Parsing BinXML format #42

MrAnde7son · 2017-08-14T07:52:18Z

Hi,

I'm using python to pull event logs from remote machine using ms-even6 interface (https://msdn.microsoft.com/en-us/library/cc231282.aspx).
I used EvtRpcRegisterLogQuery and EvtRpcQueryNext functions which produce a byte array that contains the BinXml data of the event. While having some issues with the parsing, I came through your project. From my understanding, Evtx also contains the event as BinXml format, however, my code does not produce any chunk nor record, but only the actual BinXml format, I can't seem to understand how exactly to use your code in order to parse it correctly.
So my questions are:

Are these two binxml structures are indentical? (my guess is yes)
How can I use your code in order to parse BinXml byte array into the actual xml?

Thanks!

williballenthin · 2017-08-14T12:06:53Z

Hi @MrAnde7son

This is an interesting use case, and one I hadn't considered before. I'm not very familiar with this remote interface. I'd be happy to take a look at a sample of your tool's output and see if it looks familiar. It would certainly be neat to parse this data source with minimal extra effort.

MrAnde7son · 2017-08-14T13:51:05Z

Hi,

Thanks for the quick reply!
Here's the implementation of MS-EVEN6 interface with the use of Impacket (huge thanks to Alberto!):

from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray, NDRUniVaryingArray, NDRUNION, NDRSTRUCT
from impacket.dcerpc.v5.dtypes import WSTR, DWORD, LPWSTR, USHORT, UCHAR, ULONGLONG, ULONG, LARGE_INTEGER, GUID
from impacket import system_errors
from impacket.uuid import uuidtup_to_bin

MSRPC_UUID_EVENTLOG = uuidtup_to_bin(('F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C', '1.0'))

class DCERPCSessionError(DCERPCException):
    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__(self):
        key = self.error_code
        if system_errors.ERROR_MESSAGES.has_key(key):
            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
            return 'EVENTLOG SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
        else:
            return 'EVENTLOG SessionError: unknown error code: 0x%x' % self.error_code

################################################################################
# CONSTANTS
################################################################################

# Evt Path Flags
EvtQueryChannelName = 0x00000001
EvtQueryFilePath = 0x00000002
EvtReadNewestToLowest = 0x00000100
EvtReadLowestToNewest = 0x00000200

################################################################################
# STRUCTURES
################################################################################

class CONTEXT_HANDLE_LOG_HANDLE(NDRSTRUCT):
    align = 1
    structure = (
        ('Data', '20s=""'),
    )

class PCONTEXT_HANDLE_LOG_HANDLE(NDRPOINTER):
    referent = (
        ('Data', CONTEXT_HANDLE_LOG_HANDLE),
    )

class CONTEXT_HANDLE_LOG_QUERY(NDRSTRUCT):
    align = 1
    structure = (
        ('Data', '20s=""'),
    )

class PCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):
    referent = (
        ('Data', CONTEXT_HANDLE_LOG_QUERY),
    )

class LPPCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):
    referent = (
        ('Data', PCONTEXT_HANDLE_LOG_QUERY),
    )

class CONTEXT_HANDLE_OPERATION_CONTROL(NDRSTRUCT):
    align = 1
    structure = (
        ('Data', '20s=""'),
    )

class PCONTEXT_HANDLE_OPERATION_CONTROL(NDRPOINTER):
    referent = (
        ('Data', CONTEXT_HANDLE_OPERATION_CONTROL),
    )

class LPPCONTEXT_HANDLE_OPERATION_CONTROL(NDRPOINTER):
    referent = (
        ('Data', PCONTEXT_HANDLE_OPERATION_CONTROL),
    )

# 2.2.11 EvtRpcQueryChannelInfo
class EvtRpcQueryChannelInfo(NDRSTRUCT):
    structure = (
        ('Name', LPWSTR),
        ('Status', DWORD),
    )

class EvtRpcQueryChannelInfoArray(NDRUniVaryingArray):
    item = EvtRpcQueryChannelInfo

class LPEvtRpcQueryChannelInfoArray(NDRPOINTER):
    referent = (
        ('Data', EvtRpcQueryChannelInfoArray)
    )

class RPC_INFO(NDRSTRUCT):
    structure = (
        ('Error', DWORD),
        ('SubError', DWORD),
        ('SubErrorParam', DWORD),
    )

class PRPC_INFO(NDRPOINTER):
    referent = (
        ('Data', RPC_INFO)
    )

class WSTR_ARRAY(NDRUniConformantArray):
    item = WSTR

class DWORD_ARRAY(NDRUniVaryingArray):
    item = DWORD

class LPDWORD_ARRAY(NDRPOINTER):
    referent = (
        ('Data', DWORD_ARRAY)
    )

class BYTE_ARRAY(NDRUniVaryingArray):
    item = 'c'

class LPBYTE_ARRAY(NDRPOINTER):
    referent = (
        ('Data', BYTE_ARRAY)
    )

class ULONG_ARRAY(NDRUniConformantArray):
    item = ULONG

# 2.3.1 EVENT_DESCRIPTOR
class EVENT_DESCRIPTOR(NDRSTRUCT):
    structure = (
        ('Id', USHORT),
        ('Version', UCHAR),
        ('Channel', UCHAR),
        ('Level', UCHAR),
        ('Opcode', UCHAR),
        ('Task', USHORT),
        ('Keyword', ULONGLONG),
    )

class PROCESSOR_TIME(NDRUNION):
    commonHdr = (
        ('ProcessorTime', ULONGLONG),
    )
    structure = (
        ('KernelTime', ULONG),
        ('UserTime', ULONG),
    )

# 2.3.2 EVENT_HEADER
class EVENT_HEADER(NDRSTRUCT):
    structure = (
        ('Size', USHORT),
        ('HeaderType', USHORT),
        ('Flags', USHORT),
        ('EventProperty', USHORT),
        ('ThreadId', ULONG),
        ('TimeStamp', LARGE_INTEGER),
        ('ProviderId', GUID),
        ('EventDescriptor', EVENT_DESCRIPTOR),
        ('ProcessorTime', PROCESSOR_TIME),
        ('ActivityId', GUID),
    )

#2.2.17 RESULT_SET
class RESULT_SET(NDRSTRUCT):
    structure = (
        ('TotalSize', DWORD),
        ('HeaderSize', '<L=0x10'),
        ('EventOffset', '<L=0x10'),
        ('BookmarkOffset', DWORD),
        ('BinXmlSize', DWORD),
        ('EventData', BYTE_ARRAY),
        ('NumberOfSubqueryIDs', DWORD),
        ('SubqueryIDs', DWORD),
        ('BookMarkData', BYTE_ARRAY),
        ('BookmarkSize', DWORD),
        ('HeaderSize', '<L=0x18'),
        ('ChannelSize', DWORD),
        ('ReadDirection', DWORD),
        ('RecordIdsOffset', DWORD),
        ('LogRecordNumbers', ULONG_ARRAY),
    )
#2.2.18 BinXmlVariant
class BinXmlVariant(NDRSTRUCT):
    structure = (
        ('Union', BYTE_ARRAY),
        ('Count', DWORD),
        ('Type', DWORD),
    )

################################################################################
# RPC CALLS
################################################################################

class EvtRpcRegisterLogQuery(NDRCALL):
    opnum = 5
    structure = (
        ('Path', LPWSTR),
        ('Query', WSTR),
        ('Flags', DWORD),
    )

class EvtRpcRegisterLogQueryResponse(NDRCALL):
    structure = (
        ('Handle', CONTEXT_HANDLE_LOG_QUERY),
        ('OpControl', CONTEXT_HANDLE_OPERATION_CONTROL),
        ('QueryChannelInfoSize', DWORD),
        ('QueryChannelInfo', EvtRpcQueryChannelInfoArray),
        ('Error', RPC_INFO),
        )

class EvtRpcQueryNext(NDRCALL):
    opnum = 11
    structure = (
        ('LogQuery', CONTEXT_HANDLE_LOG_QUERY),
        ('NumRequestedRecords', DWORD),
        ('TimeOutEnd', DWORD),
        ('Flags', DWORD),
    )

class EvtRpcQueryNextResponse(NDRCALL):
    structure = (
        ('NumActualRecords', DWORD),
        ('EventDataIndices', DWORD_ARRAY),
        ('EventDataSizes', DWORD_ARRAY),
        ('ResultBufferSize', DWORD),
        ('ResultBuffer', BYTE_ARRAY),
        ('ErrorCode', ULONG),
    )

class EvtRpcQuerySeek(NDRCALL):
    opnum = 12
    structure = (
        ('LogQuery', CONTEXT_HANDLE_LOG_QUERY),
        ('Pos', LARGE_INTEGER),
        ('BookmarkXML', LPWSTR),
        ('Flags', DWORD),
    )

class EvtRpcQuerySeekResponse(NDRCALL):
    structure = (
        ('Error', RPC_INFO),
    )

class EvtRpcClose(NDRCALL):
    opnum = 13
    structure = (
        ("Handle", CONTEXT_HANDLE_LOG_HANDLE),
    )

class EvtRpcCloseResponse(NDRCALL):
    structure = (
        ("Handle", PCONTEXT_HANDLE_LOG_HANDLE),
        ('ErrorCode', ULONG),
    )

class EvtRpcOpenLogHandle(NDRCALL):
    opnum = 17
    structure = (
        ('Channel', WSTR),
        ('Flags', DWORD),
    )

class EvtRpcOpenLogHandleResponse(NDRCALL):
    structure = (
        ('Handle', PCONTEXT_HANDLE_LOG_HANDLE),
        ('Error', RPC_INFO),
    )

class EvtRpcGetChannelList(NDRCALL):
    opnum = 19
    structure = (
        ('Flags', DWORD),
    )

class EvtRpcGetChannelListResponse(NDRCALL):
    structure = (
        ('NumChannelPaths', DWORD),
        ('ChannelPaths', WSTR_ARRAY),
        ('ErrorCode', ULONG),
    )

################################################################################
# OPNUMs and their corresponding structures
################################################################################

OPNUMS = {
    5   : (EvtRpcRegisterLogQuery, EvtRpcRegisterLogQueryResponse),
    11  : (EvtRpcQueryNext,  EvtRpcQueryNextResponse),
    12  : (EvtRpcQuerySeek, EvtRpcQuerySeekResponse),
    13  : (EvtRpcClose, EvtRpcCloseResponse),
    17  : (EvtRpcOpenLogHandle, EvtRpcOpenLogHandle),
    19  : (EvtRpcGetChannelList, EvtRpcGetChannelListResponse),
}

################################################################################
# HELPER FUNCTIONS
################################################################################

def hEvtRpcGetChannelList(dce):
    request = EvtRpcGetChannelList()

    request['Flags'] = 0
    status = system_errors.ERROR_MORE_DATA
    resp = dce.request(request)
    while status == system_errors.ERROR_MORE_DATA:
        try:
            resp = dce.request(request)
        except DCERPCException, e:
            if str(e).find('ERROR_MORE_DATA') < 0:
                raise
            resp = e.get_packet()
        return resp


def hEvtRpcRegisterLogQuery(dce, path, flags, query='*\x00'):
    request = EvtRpcRegisterLogQuery()

    request['Path'] = path
    request['Query'] = query
    request['Flags'] = flags
    resp = dce.request(request)
    return resp

def hEvtRpcQueryNext(dce, handle, numRequestedRecords, timeOutEnd):
    request = EvtRpcQueryNext()

    request['LogQuery'] = handle
    request['NumRequestedRecords'] = numRequestedRecords
    request['TimeOutEnd'] = timeOutEnd
    request['Flags'] = 0
    resp = dce.request(request)
    return resp

def hEvtRpcClose(dce, handle):
    request = EvtRpcClose()
    request['Handle'] = handle
    resp = dce.request(request)
    return resp

def hEvtRpcOpenLogHandle(dce, channel, flags):
    request = EvtRpcOpenLogHandle()

    request['Channel'] = channel
    request['Flags'] = flags
    return dce.request(request)

And here's the actual connection and data collection, this code uses EvtRpcRegisterLogQuery function which returns a context handle, used to pull the actual events by using EvtRpcQueryNext function.

from impacket.dcerpc.v5 import transport, samr, srvs, wkst, scmr, drsuapi, dhcpm
import logging
from impacket.ldap import ldap
from impacket.dcerpc.v5.epm import hept_map
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_GSS_NEGOTIATE
import eventlog
from socket import gethostbyaddr
import re
import mmap, hexdump


class Connection(object):
    def __init__(self, target, username=str(), password=str(), domain=str(), krb=True):
        self.target, self.username, self.password, self.domain = target, username, password, domain,
        self.krb = krb
        if re.match('\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', self.target):
            try:
                if gethostbyaddr(self.target)[0] == self.domain:
                    self.target = gethostbyaddr(self.target)[1][-1] + "." + self.domain
                else:
                    self.target = gethostbyaddr(self.target)[0]
            except:
                self.krb = False


class DCERPCConnection(Connection):
    binding_strings = dict()
    binding_strings['dhcpserver'] = dhcpm.MSRPC_UUID_DHCPSRV
    binding_strings['eventlog'] = eventlog.MSRPC_UUID_EVENTLOG

    def __init__(self, target, pipe, username=str(), password=str(), domain=str(), krb=True):
        Connection.__init__(self, target=target, username=username, password=password, domain=domain,
                            krb=krb)
        self.pipe = pipe
        bind = self.binding_strings[self.pipe[1:]]
        self.string_binding = hept_map(self.target, bind, protocol='ncacn_ip_tcp')
        rpctransport = transport.DCERPCTransportFactory(self.string_binding)
        rpctransport.set_credentials(self.username, self.password, self.domain)
        self.dce = rpctransport.get_dce_rpc()
        if krb:
            rpctransport.set_kerberos(True, domain)
            self.dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)

    def connect(self):
        try:
            self.dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
            bind = self.binding_strings[self.pipe[1:]]
            self.dce.connect()
            self.dce.bind(bind)
        except transport.DCERPCException, e:
            logging.error("DCERPC Connection failed. Error: %s." % e.error_string)
        return self.dce


username = 'Administrator'
password = 'Password'
domain = 'company.com'
address = 'dc.company.com'
connection = DCERPCConnection(address, '\eventlog', username, password, domain, True)
dce = connection.connect()

channel = 'Security\x00'
flags = eventlog.EvtQueryChannelName | eventlog.EvtReadNewestToLowest
query = '*\x00'
query = """<?xml version="1.0" encoding="UTF-8"?><QueryList><Query Id="0">
<Select Path="Security">*[System[(EventID=4624)]]</Select>
</Query></QueryList>\x00"""
resp = eventlog.hEvtRpcRegisterLogQuery(dce=dce, path=channel, flags=flags, query='*\x00')
log_handle = resp['Handle']
ctrl_handle = resp['OpControl']
resp = eventlog.hEvtRpcQueryNext(dce, log_handle, 5, 1000)

for i in range(resp['NumActualRecords']):
    event_offset = resp['EventDataIndices'][i]['Data']
    event_size = resp['EventDataSizes'][i]['Data']
    event = resp['ResultBuffer'][event_offset:event_offset + event_size]
    buff = ''.join([x.encode('hex') for x in event]).decode('hex')
    print hexdump.hexdump(buff)
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"

resp = eventlog.hEvtRpcClose(dce, log_handle)
resp = eventlog.hEvtRpcClose(dce, ctrl_handle)

Then, as you can see, I'm iterating through the results and print hexdump of each event. My goal is to get the actual XML representation of the event.

Thanks in advance!!!

williballenthin · 2017-08-14T14:03:07Z

Wow, this looks really neat!

Do you happen to have a sample of the output and binary data handy? Alternatively, I can install the the dependencies and get the above script working locally, but it'll take me a bit longer to get a quick triage back.

MrAnde7son · 2017-08-14T14:36:23Z

Sure, no problem!

