00 73  00 2D 00 53 00 65 00 63  .d.o.w.s.-.S.e.c
00000490: 00 75 00 72 00 69 00 74  00 79 00 2D 00 41 00 75  .u.r.i.t.y.-.A.u
000004A0: 00 64 00 69 00 74 00 69  00 6E 00 67 00 25 96 84  .d.i.t.i.n.g.%..
000004B0: 54 78 54 94 49 A5 BA 3E  3B 03 28 C3 0D 53 00 65  TxT.I..>;.(..S.e
000004C0: 00 63 00 75 00 72 00 69  00 74 00 79 00 0F 01 01  .c.u.r.i.t.y....
000004D0: 00 0C 00 DD 26 CE EE CB  7C D6 0D 8E 03 70 1A 29  ....&...|....p.)
000004E0: B7 63 EE 26 00 00 00 0F  01 01 00 01 FF FF 1A 00  .c.&............
000004F0: 00 00 44 82 09 00 45 00  76 00 65 00 6E 00 74 00  ..D...E.v.e.n.t.
00000500: 44 00 61 00 74 00 61 00  00 00 02 04 00 00 00 00  D.a.t.a.........
00000510: 00 00 00 00 00 00 00 20  00 00 00 18 00 00 00 01  ....... ........
00000520: 00 00 00 00 00 00 00 00  00 00 00 18 00 00 00 01  ................
00000530: 00 00 00 00 00 00 00                              .......
None
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00000000: 5D 0C 00 00 10 00 00 00  10 00 00 00 3D 0C 00 00  ]...........=...
00000010: 25 0C 00 00 0F 01 01 00  0C 00 EC C7 48 63 15 65  %...........Hc.e
00000020: 54 86 95 DF 5E B5 B3 D3  27 DA C6 03 00 00 0F 01  T...^...'.......
00000030: 01 00 41 11 00 BA 03 00  00 BA 0C 05 00 45 00 76  ..A..........E.v
00000040: 00 65 00 6E 00 74 00 00  00 7F 00 00 00 06 BC 0F  .e.n.t..........
00000050: 05 00 78 00 6D 00 6C 00  6E 00 73 00 00 00 05 01  ..x.m.l.n.s.....
00000060: 35 00 68 00 74 00 74 00  70 00 3A 00 2F 00 2F 00  5.h.t.t.p.:././.
00000070: 73 00 63 00 68 00 65 00  6D 00 61 00 73 00 2E 00  s.c.h.e.m.a.s...
00000080: 6D 00 69 00 63 00 72 00  6F 00 73 00 6F 00 66 00  m.i.c.r.o.s.o.f.
00000090: 74 00 2E 00 63 00 6F 00  6D 00 2F 00 77 00 69 00  t...c.o.m./.w.i.
000000A0: 6E 00 2F 00 32 00 30 00  30 00 34 00 2F 00 30 00  n./.2.0.0.4./.0.
000000B0: 38 00 2F 00 65 00 76 00  65 00 6E 00 74 00 73 00  8./.e.v.e.n.t.s.
000000C0: 2F 00 65 00 76 00 65 00  6E 00 74 00 02 01 FF FF  /.e.v.e.n.t.....
000000D0: 1A 03 00 00 6F 54 06 00  53 00 79 00 73 00 74 00  ....oT..S.y.s.t.
000000E0: 65 00 6D 00 00 00 02 41  FF FF 41 00 00 00 F1 7B  e.m....A..A....{
000000F0: 08 00 50 00 72 00 6F 00  76 00 69 00 64 00 65 00  ..P.r.o.v.i.d.e.
00000100: 72 00 00 00 26 00 00 00  46 4B 95 04 00 4E 00 61  r...&...FK...N.a
00000110: 00 6D 00 65 00 00 00 0E  0E 00 01 06 29 15 04 00  .m.e........)...
00000120: 47 00 75 00 69 00 64 00  00 00 0E 0F 00 0F 03 41  G.u.i.d........A
00000130: 03 00 3D 00 00 00 F5 61  07 00 45 00 76 00 65 00  ..=....a..E.v.e.
00000140: 6E 00 74 00 49 00 44 00  00 00 1F 00 00 00 06 29  n.t.I.D........)
00000150: DA 0A 00 51 00 75 00 61  00 6C 00 69 00 66 00 69  ...Q.u.a.l.i.f.i
00000160: 00 65 00 72 00 73 00 00  00 0E 04 00 06 02 0E 03  .e.r.s..........
00000170: 00 06 04 01 0B 00 1A 00  00 00 18 09 07 00 56 00  ..............V.
00000180: 65 00 72 00 73 00 69 00  6F 00 6E 00 00 00 02 0E  e.r.s.i.o.n.....
00000190: 0B 00 04 04 01 00 00 16  00 00 00 64 CE 05 00 4C  ...........d...L
000001A0: 00 65 00 76 00 65 00 6C  00 00 00 02 0E 00 00 04  .e.v.e.l........
000001B0: 04 01 02 00 14 00 00 00  45 7B 04 00 54 00 61 00  ........E{..T.a.
000001C0: 73 00 6B 00 00 00 02 0E  02 00 06 04 01 01 00 18  s.k.............
000001D0: 00 00 00 AE 1E 06 00 4F  00 70 00 63 00 6F 00 64  .......O.p.c.o.d
000001E0: 00 65 00 00 00 02 0E 01  00 04 04 01 05 00 1C 00  .e..............
000001F0: 00 00 6A CF 08 00 4B 00  65 00 79 00 77 00 6F 00  ..j...K.e.y.w.o.
00000200: 72 00 64 00 73 00 00 00  02 0E 05 00 15 04 41 FF  r.d.s.........A.
00000210: FF 40 00 00 00 3B 8E 0B  00 54 00 69 00 6D 00 65  .@...;...T.i.m.e
00000220: 00 43 00 72 00 65 00 61  00 74 00 65 00 64 00 00  .C.r.e.a.t.e.d..
00000230: 00 1F 00 00 00 06 3C 7B  0A 00 53 00 79 00 73 00  ......<{..S.y.s.
00000240: 74 00 65 00 6D 00 54 00  69 00 6D 00 65 00 00 00  t.e.m.T.i.m.e...
00000250: 0E 06 00 11 03 01 0A 00  26 00 00 00 46 03 0D 00  ........&...F...
00000260: 45 00 76 00 65 00 6E 00  74 00 52 00 65 00 63 00  E.v.e.n.t.R.e.c.
00000270: 6F 00 72 00 64 00 49 00  44 00 00 00 02 0E 0A 00  o.r.d.I.D.......
00000280: 0A 04 41 FF FF 6D 00 00  00 A2 F2 0B 00 43 00 6F  ..A..m.......C.o
00000290: 00 72 00 72 00 65 00 6C  00 61 00 74 00 69 00 6F  .r.r.e.l.a.t.i.o
000002A0: 00 6E 00 00 00 4C 00 00  00 46 0A F1 0A 00 41 00  .n...L...F....A.
000002B0: 63 00 74 00 69 00 76 00  69 00 74 00 79 00 49 00  c.t.i.v.i.t.y.I.
000002C0: 44 00 00 00 0E 07 00 0F  06 35 C5 11 00 52 00 65  D........5...R.e
000002D0: 00 6C 00 61 00 74 00 65  00 64 00 41 00 63 00 74  .l.a.t.e.d.A.c.t
000002E0: 00 69 00 76 00 69 00 74  00 79 00 49 00 44 00 00  .i.v.i.t.y.I.D..
000002F0: 00 0E 0D 00 0F 03 41 FF  FF 55 00 00 00 B8 B5 09  ......A..U......
00000300: 00 45 00 78 00 65 00 63  00 75 00 74 00 69 00 6F  .E.x.e.c.u.t.i.o
00000310: 00 6E 00 00 00 38 00 00  00 46 0A D7 09 00 50 00  .n...8...F....P.
00000320: 72 00 6F 00 63 00 65 00  73 00 73 00 49 00 44 00  r.o.c.e.s.s.I.D.
00000330: 00 00 0E 08 00 08 06 85  39 08 00 54 00 68 00 72  ........9..T.h.r
00000340: 00 65 00 61 00 64 00 49  00 44 00 00 00 0E 09 00  .e.a.d.I.D......
00000350: 08 03 01 10 00 1A 00 00  00 83 61 07 00 43 00 68  ..........a..C.h
00000360: 00 61 00 6E 00 6E 00 65  00 6C 00 00 00 02 0E 10  .a.n.n.e.l......
00000370: 00 01 04 01 FF FF 3A 00  00 00 3B 6E 08 00 43 00  ......:...;n..C.
00000380: 6F 00 6D 00 70 00 75 00  74 00 65 00 72 00 00 00  o.m.p.u.t.e.r...
00000390: 02 05 01 0F 00 57 00 49  00 4E 00 2D 00 44 00 36  .....W.I.N.-.D.6
000003A0: 00 43 00 39 00 53 00 4F  00 31 00 4F 00 34 00 51  .C.9.S.O.1.O.4.Q
000003B0: 00 53 00 04 41 FF FF 32  00 00 00 A0 2E 08 00 53  .S..A..2.......S
000003C0: 00 65 00 63 00 75 00 72  00 69 00 74 00 79 00 00  .e.c.u.r.i.t.y..
000003D0: 00 17 00 00 00 06 66 4C  06 00 55 00 73 00 65 00  ......fL..U.s.e.
000003E0: 72 00 49 00 44 00 00 00  0E 0C 00 13 03 04 0E 11  r.I.D...........
000003F0: 00 21 04 00 12 00 00 00  01 00 04 00 01 00 04 00  .!..............
00000400: 02 00 06 00 02 00 06 00  00 00 00 00 08 00 15 00  ................
00000410: 08 00 11 00 00 00 00 00  04 00 08 00 04 00 08 00  ................
00000420: 08 00 0A 00 01 00 04 00  00 00 00 00 00 00 00 00  ................
00000430: 46 00 01 00 10 00 0F 00  10 00 01 00 6B 07 21 00  F...........k.!.
00000440: 00 00 00 31 10 12 00 00  00 00 00 00 20 80 0B 43  ...1........ ..C
00000450: C2 54 D6 F9 D2 01 0C 02  00 00 10 02 00 00 02 00  .T..............
00000460: 00 00 00 00 00 00 01 4D  00 69 00 63 00 72 00 6F  .......M.i.c.r.o
00000470: 00 73 00 6F 00 66 00 74  00 2D 00 57 00 69 00 6E  .s.o.f.t.-.W.i.n
00000480: 00 64 00 6F 00 77 00 73  00 2D 00 53 00 65 00 63  .d.o.w.s.-.S.e.c
00000490: 00 75 00 72 00 69 00 74  00 79 00 2D 00 41 00 75  .u.r.i.t.y.-.A.u
000004A0: 00 64 00 69 00 74 00 69  00 6E 00 67 00 25 96 84  .d.i.t.i.n.g.%..
000004B0: 54 78 54 94 49 A5 BA 3E  3B 03 28 C3 0D 53 00 65  TxT.I..>;.(..S.e
000004C0: 00 63 00 75 00 72 00 69  00 74 00 79 00 0F 01 01  .c.u.r.i.t.y....
000004D0: 00 0C 00 C9 1A 65 C0 04  9A 4F 60 DE B0 F1 72 FF  .....e...O`...r.
000004E0: 8F E0 E8 78 06 00 00 0F  01 01 00 01 FF FF 6C 06  ...x..........l.
000004F0: 00 00 44 82 09 00 45 00  76 00 65 00 6E 00 74 00  ..D...E.v.e.n.t.
00000500: 44 00 61 00 74 00 61 00  00 00 02 41 FF FF 47 00  D.a.t.a....A..G.
00000510: 00 00 8A 6F 04 00 44 00  61 00 74 00 61 00 00 00  ...o..D.a.t.a...
00000520: 2F 00 00 00 06 4B 95 04  00 4E 00 61 00 6D 00 65  /....K...N.a.m.e
00000530: 00 00 00 05 01 0E 00 53  00 75 00 62 00 6A 00 65  .......S.u.b.j.e
00000540: 00 63 00 74 00 55 00 73  00 65 00 72 00 53 00 69  .c.t.U.s.e.r.S.i
00000550: 00 64 00 02 0D 00 00 13  04 41 FF FF 49 00 00 00  .d.......A..I...
00000560: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 31 00  .o..D.a.t.a...1.
00000570: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000580: 00 05 01 0F 00 53 00 75  00 62 00 6A 00 65 00 63  .....S.u.b.j.e.c
00000590: 00 74 00 55 00 73 00 65  00 72 00 4E 00 61 00 6D  .t.U.s.e.r.N.a.m
000005A0: 00 65 00 02 0D 01 00 01  04 41 FF FF 4D 00 00 00  .e.......A..M...
000005B0: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 35 00  .o..D.a.t.a...5.
000005C0: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
000005D0: 00 05 01 11 00 53 00 75  00 62 00 6A 00 65 00 63  .....S.u.b.j.e.c
000005E0: 00 74 00 44 00 6F 00 6D  00 61 00 69 00 6E 00 4E  .t.D.o.m.a.i.n.N
000005F0: 00 61 00 6D 00 65 00 02  0D 02 00 01 04 41 FF FF  .a.m.e.......A..
00000600: 47 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  G....o..D.a.t.a.
00000610: 00 00 2F 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ../....K...N.a.m
00000620: 00 65 00 00 00 05 01 0E  00 53 00 75 00 62 00 6A  .e.......S.u.b.j
00000630: 00 65 00 63 00 74 00 4C  00 6F 00 67 00 6F 00 6E  .e.c.t.L.o.g.o.n
00000640: 00 49 00 64 00 02 0D 03  00 15 04 41 FF FF 45 00  .I.d.......A..E.
00000650: 00 00 8A 6F 04 00 44 00  61 00 74 00 61 00 00 00  ...o..D.a.t.a...
00000660: 2D 00 00 00 06 4B 95 04  00 4E 00 61 00 6D 00 65  -....K...N.a.m.e
00000670: 00 00 00 05 01 0D 00 54  00 61 00 72 00 67 00 65  .......T.a.r.g.e
00000680: 00 74 00 55 00 73 00 65  00 72 00 53 00 69 00 64  .t.U.s.e.r.S.i.d
00000690: 00 02 0D 04 00 13 04 41  FF FF 47 00 00 00 8A 6F  .......A..G....o
000006A0: 04 00 44 00 61 00 74 00  61 00 00 00 2F 00 00 00  ..D.a.t.a.../...
000006B0: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
000006C0: 01 0E 00 54 00 61 00 72  00 67 00 65 00 74 00 55  ...T.a.r.g.e.t.U
000006D0: 00 73 00 65 00 72 00 4E  00 61 00 6D 00 65 00 02  .s.e.r.N.a.m.e..
000006E0: 0D 05 00 01 04 41 FF FF  4B 00 00 00 8A 6F 04 00  .....A..K....o..
000006F0: 44 00 61 00 74 00 61 00  00 00 33 00 00 00 06 4B  D.a.t.a...3....K
00000700: 95 04 00 4E 00 61 00 6D  00 65 00 00 00 05 01 10  ...N.a.m.e......
00000710: 00 54 00 61 00 72 00 67  00 65 00 74 00 44 00 6F  .T.a.r.g.e.t.D.o
00000720: 00 6D 00 61 00 69 00 6E  00 4E 00 61 00 6D 00 65  .m.a.i.n.N.a.m.e
00000730: 00 02 0D 06 00 01 04 41  FF FF 45 00 00 00 8A 6F  .......A..E....o
00000740: 04 00 44 00 61 00 74 00  61 00 00 00 2D 00 00 00  ..D.a.t.a...-...
00000750: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
00000760: 01 0D 00 54 00 61 00 72  00 67 00 65 00 74 00 4C  ...T.a.r.g.e.t.L
00000770: 00 6F 00 67 00 6F 00 6E  00 49 00 64 00 02 0D 07  .o.g.o.n.I.d....
00000780: 00 15 04 41 FF FF 3D 00  00 00 8A 6F 04 00 44 00  ...A..=....o..D.
00000790: 61 00 74 00 61 00 00 00  25 00 00 00 06 4B 95 04  a.t.a...%....K..
000007A0: 00 4E 00 61 00 6D 00 65  00 00 00 05 01 09 00 4C  .N.a.m.e.......L
000007B0: 00 6F 00 67 00 6F 00 6E  00 54 00 79 00 70 00 65  .o.g.o.n.T.y.p.e
000007C0: 00 02 0D 08 00 08 04 41  FF FF 4B 00 00 00 8A 6F  .......A..K....o
000007D0: 04 00 44 00 61 00 74 00  61 00 00 00 33 00 00 00  ..D.a.t.a...3...
000007E0: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
000007F0: 01 10 00 4C 00 6F 00 67  00 6F 00 6E 00 50 00 72  ...L.o.g.o.n.P.r
00000800: 00 6F 00 63 00 65 00 73  00 73 00 4E 00 61 00 6D  .o.c.e.s.s.N.a.m
00000810: 00 65 00 02 0D 09 00 01  04 41 FF FF 5D 00 00 00  .e.......A..]...
00000820: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 45 00  .o..D.a.t.a...E.
00000830: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000840: 00 05 01 19 00 41 00 75  00 74 00 68 00 65 00 6E  .....A.u.t.h.e.n
00000850: 00 74 00 69 00 63 00 61  00 74 00 69 00 6F 00 6E  .t.i.c.a.t.i.o.n
00000860: 00 50 00 61 00 63 00 6B  00 61 00 67 00 65 00 4E  .P.a.c.k.a.g.e.N
00000870: 00 61 00 6D 00 65 00 02  0D 0A 00 01 04 41 FF FF  .a.m.e.......A..
00000880: 49 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  I....o..D.a.t.a.
00000890: 00 00 31 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..1....K...N.a.m
000008A0: 00 65 00 00 00 05 01 0F  00 57 00 6F 00 72 00 6B  .e.......W.o.r.k
000008B0: 00 73 00 74 00 61 00 74  00 69 00 6F 00 6E 00 4E  .s.t.a.t.i.o.n.N
000008C0: 00 61 00 6D 00 65 00 02  0D 0B 00 01 04 41 FF FF  .a.m.e.......A..
000008D0: 3D 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  =....o..D.a.t.a.
000008E0: 00 00 25 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..%....K...N.a.m
000008F0: 00 65 00 00 00 05 01 09  00 4C 00 6F 00 67 00 6F  .e.......L.o.g.o
00000900: 00 6E 00 47 00 75 00 69  00 64 00 02 0D 0C 00 0F  .n.G.u.i.d......
00000910: 04 41 FF FF 51 00 00 00  8A 6F 04 00 44 00 61 00  .A..Q....o..D.a.
00000920: 74 00 61 00 00 00 39 00  00 00 06 4B 95 04 00 4E  t.a...9....K...N
00000930: 00 61 00 6D 00 65 00 00  00 05 01 13 00 54 00 72  .a.m.e.......T.r
00000940: 00 61 00 6E 00 73 00 6D  00 69 00 74 00 74 00 65  .a.n.s.m.i.t.t.e
00000950: 00 64 00 53 00 65 00 72  00 76 00 69 00 63 00 65  .d.S.e.r.v.i.c.e
00000960: 00 73 00 02 0D 0D 00 01  04 41 FF FF 45 00 00 00  .s.......A..E...
00000970: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 2D 00  .o..D.a.t.a...-.
00000980: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000990: 00 05 01 0D 00 4C 00 6D  00 50 00 61 00 63 00 6B  .....L.m.P.a.c.k
000009A0: 00 61 00 67 00 65 00 4E  00 61 00 6D 00 65 00 02  .a.g.e.N.a.m.e..
000009B0: 0D 0E 00 01 04 41 FF FF  3D 00 00 00 8A 6F 04 00  .....A..=....o..
000009C0: 44 00 61 00 74 00 61 00  00 00 25 00 00 00 06 4B  D.a.t.a...%....K
000009D0: 95 04 00 4E 00 61 00 6D  00 65 00 00 00 05 01 09  ...N.a.m.e......
000009E0: 00 4B 00 65 00 79 00 4C  00 65 00 6E 00 67 00 74  .K.e.y.L.e.n.g.t
000009F0: 00 68 00 02 0D 0F 00 08  04 41 FF FF 3D 00 00 00  .h.......A..=...
00000A00: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 25 00  .o..D.a.t.a...%.
00000A10: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000A20: 00 05 01 09 00 50 00 72  00 6F 00 63 00 65 00 73  .....P.r.o.c.e.s
00000A30: 00 73 00 49 00 64 00 02  0D 10 00 10 04 41 FF FF  .s.I.d.......A..
00000A40: 41 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  A....o..D.a.t.a.
00000A50: 00 00 29 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..)....K...N.a.m
00000A60: 00 65 00 00 00 05 01 0B  00 50 00 72 00 6F 00 63  .e.......P.r.o.c
00000A70: 00 65 00 73 00 73 00 4E  00 61 00 6D 00 65 00 02  .e.s.s.N.a.m.e..
00000A80: 0D 11 00 01 04 41 FF FF  3D 00 00 00 8A 6F 04 00  .....A..=....o..
00000A90: 44 00 61 00 74 00 61 00  00 00 25 00 00 00 06 4B  D.a.t.a...%....K
00000AA0: 95 04 00 4E 00 61 00 6D  00 65 00 00 00 05 01 09  ...N.a.m.e......
00000AB0: 00 49 00 70 00 41 00 64  00 64 00 72 00 65 00 73  .I.p.A.d.d.r.e.s
00000AC0: 00 73 00 02 0D 12 00 01  04 41 FF FF 37 00 00 00  .s.......A..7...
00000AD0: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 1F 00  .o..D.a.t.a.....
00000AE0: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000AF0: 00 05 01 06 00 49 00 70  00 50 00 6F 00 72 00 74  .....I.p.P.o.r.t
00000B00: 00 02 0D 13 00 01 04 41  FF FF 4F 00 00 00 8A 6F  .......A..O....o
00000B10: 04 00 44 00 61 00 74 00  61 00 00 00 37 00 00 00  ..D.a.t.a...7...
00000B20: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
00000B30: 01 12 00 49 00 6D 00 70  00 65 00 72 00 73 00 6F  ...I.m.p.e.r.s.o
00000B40: 00 6E 00 61 00 74 00 69  00 6F 00 6E 00 4C 00 65  .n.a.t.i.o.n.L.e
00000B50: 00 76 00 65 00 6C 00 02  0D 14 00 01 04 04 00 15  .v.e.l..........
00000B60: 00 00 00 0C 00 13 00 02  00 01 00 02 00 01 00 08  ................
00000B70: 00 15 00 0C 00 13 00 0C  00 01 00 18 00 01 00 08  ................
00000B80: 00 15 00 04 00 08 00 02  00 01 00 02 00 01 00 02  ................
00000B90: 00 01 00 10 00 0F 00 02  00 01 00 02 00 01 00 04  ................
00000BA0: 00 08 00 08 00 15 00 00  00 01 00 02 00 01 00 02  ................
00000BB0: 00 01 00 02 00 01 00 01  01 00 00 00 00 00 00 00  ................
00000BC0: 00 00 00 2D 00 2D 00 00  00 00 00 00 00 00 00 01  ...-.-..........
00000BD0: 01 00 00 00 00 00 05 12  00 00 00 53 00 59 00 53  ...........S.Y.S
00000BE0: 00 54 00 45 00 4D 00 4E  00 54 00 20 00 41 00 55  .T.E.M.N.T. .A.U
00000BF0: 00 54 00 48 00 4F 00 52  00 49 00 54 00 59 00 E7  .T.H.O.R.I.T.Y..
00000C00: 03 00 00 00 00 00 00 00  00 00 00 2D 00 2D 00 2D  ...........-.-.-
00000C10: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000C20: 00 2D 00 2D 00 00 00 00  00 04 00 00 00 00 00 00  .-.-............
00000C30: 00 2D 00 2D 00 2D 00 00  00 00 00 00 00 20 00 00  .-.-.-....... ..
00000C40: 00 18 00 00 00 01 00 00  00 00 00 00 00 00 00 00  ................
00000C50: 00 18 00 00 00 02 00 00  00 00 00 00 00           .............
None
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00000000: D5 05 00 00 10 00 00 00  10 00 00 00 B5 05 00 00  ................
00000010: 9D 05 00 00 0F 01 01 00  0C 00 EC C7 48 63 15 65  ............Hc.e
00000020: 54 86 95 DF 5E B5 B3 D3  27 DA C6 03 00 00 0F 01  T...^...'.......
00000030: 01 00 41 11 00 BA 03 00  00 BA 0C 05 00 45 00 76  ..A..........E.v
00000040: 00 65 00 6E 00 74 00 00  00 7F 00 00 00 06 BC 0F  .e.n.t..........
00000050: 05 00 78 00 6D 00 6C 00  6E 00 73 00 00 00 05 01  ..x.m.l.n.s.....
00000060: 35 00 68 00 74 00 74 00  70 00 3A 00 2F 00 2F 00  5.h.t.t.p.:././.
00000070: 73 00 63 00 68 00 65 00  6D 00 61 00 73 00 2E 00  s.c.h.e.m.a.s...
00000080: 6D 00 69 00 63 00 72 00  6F 00 73 00 6F 00 66 00  m.i.c.r.o.s.o.f.
00000090: 74 00 2E 00 63 00 6F 00  6D 00 2F 00 77 00 69 00  t...c.o.m./.w.i.
000000A0: 6E 00 2F 00 32 00 30 00  30 00 34 00 2F 00 30 00  n./.2.0.0.4./.0.
000000B0: 38 00 2F 00 65 00 76 00  65 00 6E 00 74 00 73 00  8./.e.v.e.n.t.s.
000000C0: 2F 00 65 00 76 00 65 00  6E 00 74 00 02 01 FF FF  /.e.v.e.n.t.....
000000D0: 1A 03 00 00 6F 54 06 00  53 00 79 00 73 00 74 00  ....oT..S.y.s.t.
000000E0: 65 00 6D 00 00 00 02 41  FF FF 41 00 00 00 F1 7B  e.m....A..A....{
000000F0: 08 00 50 00 72 00 6F 00  76 00 69 00 64 00 65 00  ..P.r.o.v.i.d.e.
00000100: 72 00 00 00 26 00 00 00  46 4B 95 04 00 4E 00 61  r...&...FK...N.a
00000110: 00 6D 00 65 00 00 00 0E  0E 00 01 06 29 15 04 00  .m.e........)...
00000120: 47 00 75 00 69 00 64 00  00 00 0E 0F 00 0F 03 41  G.u.i.d........A
00000130: 03 00 3D 00 00 00 F5 61  07 00 45 00 76 00 65 00  ..=....a..E.v.e.
00000140: 6E 00 74 00 49 00 44 00  00 00 1F 00 00 00 06 29  n.t.I.D........)
00000150: DA 0A 00 51 00 75 00 61  00 6C 00 69 00 66 00 69  ...Q.u.a.l.i.f.i
00000160: 00 65 00 72 00 73 00 00  00 0E 04 00 06 02 0E 03  .e.r.s..........
00000170: 00 06 04 01 0B 00 1A 00  00 00 18 09 07 00 56 00  ..............V.
00000180: 65 00 72 00 73 00 69 00  6F 00 6E 00 00 00 02 0E  e.r.s.i.o.n.....
00000190: 0B 00 04 04 01 00 00 16  00 00 00 64 CE 05 00 4C  ...........d...L
000001A0: 00 65 00 76 00 65 00 6C  00 00 00 02 0E 00 00 04  .e.v.e.l........
000001B0: 04 01 02 00 14 00 00 00  45 7B 04 00 54 00 61 00  ........E{..T.a.
000001C0: 73 00 6B 00 00 00 02 0E  02 00 06 04 01 01 00 18  s.k.............
000001D0: 00 00 00 AE 1E 06 00 4F  00 70 00 63 00 6F 00 64  .......O.p.c.o.d
000001E0: 00 65 00 00 00 02 0E 01  00 04 04 01 05 00 1C 00  .e..............
000001F0: 00 00 6A CF 08 00 4B 00  65 00 79 00 77 00 6F 00  ..j...K.e.y.w.o.
00000200: 72 00 64 00 73 00 00 00  02 0E 05 00 15 04 41 FF  r.d.s.........A.
00000210: FF 40 00 00 00 3B 8E 0B  00 54 00 69 00 6D 00 65  .@...;...T.i.m.e
00000220: 00 43 00 72 00 65 00 61  00 74 00 65 00 64 00 00  .C.r.e.a.t.e.d..
00000230: 00 1F 00 00 00 06 3C 7B  0A 00 53 00 79 00 73 00  ......<{..S.y.s.
00000240: 74 00 65 00 6D 00 54 00  69 00 6D 00 65 00 00 00  t.e.m.T.i.m.e...
00000250: 0E 06 00 11 03 01 0A 00  26 00 00 00 46 03 0D 00  ........&...F...
00000260: 45 00 76 00 65 00 6E 00  74 00 52 00 65 00 63 00  E.v.e.n.t.R.e.c.
00000270: 6F 00 72 00 64 00 49 00  44 00 00 00 02 0E 0A 00  o.r.d.I.D.......
00000280: 0A 04 41 FF FF 6D 00 00  00 A2 F2 0B 00 43 00 6F  ..A..m.......C.o
00000290: 00 72 00 72 00 65 00 6C  00 61 00 74 00 69 00 6F  .r.r.e.l.a.t.i.o
000002A0: 00 6E 00 00 00 4C 00 00  00 46 0A F1 0A 00 41 00  .n...L...F....A.
000002B0: 63 00 74 00 69 00 76 00  69 00 74 00 79 00 49 00  c.t.i.v.i.t.y.I.
000002C0: 44 00 00 00 0E 07 00 0F  06 35 C5 11 00 52 00 65  D........5...R.e
000002D0: 00 6C 00 61 00 74 00 65  00 64 00 41 00 63 00 74  .l.a.t.e.d.A.c.t
000002E0: 00 69 00 76 00 69 00 74  00 79 00 49 00 44 00 00  .i.v.i.t.y.I.D..
000002F0: 00 0E 0D 00 0F 03 41 FF  FF 55 00 00 00 B8 B5 09  ......A..U......
00000300: 00 45 00 78 00 65 00 63  00 75 00 74 00 69 00 6F  .E.x.e.c.u.t.i.o
00000310: 00 6E 00 00 00 38 00 00  00 46 0A D7 09 00 50 00  .n...8...F....P.
00000320: 72 00 6F 00 63 00 65 00  73 00 73 00 49 00 44 00  r.o.c.e.s.s.I.D.
00000330: 00 00 0E 08 00 08 06 85  39 08 00 54 00 68 00 72  ........9..T.h.r
00000340: 00 65 00 61 00 64 00 49  00 44 00 00 00 0E 09 00  .e.a.d.I.D......
00000350: 08 03 01 10 00 1A 00 00  00 83 61 07 00 43 00 68  ..........a..C.h
00000360: 00 61 00 6E 00 6E 00 65  00 6C 00 00 00 02 0E 10  .a.n.n.e.l......
00000370: 00 01 04 01 FF FF 3A 00  00 00 3B 6E 08 00 43 00  ......:...;n..C.
00000380: 6F 00 6D 00 70 00 75 00  74 00 65 00 72 00 00 00  o.m.p.u.t.e.r...
00000390: 02 05 01 0F 00 57 00 49  00 4E 00 2D 00 44 00 36  .....W.I.N.-.D.6
000003A0: 00 43 00 39 00 53 00 4F  00 31 00 4F 00 34 00 51  .C.9.S.O.1.O.4.Q
000003B0: 00 53 00 04 41 FF FF 32  00 00 00 A0 2E 08 00 53  .S..A..2.......S
000003C0: 00 65 00 63 00 75 00 72  00 69 00 74 00 79 00 00  .e.c.u.r.i.t.y..
000003D0: 00 17 00 00 00 06 66 4C  06 00 55 00 73 00 65 00  ......fL..U.s.e.
000003E0: 72 00 49 00 44 00 00 00  0E 0C 00 13 03 04 0E 11  r.I.D...........
000003F0: 00 21 04 00 12 00 00 00  01 00 04 00 01 00 04 00  .!..............
00000400: 02 00 06 00 02 00 06 00  00 00 00 00 08 00 15 00  ................
00000410: 08 00 11 00 00 00 00 00  04 00 08 00 04 00 08 00  ................
00000420: 08 00 0A 00 01 00 04 00  00 00 00 00 00 00 00 00  ................
00000430: 46 00 01 00 10 00 0F 00  10 00 01 00 E3 00 21 00  F.............!.
00000440: 00 00 00 35 26 13 00 00  00 00 00 00 20 80 6F CA  ...5&....... .o.
00000450: CB 54 D6 F9 D2 01 0C 02  00 00 30 02 00 00 03 00  .T........0.....
00000460: 00 00 00 00 00 00 00 4D  00 69 00 63 00 72 00 6F  .......M.i.c.r.o
00000470: 00 73 00 6F 00 66 00 74  00 2D 00 57 00 69 00 6E  .s.o.f.t.-.W.i.n
00000480: 00 64 00 6F 00 77 00 73  00 2D 00 53 00 65 00 63  .d.o.w.s.-.S.e.c
00000490: 00 75 00 72 00 69 00 74  00 79 00 2D 00 41 00 75  .u.r.i.t.y.-.A.u
000004A0: 00 64 00 69 00 74 00 69  00 6E 00 67 00 25 96 84  .d.i.t.i.n.g.%..
000004B0: 54 78 54 94 49 A5 BA 3E  3B 03 28 C3 0D 53 00 65  TxT.I..>;.(..S.e
000004C0: 00 63 00 75 00 72 00 69  00 74 00 79 00 0F 01 01  .c.u.r.i.t.y....
000004D0: 00 0C 00 BA EC 90 C7 27  31 B0 97 1B 60 41 97 96  .......'1...`A..
000004E0: 97 F9 0A B0 00 00 00 0F  01 01 00 01 FF FF A4 00  ................
000004F0: 00 00 44 82 09 00 45 00  76 00 65 00 6E 00 74 00  ..D...E.v.e.n.t.
00000500: 44 00 61 00 74 00 61 00  00 00 02 41 FF FF 3B 00  D.a.t.a....A..;.
00000510: 00 00 8A 6F 04 00 44 00  61 00 74 00 61 00 00 00  ...o..D.a.t.a...
00000520: 23 00 00 00 06 4B 95 04  00 4E 00 61 00 6D 00 65  #....K...N.a.m.e
00000530: 00 00 00 05 01 08 00 50  00 75 00 61 00 43 00 6F  .......P.u.a.C.o
00000540: 00 75 00 6E 00 74 00 02  0D 00 00 08 04 41 FF FF  .u.n.t.......A..
00000550: 41 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  A....o..D.a.t.a.
00000560: 00 00 29 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..)....K...N.a.m
00000570: 00 65 00 00 00 05 01 0B  00 50 00 75 00 61 00 50  .e.......P.u.a.P
00000580: 00 6F 00 6C 00 69 00 63  00 79 00 49 00 64 00 02  .o.l.i.c.y.I.d..
00000590: 0D 01 00 15 04 04 00 02  00 00 00 04 00 08 00 08  ................
000005A0: 00 15 00 00 00 00 00 3A  13 04 00 00 00 00 00 00  .......:........
000005B0: 00 00 00 00 00 20 00 00  00 18 00 00 00 01 00 00  ..... ..........
000005C0: 00 00 00 00 00 00 00 00  00 18 00 00 00 03 00 00  ................
000005D0: 00 00 00 00 00                                    .....
None
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00000000: F1 0C 00 00 10 00 00 00  10 00 00 00 D1 0C 00 00  ................
00000010: B9 0C 00 00 0F 01 01 00  0C 00 EC C7 48 63 15 65  ............Hc.e
00000020: 54 86 95 DF 5E B5 B3 D3  27 DA C6 03 00 00 0F 01  T...^...'.......
00000030: 01 00 41 11 00 BA 03 00  00 BA 0C 05 00 45 00 76  ..A..........E.v
00000040: 00 65 00 6E 00 74 00 00  00 7F 00 00 00 06 BC 0F  .e.n.t..........
00000050: 05 00 78 00 6D 00 6C 00  6E 00 73 00 00 00 05 01  ..x.m.l.n.s.....
00000060: 35 00 68 00 74 00 74 00  70 00 3A 00 2F 00 2F 00  5.h.t.t.p.:././.
00000070: 73 00 63 00 68 00 65 00  6D 00 61 00 73 00 2E 00  s.c.h.e.m.a.s...
00000080: 6D 00 69 00 63 00 72 00  6F 00 73 00 6F 00 66 00  m.i.c.r.o.s.o.f.
00000090: 74 00 2E 00 63 00 6F 00  6D 00 2F 00 77 00 69 00  t...c.o.m./.w.i.
000000A0: 6E 00 2F 00 32 00 30 00  30 00 34 00 2F 00 30 00  n./.2.0.0.4./.0.
000000B0: 38 00 2F 00 65 00 76 00  65 00 6E 00 74 00 73 00  8./.e.v.e.n.t.s.
000000C0: 2F 00 65 00 76 00 65 00  6E 00 74 00 02 01 FF FF  /.e.v.e.n.t.....
000000D0: 1A 03 00 00 6F 54 06 00  53 00 79 00 73 00 74 00  ....oT..S.y.s.t.
000000E0: 65 00 6D 00 00 00 02 41  FF FF 41 00 00 00 F1 7B  e.m....A..A....{
000000F0: 08 00 50 00 72 00 6F 00  76 00 69 00 64 00 65 00  ..P.r.o.v.i.d.e.
00000100: 72 00 00 00 26 00 00 00  46 4B 95 04 00 4E 00 61  r...&...FK...N.a
00000110: 00 6D 00 65 00 00 00 0E  0E 00 01 06 29 15 04 00  .m.e........)...
00000120: 47 00 75 00 69 00 64 00  00 00 0E 0F 00 0F 03 41  G.u.i.d........A
00000130: 03 00 3D 00 00 00 F5 61  07 00 45 00 76 00 65 00  ..=....a..E.v.e.
00000140: 6E 00 74 00 49 00 44 00  00 00 1F 00 00 00 06 29  n.t.I.D........)
00000150: DA 0A 00 51 00 75 00 61  00 6C 00 69 00 66 00 69  ...Q.u.a.l.i.f.i
00000160: 00 65 00 72 00 73 00 00  00 0E 04 00 06 02 0E 03  .e.r.s..........
00000170: 00 06 04 01 0B 00 1A 00  00 00 18 09 07 00 56 00  ..............V.
00000180: 65 00 72 00 73 00 69 00  6F 00 6E 00 00 00 02 0E  e.r.s.i.o.n.....
00000190: 0B 00 04 04 01 00 00 16  00 00 00 64 CE 05 00 4C  ...........d...L
000001A0: 00 65 00 76 00 65 00 6C  00 00 00 02 0E 00 00 04  .e.v.e.l........
000001B0: 04 01 02 00 14 00 00 00  45 7B 04 00 54 00 61 00  ........E{..T.a.
000001C0: 73 00 6B 00 00 00 02 0E  02 00 06 04 01 01 00 18  s.k.............
000001D0: 00 00 00 AE 1E 06 00 4F  00 70 00 63 00 6F 00 64  .......O.p.c.o.d
000001E0: 00 65 00 00 00 02 0E 01  00 04 04 01 05 00 1C 00  .e..............
000001F0: 00 00 6A CF 08 00 4B 00  65 00 79 00 77 00 6F 00  ..j...K.e.y.w.o.
00000200: 72 00 64 00 73 00 00 00  02 0E 05 00 15 04 41 FF  r.d.s.........A.
00000210: FF 40 00 00 00 3B 8E 0B  00 54 00 69 00 6D 00 65  .@...;...T.i.m.e
00000220: 00 43 00 72 00 65 00 61  00 74 00 65 00 64 00 00  .C.r.e.a.t.e.d..
00000230: 00 1F 00 00 00 06 3C 7B  0A 00 53 00 79 00 73 00  ......<{..S.y.s.
00000240: 74 00 65 00 6D 00 54 00  69 00 6D 00 65 00 00 00  t.e.m.T.i.m.e...
00000250: 0E 06 00 11 03 01 0A 00  26 00 00 00 46 03 0D 00  ........&...F...
00000260: 45 00 76 00 65 00 6E 00  74 00 52 00 65 00 63 00  E.v.e.n.t.R.e.c.
00000270: 6F 00 72 00 64 00 49 00  44 00 00 00 02 0E 0A 00  o.r.d.I.D.......
00000280: 0A 04 41 FF FF 6D 00 00  00 A2 F2 0B 00 43 00 6F  ..A..m.......C.o
00000290: 00 72 00 72 00 65 00 6C  00 61 00 74 00 69 00 6F  .r.r.e.l.a.t.i.o
000002A0: 00 6E 00 00 00 4C 00 00  00 46 0A F1 0A 00 41 00  .n...L...F....A.
000002B0: 63 00 74 00 69 00 76 00  69 00 74 00 79 00 49 00  c.t.i.v.i.t.y.I.
000002C0: 44 00 00 00 0E 07 00 0F  06 35 C5 11 00 52 00 65  D........5...R.e
000002D0: 00 6C 00 61 00 74 00 65  00 64 00 41 00 63 00 74  .l.a.t.e.d.A.c.t
000002E0: 00 69 00 76 00 69 00 74  00 79 00 49 00 44 00 00  .i.v.i.t.y.I.D..
000002F0: 00 0E 0D 00 0F 03 41 FF  FF 55 00 00 00 B8 B5 09  ......A..U......
00000300: 00 45 00 78 00 65 00 63  00 75 00 74 00 69 00 6F  .E.x.e.c.u.t.i.o
00000310: 00 6E 00 00 00 38 00 00  00 46 0A D7 09 00 50 00  .n...8...F....P.
00000320: 72 00 6F 00 63 00 65 00  73 00 73 00 49 00 44 00  r.o.c.e.s.s.I.D.
00000330: 00 00 0E 08 00 08 06 85  39 08 00 54 00 68 00 72  ........9..T.h.r
00000340: 00 65 00 61 00 64 00 49  00 44 00 00 00 0E 09 00  .e.a.d.I.D......
00000350: 08 03 01 10 00 1A 00 00  00 83 61 07 00 43 00 68  ..........a..C.h
00000360: 00 61 00 6E 00 6E 00 65  00 6C 00 00 00 02 0E 10  .a.n.n.e.l......
00000370: 00 01 04 01 FF FF 3A 00  00 00 3B 6E 08 00 43 00  ......:...;n..C.
00000380: 6F 00 6D 00 70 00 75 00  74 00 65 00 72 00 00 00  o.m.p.u.t.e.r...
00000390: 02 05 01 0F 00 57 00 49  00 4E 00 2D 00 44 00 36  .....W.I.N.-.D.6
000003A0: 00 43 00 39 00 53 00 4F  00 31 00 4F 00 34 00 51  .C.9.S.O.1.O.4.Q
000003B0: 00 53 00 04 41 FF FF 32  00 00 00 A0 2E 08 00 53  .S..A..2.......S
000003C0: 00 65 00 63 00 75 00 72  00 69 00 74 00 79 00 00  .e.c.u.r.i.t.y..
000003D0: 00 17 00 00 00 06 66 4C  06 00 55 00 73 00 65 00  ......fL..U.s.e.
000003E0: 72 00 49 00 44 00 00 00  0E 0C 00 13 03 04 0E 11  r.I.D...........
000003F0: 00 21 04 00 12 00 00 00  01 00 04 00 01 00 04 00  .!..............
00000400: 02 00 06 00 02 00 06 00  00 00 00 00 08 00 15 00  ................
00000410: 08 00 11 00 00 00 00 00  04 00 08 00 04 00 08 00  ................
00000420: 08 00 0A 00 01 00 04 00  00 00 00 00 00 00 00 00  ................
00000430: 46 00 01 00 10 00 0F 00  10 00 01 00 FF 07 21 00  F.............!.
00000440: 00 00 00 31 10 12 00 00  00 00 00 00 20 80 F7 B6  ...1........ ...
00000450: D7 54 D6 F9 D2 01 0C 02  00 00 24 02 00 00 04 00  .T........$.....
00000460: 00 00 00 00 00 00 01 4D  00 69 00 63 00 72 00 6F  .......M.i.c.r.o
00000470: 00 73 00 6F 00 66 00 74  00 2D 00 57 00 69 00 6E  .s.o.f.t.-.W.i.n
00000480: 00 64 00 6F 00 77 00 73  00 2D 00 53 00 65 00 63  .d.o.w.s.-.S.e.c
00000490: 00 75 00 72 00 69 00 74  00 79 00 2D 00 41 00 75  .u.r.i.t.y.-.A.u
000004A0: 00 64 00 69 00 74 00 69  00 6E 00 67 00 25 96 84  .d.i.t.i.n.g.%..
000004B0: 54 78 54 94 49 A5 BA 3E  3B 03 28 C3 0D 53 00 65  TxT.I..>;.(..S.e
000004C0: 00 63 00 75 00 72 00 69  00 74 00 79 00 0F 01 01  .c.u.r.i.t.y....
000004D0: 00 0C 00 C9 1A 65 C0 04  9A 4F 60 DE B0 F1 72 FF  .....e...O`...r.
000004E0: 8F E0 E8 78 06 00 00 0F  01 01 00 01 FF FF 6C 06  ...x..........l.
000004F0: 00 00 44 82 09 00 45 00  76 00 65 00 6E 00 74 00  ..D...E.v.e.n.t.
00000500: 44 00 61 00 74 00 61 00  00 00 02 41 FF FF 47 00  D.a.t.a....A..G.
00000510: 00 00 8A 6F 04 00 44 00  61 00 74 00 61 00 00 00  ...o..D.a.t.a...
00000520: 2F 00 00 00 06 4B 95 04  00 4E 00 61 00 6D 00 65  /....K...N.a.m.e
00000530: 00 00 00 05 01 0E 00 53  00 75 00 62 00 6A 00 65  .......S.u.b.j.e
00000540: 00 63 00 74 00 55 00 73  00 65 00 72 00 53 00 69  .c.t.U.s.e.r.S.i
00000550: 00 64 00 02 0D 00 00 13  04 41 FF FF 49 00 00 00  .d.......A..I...
00000560: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 31 00  .o..D.a.t.a...1.
00000570: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000580: 00 05 01 0F 00 53 00 75  00 62 00 6A 00 65 00 63  .....S.u.b.j.e.c
00000590: 00 74 00 55 00 73 00 65  00 72 00 4E 00 61 00 6D  .t.U.s.e.r.N.a.m
000005A0: 00 65 00 02 0D 01 00 01  04 41 FF FF 4D 00 00 00  .e.......A..M...
000005B0: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 35 00  .o..D.a.t.a...5.
000005C0: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
000005D0: 00 05 01 11 00 53 00 75  00 62 00 6A 00 65 00 63  .....S.u.b.j.e.c
000005E0: 00 74 00 44 00 6F 00 6D  00 61 00 69 00 6E 00 4E  .t.D.o.m.a.i.n.N
000005F0: 00 61 00 6D 00 65 00 02  0D 02 00 01 04 41 FF FF  .a.m.e.......A..
00000600: 47 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  G....o..D.a.t.a.
00000610: 00 00 2F 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ../....K...N.a.m
00000620: 00 65 00 00 00 05 01 0E  00 53 00 75 00 62 00 6A  .e.......S.u.b.j
00000630: 00 65 00 63 00 74 00 4C  00 6F 00 67 00 6F 00 6E  .e.c.t.L.o.g.o.n
00000640: 00 49 00 64 00 02 0D 03  00 15 04 41 FF FF 45 00  .I.d.......A..E.
00000650: 00 00 8A 6F 04 00 44 00  61 00 74 00 61 00 00 00  ...o..D.a.t.a...
00000660: 2D 00 00 00 06 4B 95 04  00 4E 00 61 00 6D 00 65  -....K...N.a.m.e
00000670: 00 00 00 05 01 0D 00 54  00 61 00 72 00 67 00 65  .......T.a.r.g.e
00000680: 00 74 00 55 00 73 00 65  00 72 00 53 00 69 00 64  .t.U.s.e.r.S.i.d
00000690: 00 02 0D 04 00 13 04 41  FF FF 47 00 00 00 8A 6F  .......A..G....o
000006A0: 04 00 44 00 61 00 74 00  61 00 00 00 2F 00 00 00  ..D.a.t.a.../...
000006B0: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
000006C0: 01 0E 00 54 00 61 00 72  00 67 00 65 00 74 00 55  ...T.a.r.g.e.t.U
000006D0: 00 73 00 65 00 72 00 4E  00 61 00 6D 00 65 00 02  .s.e.r.N.a.m.e..
000006E0: 0D 05 00 01 04 41 FF FF  4B 00 00 00 8A 6F 04 00  .....A..K....o..
000006F0: 44 00 61 00 74 00 61 00  00 00 33 00 00 00 06 4B  D.a.t.a...3....K
00000700: 95 04 00 4E 00 61 00 6D  00 65 00 00 00 05 01 10  ...N.a.m.e......
00000710: 00 54 00 61 00 72 00 67  00 65 00 74 00 44 00 6F  .T.a.r.g.e.t.D.o
00000720: 00 6D 00 61 00 69 00 6E  00 4E 00 61 00 6D 00 65  .m.a.i.n.N.a.m.e
00000730: 00 02 0D 06 00 01 04 41  FF FF 45 00 00 00 8A 6F  .......A..E....o
00000740: 04 00 44 00 61 00 74 00  61 00 00 00 2D 00 00 00  ..D.a.t.a...-...
00000750: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
00000760: 01 0D 00 54 00 61 00 72  00 67 00 65 00 74 00 4C  ...T.a.r.g.e.t.L
00000770: 00 6F 00 67 00 6F 00 6E  00 49 00 64 00 02 0D 07  .o.g.o.n.I.d....
00000780: 00 15 04 41 FF FF 3D 00  00 00 8A 6F 04 00 44 00  ...A..=....o..D.
00000790: 61 00 74 00 61 00 00 00  25 00 00 00 06 4B 95 04  a.t.a...%....K..
000007A0: 00 4E 00 61 00 6D 00 65  00 00 00 05 01 09 00 4C  .N.a.m.e.......L
000007B0: 00 6F 00 67 00 6F 00 6E  00 54 00 79 00 70 00 65  .o.g.o.n.T.y.p.e
000007C0: 00 02 0D 08 00 08 04 41  FF FF 4B 00 00 00 8A 6F  .......A..K....o
000007D0: 04 00 44 00 61 00 74 00  61 00 00 00 33 00 00 00  ..D.a.t.a...3...
000007E0: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
000007F0: 01 10 00 4C 00 6F 00 67  00 6F 00 6E 00 50 00 72  ...L.o.g.o.n.P.r
00000800: 00 6F 00 63 00 65 00 73  00 73 00 4E 00 61 00 6D  .o.c.e.s.s.N.a.m
00000810: 00 65 00 02 0D 09 00 01  04 41 FF FF 5D 00 00 00  .e.......A..]...
00000820: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 45 00  .o..D.a.t.a...E.
00000830: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000840: 00 05 01 19 00 41 00 75  00 74 00 68 00 65 00 6E  .....A.u.t.h.e.n
00000850: 00 74 00 69 00 63 00 61  00 74 00 69 00 6F 00 6E  .t.i.c.a.t.i.o.n
00000860: 00 50 00 61 00 63 00 6B  00 61 00 67 00 65 00 4E  .P.a.c.k.a.g.e.N
00000870: 00 61 00 6D 00 65 00 02  0D 0A 00 01 04 41 FF FF  .a.m.e.......A..
00000880: 49 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  I....o..D.a.t.a.
00000890: 00 00 31 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..1....K...N.a.m
000008A0: 00 65 00 00 00 05 01 0F  00 57 00 6F 00 72 00 6B  .e.......W.o.r.k
000008B0: 00 73 00 74 00 61 00 74  00 69 00 6F 00 6E 00 4E  .s.t.a.t.i.o.n.N
000008C0: 00 61 00 6D 00 65 00 02  0D 0B 00 01 04 41 FF FF  .a.m.e.......A..
000008D0: 3D 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  =....o..D.a.t.a.
000008E0: 00 00 25 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..%....K...N.a.m
000008F0: 00 65 00 00 00 05 01 09  00 4C 00 6F 00 67 00 6F  .e.......L.o.g.o
00000900: 00 6E 00 47 00 75 00 69  00 64 00 02 0D 0C 00 0F  .n.G.u.i.d......
00000910: 04 41 FF FF 51 00 00 00  8A 6F 04 00 44 00 61 00  .A..Q....o..D.a.
00000920: 74 00 61 00 00 00 39 00  00 00 06 4B 95 04 00 4E  t.a...9....K...N
00000930: 00 61 00 6D 00 65 00 00  00 05 01 13 00 54 00 72  .a.m.e.......T.r
00000940: 00 61 00 6E 00 73 00 6D  00 69 00 74 00 74 00 65  .a.n.s.m.i.t.t.e
00000950: 00 64 00 53 00 65 00 72  00 76 00 69 00 63 00 65  .d.S.e.r.v.i.c.e
00000960: 00 73 00 02 0D 0D 00 01  04 41 FF FF 45 00 00 00  .s.......A..E...
00000970: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 2D 00  .o..D.a.t.a...-.
00000980: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000990: 00 05 01 0D 00 4C 00 6D  00 50 00 61 00 63 00 6B  .....L.m.P.a.c.k
000009A0: 00 61 00 67 00 65 00 4E  00 61 00 6D 00 65 00 02  .a.g.e.N.a.m.e..
000009B0: 0D 0E 00 01 04 41 FF FF  3D 00 00 00 8A 6F 04 00  .....A..=....o..
000009C0: 44 00 61 00 74 00 61 00  00 00 25 00 00 00 06 4B  D.a.t.a...%....K
000009D0: 95 04 00 4E 00 61 00 6D  00 65 00 00 00 05 01 09  ...N.a.m.e......
000009E0: 00 4B 00 65 00 79 00 4C  00 65 00 6E 00 67 00 74  .K.e.y.L.e.n.g.t
000009F0: 00 68 00 02 0D 0F 00 08  04 41 FF FF 3D 00 00 00  .h.......A..=...
00000A00: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 25 00  .o..D.a.t.a...%.
00000A10: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000A20: 00 05 01 09 00 50 00 72  00 6F 00 63 00 65 00 73  .....P.r.o.c.e.s
00000A30: 00 73 00 49 00 64 00 02  0D 10 00 10 04 41 FF FF  .s.I.d.......A..
00000A40: 41 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  A....o..D.a.t.a.
00000A50: 00 00 29 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..)....K...N.a.m
00000A60: 00 65 00 00 00 05 01 0B  00 50 00 72 00 6F 00 63  .e.......P.r.o.c
00000A70: 00 65 00 73 00 73 00 4E  00 61 00 6D 00 65 00 02  .e.s.s.N.a.m.e..
00000A80: 0D 11 00 01 04 41 FF FF  3D 00 00 00 8A 6F 04 00  .....A..=....o..
00000A90: 44 00 61 00 74 00 61 00  00 00 25 00 00 00 06 4B  D.a.t.a...%....K
00000AA0: 95 04 00 4E 00 61 00 6D  00 65 00 00 00 05 01 09  ...N.a.m.e......
00000AB0: 00 49 00 70 00 41 00 64  00 64 00 72 00 65 00 73  .I.p.A.d.d.r.e.s
00000AC0: 00 73 00 02 0D 12 00 01  04 41 FF FF 37 00 00 00  .s.......A..7...
00000AD0: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 1F 00  .o..D.a.t.a.....
00000AE0: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000AF0: 00 05 01 06 00 49 00 70  00 50 00 6F 00 72 00 74  .....I.p.P.o.r.t
00000B00: 00 02 0D 13 00 01 04 41  FF FF 4F 00 00 00 8A 6F  .......A..O....o
00000B10: 04 00 44 00 61 00 74 00  61 00 00 00 37 00 00 00  ..D.a.t.a...7...
00000B20: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
00000B30: 01 12 00 49 00 6D 00 70  00 65 00 72 00 73 00 6F  ...I.m.p.e.r.s.o
00000B40: 00 6E 00 61 00 74 00 69  00 6F 00 6E 00 4C 00 65  .n.a.t.i.o.n.L.e
00000B50: 00 76 00 65 00 6C 00 02  0D 14 00 01 04 04 00 15  .v.e.l..........
00000B60: 00 00 00 0C 00 13 00 20  00 01 00 12 00 01 00 08  ....... ........
00000B70: 00 15 00 0C 00 13 00 0C  00 01 00 18 00 01 00 08  ................
00000B80: 00 15 00 04 00 08 00 10  00 01 00 12 00 01 00 00  ................
00000B90: 00 01 00 10 00 0F 00 02  00 01 00 02 00 01 00 04  ................
00000BA0: 00 08 00 08 00 15 00 40  00 01 00 02 00 01 00 02  .......@........
00000BB0: 00 01 00 0C 00 01 00 01  01 00 00 00 00 00 05 12  ................
00000BC0: 00 00 00 57 00 49 00 4E  00 2D 00 44 00 36 00 43  ...W.I.N.-.D.6.C
00000BD0: 00 39 00 53 00 4F 00 31  00 4F 00 34 00 51 00 53  .9.S.O.1.O.4.Q.S
00000BE0: 00 24 00 57 00 4F 00 52  00 4B 00 47 00 52 00 4F  .$.W.O.R.K.G.R.O
00000BF0: 00 55 00 50 00 E7 03 00  00 00 00 00 00 01 01 00  .U.P............
00000C00: 00 00 00 00 05 12 00 00  00 53 00 59 00 53 00 54  .........S.Y.S.T
00000C10: 00 45 00 4D 00 4E 00 54  00 20 00 41 00 55 00 54  .E.M.N.T. .A.U.T
00000C20: 00 48 00 4F 00 52 00 49  00 54 00 59 00 E7 03 00  .H.O.R.I.T.Y....
00000C30: 00 00 00 00 00 05 00 00  00 41 00 64 00 76 00 61  .........A.d.v.a
00000C40: 00 70 00 69 00 20 00 20  00 4E 00 65 00 67 00 6F  .p.i. . .N.e.g.o
00000C50: 00 74 00 69 00 61 00 74  00 65 00 00 00 00 00 00  .t.i.a.t.e......
00000C60: 00 00 00 00 00 00 00 00  00 00 00 2D 00 2D 00 00  ...........-.-..
00000C70: 00 00 00 04 02 00 00 00  00 00 00 43 00 3A 00 5C  ...........C.:.\
00000C80: 00 57 00 69 00 6E 00 64  00 6F 00 77 00 73 00 5C  .W.i.n.d.o.w.s.\
00000C90: 00 53 00 79 00 73 00 74  00 65 00 6D 00 33 00 32  .S.y.s.t.e.m.3.2
00000CA0: 00 5C 00 73 00 65 00 72  00 76 00 69 00 63 00 65  .\.s.e.r.v.i.c.e
00000CB0: 00 73 00 2E 00 65 00 78  00 65 00 2D 00 2D 00 25  .s...e.x.e.-.-.%
00000CC0: 00 25 00 31 00 38 00 33  00 33 00 00 00 00 00 00  .%.1.8.3.3......
00000CD0: 00 20 00 00 00 18 00 00  00 01 00 00 00 00 00 00  . ..............
00000CE0: 00 00 00 00 00 18 00 00  00 04 00 00 00 00 00 00  ................
00000CF0: 00                                                .
None
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00000000: 33 09 00 00 10 00 00 00  10 00 00 00 13 09 00 00  3...............
00000010: FB 08 00 00 0F 01 01 00  0C 00 EC C7 48 63 15 65  ............Hc.e
00000020: 54 86 95 DF 5E B5 B3 D3  27 DA C6 03 00 00 0F 01  T...^...'.......
00000030: 01 00 41 11 00 BA 03 00  00 BA 0C 05 00 45 00 76  ..A..........E.v
00000040: 00 65 00 6E 00 74 00 00  00 7F 00 00 00 06 BC 0F  .e.n.t..........
00000050: 05 00 78 00 6D 00 6C 00  6E 00 73 00 00 00 05 01  ..x.m.l.n.s.....
00000060: 35 00 68 00 74 00 74 00  70 00 3A 00 2F 00 2F 00  5.h.t.t.p.:././.
00000070: 73 00 63 00 68 00 65 00  6D 00 61 00 73 00 2E 00  s.c.h.e.m.a.s...
00000080: 6D 00 69 00 63 00 72 00  6F 00 73 00 6F 00 66 00  m.i.c.r.o.s.o.f.
00000090: 74 00 2E 00 63 00 6F 00  6D 00 2F 00 77 00 69 00  t...c.o.m./.w.i.
000000A0: 6E 00 2F 00 32 00 30 00  30 00 34 00 2F 00 30 00  n./.2.0.0.4./.0.
000000B0: 38 00 2F 00 65 00 76 00  65 00 6E 00 74 00 73 00  8./.e.v.e.n.t.s.
000000C0: 2F 00 65 00 76 00 65 00  6E 00 74 00 02 01 FF FF  /.e.v.e.n.t.....
000000D0: 1A 03 00 00 6F 54 06 00  53 00 79 00 73 00 74 00  ....oT..S.y.s.t.
000000E0: 65 00 6D 00 00 00 02 41  FF FF 41 00 00 00 F1 7B  e.m....A..A....{
000000F0: 08 00 50 00 72 00 6F 00  76 00 69 00 64 00 65 00  ..P.r.o.v.i.d.e.
00000100: 72 00 00 00 26 00 00 00  46 4B 95 04 00 4E 00 61  r...&...FK...N.a
00000110: 00 6D 00 65 00 00 00 0E  0E 00 01 06 29 15 04 00  .m.e........)...
00000120: 47 00 75 00 69 00 64 00  00 00 0E 0F 00 0F 03 41  G.u.i.d........A
00000130: 03 00 3D 00 00 00 F5 61  07 00 45 00 76 00 65 00  ..=....a..E.v.e.
00000140: 6E 00 74 00 49 00 44 00  00 00 1F 00 00 00 06 29  n.t.I.D........)
00000150: DA 0A 00 51 00 75 00 61  00 6C 00 69 00 66 00 69  ...Q.u.a.l.i.f.i
00000160: 00 65 00 72 00 73 00 00  00 0E 04 00 06 02 0E 03  .e.r.s..........
williballenthin commented 7 years ago

here's the raw data from an evtx event entry:


and the parsed structure:

record(absolute_offset=4608)
RootNode(offset=0x18)
  StreamStartNode(offset=0x18)
  TemplateInstanceNode(offset=0x1c, resident=True, length=0x569)
    TemplateNode(offset=0x26)
      StreamStartNode(offset=0x3e)
      OpenStartElementNode(offset=0x42)
        AttributeNode(offset=0x65)
          ValueNode(offset=0x7e)
            WstringTypeNode(offset=0x80) --> http://schemas.microsoft.com/win/2004/08/events/event
        CloseStartElementNode(offset=0xec)
        OpenStartElementNode(offset=0xed)
          CloseStartElementNode(offset=0x10e)
          OpenStartElementNode(offset=0x10f)
            AttributeNode(offset=0x138)
              ValueNode(offset=0x14f)
                WstringTypeNode(offset=0x151) --> Microsoft-Windows-Eventlog
            AttributeNode(offset=0x187)
              ValueNode(offset=0x19e)
                WstringTypeNode(offset=0x1a0) --> {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
            CloseEmptyElementNode(offset=0x1ee)
          OpenStartElementNode(offset=0x1ef)
            AttributeNode(offset=0x216)
              ConditionalSubstitutionNode(offset=0x239)
            CloseStartElementNode(offset=0x23d)
            ConditionalSubstitutionNode(offset=0x23e)
            CloseElementNode(offset=0x242)
          OpenStartElementNode(offset=0x243)
            CloseStartElementNode(offset=0x266)
            ConditionalSubstitutionNode(offset=0x267)
            CloseElementNode(offset=0x26b)
          OpenStartElementNode(offset=0x26c)
            CloseStartElementNode(offset=0x28b)
            ConditionalSubstitutionNode(offset=0x28c)
            CloseElementNode(offset=0x290)
          OpenStartElementNode(offset=0x291)
            CloseStartElementNode(offset=0x2ae)
            ConditionalSubstitutionNode(offset=0x2af)
            CloseElementNode(offset=0x2b3)
          OpenStartElementNode(offset=0x2b4)
            CloseStartElementNode(offset=0x2d5)
            ConditionalSubstitutionNode(offset=0x2d6)
            CloseElementNode(offset=0x2da)
          OpenStartElementNode(offset=0x2db)
            CloseStartElementNode(offset=0x300)
            ConditionalSubstitutionNode(offset=0x301)
            CloseElementNode(offset=0x305)
          OpenStartElementNode(offset=0x306)
            AttributeNode(offset=0x335)
              ConditionalSubstitutionNode(offset=0x358)
            CloseEmptyElementNode(offset=0x35c)
          OpenStartElementNode(offset=0x35d)
            CloseStartElementNode(offset=0x38c)
            ConditionalSubstitutionNode(offset=0x38d)
            CloseElementNode(offset=0x391)
          OpenStartElementNode(offset=0x392)
            AttributeNode(offset=0x3c1)
              ConditionalSubstitutionNode(offset=0x3e4)
            AttributeNode(offset=0x3e8)
              ConditionalSubstitutionNode(offset=0x419)
            CloseEmptyElementNode(offset=0x41d)
          OpenStartElementNode(offset=0x41e)
            AttributeNode(offset=0x449)
              ConditionalSubstitutionNode(offset=0x46a)
            AttributeNode(offset=0x46e)
              ConditionalSubstitutionNode(offset=0x48d)
            CloseEmptyElementNode(offset=0x491)
          OpenStartElementNode(offset=0x492)
            CloseStartElementNode(offset=0x4b5)
            ValueNode(offset=0x4b6)
              WstringTypeNode(offset=0x4b8) --> System
            CloseElementNode(offset=0x4c6)
          OpenStartElementNode(offset=0x4c7)
            CloseStartElementNode(offset=0x4ec)
            ValueNode(offset=0x4ed)
              WstringTypeNode(offset=0x4ef) --> WKS-WIN764BITB.shieldbase.local
            CloseElementNode(offset=0x52f)
          OpenStartElementNode(offset=0x530)
            AttributeNode(offset=0x559)
              ConditionalSubstitutionNode(offset=0x574)
            CloseEmptyElementNode(offset=0x578)
          CloseElementNode(offset=0x579)
        OpenStartElementNode(offset=0x57a)
          CloseStartElementNode(offset=0x59f)
          ConditionalSubstitutionNode(offset=0x5a0)
          CloseElementNode(offset=0x5a4)
        CloseElementNode(offset=0x5a5)
      EndOfStreamNode(offset=0x5a6)
  Substitutions(offset=0x5a7)
    UnsignedByteTypeNode(offset=0x5fb) --> 4
    UnsignedByteTypeNode(offset=0x5fc) --> 0
    UnsignedWordTypeNode(offset=0x5fd) --> 105
    UnsignedWordTypeNode(offset=0x5ff) --> 105
    NullTypeNode(offset=0x601)
    Hex64TypeNode(offset=0x601) --> 0x8000000000000000
    FiletimeTypeNode(offset=0x609) --> 2012-03-14 04:17:43.354563
    NullTypeNode(offset=0x611)
    UnsignedDwordTypeNode(offset=0x611) --> 820
    UnsignedDwordTypeNode(offset=0x615) --> 2868
    UnsignedQwordTypeNode(offset=0x619) --> 12049
    UnsignedByteTypeNode(offset=0x621) --> 0
    NullTypeNode(offset=0x622)
    NullTypeNode(offset=0x622)
    NullTypeNode(offset=0x622)
    NullTypeNode(offset=0x622)
    NullTypeNode(offset=0x622)
    NullTypeNode(offset=0x622)
    NullTypeNode(offset=0x622)
    BXmlTypeNode(offset=0x622) --> 
      RootNode(offset=0x622)
        StreamStartNode(offset=0x622)
        TemplateInstanceNode(offset=0x626, resident=True, length=0x180)
          TemplateNode(offset=0x630)
            StreamStartNode(offset=0x648)
            OpenStartElementNode(offset=0x64c)
              AttributeNode(offset=0x679)
                ValueNode(offset=0x6a4)
                  WstringTypeNode(offset=0x6a6) --> http://schemas.microsoft.com/win/2004/08/events
              AttributeNode(offset=0x706)
                ValueNode(offset=0x70b)
                  WstringTypeNode(offset=0x70d) --> http://manifests.microsoft.com/win/2004/08/windows/eventlog
              CloseStartElementNode(offset=0x785)
              OpenStartElementNode(offset=0x786)
                CloseStartElementNode(offset=0x791)
                NormalSubstitutionNode(offset=0x792)
                CloseElementNode(offset=0x796)
              OpenStartElementNode(offset=0x797)
                CloseStartElementNode(offset=0x7c0)
                NormalSubstitutionNode(offset=0x7c1)
                CloseElementNode(offset=0x7c5)
              CloseElementNode(offset=0x7c6)
            EndOfStreamNode(offset=0x7c7)
        Substitutions(offset=0x7c8)
          WstringTypeNode(offset=0x7d4) --> System
          WstringTypeNode(offset=0x7e0) --> C:\Windows\System32\Winevt\Logs\Archive-System-2012-03-14-04-17-39-932.evtx

and the rendered record:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"></Provider>
<EventID Qualifiers="">105</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>105</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-03-14 04:17:43.354563"></TimeCreated>
<EventRecordID>12049</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="820" ThreadID="2868"></Execution>
<Channel>System</Channel>
<Computer>WKS-WIN764BITB.shieldbase.local</Computer>
<Security UserID=""></Security>
</System>
<UserData><AutoBackup xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><Channel>System</Channel>
<BackupPath>C:\Windows\System32\Winevt\Logs\Archive-System-2012-03-14-04-17-39-932.evtx</BackupPath>
</AutoBackup>
</UserData>
</Event>
williballenthin commented 7 years ago

looks like offset 0x14 from the RPC data matches offset 0x18 from the evtx file data, which is the start of the bxml root node. this is good news!

let me see what happens when I try to blindly parse the RPC data using the evtx file parser.

williballenthin commented 7 years ago

hi @MrAnde7son

It looks like these two data sources use the same serialization format to encode the XML data. I think it will be possible to extend python-evtx to support the flags used by the RPC data. Unfortunately, since I hadn't seen these flags before, the parser doesn't support them yet. I'll need to spend a bit of time to get everything working together.

As a bit of background... the evtx file format allows records to share sub-structures and lets messages that re-use strings reference one another. I presume this helps with memory usage and file sizes. In the format used by the RPC service, the data is stored self-contained and in-line. I need to tweak the way the library tracks possibly shared resources such as sub-structures and strings to support this in-line mechanism.

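As an added example (not python-evtx code and not anything posted in this thread), here is the shared-versus-in-line name handling just described, run over constructed sample bytes: the evtx reader resolves a u32 chunk-relative name offset against a cache of names already seen in the chunk, the in-line reader takes the name body directly, and handing each layout to the other reader fails, which is what a blind parse runs into. Token values and the evtx name layout follow the evtx BinXML format (the record sits 0x200 into its chunk, as absolute offset 4608 minus the 4096-byte file header implies); the in-line layout, the `urn:x` value and the name hash values are assumptions made for the sample.

```python
import struct
OPEN_START, CLOSE_START, CLOSE_EMPTY, CLOSE_ELEMENT = 0x01, 0x02, 0x03, 0x04
VALUE, ATTRIBUTE, END_OF_STREAM = 0x05, 0x06, 0x00
HAS_MORE, WSTRING = 0x40, 0x01   # "attributes follow" flag bit; wstring value type
URN_VALUE = bytes([VALUE, WSTRING, 5, 0]) + "urn:x".encode("utf-16-le")  # 5-char wstring

def name_body(hash16, name):
    """hash(u16) length(u16) UTF-16LE characters, NUL terminator (hash not verified)."""
    return struct.pack("<HH", hash16, len(name)) + name.encode("utf-16-le") + b"\0\0"

def read_name_body(buf, pos):
    _hash, length = struct.unpack_from("<HH", buf, pos)
    return buf[pos + 4:pos + 4 + 2 * length].decode("utf-16-le"), pos + 6 + 2 * length

def read_evtx_name(buf, pos, chunk_base, cache):
    """evtx: u32 chunk-relative offset; the body is in-line only when it points at the
    bytes that follow, otherwise it refers back to a name stored earlier in the chunk."""
    (name_offset,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    if name_offset != chunk_base + pos:
        return cache[name_offset], pos            # KeyError if never stored
    name, end = read_name_body(buf, pos + 4)      # +4 skips the next-string link
    cache[name_offset] = name
    return name, end

def read_inline_name(buf, pos, chunk_base, cache):
    return read_name_body(buf, pos)               # assumed RPC layout: no offset field

def walk(buf, read_name, chunk_base=0):
    """Return a flat list of (event, payload) tuples for one BinXML fragment."""
    cache, pos, events = {}, 0, []
    while pos < len(buf):
        token, pos = buf[pos], pos + 1
        kind = token & ~HAS_MORE
        if kind == OPEN_START:
            pos += 6                                  # dependency id + data size
            name, pos = read_name(buf, pos, chunk_base, cache)
            pos += 4 if token & HAS_MORE else 0       # attribute list size
            events.append(("open", name))
        elif kind == ATTRIBUTE:
            name, pos = read_name(buf, pos, chunk_base, cache)
            events.append(("attr", name))
        elif kind == VALUE:
            if buf[pos] != WSTRING:
                raise ValueError("unsupported value type 0x%02x" % buf[pos])
            (length,) = struct.unpack_from("<H", buf, pos + 1)
            events.append(("value", buf[pos + 3:pos + 3 + 2 * length].decode("utf-16-le")))
            pos += 3 + 2 * length
        elif token in (CLOSE_START, CLOSE_EMPTY, CLOSE_ELEMENT):
            events.append(("close", token))
        elif token == END_OF_STREAM:
            break
        else:
            raise ValueError("unsupported token 0x%02x at %d" % (token, pos - 1))
    return events

def try_walk(buf, read_name, chunk_base=0):
    """Parse, or name the exception a reader for the wrong layout runs into."""
    try:
        return walk(buf, read_name, chunk_base)
    except (KeyError, ValueError, UnicodeDecodeError) as exc:
        return type(exc).__name__

def build_evtx_sample(chunk_base=0x200):
    """Constructed evtx-style fragment with the record 0x200 into its chunk;
    the second <System/> refers back to the name the first one stored."""
    out = bytearray()
    def inline(hash16, name):                         # offset field + link + body
        offset = chunk_base + len(out) + 4
        out.extend(struct.pack("<II", offset, 0) + name_body(hash16, name))
        return offset
    out += bytes([OPEN_START | HAS_MORE]) + struct.pack("<HI", 0xFFFF, 0)
    inline(0x0CBA, "Event")
    out += struct.pack("<I", 0) + bytes([ATTRIBUTE])  # attribute list size, then attr
    inline(0x0FBC, "xmlns")
    out += URN_VALUE + bytes([CLOSE_START, OPEN_START]) + struct.pack("<HI", 0, 0)
    system_offset = inline(0x546F, "System")
    out += bytes([CLOSE_START, CLOSE_ELEMENT, OPEN_START]) + struct.pack("<HI", 0, 0)
    out += struct.pack("<I", system_offset)           # back-reference, no body
    return bytes(out + bytes([CLOSE_EMPTY, CLOSE_ELEMENT, END_OF_STREAM]))

def build_rpc_sample():
    """The same document in the assumed in-line layout: no offsets, no sharing."""
    out = bytearray([OPEN_START | HAS_MORE]) + struct.pack("<HI", 0xFFFF, 0)
    out += name_body(0x0CBA, "Event") + struct.pack("<I", 0) + bytes([ATTRIBUTE])
    out += name_body(0x0FBC, "xmlns") + URN_VALUE + bytes([CLOSE_START])
    for closer in (bytes([CLOSE_START, CLOSE_ELEMENT]), bytes([CLOSE_EMPTY])):
        out += bytes([OPEN_START]) + struct.pack("<HI", 0, 0) + name_body(0x546F, "System") + closer
    return bytes(out + bytes([CLOSE_ELEMENT, END_OF_STREAM]))
```

Both samples walk to the same event list; the cross-checks in `try_walk` show that the evtx reader hits a missing cache entry on in-line data and the in-line reader desynchronises on evtx data.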
MrAnde7son commented 7 years ago

Awesome! Thanks @williballenthin. Looking forward to it.

Mikkgn commented 7 years ago

hi @williballenthin

I encountered the same problem and didn't find any Python library which could help me. Can I expect a function to be implemented in your library?

spinenkoia commented 3 years ago

@MrAnde7son did you manage to use the library? There is a ready-made solution: https://github.com/irtimmer/tivan/blob/master/tivan/parser/binxml.py

Sankgreall commented 2 years ago

If I can, I'd like to re-open this. My use case is slightly different, where I am using data lakes to carve event logs from super-high-fidelity storage in a memory-efficient way. Currently I am able to map out all the chunks and records using all the available documentation on the event log specification, but the BinXML issue I am finding more challenging.

Like @MrAnde7son, I have a raw byte array, except mine has just been carved from the event log file.

@spinenkoia, I have been looking at the script you linked with interest, but the data I have doesn't match the specification. Although I pass the BinXML instantiation, I error out due to having an unknown template token.

Any advice anyone can offer?