00000000: 37 05 00 00 10 00 00 00  10 00 00 00 17 05 00 00  7...............
00000010: FF 04 00 00 0F 01 01 00  0C 00 EC C7 48 63 15 65  ............Hc.e
00000020: 54 86 95 DF 5E B5 B3 D3  27 DA C6 03 00 00 0F 01  T...^...'.......
00000030: 01 00 41 11 00 BA 03 00  00 BA 0C 05 00 45 00 76  ..A..........E.v
00000040: 00 65 00 6E 00 74 00 00  00 7F 00 00 00 06 BC 0F  .e.n.t..........
00000050: 05 00 78 00 6D 00 6C 00  6E 00 73 00 00 00 05 01  ..x.m.l.n.s.....
00000060: 35 00 68 00 74 00 74 00  70 00 3A 00 2F 00 2F 00  5.h.t.t.p.:././.
00000070: 73 00 63 00 68 00 65 00  6D 00 61 00 73 00 2E 00  s.c.h.e.m.a.s...
00000080: 6D 00 69 00 63 00 72 00  6F 00 73 00 6F 00 66 00  m.i.c.r.o.s.o.f.
00000090: 74 00 2E 00 63 00 6F 00  6D 00 2F 00 77 00 69 00  t...c.o.m./.w.i.
000000A0: 6E 00 2F 00 32 00 30 00  30 00 34 00 2F 00 30 00  n./.2.0.0.4./.0.
000000B0: 38 00 2F 00 65 00 76 00  65 00 6E 00 74 00 73 00  8./.e.v.e.n.t.s.
000000C0: 2F 00 65 00 76 00 65 00  6E 00 74 00 02 01 FF FF  /.e.v.e.n.t.....
000000D0: 1A 03 00 00 6F 54 06 00  53 00 79 00 73 00 74 00  ....oT..S.y.s.t.
000000E0: 65 00 6D 00 00 00 02 41  FF FF 41 00 00 00 F1 7B  e.m....A..A....{
000000F0: 08 00 50 00 72 00 6F 00  76 00 69 00 64 00 65 00  ..P.r.o.v.i.d.e.
00000100: 72 00 00 00 26 00 00 00  46 4B 95 04 00 4E 00 61  r...&...FK...N.a
00000110: 00 6D 00 65 00 00 00 0E  0E 00 01 06 29 15 04 00  .m.e........)...
00000120: 47 00 75 00 69 00 64 00  00 00 0E 0F 00 0F 03 41  G.u.i.d........A
00000130: 03 00 3D 00 00 00 F5 61  07 00 45 00 76 00 65 00  ..=....a..E.v.e.
00000140: 6E 00 74 00 49 00 44 00  00 00 1F 00 00 00 06 29  n.t.I.D........)
00000150: DA 0A 00 51 00 75 00 61  00 6C 00 69 00 66 00 69  ...Q.u.a.l.i.f.i
00000160: 00 65 00 72 00 73 00 00  00 0E 04 00 06 02 0E 03  .e.r.s..........
00000170: 00 06 04 01 0B 00 1A 00  00 00 18 09 07 00 56 00  ..............V.
00000180: 65 00 72 00 73 00 69 00  6F 00 6E 00 00 00 02 0E  e.r.s.i.o.n.....
00000190: 0B 00 04 04 01 00 00 16  00 00 00 64 CE 05 00 4C  ...........d...L
000001A0: 00 65 00 76 00 65 00 6C  00 00 00 02 0E 00 00 04  .e.v.e.l........
000001B0: 04 01 02 00 14 00 00 00  45 7B 04 00 54 00 61 00  ........E{..T.a.
000001C0: 73 00 6B 00 00 00 02 0E  02 00 06 04 01 01 00 18  s.k.............
000001D0: 00 00 00 AE 1E 06 00 4F  00 70 00 63 00 6F 00 64  .......O.p.c.o.d
000001E0: 00 65 00 00 00 02 0E 01  00 04 04 01 05 00 1C 00  .e..............
000001F0: 00 00 6A CF 08 00 4B 00  65 00 79 00 77 00 6F 00  ..j...K.e.y.w.o.
00000200: 72 00 64 00 73 00 00 00  02 0E 05 00 15 04 41 FF  r.d.s.........A.
00000210: FF 40 00 00 00 3B 8E 0B  00 54 00 69 00 6D 00 65  .@...;...T.i.m.e
00000220: 00 43 00 72 00 65 00 61  00 74 00 65 00 64 00 00  .C.r.e.a.t.e.d..
00000230: 00 1F 00 00 00 06 3C 7B  0A 00 53 00 79 00 73 00  ......<{..S.y.s.
00000240: 74 00 65 00 6D 00 54 00  69 00 6D 00 65 00 00 00  t.e.m.T.i.m.e...
00000250: 0E 06 00 11 03 01 0A 00  26 00 00 00 46 03 0D 00  ........&...F...
00000260: 45 00 76 00 65 00 6E 00  74 00 52 00 65 00 63 00  E.v.e.n.t.R.e.c.
00000270: 6F 00 72 00 64 00 49 00  44 00 00 00 02 0E 0A 00  o.r.d.I.D.......
00000280: 0A 04 41 FF FF 6D 00 00  00 A2 F2 0B 00 43 00 6F  ..A..m.......C.o
00000290: 00 72 00 72 00 65 00 6C  00 61 00 74 00 69 00 6F  .r.r.e.l.a.t.i.o
000002A0: 00 6E 00 00 00 4C 00 00  00 46 0A F1 0A 00 41 00  .n...L...F....A.
000002B0: 63 00 74 00 69 00 76 00  69 00 74 00 79 00 49 00  c.t.i.v.i.t.y.I.
000002C0: 44 00 00 00 0E 07 00 0F  06 35 C5 11 00 52 00 65  D........5...R.e
000002D0: 00 6C 00 61 00 74 00 65  00 64 00 41 00 63 00 74  .l.a.t.e.d.A.c.t
000002E0: 00 69 00 76 00 69 00 74  00 79 00 49 00 44 00 00  .i.v.i.t.y.I.D..
000002F0: 00 0E 0D 00 0F 03 41 FF  FF 55 00 00 00 B8 B5 09  ......A..U......
00000300: 00 45 00 78 00 65 00 63  00 75 00 74 00 69 00 6F  .E.x.e.c.u.t.i.o
00000310: 00 6E 00 00 00 38 00 00  00 46 0A D7 09 00 50 00  .n...8...F....P.
00000320: 72 00 6F 00 63 00 65 00  73 00 73 00 49 00 44 00  r.o.c.e.s.s.I.D.
00000330: 00 00 0E 08 00 08 06 85  39 08 00 54 00 68 00 72  ........9..T.h.r
00000340: 00 65 00 61 00 64 00 49  00 44 00 00 00 0E 09 00  .e.a.d.I.D......
00000350: 08 03 01 10 00 1A 00 00  00 83 61 07 00 43 00 68  ..........a..C.h
00000360: 00 61 00 6E 00 6E 00 65  00 6C 00 00 00 02 0E 10  .a.n.n.e.l......
00000370: 00 01 04 01 FF FF 3A 00  00 00 3B 6E 08 00 43 00  ......:...;n..C.
00000380: 6F 00 6D 00 70 00 75 00  74 00 65 00 72 00 00 00  o.m.p.u.t.e.r...
00000390: 02 05 01 0F 00 57 00 49  00 4E 00 2D 00 44 00 36  .....W.I.N.-.D.6
000003A0: 00 43 00 39 00 53 00 4F  00 31 00 4F 00 34 00 51  .C.9.S.O.1.O.4.Q
000003B0: 00 53 00 04 41 FF FF 32  00 00 00 A0 2E 08 00 53  .S..A..2.......S
000003C0: 00 65 00 63 00 75 00 72  00 69 00 74 00 79 00 00  .e.c.u.r.i.t.y..
000003D0: 00 17 00 00 00 06 66 4C  06 00 55 00 73 00 65 00  ......fL..U.s.e.
000003E0: 72 00 49 00 44 00 00 00  0E 0C 00 13 03 04 0E 11  r.I.D...........
000003F0: 00 21 04 00 12 00 00 00  01 00 04 00 01 00 04 00  .!..............
00000400: 02 00 06 00 02 00 06 00  00 00 00 00 08 00 15 00  ................
00000410: 08 00 11 00 00 00 00 00  04 00 08 00 04 00 08 00  ................
00000420: 08 00 0A 00 01 00 04 00  00 00 00 00 00 00 00 00  ................
00000430: 46 00 01 00 10 00 0F 00  10 00 01 00 45 00 21 00  F...........E.!.
00000440: 00 00 00 30 00 12 00 00  00 00 00 00 20 80 4F E6  ...0........ .O.
00000450: BF 54 D6 F9 D2 01 0C 02  00 00 10 02 00 00 01 00  .T..............
00000460: 00 00 00 00 00 00 00 4D  00 69 00 63 00 72 00 6F  .......M.i.c.r.o
00000470: 00 73 00 6F 00 66 00 74  00 2D 00 57 00 69 00 6E  .s.o.f.t.-.W.i.n
00000480: 00 64 00 6F 00 77 00 73  00 2D 00 53 00 65 00 63  .d.o.w.s.-.S.e.c
00000490: 00 75 00 72 00 69 00 74  00 79 00 2D 00 41 00 75  .u.r.i.t.y.-.A.u
000004A0: 00 64 00 69 00 74 00 69  00 6E 00 67 00 25 96 84  .d.i.t.i.n.g.%..
000004B0: 54 78 54 94 49 A5 BA 3E  3B 03 28 C3 0D 53 00 65  TxT.I..>;.(..S.e
000004C0: 00 63 00 75 00 72 00 69  00 74 00 79 00 0F 01 01  .c.u.r.i.t.y....
000004D0: 00 0C 00 DD 26 CE EE CB  7C D6 0D 8E 03 70 1A 29  ....&...|....p.)
000004E0: B7 63 EE 26 00 00 00 0F  01 01 00 01 FF FF 1A 00  .c.&............
000004F0: 00 00 44 82 09 00 45 00  76 00 65 00 6E 00 74 00  ..D...E.v.e.n.t.
00000500: 44 00 61 00 74 00 61 00  00 00 02 04 00 00 00 00  D.a.t.a.........
00000510: 00 00 00 00 00 00 00 20  00 00 00 18 00 00 00 01  ....... ........
00000520: 00 00 00 00 00 00 00 00  00 00 00 18 00 00 00 01  ................
00000530: 00 00 00 00 00 00 00                              .......
None
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00000000: 5D 0C 00 00 10 00 00 00  10 00 00 00 3D 0C 00 00  ]...........=...
00000010: 25 0C 00 00 0F 01 01 00  0C 00 EC C7 48 63 15 65  %...........Hc.e
00000020: 54 86 95 DF 5E B5 B3 D3  27 DA C6 03 00 00 0F 01  T...^...'.......
00000030: 01 00 41 11 00 BA 03 00  00 BA 0C 05 00 45 00 76  ..A..........E.v
00000040: 00 65 00 6E 00 74 00 00  00 7F 00 00 00 06 BC 0F  .e.n.t..........
00000050: 05 00 78 00 6D 00 6C 00  6E 00 73 00 00 00 05 01  ..x.m.l.n.s.....
00000060: 35 00 68 00 74 00 74 00  70 00 3A 00 2F 00 2F 00  5.h.t.t.p.:././.
00000070: 73 00 63 00 68 00 65 00  6D 00 61 00 73 00 2E 00  s.c.h.e.m.a.s...
00000080: 6D 00 69 00 63 00 72 00  6F 00 73 00 6F 00 66 00  m.i.c.r.o.s.o.f.
00000090: 74 00 2E 00 63 00 6F 00  6D 00 2F 00 77 00 69 00  t...c.o.m./.w.i.
000000A0: 6E 00 2F 00 32 00 30 00  30 00 34 00 2F 00 30 00  n./.2.0.0.4./.0.
000000B0: 38 00 2F 00 65 00 76 00  65 00 6E 00 74 00 73 00  8./.e.v.e.n.t.s.
000000C0: 2F 00 65 00 76 00 65 00  6E 00 74 00 02 01 FF FF  /.e.v.e.n.t.....
000000D0: 1A 03 00 00 6F 54 06 00  53 00 79 00 73 00 74 00  ....oT..S.y.s.t.
000000E0: 65 00 6D 00 00 00 02 41  FF FF 41 00 00 00 F1 7B  e.m....A..A....{
000000F0: 08 00 50 00 72 00 6F 00  76 00 69 00 64 00 65 00  ..P.r.o.v.i.d.e.
00000100: 72 00 00 00 26 00 00 00  46 4B 95 04 00 4E 00 61  r...&...FK...N.a
00000110: 00 6D 00 65 00 00 00 0E  0E 00 01 06 29 15 04 00  .m.e........)...
00000120: 47 00 75 00 69 00 64 00  00 00 0E 0F 00 0F 03 41  G.u.i.d........A
00000130: 03 00 3D 00 00 00 F5 61  07 00 45 00 76 00 65 00  ..=....a..E.v.e.
00000140: 6E 00 74 00 49 00 44 00  00 00 1F 00 00 00 06 29  n.t.I.D........)
00000150: DA 0A 00 51 00 75 00 61  00 6C 00 69 00 66 00 69  ...Q.u.a.l.i.f.i
00000160: 00 65 00 72 00 73 00 00  00 0E 04 00 06 02 0E 03  .e.r.s..........
00000170: 00 06 04 01 0B 00 1A 00  00 00 18 09 07 00 56 00  ..............V.
00000180: 65 00 72 00 73 00 69 00  6F 00 6E 00 00 00 02 0E  e.r.s.i.o.n.....
00000190: 0B 00 04 04 01 00 00 16  00 00 00 64 CE 05 00 4C  ...........d...L
000001A0: 00 65 00 76 00 65 00 6C  00 00 00 02 0E 00 00 04  .e.v.e.l........
000001B0: 04 01 02 00 14 00 00 00  45 7B 04 00 54 00 61 00  ........E{..T.a.
000001C0: 73 00 6B 00 00 00 02 0E  02 00 06 04 01 01 00 18  s.k.............
000001D0: 00 00 00 AE 1E 06 00 4F  00 70 00 63 00 6F 00 64  .......O.p.c.o.d
000001E0: 00 65 00 00 00 02 0E 01  00 04 04 01 05 00 1C 00  .e..............
000001F0: 00 00 6A CF 08 00 4B 00  65 00 79 00 77 00 6F 00  ..j...K.e.y.w.o.
00000200: 72 00 64 00 73 00 00 00  02 0E 05 00 15 04 41 FF  r.d.s.........A.
00000210: FF 40 00 00 00 3B 8E 0B  00 54 00 69 00 6D 00 65  .@...;...T.i.m.e
00000220: 00 43 00 72 00 65 00 61  00 74 00 65 00 64 00 00  .C.r.e.a.t.e.d..
00000230: 00 1F 00 00 00 06 3C 7B  0A 00 53 00 79 00 73 00  ......<{..S.y.s.
00000240: 74 00 65 00 6D 00 54 00  69 00 6D 00 65 00 00 00  t.e.m.T.i.m.e...
00000250: 0E 06 00 11 03 01 0A 00  26 00 00 00 46 03 0D 00  ........&...F...
00000260: 45 00 76 00 65 00 6E 00  74 00 52 00 65 00 63 00  E.v.e.n.t.R.e.c.
00000270: 6F 00 72 00 64 00 49 00  44 00 00 00 02 0E 0A 00  o.r.d.I.D.......
00000280: 0A 04 41 FF FF 6D 00 00  00 A2 F2 0B 00 43 00 6F  ..A..m.......C.o
00000290: 00 72 00 72 00 65 00 6C  00 61 00 74 00 69 00 6F  .r.r.e.l.a.t.i.o
000002A0: 00 6E 00 00 00 4C 00 00  00 46 0A F1 0A 00 41 00  .n...L...F....A.
000002B0: 63 00 74 00 69 00 76 00  69 00 74 00 79 00 49 00  c.t.i.v.i.t.y.I.
000002C0: 44 00 00 00 0E 07 00 0F  06 35 C5 11 00 52 00 65  D........5...R.e
000002D0: 00 6C 00 61 00 74 00 65  00 64 00 41 00 63 00 74  .l.a.t.e.d.A.c.t
000002E0: 00 69 00 76 00 69 00 74  00 79 00 49 00 44 00 00  .i.v.i.t.y.I.D..
000002F0: 00 0E 0D 00 0F 03 41 FF  FF 55 00 00 00 B8 B5 09  ......A..U......
00000300: 00 45 00 78 00 65 00 63  00 75 00 74 00 69 00 6F  .E.x.e.c.u.t.i.o
00000310: 00 6E 00 00 00 38 00 00  00 46 0A D7 09 00 50 00  .n...8...F....P.
00000320: 72 00 6F 00 63 00 65 00  73 00 73 00 49 00 44 00  r.o.c.e.s.s.I.D.
00000330: 00 00 0E 08 00 08 06 85  39 08 00 54 00 68 00 72  ........9..T.h.r
00000340: 00 65 00 61 00 64 00 49  00 44 00 00 00 0E 09 00  .e.a.d.I.D......
00000350: 08 03 01 10 00 1A 00 00  00 83 61 07 00 43 00 68  ..........a..C.h
00000360: 00 61 00 6E 00 6E 00 65  00 6C 00 00 00 02 0E 10  .a.n.n.e.l......
00000370: 00 01 04 01 FF FF 3A 00  00 00 3B 6E 08 00 43 00  ......:...;n..C.
00000380: 6F 00 6D 00 70 00 75 00  74 00 65 00 72 00 00 00  o.m.p.u.t.e.r...
00000390: 02 05 01 0F 00 57 00 49  00 4E 00 2D 00 44 00 36  .....W.I.N.-.D.6
000003A0: 00 43 00 39 00 53 00 4F  00 31 00 4F 00 34 00 51  .C.9.S.O.1.O.4.Q
000003B0: 00 53 00 04 41 FF FF 32  00 00 00 A0 2E 08 00 53  .S..A..2.......S
000003C0: 00 65 00 63 00 75 00 72  00 69 00 74 00 79 00 00  .e.c.u.r.i.t.y..
000003D0: 00 17 00 00 00 06 66 4C  06 00 55 00 73 00 65 00  ......fL..U.s.e.
000003E0: 72 00 49 00 44 00 00 00  0E 0C 00 13 03 04 0E 11  r.I.D...........
000003F0: 00 21 04 00 12 00 00 00  01 00 04 00 01 00 04 00  .!..............
00000400: 02 00 06 00 02 00 06 00  00 00 00 00 08 00 15 00  ................
00000410: 08 00 11 00 00 00 00 00  04 00 08 00 04 00 08 00  ................
00000420: 08 00 0A 00 01 00 04 00  00 00 00 00 00 00 00 00  ................
00000430: 46 00 01 00 10 00 0F 00  10 00 01 00 6B 07 21 00  F...........k.!.
00000440: 00 00 00 31 10 12 00 00  00 00 00 00 20 80 0B 43  ...1........ ..C
00000450: C2 54 D6 F9 D2 01 0C 02  00 00 10 02 00 00 02 00  .T..............
00000460: 00 00 00 00 00 00 01 4D  00 69 00 63 00 72 00 6F  .......M.i.c.r.o
00000470: 00 73 00 6F 00 66 00 74  00 2D 00 57 00 69 00 6E  .s.o.f.t.-.W.i.n
00000480: 00 64 00 6F 00 77 00 73  00 2D 00 53 00 65 00 63  .d.o.w.s.-.S.e.c
00000490: 00 75 00 72 00 69 00 74  00 79 00 2D 00 41 00 75  .u.r.i.t.y.-.A.u
000004A0: 00 64 00 69 00 74 00 69  00 6E 00 67 00 25 96 84  .d.i.t.i.n.g.%..
000004B0: 54 78 54 94 49 A5 BA 3E  3B 03 28 C3 0D 53 00 65  TxT.I..>;.(..S.e
000004C0: 00 63 00 75 00 72 00 69  00 74 00 79 00 0F 01 01  .c.u.r.i.t.y....
000004D0: 00 0C 00 C9 1A 65 C0 04  9A 4F 60 DE B0 F1 72 FF  .....e...O`...r.
000004E0: 8F E0 E8 78 06 00 00 0F  01 01 00 01 FF FF 6C 06  ...x..........l.
000004F0: 00 00 44 82 09 00 45 00  76 00 65 00 6E 00 74 00  ..D...E.v.e.n.t.
00000500: 44 00 61 00 74 00 61 00  00 00 02 41 FF FF 47 00  D.a.t.a....A..G.
00000510: 00 00 8A 6F 04 00 44 00  61 00 74 00 61 00 00 00  ...o..D.a.t.a...
00000520: 2F 00 00 00 06 4B 95 04  00 4E 00 61 00 6D 00 65  /....K...N.a.m.e
00000530: 00 00 00 05 01 0E 00 53  00 75 00 62 00 6A 00 65  .......S.u.b.j.e
00000540: 00 63 00 74 00 55 00 73  00 65 00 72 00 53 00 69  .c.t.U.s.e.r.S.i
00000550: 00 64 00 02 0D 00 00 13  04 41 FF FF 49 00 00 00  .d.......A..I...
00000560: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 31 00  .o..D.a.t.a...1.
00000570: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000580: 00 05 01 0F 00 53 00 75  00 62 00 6A 00 65 00 63  .....S.u.b.j.e.c
00000590: 00 74 00 55 00 73 00 65  00 72 00 4E 00 61 00 6D  .t.U.s.e.r.N.a.m
000005A0: 00 65 00 02 0D 01 00 01  04 41 FF FF 4D 00 00 00  .e.......A..M...
000005B0: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 35 00  .o..D.a.t.a...5.
000005C0: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
000005D0: 00 05 01 11 00 53 00 75  00 62 00 6A 00 65 00 63  .....S.u.b.j.e.c
000005E0: 00 74 00 44 00 6F 00 6D  00 61 00 69 00 6E 00 4E  .t.D.o.m.a.i.n.N
000005F0: 00 61 00 6D 00 65 00 02  0D 02 00 01 04 41 FF FF  .a.m.e.......A..
00000600: 47 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  G....o..D.a.t.a.
00000610: 00 00 2F 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ../....K...N.a.m
00000620: 00 65 00 00 00 05 01 0E  00 53 00 75 00 62 00 6A  .e.......S.u.b.j
00000630: 00 65 00 63 00 74 00 4C  00 6F 00 67 00 6F 00 6E  .e.c.t.L.o.g.o.n
00000640: 00 49 00 64 00 02 0D 03  00 15 04 41 FF FF 45 00  .I.d.......A..E.
00000650: 00 00 8A 6F 04 00 44 00  61 00 74 00 61 00 00 00  ...o..D.a.t.a...
00000660: 2D 00 00 00 06 4B 95 04  00 4E 00 61 00 6D 00 65  -....K...N.a.m.e
00000670: 00 00 00 05 01 0D 00 54  00 61 00 72 00 67 00 65  .......T.a.r.g.e
00000680: 00 74 00 55 00 73 00 65  00 72 00 53 00 69 00 64  .t.U.s.e.r.S.i.d
00000690: 00 02 0D 04 00 13 04 41  FF FF 47 00 00 00 8A 6F  .......A..G....o
000006A0: 04 00 44 00 61 00 74 00  61 00 00 00 2F 00 00 00  ..D.a.t.a.../...
000006B0: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
000006C0: 01 0E 00 54 00 61 00 72  00 67 00 65 00 74 00 55  ...T.a.r.g.e.t.U
000006D0: 00 73 00 65 00 72 00 4E  00 61 00 6D 00 65 00 02  .s.e.r.N.a.m.e..
000006E0: 0D 05 00 01 04 41 FF FF  4B 00 00 00 8A 6F 04 00  .....A..K....o..
000006F0: 44 00 61 00 74 00 61 00  00 00 33 00 00 00 06 4B  D.a.t.a...3....K
00000700: 95 04 00 4E 00 61 00 6D  00 65 00 00 00 05 01 10  ...N.a.m.e......
00000710: 00 54 00 61 00 72 00 67  00 65 00 74 00 44 00 6F  .T.a.r.g.e.t.D.o
00000720: 00 6D 00 61 00 69 00 6E  00 4E 00 61 00 6D 00 65  .m.a.i.n.N.a.m.e
00000730: 00 02 0D 06 00 01 04 41  FF FF 45 00 00 00 8A 6F  .......A..E....o
00000740: 04 00 44 00 61 00 74 00  61 00 00 00 2D 00 00 00  ..D.a.t.a...-...
00000750: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
00000760: 01 0D 00 54 00 61 00 72  00 67 00 65 00 74 00 4C  ...T.a.r.g.e.t.L
00000770: 00 6F 00 67 00 6F 00 6E  00 49 00 64 00 02 0D 07  .o.g.o.n.I.d....
00000780: 00 15 04 41 FF FF 3D 00  00 00 8A 6F 04 00 44 00  ...A..=....o..D.
00000790: 61 00 74 00 61 00 00 00  25 00 00 00 06 4B 95 04  a.t.a...%....K..
000007A0: 00 4E 00 61 00 6D 00 65  00 00 00 05 01 09 00 4C  .N.a.m.e.......L
000007B0: 00 6F 00 67 00 6F 00 6E  00 54 00 79 00 70 00 65  .o.g.o.n.T.y.p.e
000007C0: 00 02 0D 08 00 08 04 41  FF FF 4B 00 00 00 8A 6F  .......A..K....o
000007D0: 04 00 44 00 61 00 74 00  61 00 00 00 33 00 00 00  ..D.a.t.a...3...
000007E0: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
000007F0: 01 10 00 4C 00 6F 00 67  00 6F 00 6E 00 50 00 72  ...L.o.g.o.n.P.r
00000800: 00 6F 00 63 00 65 00 73  00 73 00 4E 00 61 00 6D  .o.c.e.s.s.N.a.m
00000810: 00 65 00 02 0D 09 00 01  04 41 FF FF 5D 00 00 00  .e.......A..]...
00000820: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 45 00  .o..D.a.t.a...E.
00000830: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000840: 00 05 01 19 00 41 00 75  00 74 00 68 00 65 00 6E  .....A.u.t.h.e.n
00000850: 00 74 00 69 00 63 00 61  00 74 00 69 00 6F 00 6E  .t.i.c.a.t.i.o.n
00000860: 00 50 00 61 00 63 00 6B  00 61 00 67 00 65 00 4E  .P.a.c.k.a.g.e.N
00000870: 00 61 00 6D 00 65 00 02  0D 0A 00 01 04 41 FF FF  .a.m.e.......A..
00000880: 49 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  I....o..D.a.t.a.
00000890: 00 00 31 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..1....K...N.a.m
000008A0: 00 65 00 00 00 05 01 0F  00 57 00 6F 00 72 00 6B  .e.......W.o.r.k
000008B0: 00 73 00 74 00 61 00 74  00 69 00 6F 00 6E 00 4E  .s.t.a.t.i.o.n.N
000008C0: 00 61 00 6D 00 65 00 02  0D 0B 00 01 04 41 FF FF  .a.m.e.......A..
000008D0: 3D 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  =....o..D.a.t.a.
000008E0: 00 00 25 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..%....K...N.a.m
000008F0: 00 65 00 00 00 05 01 09  00 4C 00 6F 00 67 00 6F  .e.......L.o.g.o
00000900: 00 6E 00 47 00 75 00 69  00 64 00 02 0D 0C 00 0F  .n.G.u.i.d......
00000910: 04 41 FF FF 51 00 00 00  8A 6F 04 00 44 00 61 00  .A..Q....o..D.a.
00000920: 74 00 61 00 00 00 39 00  00 00 06 4B 95 04 00 4E  t.a...9....K...N
00000930: 00 61 00 6D 00 65 00 00  00 05 01 13 00 54 00 72  .a.m.e.......T.r
00000940: 00 61 00 6E 00 73 00 6D  00 69 00 74 00 74 00 65  .a.n.s.m.i.t.t.e
00000950: 00 64 00 53 00 65 00 72  00 76 00 69 00 63 00 65  .d.S.e.r.v.i.c.e
00000960: 00 73 00 02 0D 0D 00 01  04 41 FF FF 45 00 00 00  .s.......A..E...
00000970: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 2D 00  .o..D.a.t.a...-.
00000980: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000990: 00 05 01 0D 00 4C 00 6D  00 50 00 61 00 63 00 6B  .....L.m.P.a.c.k
000009A0: 00 61 00 67 00 65 00 4E  00 61 00 6D 00 65 00 02  .a.g.e.N.a.m.e..
000009B0: 0D 0E 00 01 04 41 FF FF  3D 00 00 00 8A 6F 04 00  .....A..=....o..
000009C0: 44 00 61 00 74 00 61 00  00 00 25 00 00 00 06 4B  D.a.t.a...%....K
000009D0: 95 04 00 4E 00 61 00 6D  00 65 00 00 00 05 01 09  ...N.a.m.e......
000009E0: 00 4B 00 65 00 79 00 4C  00 65 00 6E 00 67 00 74  .K.e.y.L.e.n.g.t
000009F0: 00 68 00 02 0D 0F 00 08  04 41 FF FF 3D 00 00 00  .h.......A..=...
00000A00: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 25 00  .o..D.a.t.a...%.
00000A10: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000A20: 00 05 01 09 00 50 00 72  00 6F 00 63 00 65 00 73  .....P.r.o.c.e.s
00000A30: 00 73 00 49 00 64 00 02  0D 10 00 10 04 41 FF FF  .s.I.d.......A..
00000A40: 41 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  A....o..D.a.t.a.
00000A50: 00 00 29 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..)....K...N.a.m
00000A60: 00 65 00 00 00 05 01 0B  00 50 00 72 00 6F 00 63  .e.......P.r.o.c
00000A70: 00 65 00 73 00 73 00 4E  00 61 00 6D 00 65 00 02  .e.s.s.N.a.m.e..
00000A80: 0D 11 00 01 04 41 FF FF  3D 00 00 00 8A 6F 04 00  .....A..=....o..
00000A90: 44 00 61 00 74 00 61 00  00 00 25 00 00 00 06 4B  D.a.t.a...%....K
00000AA0: 95 04 00 4E 00 61 00 6D  00 65 00 00 00 05 01 09  ...N.a.m.e......
00000AB0: 00 49 00 70 00 41 00 64  00 64 00 72 00 65 00 73  .I.p.A.d.d.r.e.s
00000AC0: 00 73 00 02 0D 12 00 01  04 41 FF FF 37 00 00 00  .s.......A..7...
00000AD0: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 1F 00  .o..D.a.t.a.....
00000AE0: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000AF0: 00 05 01 06 00 49 00 70  00 50 00 6F 00 72 00 74  .....I.p.P.o.r.t
00000B00: 00 02 0D 13 00 01 04 41  FF FF 4F 00 00 00 8A 6F  .......A..O....o
00000B10: 04 00 44 00 61 00 74 00  61 00 00 00 37 00 00 00  ..D.a.t.a...7...
00000B20: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
00000B30: 01 12 00 49 00 6D 00 70  00 65 00 72 00 73 00 6F  ...I.m.p.e.r.s.o
00000B40: 00 6E 00 61 00 74 00 69  00 6F 00 6E 00 4C 00 65  .n.a.t.i.o.n.L.e
00000B50: 00 76 00 65 00 6C 00 02  0D 14 00 01 04 04 00 15  .v.e.l..........
00000B60: 00 00 00 0C 00 13 00 02  00 01 00 02 00 01 00 08  ................
00000B70: 00 15 00 0C 00 13 00 0C  00 01 00 18 00 01 00 08  ................
00000B80: 00 15 00 04 00 08 00 02  00 01 00 02 00 01 00 02  ................
00000B90: 00 01 00 10 00 0F 00 02  00 01 00 02 00 01 00 04  ................
00000BA0: 00 08 00 08 00 15 00 00  00 01 00 02 00 01 00 02  ................
00000BB0: 00 01 00 02 00 01 00 01  01 00 00 00 00 00 00 00  ................
00000BC0: 00 00 00 2D 00 2D 00 00  00 00 00 00 00 00 00 01  ...-.-..........
00000BD0: 01 00 00 00 00 00 05 12  00 00 00 53 00 59 00 53  ...........S.Y.S
00000BE0: 00 54 00 45 00 4D 00 4E  00 54 00 20 00 41 00 55  .T.E.M.N.T. .A.U
00000BF0: 00 54 00 48 00 4F 00 52  00 49 00 54 00 59 00 E7  .T.H.O.R.I.T.Y..
00000C00: 03 00 00 00 00 00 00 00  00 00 00 2D 00 2D 00 2D  ...........-.-.-
00000C10: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000C20: 00 2D 00 2D 00 00 00 00  00 04 00 00 00 00 00 00  .-.-............
00000C30: 00 2D 00 2D 00 2D 00 00  00 00 00 00 00 20 00 00  .-.-.-....... ..
00000C40: 00 18 00 00 00 01 00 00  00 00 00 00 00 00 00 00  ................
00000C50: 00 18 00 00 00 02 00 00  00 00 00 00 00           .............
None
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00000000: D5 05 00 00 10 00 00 00  10 00 00 00 B5 05 00 00  ................
00000010: 9D 05 00 00 0F 01 01 00  0C 00 EC C7 48 63 15 65  ............Hc.e
00000020: 54 86 95 DF 5E B5 B3 D3  27 DA C6 03 00 00 0F 01  T...^...'.......
00000030: 01 00 41 11 00 BA 03 00  00 BA 0C 05 00 45 00 76  ..A..........E.v
00000040: 00 65 00 6E 00 74 00 00  00 7F 00 00 00 06 BC 0F  .e.n.t..........
00000050: 05 00 78 00 6D 00 6C 00  6E 00 73 00 00 00 05 01  ..x.m.l.n.s.....
00000060: 35 00 68 00 74 00 74 00  70 00 3A 00 2F 00 2F 00  5.h.t.t.p.:././.
00000070: 73 00 63 00 68 00 65 00  6D 00 61 00 73 00 2E 00  s.c.h.e.m.a.s...
00000080: 6D 00 69 00 63 00 72 00  6F 00 73 00 6F 00 66 00  m.i.c.r.o.s.o.f.
00000090: 74 00 2E 00 63 00 6F 00  6D 00 2F 00 77 00 69 00  t...c.o.m./.w.i.
000000A0: 6E 00 2F 00 32 00 30 00  30 00 34 00 2F 00 30 00  n./.2.0.0.4./.0.
000000B0: 38 00 2F 00 65 00 76 00  65 00 6E 00 74 00 73 00  8./.e.v.e.n.t.s.
000000C0: 2F 00 65 00 76 00 65 00  6E 00 74 00 02 01 FF FF  /.e.v.e.n.t.....
000000D0: 1A 03 00 00 6F 54 06 00  53 00 79 00 73 00 74 00  ....oT..S.y.s.t.
000000E0: 65 00 6D 00 00 00 02 41  FF FF 41 00 00 00 F1 7B  e.m....A..A....{
000000F0: 08 00 50 00 72 00 6F 00  76 00 69 00 64 00 65 00  ..P.r.o.v.i.d.e.
00000100: 72 00 00 00 26 00 00 00  46 4B 95 04 00 4E 00 61  r...&...FK...N.a
00000110: 00 6D 00 65 00 00 00 0E  0E 00 01 06 29 15 04 00  .m.e........)...
00000120: 47 00 75 00 69 00 64 00  00 00 0E 0F 00 0F 03 41  G.u.i.d........A
00000130: 03 00 3D 00 00 00 F5 61  07 00 45 00 76 00 65 00  ..=....a..E.v.e.
00000140: 6E 00 74 00 49 00 44 00  00 00 1F 00 00 00 06 29  n.t.I.D........)
00000150: DA 0A 00 51 00 75 00 61  00 6C 00 69 00 66 00 69  ...Q.u.a.l.i.f.i
00000160: 00 65 00 72 00 73 00 00  00 0E 04 00 06 02 0E 03  .e.r.s..........
00000170: 00 06 04 01 0B 00 1A 00  00 00 18 09 07 00 56 00  ..............V.
00000180: 65 00 72 00 73 00 69 00  6F 00 6E 00 00 00 02 0E  e.r.s.i.o.n.....
00000190: 0B 00 04 04 01 00 00 16  00 00 00 64 CE 05 00 4C  ...........d...L
000001A0: 00 65 00 76 00 65 00 6C  00 00 00 02 0E 00 00 04  .e.v.e.l........
000001B0: 04 01 02 00 14 00 00 00  45 7B 04 00 54 00 61 00  ........E{..T.a.
000001C0: 73 00 6B 00 00 00 02 0E  02 00 06 04 01 01 00 18  s.k.............
000001D0: 00 00 00 AE 1E 06 00 4F  00 70 00 63 00 6F 00 64  .......O.p.c.o.d
000001E0: 00 65 00 00 00 02 0E 01  00 04 04 01 05 00 1C 00  .e..............
000001F0: 00 00 6A CF 08 00 4B 00  65 00 79 00 77 00 6F 00  ..j...K.e.y.w.o.
00000200: 72 00 64 00 73 00 00 00  02 0E 05 00 15 04 41 FF  r.d.s.........A.
00000210: FF 40 00 00 00 3B 8E 0B  00 54 00 69 00 6D 00 65  .@...;...T.i.m.e
00000220: 00 43 00 72 00 65 00 61  00 74 00 65 00 64 00 00  .C.r.e.a.t.e.d..
00000230: 00 1F 00 00 00 06 3C 7B  0A 00 53 00 79 00 73 00  ......<{..S.y.s.
00000240: 74 00 65 00 6D 00 54 00  69 00 6D 00 65 00 00 00  t.e.m.T.i.m.e...
00000250: 0E 06 00 11 03 01 0A 00  26 00 00 00 46 03 0D 00  ........&...F...
00000260: 45 00 76 00 65 00 6E 00  74 00 52 00 65 00 63 00  E.v.e.n.t.R.e.c.
00000270: 6F 00 72 00 64 00 49 00  44 00 00 00 02 0E 0A 00  o.r.d.I.D.......
00000280: 0A 04 41 FF FF 6D 00 00  00 A2 F2 0B 00 43 00 6F  ..A..m.......C.o
00000290: 00 72 00 72 00 65 00 6C  00 61 00 74 00 69 00 6F  .r.r.e.l.a.t.i.o
000002A0: 00 6E 00 00 00 4C 00 00  00 46 0A F1 0A 00 41 00  .n...L...F....A.
000002B0: 63 00 74 00 69 00 76 00  69 00 74 00 79 00 49 00  c.t.i.v.i.t.y.I.
000002C0: 44 00 00 00 0E 07 00 0F  06 35 C5 11 00 52 00 65  D........5...R.e
000002D0: 00 6C 00 61 00 74 00 65  00 64 00 41 00 63 00 74  .l.a.t.e.d.A.c.t
000002E0: 00 69 00 76 00 69 00 74  00 79 00 49 00 44 00 00  .i.v.i.t.y.I.D..
000002F0: 00 0E 0D 00 0F 03 41 FF  FF 55 00 00 00 B8 B5 09  ......A..U......
00000300: 00 45 00 78 00 65 00 63  00 75 00 74 00 69 00 6F  .E.x.e.c.u.t.i.o
00000310: 00 6E 00 00 00 38 00 00  00 46 0A D7 09 00 50 00  .n...8...F....P.
00000320: 72 00 6F 00 63 00 65 00  73 00 73 00 49 00 44 00  r.o.c.e.s.s.I.D.
00000330: 00 00 0E 08 00 08 06 85  39 08 00 54 00 68 00 72  ........9..T.h.r
00000340: 00 65 00 61 00 64 00 49  00 44 00 00 00 0E 09 00  .e.a.d.I.D......
00000350: 08 03 01 10 00 1A 00 00  00 83 61 07 00 43 00 68  ..........a..C.h
00000360: 00 61 00 6E 00 6E 00 65  00 6C 00 00 00 02 0E 10  .a.n.n.e.l......
00000370: 00 01 04 01 FF FF 3A 00  00 00 3B 6E 08 00 43 00  ......:...;n..C.
00000380: 6F 00 6D 00 70 00 75 00  74 00 65 00 72 00 00 00  o.m.p.u.t.e.r...
00000390: 02 05 01 0F 00 57 00 49  00 4E 00 2D 00 44 00 36  .....W.I.N.-.D.6
000003A0: 00 43 00 39 00 53 00 4F  00 31 00 4F 00 34 00 51  .C.9.S.O.1.O.4.Q
000003B0: 00 53 00 04 41 FF FF 32  00 00 00 A0 2E 08 00 53  .S..A..2.......S
000003C0: 00 65 00 63 00 75 00 72  00 69 00 74 00 79 00 00  .e.c.u.r.i.t.y..
000003D0: 00 17 00 00 00 06 66 4C  06 00 55 00 73 00 65 00  ......fL..U.s.e.
000003E0: 72 00 49 00 44 00 00 00  0E 0C 00 13 03 04 0E 11  r.I.D...........
000003F0: 00 21 04 00 12 00 00 00  01 00 04 00 01 00 04 00  .!..............
00000400: 02 00 06 00 02 00 06 00  00 00 00 00 08 00 15 00  ................
00000410: 08 00 11 00 00 00 00 00  04 00 08 00 04 00 08 00  ................
00000420: 08 00 0A 00 01 00 04 00  00 00 00 00 00 00 00 00  ................
00000430: 46 00 01 00 10 00 0F 00  10 00 01 00 E3 00 21 00  F.............!.
00000440: 00 00 00 35 26 13 00 00  00 00 00 00 20 80 6F CA  ...5&....... .o.
00000450: CB 54 D6 F9 D2 01 0C 02  00 00 30 02 00 00 03 00  .T........0.....
00000460: 00 00 00 00 00 00 00 4D  00 69 00 63 00 72 00 6F  .......M.i.c.r.o
00000470: 00 73 00 6F 00 66 00 74  00 2D 00 57 00 69 00 6E  .s.o.f.t.-.W.i.n
00000480: 00 64 00 6F 00 77 00 73  00 2D 00 53 00 65 00 63  .d.o.w.s.-.S.e.c
00000490: 00 75 00 72 00 69 00 74  00 79 00 2D 00 41 00 75  .u.r.i.t.y.-.A.u
000004A0: 00 64 00 69 00 74 00 69  00 6E 00 67 00 25 96 84  .d.i.t.i.n.g.%..
000004B0: 54 78 54 94 49 A5 BA 3E  3B 03 28 C3 0D 53 00 65  TxT.I..>;.(..S.e
000004C0: 00 63 00 75 00 72 00 69  00 74 00 79 00 0F 01 01  .c.u.r.i.t.y....
000004D0: 00 0C 00 BA EC 90 C7 27  31 B0 97 1B 60 41 97 96  .......'1...`A..
000004E0: 97 F9 0A B0 00 00 00 0F  01 01 00 01 FF FF A4 00  ................
000004F0: 00 00 44 82 09 00 45 00  76 00 65 00 6E 00 74 00  ..D...E.v.e.n.t.
00000500: 44 00 61 00 74 00 61 00  00 00 02 41 FF FF 3B 00  D.a.t.a....A..;.
00000510: 00 00 8A 6F 04 00 44 00  61 00 74 00 61 00 00 00  ...o..D.a.t.a...
00000520: 23 00 00 00 06 4B 95 04  00 4E 00 61 00 6D 00 65  #....K...N.a.m.e
00000530: 00 00 00 05 01 08 00 50  00 75 00 61 00 43 00 6F  .......P.u.a.C.o
00000540: 00 75 00 6E 00 74 00 02  0D 00 00 08 04 41 FF FF  .u.n.t.......A..
00000550: 41 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  A....o..D.a.t.a.
00000560: 00 00 29 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..)....K...N.a.m
00000570: 00 65 00 00 00 05 01 0B  00 50 00 75 00 61 00 50  .e.......P.u.a.P
00000580: 00 6F 00 6C 00 69 00 63  00 79 00 49 00 64 00 02  .o.l.i.c.y.I.d..
00000590: 0D 01 00 15 04 04 00 02  00 00 00 04 00 08 00 08  ................
000005A0: 00 15 00 00 00 00 00 3A  13 04 00 00 00 00 00 00  .......:........
000005B0: 00 00 00 00 00 20 00 00  00 18 00 00 00 01 00 00  ..... ..........
000005C0: 00 00 00 00 00 00 00 00  00 18 00 00 00 03 00 00  ................
000005D0: 00 00 00 00 00                                    .....
None
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00000000: F1 0C 00 00 10 00 00 00  10 00 00 00 D1 0C 00 00  ................
00000010: B9 0C 00 00 0F 01 01 00  0C 00 EC C7 48 63 15 65  ............Hc.e
00000020: 54 86 95 DF 5E B5 B3 D3  27 DA C6 03 00 00 0F 01  T...^...'.......
00000030: 01 00 41 11 00 BA 03 00  00 BA 0C 05 00 45 00 76  ..A..........E.v
00000040: 00 65 00 6E 00 74 00 00  00 7F 00 00 00 06 BC 0F  .e.n.t..........
00000050: 05 00 78 00 6D 00 6C 00  6E 00 73 00 00 00 05 01  ..x.m.l.n.s.....
00000060: 35 00 68 00 74 00 74 00  70 00 3A 00 2F 00 2F 00  5.h.t.t.p.:././.
00000070: 73 00 63 00 68 00 65 00  6D 00 61 00 73 00 2E 00  s.c.h.e.m.a.s...
00000080: 6D 00 69 00 63 00 72 00  6F 00 73 00 6F 00 66 00  m.i.c.r.o.s.o.f.
00000090: 74 00 2E 00 63 00 6F 00  6D 00 2F 00 77 00 69 00  t...c.o.m./.w.i.
000000A0: 6E 00 2F 00 32 00 30 00  30 00 34 00 2F 00 30 00  n./.2.0.0.4./.0.
000000B0: 38 00 2F 00 65 00 76 00  65 00 6E 00 74 00 73 00  8./.e.v.e.n.t.s.
000000C0: 2F 00 65 00 76 00 65 00  6E 00 74 00 02 01 FF FF  /.e.v.e.n.t.....
000000D0: 1A 03 00 00 6F 54 06 00  53 00 79 00 73 00 74 00  ....oT..S.y.s.t.
000000E0: 65 00 6D 00 00 00 02 41  FF FF 41 00 00 00 F1 7B  e.m....A..A....{
000000F0: 08 00 50 00 72 00 6F 00  76 00 69 00 64 00 65 00  ..P.r.o.v.i.d.e.
00000100: 72 00 00 00 26 00 00 00  46 4B 95 04 00 4E 00 61  r...&...FK...N.a
00000110: 00 6D 00 65 00 00 00 0E  0E 00 01 06 29 15 04 00  .m.e........)...
00000120: 47 00 75 00 69 00 64 00  00 00 0E 0F 00 0F 03 41  G.u.i.d........A
00000130: 03 00 3D 00 00 00 F5 61  07 00 45 00 76 00 65 00  ..=....a..E.v.e.
00000140: 6E 00 74 00 49 00 44 00  00 00 1F 00 00 00 06 29  n.t.I.D........)
00000150: DA 0A 00 51 00 75 00 61  00 6C 00 69 00 66 00 69  ...Q.u.a.l.i.f.i
00000160: 00 65 00 72 00 73 00 00  00 0E 04 00 06 02 0E 03  .e.r.s..........
00000170: 00 06 04 01 0B 00 1A 00  00 00 18 09 07 00 56 00  ..............V.
00000180: 65 00 72 00 73 00 69 00  6F 00 6E 00 00 00 02 0E  e.r.s.i.o.n.....
00000190: 0B 00 04 04 01 00 00 16  00 00 00 64 CE 05 00 4C  ...........d...L
000001A0: 00 65 00 76 00 65 00 6C  00 00 00 02 0E 00 00 04  .e.v.e.l........
000001B0: 04 01 02 00 14 00 00 00  45 7B 04 00 54 00 61 00  ........E{..T.a.
000001C0: 73 00 6B 00 00 00 02 0E  02 00 06 04 01 01 00 18  s.k.............
000001D0: 00 00 00 AE 1E 06 00 4F  00 70 00 63 00 6F 00 64  .......O.p.c.o.d
000001E0: 00 65 00 00 00 02 0E 01  00 04 04 01 05 00 1C 00  .e..............
000001F0: 00 00 6A CF 08 00 4B 00  65 00 79 00 77 00 6F 00  ..j...K.e.y.w.o.
00000200: 72 00 64 00 73 00 00 00  02 0E 05 00 15 04 41 FF  r.d.s.........A.
00000210: FF 40 00 00 00 3B 8E 0B  00 54 00 69 00 6D 00 65  .@...;...T.i.m.e
00000220: 00 43 00 72 00 65 00 61  00 74 00 65 00 64 00 00  .C.r.e.a.t.e.d..
00000230: 00 1F 00 00 00 06 3C 7B  0A 00 53 00 79 00 73 00  ......<{..S.y.s.
00000240: 74 00 65 00 6D 00 54 00  69 00 6D 00 65 00 00 00  t.e.m.T.i.m.e...
00000250: 0E 06 00 11 03 01 0A 00  26 00 00 00 46 03 0D 00  ........&...F...
00000260: 45 00 76 00 65 00 6E 00  74 00 52 00 65 00 63 00  E.v.e.n.t.R.e.c.
00000270: 6F 00 72 00 64 00 49 00  44 00 00 00 02 0E 0A 00  o.r.d.I.D.......
00000280: 0A 04 41 FF FF 6D 00 00  00 A2 F2 0B 00 43 00 6F  ..A..m.......C.o
00000290: 00 72 00 72 00 65 00 6C  00 61 00 74 00 69 00 6F  .r.r.e.l.a.t.i.o
000002A0: 00 6E 00 00 00 4C 00 00  00 46 0A F1 0A 00 41 00  .n...L...F....A.
000002B0: 63 00 74 00 69 00 76 00  69 00 74 00 79 00 49 00  c.t.i.v.i.t.y.I.
000002C0: 44 00 00 00 0E 07 00 0F  06 35 C5 11 00 52 00 65  D........5...R.e
000002D0: 00 6C 00 61 00 74 00 65  00 64 00 41 00 63 00 74  .l.a.t.e.d.A.c.t
000002E0: 00 69 00 76 00 69 00 74  00 79 00 49 00 44 00 00  .i.v.i.t.y.I.D..
000002F0: 00 0E 0D 00 0F 03 41 FF  FF 55 00 00 00 B8 B5 09  ......A..U......
00000300: 00 45 00 78 00 65 00 63  00 75 00 74 00 69 00 6F  .E.x.e.c.u.t.i.o
00000310: 00 6E 00 00 00 38 00 00  00 46 0A D7 09 00 50 00  .n...8...F....P.
00000320: 72 00 6F 00 63 00 65 00  73 00 73 00 49 00 44 00  r.o.c.e.s.s.I.D.
00000330: 00 00 0E 08 00 08 06 85  39 08 00 54 00 68 00 72  ........9..T.h.r
00000340: 00 65 00 61 00 64 00 49  00 44 00 00 00 0E 09 00  .e.a.d.I.D......
00000350: 08 03 01 10 00 1A 00 00  00 83 61 07 00 43 00 68  ..........a..C.h
00000360: 00 61 00 6E 00 6E 00 65  00 6C 00 00 00 02 0E 10  .a.n.n.e.l......
00000370: 00 01 04 01 FF FF 3A 00  00 00 3B 6E 08 00 43 00  ......:...;n..C.
00000380: 6F 00 6D 00 70 00 75 00  74 00 65 00 72 00 00 00  o.m.p.u.t.e.r...
00000390: 02 05 01 0F 00 57 00 49  00 4E 00 2D 00 44 00 36  .....W.I.N.-.D.6
000003A0: 00 43 00 39 00 53 00 4F  00 31 00 4F 00 34 00 51  .C.9.S.O.1.O.4.Q
000003B0: 00 53 00 04 41 FF FF 32  00 00 00 A0 2E 08 00 53  .S..A..2.......S
000003C0: 00 65 00 63 00 75 00 72  00 69 00 74 00 79 00 00  .e.c.u.r.i.t.y..
000003D0: 00 17 00 00 00 06 66 4C  06 00 55 00 73 00 65 00  ......fL..U.s.e.
000003E0: 72 00 49 00 44 00 00 00  0E 0C 00 13 03 04 0E 11  r.I.D...........
000003F0: 00 21 04 00 12 00 00 00  01 00 04 00 01 00 04 00  .!..............
00000400: 02 00 06 00 02 00 06 00  00 00 00 00 08 00 15 00  ................
00000410: 08 00 11 00 00 00 00 00  04 00 08 00 04 00 08 00  ................
00000420: 08 00 0A 00 01 00 04 00  00 00 00 00 00 00 00 00  ................
00000430: 46 00 01 00 10 00 0F 00  10 00 01 00 FF 07 21 00  F.............!.
00000440: 00 00 00 31 10 12 00 00  00 00 00 00 20 80 F7 B6  ...1........ ...
00000450: D7 54 D6 F9 D2 01 0C 02  00 00 24 02 00 00 04 00  .T........$.....
00000460: 00 00 00 00 00 00 01 4D  00 69 00 63 00 72 00 6F  .......M.i.c.r.o
00000470: 00 73 00 6F 00 66 00 74  00 2D 00 57 00 69 00 6E  .s.o.f.t.-.W.i.n
00000480: 00 64 00 6F 00 77 00 73  00 2D 00 53 00 65 00 63  .d.o.w.s.-.S.e.c
00000490: 00 75 00 72 00 69 00 74  00 79 00 2D 00 41 00 75  .u.r.i.t.y.-.A.u
000004A0: 00 64 00 69 00 74 00 69  00 6E 00 67 00 25 96 84  .d.i.t.i.n.g.%..
000004B0: 54 78 54 94 49 A5 BA 3E  3B 03 28 C3 0D 53 00 65  TxT.I..>;.(..S.e
000004C0: 00 63 00 75 00 72 00 69  00 74 00 79 00 0F 01 01  .c.u.r.i.t.y....
000004D0: 00 0C 00 C9 1A 65 C0 04  9A 4F 60 DE B0 F1 72 FF  .....e...O`...r.
000004E0: 8F E0 E8 78 06 00 00 0F  01 01 00 01 FF FF 6C 06  ...x..........l.
000004F0: 00 00 44 82 09 00 45 00  76 00 65 00 6E 00 74 00  ..D...E.v.e.n.t.
00000500: 44 00 61 00 74 00 61 00  00 00 02 41 FF FF 47 00  D.a.t.a....A..G.
00000510: 00 00 8A 6F 04 00 44 00  61 00 74 00 61 00 00 00  ...o..D.a.t.a...
00000520: 2F 00 00 00 06 4B 95 04  00 4E 00 61 00 6D 00 65  /....K...N.a.m.e
00000530: 00 00 00 05 01 0E 00 53  00 75 00 62 00 6A 00 65  .......S.u.b.j.e
00000540: 00 63 00 74 00 55 00 73  00 65 00 72 00 53 00 69  .c.t.U.s.e.r.S.i
00000550: 00 64 00 02 0D 00 00 13  04 41 FF FF 49 00 00 00  .d.......A..I...
00000560: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 31 00  .o..D.a.t.a...1.
00000570: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000580: 00 05 01 0F 00 53 00 75  00 62 00 6A 00 65 00 63  .....S.u.b.j.e.c
00000590: 00 74 00 55 00 73 00 65  00 72 00 4E 00 61 00 6D  .t.U.s.e.r.N.a.m
000005A0: 00 65 00 02 0D 01 00 01  04 41 FF FF 4D 00 00 00  .e.......A..M...
000005B0: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 35 00  .o..D.a.t.a...5.
000005C0: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
000005D0: 00 05 01 11 00 53 00 75  00 62 00 6A 00 65 00 63  .....S.u.b.j.e.c
000005E0: 00 74 00 44 00 6F 00 6D  00 61 00 69 00 6E 00 4E  .t.D.o.m.a.i.n.N
000005F0: 00 61 00 6D 00 65 00 02  0D 02 00 01 04 41 FF FF  .a.m.e.......A..
00000600: 47 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  G....o..D.a.t.a.
00000610: 00 00 2F 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ../....K...N.a.m
00000620: 00 65 00 00 00 05 01 0E  00 53 00 75 00 62 00 6A  .e.......S.u.b.j
00000630: 00 65 00 63 00 74 00 4C  00 6F 00 67 00 6F 00 6E  .e.c.t.L.o.g.o.n
00000640: 00 49 00 64 00 02 0D 03  00 15 04 41 FF FF 45 00  .I.d.......A..E.
00000650: 00 00 8A 6F 04 00 44 00  61 00 74 00 61 00 00 00  ...o..D.a.t.a...
00000660: 2D 00 00 00 06 4B 95 04  00 4E 00 61 00 6D 00 65  -....K...N.a.m.e
00000670: 00 00 00 05 01 0D 00 54  00 61 00 72 00 67 00 65  .......T.a.r.g.e
00000680: 00 74 00 55 00 73 00 65  00 72 00 53 00 69 00 64  .t.U.s.e.r.S.i.d
00000690: 00 02 0D 04 00 13 04 41  FF FF 47 00 00 00 8A 6F  .......A..G....o
000006A0: 04 00 44 00 61 00 74 00  61 00 00 00 2F 00 00 00  ..D.a.t.a.../...
000006B0: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
000006C0: 01 0E 00 54 00 61 00 72  00 67 00 65 00 74 00 55  ...T.a.r.g.e.t.U
000006D0: 00 73 00 65 00 72 00 4E  00 61 00 6D 00 65 00 02  .s.e.r.N.a.m.e..
000006E0: 0D 05 00 01 04 41 FF FF  4B 00 00 00 8A 6F 04 00  .....A..K....o..
000006F0: 44 00 61 00 74 00 61 00  00 00 33 00 00 00 06 4B  D.a.t.a...3....K
00000700: 95 04 00 4E 00 61 00 6D  00 65 00 00 00 05 01 10  ...N.a.m.e......
00000710: 00 54 00 61 00 72 00 67  00 65 00 74 00 44 00 6F  .T.a.r.g.e.t.D.o
00000720: 00 6D 00 61 00 69 00 6E  00 4E 00 61 00 6D 00 65  .m.a.i.n.N.a.m.e
00000730: 00 02 0D 06 00 01 04 41  FF FF 45 00 00 00 8A 6F  .......A..E....o
00000740: 04 00 44 00 61 00 74 00  61 00 00 00 2D 00 00 00  ..D.a.t.a...-...
00000750: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
00000760: 01 0D 00 54 00 61 00 72  00 67 00 65 00 74 00 4C  ...T.a.r.g.e.t.L
00000770: 00 6F 00 67 00 6F 00 6E  00 49 00 64 00 02 0D 07  .o.g.o.n.I.d....
00000780: 00 15 04 41 FF FF 3D 00  00 00 8A 6F 04 00 44 00  ...A..=....o..D.
00000790: 61 00 74 00 61 00 00 00  25 00 00 00 06 4B 95 04  a.t.a...%....K..
000007A0: 00 4E 00 61 00 6D 00 65  00 00 00 05 01 09 00 4C  .N.a.m.e.......L
000007B0: 00 6F 00 67 00 6F 00 6E  00 54 00 79 00 70 00 65  .o.g.o.n.T.y.p.e
000007C0: 00 02 0D 08 00 08 04 41  FF FF 4B 00 00 00 8A 6F  .......A..K....o
000007D0: 04 00 44 00 61 00 74 00  61 00 00 00 33 00 00 00  ..D.a.t.a...3...
000007E0: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
000007F0: 01 10 00 4C 00 6F 00 67  00 6F 00 6E 00 50 00 72  ...L.o.g.o.n.P.r
00000800: 00 6F 00 63 00 65 00 73  00 73 00 4E 00 61 00 6D  .o.c.e.s.s.N.a.m
00000810: 00 65 00 02 0D 09 00 01  04 41 FF FF 5D 00 00 00  .e.......A..]...
00000820: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 45 00  .o..D.a.t.a...E.
00000830: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000840: 00 05 01 19 00 41 00 75  00 74 00 68 00 65 00 6E  .....A.u.t.h.e.n
00000850: 00 74 00 69 00 63 00 61  00 74 00 69 00 6F 00 6E  .t.i.c.a.t.i.o.n
00000860: 00 50 00 61 00 63 00 6B  00 61 00 67 00 65 00 4E  .P.a.c.k.a.g.e.N
00000870: 00 61 00 6D 00 65 00 02  0D 0A 00 01 04 41 FF FF  .a.m.e.......A..
00000880: 49 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  I....o..D.a.t.a.
00000890: 00 00 31 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..1....K...N.a.m
000008A0: 00 65 00 00 00 05 01 0F  00 57 00 6F 00 72 00 6B  .e.......W.o.r.k
000008B0: 00 73 00 74 00 61 00 74  00 69 00 6F 00 6E 00 4E  .s.t.a.t.i.o.n.N
000008C0: 00 61 00 6D 00 65 00 02  0D 0B 00 01 04 41 FF FF  .a.m.e.......A..
000008D0: 3D 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  =....o..D.a.t.a.
000008E0: 00 00 25 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..%....K...N.a.m
000008F0: 00 65 00 00 00 05 01 09  00 4C 00 6F 00 67 00 6F  .e.......L.o.g.o
00000900: 00 6E 00 47 00 75 00 69  00 64 00 02 0D 0C 00 0F  .n.G.u.i.d......
00000910: 04 41 FF FF 51 00 00 00  8A 6F 04 00 44 00 61 00  .A..Q....o..D.a.
00000920: 74 00 61 00 00 00 39 00  00 00 06 4B 95 04 00 4E  t.a...9....K...N
00000930: 00 61 00 6D 00 65 00 00  00 05 01 13 00 54 00 72  .a.m.e.......T.r
00000940: 00 61 00 6E 00 73 00 6D  00 69 00 74 00 74 00 65  .a.n.s.m.i.t.t.e
00000950: 00 64 00 53 00 65 00 72  00 76 00 69 00 63 00 65  .d.S.e.r.v.i.c.e
00000960: 00 73 00 02 0D 0D 00 01  04 41 FF FF 45 00 00 00  .s.......A..E...
00000970: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 2D 00  .o..D.a.t.a...-.
00000980: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000990: 00 05 01 0D 00 4C 00 6D  00 50 00 61 00 63 00 6B  .....L.m.P.a.c.k
000009A0: 00 61 00 67 00 65 00 4E  00 61 00 6D 00 65 00 02  .a.g.e.N.a.m.e..
000009B0: 0D 0E 00 01 04 41 FF FF  3D 00 00 00 8A 6F 04 00  .....A..=....o..
000009C0: 44 00 61 00 74 00 61 00  00 00 25 00 00 00 06 4B  D.a.t.a...%....K
000009D0: 95 04 00 4E 00 61 00 6D  00 65 00 00 00 05 01 09  ...N.a.m.e......
000009E0: 00 4B 00 65 00 79 00 4C  00 65 00 6E 00 67 00 74  .K.e.y.L.e.n.g.t
000009F0: 00 68 00 02 0D 0F 00 08  04 41 FF FF 3D 00 00 00  .h.......A..=...
00000A00: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 25 00  .o..D.a.t.a...%.
00000A10: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000A20: 00 05 01 09 00 50 00 72  00 6F 00 63 00 65 00 73  .....P.r.o.c.e.s
00000A30: 00 73 00 49 00 64 00 02  0D 10 00 10 04 41 FF FF  .s.I.d.......A..
00000A40: 41 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  A....o..D.a.t.a.
00000A50: 00 00 29 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ..)....K...N.a.m
00000A60: 00 65 00 00 00 05 01 0B  00 50 00 72 00 6F 00 63  .e.......P.r.o.c
00000A70: 00 65 00 73 00 73 00 4E  00 61 00 6D 00 65 00 02  .e.s.s.N.a.m.e..
00000A80: 0D 11 00 01 04 41 FF FF  3D 00 00 00 8A 6F 04 00  .....A..=....o..
00000A90: 44 00 61 00 74 00 61 00  00 00 25 00 00 00 06 4B  D.a.t.a...%....K
00000AA0: 95 04 00 4E 00 61 00 6D  00 65 00 00 00 05 01 09  ...N.a.m.e......
00000AB0: 00 49 00 70 00 41 00 64  00 64 00 72 00 65 00 73  .I.p.A.d.d.r.e.s
00000AC0: 00 73 00 02 0D 12 00 01  04 41 FF FF 37 00 00 00  .s.......A..7...
00000AD0: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 1F 00  .o..D.a.t.a.....
00000AE0: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000AF0: 00 05 01 06 00 49 00 70  00 50 00 6F 00 72 00 74  .....I.p.P.o.r.t
00000B00: 00 02 0D 13 00 01 04 41  FF FF 4F 00 00 00 8A 6F  .......A..O....o
00000B10: 04 00 44 00 61 00 74 00  61 00 00 00 37 00 00 00  ..D.a.t.a...7...
00000B20: 06 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
00000B30: 01 12 00 49 00 6D 00 70  00 65 00 72 00 73 00 6F  ...I.m.p.e.r.s.o
00000B40: 00 6E 00 61 00 74 00 69  00 6F 00 6E 00 4C 00 65  .n.a.t.i.o.n.L.e
00000B50: 00 76 00 65 00 6C 00 02  0D 14 00 01 04 04 00 15  .v.e.l..........
00000B60: 00 00 00 0C 00 13 00 20  00 01 00 12 00 01 00 08  ....... ........
00000B70: 00 15 00 0C 00 13 00 0C  00 01 00 18 00 01 00 08  ................
00000B80: 00 15 00 04 00 08 00 10  00 01 00 12 00 01 00 00  ................
00000B90: 00 01 00 10 00 0F 00 02  00 01 00 02 00 01 00 04  ................
00000BA0: 00 08 00 08 00 15 00 40  00 01 00 02 00 01 00 02  .......@........
00000BB0: 00 01 00 0C 00 01 00 01  01 00 00 00 00 00 05 12  ................
00000BC0: 00 00 00 57 00 49 00 4E  00 2D 00 44 00 36 00 43  ...W.I.N.-.D.6.C
00000BD0: 00 39 00 53 00 4F 00 31  00 4F 00 34 00 51 00 53  .9.S.O.1.O.4.Q.S
00000BE0: 00 24 00 57 00 4F 00 52  00 4B 00 47 00 52 00 4F  .$.W.O.R.K.G.R.O
00000BF0: 00 55 00 50 00 E7 03 00  00 00 00 00 00 01 01 00  .U.P............
00000C00: 00 00 00 00 05 12 00 00  00 53 00 59 00 53 00 54  .........S.Y.S.T
00000C10: 00 45 00 4D 00 4E 00 54  00 20 00 41 00 55 00 54  .E.M.N.T. .A.U.T
00000C20: 00 48 00 4F 00 52 00 49  00 54 00 59 00 E7 03 00  .H.O.R.I.T.Y....
00000C30: 00 00 00 00 00 05 00 00  00 41 00 64 00 76 00 61  .........A.d.v.a
00000C40: 00 70 00 69 00 20 00 20  00 4E 00 65 00 67 00 6F  .p.i. . .N.e.g.o
00000C50: 00 74 00 69 00 61 00 74  00 65 00 00 00 00 00 00  .t.i.a.t.e......
00000C60: 00 00 00 00 00 00 00 00  00 00 00 2D 00 2D 00 00  ...........-.-..
00000C70: 00 00 00 04 02 00 00 00  00 00 00 43 00 3A 00 5C  ...........C.:.\
00000C80: 00 57 00 69 00 6E 00 64  00 6F 00 77 00 73 00 5C  .W.i.n.d.o.w.s.\
00000C90: 00 53 00 79 00 73 00 74  00 65 00 6D 00 33 00 32  .S.y.s.t.e.m.3.2
00000CA0: 00 5C 00 73 00 65 00 72  00 76 00 69 00 63 00 65  .\.s.e.r.v.i.c.e
00000CB0: 00 73 00 2E 00 65 00 78  00 65 00 2D 00 2D 00 25  .s...e.x.e.-.-.%
00000CC0: 00 25 00 31 00 38 00 33  00 33 00 00 00 00 00 00  .%.1.8.3.3......
00000CD0: 00 20 00 00 00 18 00 00  00 01 00 00 00 00 00 00  . ..............
00000CE0: 00 00 00 00 00 18 00 00  00 04 00 00 00 00 00 00  ................
00000CF0: 00                                                .
None
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00000000: 33 09 00 00 10 00 00 00  10 00 00 00 13 09 00 00  3...............
00000010: FB 08 00 00 0F 01 01 00  0C 00 EC C7 48 63 15 65  ............Hc.e
00000020: 54 86 95 DF 5E B5 B3 D3  27 DA C6 03 00 00 0F 01  T...^...'.......
00000030: 01 00 41 11 00 BA 03 00  00 BA 0C 05 00 45 00 76  ..A..........E.v
00000040: 00 65 00 6E 00 74 00 00  00 7F 00 00 00 06 BC 0F  .e.n.t..........
00000050: 05 00 78 00 6D 00 6C 00  6E 00 73 00 00 00 05 01  ..x.m.l.n.s.....
00000060: 35 00 68 00 74 00 74 00  70 00 3A 00 2F 00 2F 00  5.h.t.t.p.:././.
00000070: 73 00 63 00 68 00 65 00  6D 00 61 00 73 00 2E 00  s.c.h.e.m.a.s...
00000080: 6D 00 69 00 63 00 72 00  6F 00 73 00 6F 00 66 00  m.i.c.r.o.s.o.f.
00000090: 74 00 2E 00 63 00 6F 00  6D 00 2F 00 77 00 69 00  t...c.o.m./.w.i.
000000A0: 6E 00 2F 00 32 00 30 00  30 00 34 00 2F 00 30 00  n./.2.0.0.4./.0.
000000B0: 38 00 2F 00 65 00 76 00  65 00 6E 00 74 00 73 00  8./.e.v.e.n.t.s.
000000C0: 2F 00 65 00 76 00 65 00  6E 00 74 00 02 01 FF FF  /.e.v.e.n.t.....
000000D0: 1A 03 00 00 6F 54 06 00  53 00 79 00 73 00 74 00  ....oT..S.y.s.t.
000000E0: 65 00 6D 00 00 00 02 41  FF FF 41 00 00 00 F1 7B  e.m....A..A....{
000000F0: 08 00 50 00 72 00 6F 00  76 00 69 00 64 00 65 00  ..P.r.o.v.i.d.e.
00000100: 72 00 00 00 26 00 00 00  46 4B 95 04 00 4E 00 61  r...&...FK...N.a
00000110: 00 6D 00 65 00 00 00 0E  0E 00 01 06 29 15 04 00  .m.e........)...
00000120: 47 00 75 00 69 00 64 00  00 00 0E 0F 00 0F 03 41  G.u.i.d........A
00000130: 03 00 3D 00 00 00 F5 61  07 00 45 00 76 00 65 00  ..=....a..E.v.e.
00000140: 6E 00 74 00 49 00 44 00  00 00 1F 00 00 00 06 29  n.t.I.D........)
00000150: DA 0A 00 51 00 75 00 61  00 6C 00 69 00 66 00 69  ...Q.u.a.l.i.f.i
00000160: 00 65 00 72 00 73 00 00  00 0E 04 00 06 02 0E 03  .e.r.s..........
00000170: 00 06 04 01 0B 00 1A 00  00 00 18 09 07 00 56 00  ..............V.
00000180: 65 00 72 00 73 00 69 00  6F 00 6E 00 00 00 02 0E  e.r.s.i.o.n.....
00000190: 0B 00 04 04 01 00 00 16  00 00 00 64 CE 05 00 4C  ...........d...L
000001A0: 00 65 00 76 00 65 00 6C  00 00 00 02 0E 00 00 04  .e.v.e.l........
000001B0: 04 01 02 00 14 00 00 00  45 7B 04 00 54 00 61 00  ........E{..T.a.
000001C0: 73 00 6B 00 00 00 02 0E  02 00 06 04 01 01 00 18  s.k.............
000001D0: 00 00 00 AE 1E 06 00 4F  00 70 00 63 00 6F 00 64  .......O.p.c.o.d
000001E0: 00 65 00 00 00 02 0E 01  00 04 04 01 05 00 1C 00  .e..............
000001F0: 00 00 6A CF 08 00 4B 00  65 00 79 00 77 00 6F 00  ..j...K.e.y.w.o.
00000200: 72 00 64 00 73 00 00 00  02 0E 05 00 15 04 41 FF  r.d.s.........A.
00000210: FF 40 00 00 00 3B 8E 0B  00 54 00 69 00 6D 00 65  .@...;...T.i.m.e
00000220: 00 43 00 72 00 65 00 61  00 74 00 65 00 64 00 00  .C.r.e.a.t.e.d..
00000230: 00 1F 00 00 00 06 3C 7B  0A 00 53 00 79 00 73 00  ......<{..S.y.s.
00000240: 74 00 65 00 6D 00 54 00  69 00 6D 00 65 00 00 00  t.e.m.T.i.m.e...
00000250: 0E 06 00 11 03 01 0A 00  26 00 00 00 46 03 0D 00  ........&...F...
00000260: 45 00 76 00 65 00 6E 00  74 00 52 00 65 00 63 00  E.v.e.n.t.R.e.c.
00000270: 6F 00 72 00 64 00 49 00  44 00 00 00 02 0E 0A 00  o.r.d.I.D.......
00000280: 0A 04 41 FF FF 6D 00 00  00 A2 F2 0B 00 43 00 6F  ..A..m.......C.o
00000290: 00 72 00 72 00 65 00 6C  00 61 00 74 00 69 00 6F  .r.r.e.l.a.t.i.o
000002A0: 00 6E 00 00 00 4C 00 00  00 46 0A F1 0A 00 41 00  .n...L...F....A.
000002B0: 63 00 74 00 69 00 76 00  69 00 74 00 79 00 49 00  c.t.i.v.i.t.y.I.
000002C0: 44 00 00 00 0E 07 00 0F  06 35 C5 11 00 52 00 65  D........5...R.e
000002D0: 00 6C 00 61 00 74 00 65  00 64 00 41 00 63 00 74  .l.a.t.e.d.A.c.t
000002E0: 00 69 00 76 00 69 00 74  00 79 00 49 00 44 00 00  .i.v.i.t.y.I.D..
000002F0: 00 0E 0D 00 0F 03 41 FF  FF 55 00 00 00 B8 B5 09  ......A..U......
00000300: 00 45 00 78 00 65 00 63  00 75 00 74 00 69 00 6F  .E.x.e.c.u.t.i.o
00000310: 00 6E 00 00 00 38 00 00  00 46 0A D7 09 00 50 00  .n...8...F....P.
00000320: 72 00 6F 00 63 00 65 00  73 00 73 00 49 00 44 00  r.o.c.e.s.s.I.D.
00000330: 00 00 0E 08 00 08 06 85  39 08 00 54 00 68 00 72  ........9..T.h.r
00000340: 00 65 00 61 00 64 00 49  00 44 00 00 00 0E 09 00  .e.a.d.I.D......
00000350: 08 03 01 10 00 1A 00 00  00 83 61 07 00 43 00 68  ..........a..C.h
00000360: 00 61 00 6E 00 6E 00 65  00 6C 00 00 00 02 0E 10  .a.n.n.e.l......
00000370: 00 01 04 01 FF FF 3A 00  00 00 3B 6E 08 00 43 00  ......:...;n..C.
00000380: 6F 00 6D 00 70 00 75 00  74 00 65 00 72 00 00 00  o.m.p.u.t.e.r...
00000390: 02 05 01 0F 00 57 00 49  00 4E 00 2D 00 44 00 36  .....W.I.N.-.D.6
000003A0: 00 43 00 39 00 53 00 4F  00 31 00 4F 00 34 00 51  .C.9.S.O.1.O.4.Q
000003B0: 00 53 00 04 41 FF FF 32  00 00 00 A0 2E 08 00 53  .S..A..2.......S
000003C0: 00 65 00 63 00 75 00 72  00 69 00 74 00 79 00 00  .e.c.u.r.i.t.y..
000003D0: 00 17 00 00 00 06 66 4C  06 00 55 00 73 00 65 00  ......fL..U.s.e.
000003E0: 72 00 49 00 44 00 00 00  0E 0C 00 13 03 04 0E 11  r.I.D...........
000003F0: 00 21 04 00 12 00 00 00  01 00 04 00 01 00 04 00  .!..............
00000400: 02 00 06 00 02 00 06 00  00 00 00 00 08 00 15 00  ................
00000410: 08 00 11 00 00 00 00 00  04 00 08 00 04 00 08 00  ................
00000420: 08 00 0A 00 01 00 04 00  00 00 00 00 00 00 00 00  ................
00000430: 46 00 01 00 10 00 0F 00  10 00 01 00 41 04 21 00  F...........A.!.
00000440: 00 00 04 31 40 12 00 00  00 00 00 00 20 80 F7 B6  ...1@....... ...
00000450: D7 54 D6 F9 D2 01 0C 02  00 00 24 02 00 00 05 00  .T........$.....
00000460: 00 00 00 00 00 00 00 4D  00 69 00 63 00 72 00 6F  .......M.i.c.r.o
00000470: 00 73 00 6F 00 66 00 74  00 2D 00 57 00 69 00 6E  .s.o.f.t.-.W.i.n
00000480: 00 64 00 6F 00 77 00 73  00 2D 00 53 00 65 00 63  .d.o.w.s.-.S.e.c
00000490: 00 75 00 72 00 69 00 74  00 79 00 2D 00 41 00 75  .u.r.i.t.y.-.A.u
000004A0: 00 64 00 69 00 74 00 69  00 6E 00 67 00 25 96 84  .d.i.t.i.n.g.%..
000004B0: 54 78 54 94 49 A5 BA 3E  3B 03 28 C3 0D 53 00 65  TxT.I..>;.(..S.e
000004C0: 00 63 00 75 00 72 00 69  00 74 00 79 00 0F 01 01  .c.u.r.i.t.y....
000004D0: 00 0C 00 AE 0F 78 AB 43  1F 82 08 C5 93 C2 2D 02  .....x.C......-.
000004E0: 05 9E 1C B2 01 00 00 0F  01 01 00 01 FF FF A6 01  ................
000004F0: 00 00 44 82 09 00 45 00  76 00 65 00 6E 00 74 00  ..D...E.v.e.n.t.
00000500: 44 00 61 00 74 00 61 00  00 00 02 41 FF FF 47 00  D.a.t.a....A..G.
00000510: 00 00 8A 6F 04 00 44 00  61 00 74 00 61 00 00 00  ...o..D.a.t.a...
00000520: 2F 00 00 00 06 4B 95 04  00 4E 00 61 00 6D 00 65  /....K...N.a.m.e
00000530: 00 00 00 05 01 0E 00 53  00 75 00 62 00 6A 00 65  .......S.u.b.j.e
00000540: 00 63 00 74 00 55 00 73  00 65 00 72 00 53 00 69  .c.t.U.s.e.r.S.i
00000550: 00 64 00 02 0D 00 00 13  04 41 FF FF 49 00 00 00  .d.......A..I...
00000560: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 31 00  .o..D.a.t.a...1.
00000570: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
00000580: 00 05 01 0F 00 53 00 75  00 62 00 6A 00 65 00 63  .....S.u.b.j.e.c
00000590: 00 74 00 55 00 73 00 65  00 72 00 4E 00 61 00 6D  .t.U.s.e.r.N.a.m
000005A0: 00 65 00 02 0D 01 00 01  04 41 FF FF 4D 00 00 00  .e.......A..M...
000005B0: 8A 6F 04 00 44 00 61 00  74 00 61 00 00 00 35 00  .o..D.a.t.a...5.
000005C0: 00 00 06 4B 95 04 00 4E  00 61 00 6D 00 65 00 00  ...K...N.a.m.e..
000005D0: 00 05 01 11 00 53 00 75  00 62 00 6A 00 65 00 63  .....S.u.b.j.e.c
000005E0: 00 74 00 44 00 6F 00 6D  00 61 00 69 00 6E 00 4E  .t.D.o.m.a.i.n.N
000005F0: 00 61 00 6D 00 65 00 02  0D 02 00 01 04 41 FF FF  .a.m.e.......A..
00000600: 47 00 00 00 8A 6F 04 00  44 00 61 00 74 00 61 00  G....o..D.a.t.a.
00000610: 00 00 2F 00 00 00 06 4B  95 04 00 4E 00 61 00 6D  ../....K...N.a.m
00000620: 00 65 00 00 00 05 01 0E  00 53 00 75 00 62 00 6A  .e.......S.u.b.j
00000630: 00 65 00 63 00 74 00 4C  00 6F 00 67 00 6F 00 6E  .e.c.t.L.o.g.o.n
00000640: 00 49 00 64 00 02 0D 03  00 15 04 41 FF FF 45 00  .I.d.......A..E.
00000650: 00 00 8A 6F 04 00 44 00  61 00 74 00 61 00 00 00  ...o..D.a.t.a...
00000660: 2D 00 00 00 06 4B 95 04  00 4E 00 61 00 6D 00 65  -....K...N.a.m.e
00000670: 00 00 00 05 01 0D 00 50  00 72 00 69 00 76 00 69  .......P.r.i.v.i
00000680: 00 6C 00 65 00 67 00 65  00 4C 00 69 00 73 00 74  .l.e.g.e.L.i.s.t
00000690: 00 02 0D 04 00 01 04 04  00 05 00 00 00 0C 00 13  ................
000006A0: 00 0C 00 01 00 18 00 01  00 08 00 15 00 24 02 01  .............$..
000006B0: 00 01 01 00 00 00 00 00  05 12 00 00 00 53 00 59  .............S.Y
000006C0: 00 53 00 54 00 45 00 4D  00 4E 00 54 00 20 00 41  .S.T.E.M.N.T. .A
000006D0: 00 55 00 54 00 48 00 4F  00 52 00 49 00 54 00 59  .U.T.H.O.R.I.T.Y
000006E0: 00 E7 03 00 00 00 00 00  00 53 00 65 00 41 00 73  .........S.e.A.s
000006F0: 00 73 00 69 00 67 00 6E  00 50 00 72 00 69 00 6D  .s.i.g.n.P.r.i.m
00000700: 00 61 00 72 00 79 00 54  00 6F 00 6B 00 65 00 6E  .a.r.y.T.o.k.e.n
00000710: 00 50 00 72 00 69 00 76  00 69 00 6C 00 65 00 67  .P.r.i.v.i.l.e.g
00000720: 00 65 00 0D 00 0A 00 09  00 09 00 09 00 53 00 65  .e...........S.e
00000730: 00 54 00 63 00 62 00 50  00 72 00 69 00 76 00 69  .T.c.b.P.r.i.v.i
00000740: 00 6C 00 65 00 67 00 65  00 0D 00 0A 00 09 00 09  .l.e.g.e........
00000750: 00 09 00 53 00 65 00 53  00 65 00 63 00 75 00 72  ...S.e.S.e.c.u.r
00000760: 00 69 00 74 00 79 00 50  00 72 00 69 00 76 00 69  .i.t.y.P.r.i.v.i
00000770: 00 6C 00 65 00 67 00 65  00 0D 00 0A 00 09 00 09  .l.e.g.e........
00000780: 00 09 00 53 00 65 00 54  00 61 00 6B 00 65 00 4F  ...S.e.T.a.k.e.O
00000790: 00 77 00 6E 00 65 00 72  00 73 00 68 00 69 00 70  .w.n.e.r.s.h.i.p
000007A0: 00 50 00 72 00 69 00 76  00 69 00 6C 00 65 00 67  .P.r.i.v.i.l.e.g
000007B0: 00 65 00 0D 00 0A 00 09  00 09 00 09 00 53 00 65  .e...........S.e
000007C0: 00 4C 00 6F 00 61 00 64  00 44 00 72 00 69 00 76  .L.o.a.d.D.r.i.v
000007D0: 00 65 00 72 00 50 00 72  00 69 00 76 00 69 00 6C  .e.r.P.r.i.v.i.l
000007E0: 00 65 00 67 00 65 00 0D  00 0A 00 09 00 09 00 09  .e.g.e..........
000007F0: 00 53 00 65 00 42 00 61  00 63 00 6B 00 75 00 70  .S.e.B.a.c.k.u.p
00000800: 00 50 00 72 00 69 00 76  00 69 00 6C 00 65 00 67  .P.r.i.v.i.l.e.g
00000810: 00 65 00 0D 00 0A 00 09  00 09 00 09 00 53 00 65  .e...........S.e
00000820: 00 52 00 65 00 73 00 74  00 6F 00 72 00 65 00 50  .R.e.s.t.o.r.e.P
00000830: 00 72 00 69 00 76 00 69  00 6C 00 65 00 67 00 65  .r.i.v.i.l.e.g.e
00000840: 00 0D 00 0A 00 09 00 09  00 09 00 53 00 65 00 44  ...........S.e.D
00000850: 00 65 00 62 00 75 00 67  00 50 00 72 00 69 00 76  .e.b.u.g.P.r.i.v
00000860: 00 69 00 6C 00 65 00 67  00 65 00 0D 00 0A 00 09  .i.l.e.g.e......
00000870: 00 09 00 09 00 53 00 65  00 41 00 75 00 64 00 69  .....S.e.A.u.d.i
00000880: 00 74 00 50 00 72 00 69  00 76 00 69 00 6C 00 65  .t.P.r.i.v.i.l.e
00000890: 00 67 00 65 00 0D 00 0A  00 09 00 09 00 09 00 53  .g.e...........S
000008A0: 00 65 00 53 00 79 00 73  00 74 00 65 00 6D 00 45  .e.S.y.s.t.e.m.E
000008B0: 00 6E 00 76 00 69 00 72  00 6F 00 6E 00 6D 00 65  .n.v.i.r.o.n.m.e
000008C0: 00 6E 00 74 00 50 00 72  00 69 00 76 00 69 00 6C  .n.t.P.r.i.v.i.l
000008D0: 00 65 00 67 00 65 00 0D  00 0A 00 09 00 09 00 09  .e.g.e..........
000008E0: 00 53 00 65 00 49 00 6D  00 70 00 65 00 72 00 73  .S.e.I.m.p.e.r.s
000008F0: 00 6F 00 6E 00 61 00 74  00 65 00 50 00 72 00 69  .o.n.a.t.e.P.r.i
00000900: 00 76 00 69 00 6C 00 65  00 67 00 65 00 00 00 00  .v.i.l.e.g.e....
00000910: 00 00 00 20 00 00 00 18  00 00 00 01 00 00 00 00  ... ............
00000920: 00 00 00 00 00 00 00 18  00 00 00 05 00 00 00 00  ................
00000930: 00 00 00                                          ...
None
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

williballenthin · 2017-08-14T16:15:40Z

here's the raw data from an evtx event entry:

00000000: 2A 2A 00 00 80 08 00 00  11 2F 00 00 00 00 00 00  **......./......
00000010: 9B E7 03 67 99 01 CD 01  0F 01 01 00 0C 01 20 EE  ...g.......... .
00000020: 2A F3 26 02 00 00 00 00  00 00 20 EE 2A F3 D7 AC  *.&....... .*...
00000030: 9A B4 F8 46 1F 9B D8 E4  C1 D0 69 05 00 00 0F 01  ...F......i.....
00000040: 01 00 41 FF FF 5D 05 00  00 4D 02 00 00 00 00 00  ..A..]...M......
00000050: 00 BA 0C 05 00 45 00 76  00 65 00 6E 00 74 00 00  .....E.v.e.n.t..
00000060: 00 87 00 00 00 06 6A 02  00 00 00 00 00 00 BC 0F  ......j.........
00000070: 05 00 78 00 6D 00 6C 00  6E 00 73 00 00 00 05 01  ..x.m.l.n.s.....
00000080: 35 00 68 00 74 00 74 00  70 00 3A 00 2F 00 2F 00  5.h.t.t.p.:././.
00000090: 73 00 63 00 68 00 65 00  6D 00 61 00 73 00 2E 00  s.c.h.e.m.a.s...
000000A0: 6D 00 69 00 63 00 72 00  6F 00 73 00 6F 00 66 00  m.i.c.r.o.s.o.f.
000000B0: 74 00 2E 00 63 00 6F 00  6D 00 2F 00 77 00 69 00  t...c.o.m./.w.i.
000000C0: 6E 00 2F 00 32 00 30 00  30 00 34 00 2F 00 30 00  n./.2.0.0.4./.0.
000000D0: 38 00 2F 00 65 00 76 00  65 00 6E 00 74 00 73 00  8./.e.v.e.n.t.s.
000000E0: 2F 00 65 00 76 00 65 00  6E 00 74 00 02 01 FF FF  /.e.v.e.n.t.....
000000F0: 86 04 00 00 F8 02 00 00  00 00 00 00 6F 54 06 00  ............oT..
00000100: 53 00 79 00 73 00 74 00  65 00 6D 00 00 00 02 41  S.y.s.t.e.m....A
00000110: FF FF D9 00 00 00 1A 03  00 00 00 00 00 00 F1 7B  ...............{
00000120: 08 00 50 00 72 00 6F 00  76 00 69 00 64 00 65 00  ..P.r.o.v.i.d.e.
00000130: 72 00 00 00 B6 00 00 00  46 3D 03 00 00 00 00 00  r.......F=......
00000140: 00 4B 95 04 00 4E 00 61  00 6D 00 65 00 00 00 05  .K...N.a.m.e....
00000150: 01 1A 00 4D 00 69 00 63  00 72 00 6F 00 73 00 6F  ...M.i.c.r.o.s.o
00000160: 00 66 00 74 00 2D 00 57  00 69 00 6E 00 64 00 6F  .f.t.-.W.i.n.d.o
00000170: 00 77 00 73 00 2D 00 45  00 76 00 65 00 6E 00 74  .w.s.-.E.v.e.n.t
00000180: 00 6C 00 6F 00 67 00 06  8C 03 00 00 00 00 00 00  .l.o.g..........
00000190: 29 15 04 00 47 00 75 00  69 00 64 00 00 00 05 01  )...G.u.i.d.....
000001A0: 26 00 7B 00 66 00 63 00  36 00 35 00 64 00 64 00  &.{.f.c.6.5.d.d.
000001B0: 64 00 38 00 2D 00 64 00  36 00 65 00 66 00 2D 00  d.8.-.d.6.e.f.-.
000001C0: 34 00 39 00 36 00 32 00  2D 00 38 00 33 00 64 00  4.9.6.2.-.8.3.d.
000001D0: 35 00 2D 00 36 00 65 00  35 00 63 00 66 00 65 00  5.-.6.e.5.c.f.e.
000001E0: 39 00 63 00 65 00 31 00  34 00 38 00 7D 00 03 41  9.c.e.1.4.8.}..A
000001F0: 03 00 4D 00 00 00 FA 03  00 00 00 00 00 00 F5 61  ..M............a
00000200: 07 00 45 00 76 00 65 00  6E 00 74 00 49 00 44 00  ..E.v.e.n.t.I.D.
00000210: 00 00 27 00 00 00 06 1B  04 00 00 8C 03 00 00 29  ..'............)
00000220: DA 0A 00 51 00 75 00 61  00 6C 00 69 00 66 00 69  ...Q.u.a.l.i.f.i
00000230: 00 65 00 72 00 73 00 00  00 0E 04 00 06 02 0E 03  .e.r.s..........
00000240: 00 06 04 01 0B 00 22 00  00 00 4E 04 00 00 00 00  ......"...N.....
00000250: 00 00 18 09 07 00 56 00  65 00 72 00 73 00 69 00  ......V.e.r.s.i.
00000260: 6F 00 6E 00 00 00 02 0E  0B 00 04 04 01 00 00 1E  o.n.............
00000270: 00 00 00 77 04 00 00 00  00 00 00 64 CE 05 00 4C  ...w.......d...L
00000280: 00 65 00 76 00 65 00 6C  00 00 00 02 0E 00 00 04  .e.v.e.l........
00000290: 04 01 02 00 1C 00 00 00  9C 04 00 00 00 00 00 00  ................
000002A0: 45 7B 04 00 54 00 61 00  73 00 6B 00 00 00 02 0E  E{..T.a.s.k.....
000002B0: 02 00 06 04 01 01 00 20  00 00 00 BF 04 00 00 00  ....... ........
000002C0: 00 00 00 AE 1E 06 00 4F  00 70 00 63 00 6F 00 64  .......O.p.c.o.d
000002D0: 00 65 00 00 00 02 0E 01  00 04 04 01 05 00 24 00  .e............$.
000002E0: 00 00 E6 04 00 00 00 00  00 00 6A CF 08 00 4B 00  ..........j...K.
000002F0: 65 00 79 00 77 00 6F 00  72 00 64 00 73 00 00 00  e.y.w.o.r.d.s...
00000300: 02 0E 05 00 15 04 41 FF  FF 50 00 00 00 11 05 00  ......A..P......
00000310: 00 00 00 00 00 3B 8E 0B  00 54 00 69 00 6D 00 65  .....;...T.i.m.e
00000320: 00 43 00 72 00 65 00 61  00 74 00 65 00 64 00 00  .C.r.e.a.t.e.d..
00000330: 00 27 00 00 00 06 3A 05  00 00 6A 02 00 00 3C 7B  .'....:...j...<{
00000340: 0A 00 53 00 79 00 73 00  74 00 65 00 6D 00 54 00  ..S.y.s.t.e.m.T.
00000350: 69 00 6D 00 65 00 00 00  0E 06 00 11 03 01 0A 00  i.m.e...........
00000360: 2E 00 00 00 68 05 00 00  00 00 00 00 46 03 0D 00  ....h.......F...
00000370: 45 00 76 00 65 00 6E 00  74 00 52 00 65 00 63 00  E.v.e.n.t.R.e.c.
00000380: 6F 00 72 00 64 00 49 00  44 00 00 00 02 0E 0A 00  o.r.d.I.D.......
00000390: 0A 04 41 FF FF 85 00 00  00 9D 05 00 00 00 00 00  ..A.............
000003A0: 00 A2 F2 0B 00 43 00 6F  00 72 00 72 00 65 00 6C  .....C.o.r.r.e.l
000003B0: 00 61 00 74 00 69 00 6F  00 6E 00 00 00 5C 00 00  .a.t.i.o.n...\..
000003C0: 00 46 C6 05 00 00 00 00  00 00 0A F1 0A 00 41 00  .F............A.
000003D0: 63 00 74 00 69 00 76 00  69 00 74 00 79 00 49 00  c.t.i.v.i.t.y.I.
000003E0: 44 00 00 00 0E 07 00 0F  06 ED 05 00 00 FA 03 00  D...............
000003F0: 00 35 C5 11 00 52 00 65  00 6C 00 61 00 74 00 65  .5...R.e.l.a.t.e
00000400: 00 64 00 41 00 63 00 74  00 69 00 76 00 69 00 74  .d.A.c.t.i.v.i.t
00000410: 00 79 00 49 00 44 00 00  00 0E 12 00 0F 03 41 FF  .y.I.D........A.
00000420: FF 6D 00 00 00 29 06 00  00 00 00 00 00 B8 B5 09  .m...)..........
00000430: 00 45 00 78 00 65 00 63  00 75 00 74 00 69 00 6F  .E.x.e.c.u.t.i.o
00000440: 00 6E 00 00 00 48 00 00  00 46 4E 06 00 00 C6 05  .n...H...FN.....
00000450: 00 00 0A D7 09 00 50 00  72 00 6F 00 63 00 65 00  ......P.r.o.c.e.
00000460: 73 00 73 00 49 00 44 00  00 00 0E 08 00 08 06 73  s.s.I.D........s
00000470: 06 00 00 9C 04 00 00 85  39 08 00 54 00 68 00 72  ........9..T.h.r
00000480: 00 65 00 61 00 64 00 49  00 44 00 00 00 0E 09 00  .e.a.d.I.D......
00000490: 08 03 01 FF FF 2E 00 00  00 9D 06 00 00 00 00 00  ................
000004A0: 00 83 61 07 00 43 00 68  00 61 00 6E 00 6E 00 65  ..a..C.h.a.n.n.e
000004B0: 00 6C 00 00 00 02 05 01  06 00 53 00 79 00 73 00  .l........S.y.s.
000004C0: 74 00 65 00 6D 00 04 01  FF FF 62 00 00 00 D2 06  t.e.m.....b.....
000004D0: 00 00 11 05 00 00 3B 6E  08 00 43 00 6F 00 6D 00  ......;n..C.o.m.
000004E0: 70 00 75 00 74 00 65 00  72 00 00 00 02 05 01 1F  p.u.t.e.r.......
000004F0: 00 57 00 4B 00 53 00 2D  00 57 00 49 00 4E 00 37  .W.K.S.-.W.I.N.7
00000500: 00 36 00 34 00 42 00 49  00 54 00 42 00 2E 00 73  .6.4.B.I.T.B...s
00000510: 00 68 00 69 00 65 00 6C  00 64 00 62 00 61 00 73  .h.i.e.l.d.b.a.s
00000520: 00 65 00 2E 00 6C 00 6F  00 63 00 61 00 6C 00 04  .e...l.o.c.a.l..
00000530: 41 FF FF 42 00 00 00 3B  07 00 00 00 00 00 00 A0  A..B...;........
00000540: 2E 08 00 53 00 65 00 63  00 75 00 72 00 69 00 74  ...S.e.c.u.r.i.t
00000550: 00 79 00 00 00 1F 00 00  00 06 5E 07 00 00 00 00  .y........^.....
00000560: 00 00 66 4C 06 00 55 00  73 00 65 00 72 00 49 00  ..fL..U.s.e.r.I.
00000570: 44 00 00 00 0E 0C 00 13  03 04 01 13 00 24 00 00  D............$..
00000580: 00 85 07 00 00 ED 05 00  00 35 44 08 00 55 00 73  .........5D..U.s
00000590: 00 65 00 72 00 44 00 61  00 74 00 61 00 00 00 02  .e.r.D.a.t.a....
000005A0: 0E 13 00 21 04 04 00 14  00 00 00 01 00 04 00 01  ...!............
000005B0: 00 04 00 02 00 06 00 02  00 06 00 00 00 00 00 08  ................
000005C0: 00 15 00 08 00 11 00 00  00 00 00 04 00 08 00 04  ................
000005D0: 00 08 00 08 00 0A 00 01  00 04 00 00 00 00 00 00  ................
000005E0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000005F0: 00 00 00 00 00 00 00 55  02 21 00 04 00 69 00 69  .......U.!...i.i
00000600: 00 00 00 00 00 00 00 00  80 9B E7 03 67 99 01 CD  ............g...
00000610: 01 34 03 00 00 34 0B 00  00 11 2F 00 00 00 00 00  .4...4..../.....
00000620: 00 00 0F 01 01 00 0C 01  28 CA CA 44 30 08 00 00  ........(..D0...
00000630: 00 00 00 00 28 CA CA 44  8C 1E C6 67 B3 01 57 E2  ....(..D...g..W.
00000640: 1E 10 B5 7B 80 01 00 00  0F 01 01 00 41 FF FF 74  ...{........A..t
00000650: 01 00 00 57 08 00 00 00  00 00 00 91 80 0A 00 41  ...W...........A
00000660: 00 75 00 74 00 6F 00 42  00 61 00 63 00 6B 00 75  .u.t.o.B.a.c.k.u
00000670: 00 70 00 00 00 0C 01 00  00 46 7E 08 00 00 00 00  .p.......F~.....
00000680: 00 00 4E 77 0E 00 78 00  6D 00 6C 00 6E 00 73 00  ..Nw..x.m.l.n.s.
00000690: 3A 00 61 00 75 00 74 00  6F 00 2D 00 6E 00 73 00  :.a.u.t.o.-.n.s.
000006A0: 33 00 00 00 05 01 2F 00  68 00 74 00 74 00 70 00  3...../.h.t.t.p.
000006B0: 3A 00 2F 00 2F 00 73 00  63 00 68 00 65 00 6D 00  :././.s.c.h.e.m.
000006C0: 61 00 73 00 2E 00 6D 00  69 00 63 00 72 00 6F 00  a.s...m.i.c.r.o.
000006D0: 73 00 6F 00 66 00 74 00  2E 00 63 00 6F 00 6D 00  s.o.f.t...c.o.m.
000006E0: 2F 00 77 00 69 00 6E 00  2F 00 32 00 30 00 30 00  /.w.i.n./.2.0.0.
000006F0: 34 00 2F 00 30 00 38 00  2F 00 65 00 76 00 65 00  4./.0.8./.e.v.e.
00000700: 6E 00 74 00 73 00 06 6A  02 00 00 05 01 3B 00 68  n.t.s..j.....;.h
00000710: 00 74 00 74 00 70 00 3A  00 2F 00 2F 00 6D 00 61  .t.t.p.:././.m.a
00000720: 00 6E 00 69 00 66 00 65  00 73 00 74 00 73 00 2E  .n.i.f.e.s.t.s..
00000730: 00 6D 00 69 00 63 00 72  00 6F 00 73 00 6F 00 66  .m.i.c.r.o.s.o.f
00000740: 00 74 00 2E 00 63 00 6F  00 6D 00 2F 00 77 00 69  .t...c.o.m./.w.i
00000750: 00 6E 00 2F 00 32 00 30  00 30 00 34 00 2F 00 30  .n./.2.0.0.4./.0
00000760: 00 38 00 2F 00 77 00 69  00 6E 00 64 00 6F 00 77  .8./.w.i.n.d.o.w
00000770: 00 73 00 2F 00 65 00 76  00 65 00 6E 00 74 00 6C  .s./.e.v.e.n.t.l
00000780: 00 6F 00 67 00 02 01 FF  FF 0A 00 00 00 9D 06 00  .o.g............
00000790: 00 02 0D 00 00 01 04 01  FF FF 28 00 00 00 A2 09  ..........(.....
000007A0: 00 00 00 00 00 00 27 BA  0A 00 42 00 61 00 63 00  ......'...B.a.c.
000007B0: 6B 00 75 00 70 00 50 00  61 00 74 00 68 00 00 00  k.u.p.P.a.t.h...
000007C0: 02 0D 01 00 01 04 04 00  02 00 00 00 0C 00 01 00  ................
000007D0: 96 00 01 00 53 00 79 00  73 00 74 00 65 00 6D 00  ....S.y.s.t.e.m.
000007E0: 43 00 3A 00 5C 00 57 00  69 00 6E 00 64 00 6F 00  C.:.\.W.i.n.d.o.
000007F0: 77 00 73 00 5C 00 53 00  79 00 73 00 74 00 65 00  w.s.\.S.y.s.t.e.
00000800: 6D 00 33 00 32 00 5C 00  57 00 69 00 6E 00 65 00  m.3.2.\.W.i.n.e.
00000810: 76 00 74 00 5C 00 4C 00  6F 00 67 00 73 00 5C 00  v.t.\.L.o.g.s.\.
00000820: 41 00 72 00 63 00 68 00  69 00 76 00 65 00 2D 00  A.r.c.h.i.v.e.-.
00000830: 53 00 79 00 73 00 74 00  65 00 6D 00 2D 00 32 00  S.y.s.t.e.m.-.2.
00000840: 30 00 31 00 32 00 2D 00  30 00 33 00 2D 00 31 00  0.1.2.-.0.3.-.1.
00000850: 34 00 2D 00 30 00 34 00  2D 00 31 00 37 00 2D 00  4.-.0.4.-.1.7.-.
00000860: 33 00 39 00 2D 00 39 00  33 00 32 00 2E 00 65 00  3.9.-.9.3.2...e.
00000870: 76 00 74 00 78 00 00 00  00 04 00 00 80 08 00 00  v.t.x...........

and the parsed structure:

record(absolute_offset=4608)
RootNode(offset=0x18)
  StreamStartNode(offset=0x18)
  TemplateInstanceNode(offset=0x1c, resident=True, length=0x569)
    TemplateNode(offset=0x26)
      StreamStartNode(offset=0x3e)
      OpenStartElementNode(offset=0x42)
        AttributeNode(offset=0x65)
          ValueNode(offset=0x7e)
            WstringTypeNode(offset=0x80) --> http://schemas.microsoft.com/win/2004/08/events/event
        CloseStartElementNode(offset=0xec)
        OpenStartElementNode(offset=0xed)
          CloseStartElementNode(offset=0x10e)
          OpenStartElementNode(offset=0x10f)
            AttributeNode(offset=0x138)
              ValueNode(offset=0x14f)
                WstringTypeNode(offset=0x151) --> Microsoft-Windows-Eventlog
            AttributeNode(offset=0x187)
              ValueNode(offset=0x19e)
                WstringTypeNode(offset=0x1a0) --> {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
            CloseEmptyElementNode(offset=0x1ee)
          OpenStartElementNode(offset=0x1ef)
            AttributeNode(offset=0x216)
              ConditionalSubstitutionNode(offset=0x239)
            CloseStartElementNode(offset=0x23d)
            ConditionalSubstitutionNode(offset=0x23e)
            CloseElementNode(offset=0x242)
          OpenStartElementNode(offset=0x243)
            CloseStartElementNode(offset=0x266)
            ConditionalSubstitutionNode(offset=0x267)
            CloseElementNode(offset=0x26b)
          OpenStartElementNode(offset=0x26c)
            CloseStartElementNode(offset=0x28b)
            ConditionalSubstitutionNode(offset=0x28c)
            CloseElementNode(offset=0x290)
          OpenStartElementNode(offset=0x291)
            CloseStartElementNode(offset=0x2ae)
            ConditionalSubstitutionNode(offset=0x2af)
            CloseElementNode(offset=0x2b3)
          OpenStartElementNode(offset=0x2b4)
            CloseStartElementNode(offset=0x2d5)
            ConditionalSubstitutionNode(offset=0x2d6)
            CloseElementNode(offset=0x2da)
          OpenStartElementNode(offset=0x2db)
            CloseStartElementNode(offset=0x300)
            ConditionalSubstitutionNode(offset=0x301)
            CloseElementNode(offset=0x305)
          OpenStartElementNode(offset=0x306)
            AttributeNode(offset=0x335)
              ConditionalSubstitutionNode(offset=0x358)
            CloseEmptyElementNode(offset=0x35c)
          OpenStartElementNode(offset=0x35d)
            CloseStartElementNode(offset=0x38c)
            ConditionalSubstitutionNode(offset=0x38d)
            CloseElementNode(offset=0x391)
          OpenStartElementNode(offset=0x392)
            AttributeNode(offset=0x3c1)
              ConditionalSubstitutionNode(offset=0x3e4)
            AttributeNode(offset=0x3e8)
              ConditionalSubstitutionNode(offset=0x419)
            CloseEmptyElementNode(offset=0x41d)
          OpenStartElementNode(offset=0x41e)
            AttributeNode(offset=0x449)
              ConditionalSubstitutionNode(offset=0x46a)
            AttributeNode(offset=0x46e)
              ConditionalSubstitutionNode(offset=0x48d)
            CloseEmptyElementNode(offset=0x491)
          OpenStartElementNode(offset=0x492)
            CloseStartElementNode(offset=0x4b5)
            ValueNode(offset=0x4b6)
              WstringTypeNode(offset=0x4b8) --> System
            CloseElementNode(offset=0x4c6)
          OpenStartElementNode(offset=0x4c7)
            CloseStartElementNode(offset=0x4ec)
            ValueNode(offset=0x4ed)
              WstringTypeNode(offset=0x4ef) --> WKS-WIN764BITB.shieldbase.local
            CloseElementNode(offset=0x52f)
          OpenStartElementNode(offset=0x530)
            AttributeNode(offset=0x559)
              ConditionalSubstitutionNode(offset=0x574)
            CloseEmptyElementNode(offset=0x578)
          CloseElementNode(offset=0x579)
        OpenStartElementNode(offset=0x57a)
          CloseStartElementNode(offset=0x59f)
          ConditionalSubstitutionNode(offset=0x5a0)
          CloseElementNode(offset=0x5a4)
        CloseElementNode(offset=0x5a5)
      EndOfStreamNode(offset=0x5a6)
  Substitutions(offset=0x5a7)
    UnsignedByteTypeNode(offset=0x5fb) --> 4
    UnsignedByteTypeNode(offset=0x5fc) --> 0
    UnsignedWordTypeNode(offset=0x5fd) --> 105
    UnsignedWordTypeNode(offset=0x5ff) --> 105
    NullTypeNode(offset=0x601)
    Hex64TypeNode(offset=0x601) --> 0x8000000000000000
    FiletimeTypeNode(offset=0x609) --> 2012-03-14 04:17:43.354563
    NullTypeNode(offset=0x611)
    UnsignedDwordTypeNode(offset=0x611) --> 820
    UnsignedDwordTypeNode(offset=0x615) --> 2868
    UnsignedQwordTypeNode(offset=0x619) --> 12049
    UnsignedByteTypeNode(offset=0x621) --> 0
    NullTypeNode(offset=0x622)
    NullTypeNode(offset=0x622)
    NullTypeNode(offset=0x622)
    NullTypeNode(offset=0x622)
    NullTypeNode(offset=0x622)
    NullTypeNode(offset=0x622)
    NullTypeNode(offset=0x622)
    BXmlTypeNode(offset=0x622) --> 
      RootNode(offset=0x622)
        StreamStartNode(offset=0x622)
        TemplateInstanceNode(offset=0x626, resident=True, length=0x180)
          TemplateNode(offset=0x630)
            StreamStartNode(offset=0x648)
            OpenStartElementNode(offset=0x64c)
              AttributeNode(offset=0x679)
                ValueNode(offset=0x6a4)
                  WstringTypeNode(offset=0x6a6) --> http://schemas.microsoft.com/win/2004/08/events
              AttributeNode(offset=0x706)
                ValueNode(offset=0x70b)
                  WstringTypeNode(offset=0x70d) --> http://manifests.microsoft.com/win/2004/08/windows/eventlog
              CloseStartElementNode(offset=0x785)
              OpenStartElementNode(offset=0x786)
                CloseStartElementNode(offset=0x791)
                NormalSubstitutionNode(offset=0x792)
                CloseElementNode(offset=0x796)
              OpenStartElementNode(offset=0x797)
                CloseStartElementNode(offset=0x7c0)
                NormalSubstitutionNode(offset=0x7c1)
                CloseElementNode(offset=0x7c5)
              CloseElementNode(offset=0x7c6)
            EndOfStreamNode(offset=0x7c7)
        Substitutions(offset=0x7c8)
          WstringTypeNode(offset=0x7d4) --> System
          WstringTypeNode(offset=0x7e0) --> C:\Windows\System32\Winevt\Logs\Archive-System-2012-03-14-04-17-39-932.evtx

and the rendered record:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"></Provider>
<EventID Qualifiers="">105</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>105</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-03-14 04:17:43.354563"></TimeCreated>
<EventRecordID>12049</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="820" ThreadID="2868"></Execution>
<Channel>System</Channel>
<Computer>WKS-WIN764BITB.shieldbase.local</Computer>
<Security UserID=""></Security>
</System>
<UserData><AutoBackup xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><Channel>System</Channel>
<BackupPath>C:\Windows\System32\Winevt\Logs\Archive-System-2012-03-14-04-17-39-932.evtx</BackupPath>
</AutoBackup>
</UserData>
</Event>

williballenthin · 2017-08-14T16:18:43Z

looks like offset 0x14 from the RPC data matches offset 0x18 from the evtx file data, which is the start of the bxml root node. this is good news!

let me see what happens when i try to blindly parse the RPC data using the evtx file parser.

williballenthin · 2017-08-14T20:00:24Z

hi @MrAnde7son

It looks like these two data sources use the same serialization format to encode the XML data. I think it will be possible to extend python-evtx to support the flags used by the RPC data. unfortunately, since i hadn't seen these flags before, the parser doesn't support them yet. i'll need to spend a bit of time to get everything working together.

as a bit of background... the evtx file format allows records to share sub-structures and lets messages that re-use strings reference one another. i presume this helps with memory usage and file sizes. in the format used by the RPC service, the data is stored self-contained and in-line. i need to tweak the way the library tracks possibly shared resources such as sub-structure and strings to support this in-line mechanism.

MrAnde7son · 2017-08-15T19:49:50Z

Awesome! Thanks @williballenthin . Looking forward..

Mikkgn · 2017-10-25T05:15:13Z

hi @williballenthin

I encountered with the same problem and didnt find any python library, wich can be helpful me. Can I expect a function to be implemented in your library?

spinenkoia · 2021-10-05T12:48:39Z

@MrAnde7son did you manage to use the library ? There is a ready-made solution
https://github.com/irtimmer/tivan/blob/master/tivan/parser/binxml.py

Sankgreall · 2022-07-12T23:04:13Z

If I can, I'd like to re-open this. My use case is slightly different, where I am using data lakes to carve event logs from super high fidelity storage in a memory efficient way. Currently I am able to map out all the chunks and records using all the available documentation on the event log specification, but the BinXML issue I am finding more challenging.

Like @MrAnde7son, I have raw byte array, except mine has just been carved from the event log file.

@spinenkoia, I have been looking at your script you linked interest, but the data I have doesn't match the specification. Although I pass the BinXML instantiation, I error out due to having an unknown template token.

Any advice anyone can offer?

williballenthin added the enhancement label Aug 14, 2017

williballenthin mentioned this issue Aug 14, 2017

for your information: other uses of binary xml libyal/libevtx#11

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Parsing BinXML format #42

Parsing BinXML format #42

MrAnde7son commented Aug 14, 2017

williballenthin commented Aug 14, 2017

MrAnde7son commented Aug 14, 2017 •

edited

Loading

williballenthin commented Aug 14, 2017

MrAnde7son commented Aug 14, 2017

williballenthin commented Aug 14, 2017

williballenthin commented Aug 14, 2017

williballenthin commented Aug 14, 2017 •

edited

Loading

MrAnde7son commented Aug 15, 2017 •

edited

Loading

Mikkgn commented Oct 25, 2017

spinenkoia commented Oct 5, 2021

Sankgreall commented Jul 12, 2022 •

edited

Loading

Parsing BinXML format #42

Parsing BinXML format #42

Comments

MrAnde7son commented Aug 14, 2017

williballenthin commented Aug 14, 2017

MrAnde7son commented Aug 14, 2017 • edited Loading

williballenthin commented Aug 14, 2017

MrAnde7son commented Aug 14, 2017

williballenthin commented Aug 14, 2017

williballenthin commented Aug 14, 2017

williballenthin commented Aug 14, 2017 • edited Loading

MrAnde7son commented Aug 15, 2017 • edited Loading

Mikkgn commented Oct 25, 2017

spinenkoia commented Oct 5, 2021

Sankgreall commented Jul 12, 2022 • edited Loading

MrAnde7son commented Aug 14, 2017 •

edited

Loading

williballenthin commented Aug 14, 2017 •

edited

Loading

MrAnde7son commented Aug 15, 2017 •

edited

Loading

Sankgreall commented Jul 12, 2022 •

edited

Loading