Analysis Date2018-05-20 02:13:46
MD5cfa538b5721a11e36dd859845ef02e0a
SHA12f0f96b7a46fcb3e4f474f950f154152c89bfc4b

Static Details:

AVArcabit (arcavir)Error Scanning File
AVAuthentiumW32/Trojan.FTIL-8035
AVGrisoft (avg)Error Scanning File
AVAvira (antivir)TR/BAS.Upatre.jwrbk
AVAlwil (avast)Trojan-gen
AVAlwil (avast)Win32:Trojan-gen
AVAd-AwareGen:Variant.Dropper.95
AVBitDefenderGen:Variant.Dropper.95
AVBullGuardGen:Variant.Dropper.95
AVClamAVWin.Trojan.Agent-1135852
AVDr. WebTrojan.Packed.3036
AVEmsisoftGen:Variant.Dropper.95
AVMicroWorld (escan)Gen:Variant.Dropper.95
AVCA (E-Trust Ino)Gen:Variant.Dropper.95
AVFortinetW32/Zbot.QNYM!tr
AVFrisk (f-prot)W32/Trojan3.GJF
AVF-SecureGen:Variant.Dropper.95
AVIkarusTrojan-Downloader.Win32.Upatre
AVK7Spyware ( 0040f78b1 )
AVKasperskyTrojan.Win32.Agent.ibbb
AVMalwareBytesBackdoor.Bot
AVMcafeeTrojan-FDFY!CFA538B5721A
AVMicrosoft Security EssentialsTrojanDownloader:Win32/Upatre
AVNANOTrojan.Win32.Agent.cqjtkw
AVEset (nod32)Win32/TrojanDownloader.Small.AAB
AVPadvishNo Virus
AVCAT (quickheal)TrojanDownloader.Upatre.A6
AVRisingNo Virus
AV360 SafeBackdoor.Win32.Pushdo.J
AVSUPERAntiSpywareTrojan.Agent/Gen-Infector
AVSymantecDownloader
AVTrend MicroTROJ_UPATRE.SM37
AVTwisterTrojanDldr.Small.AAB.qsjc
AVVirusBlokAda (vba32)TrojanSpy.Zbot
AVWindows DefenderTrojanDownloader:Win32/Upatre
AVZillya!No Virus

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\2f0f96b7a46fcb3e4f474f950f154152c89bfc4b.exe

Creates FileC:\Windows\Globalization\Sorting\sortdefault.nls
Creates FileC:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates FileC:\Windows\System32\wdmaud.drv
Creates FileC:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates FileC:\Windows\System32\wdmaud.drv
Creates FileC:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates FileC:\Windows\System32\wdmaud.drv
Creates FileC:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates FileC:\Windows\System32\wdmaud.drv
Creates FileC:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates FileC:\Windows\System32\wdmaud.drv
Creates FileC:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates FileC:\Windows\System32\wdmaud.drv
Creates FileC:\Users\Phil\AppData\Local\Temp\2f0f96b7a46fcb3e4f474f950f154152c89bfc4b.exe
Creates FileC:\Users\Phil\AppData\Local\Temp\budha.exe
Creates Mutex
Creates Mutex
Creates Mutex
Creates Mutex
Creates Mutex
Creates Mutex
Creates MutexLocal\MidiMapper_modLongMessage_RefCnt
Creates Mutex

Process
↳ C:\Users\Phil\AppData\Local\Temp\budha.exe

Creates FileC:\Windows\Globalization\Sorting\sortdefault.nls
Creates FileC:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates FileC:\Windows\System32\wdmaud.drv
Creates FileC:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates FileC:\Windows\System32\wdmaud.drv
Creates FileC:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates FileC:\Windows\System32\wdmaud.drv
Creates FileC:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates FileC:\Windows\System32\wdmaud.drv
Creates FileC:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates FileC:\Windows\System32\wdmaud.drv
Creates FileC:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates FileC:\Windows\System32\wdmaud.drv
Creates FileC:\Users\Phil\AppData\Local\Temp\budha.exe
Creates Mutex
Creates Mutex
Creates Mutex
Creates Mutex
Creates Mutex
Creates Mutex
Creates MutexLocal\MidiMapper_modLongMessage_RefCnt
Creates Mutex

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f4d4645 77547a42 4e4d4573   GET /MFEwTzBNMEs
0x00000010 (00016)   77535441 4a426755 7244674d 43476755   wSTAJBgUrDgMCGgU
0x00000020 (00032)   41424252 76394768 4e51784c 5353474b   ABBRv9GhNQxLSSGK
0x00000030 (00048)   426e4d41 72505563 7348596f 76706751   BnMArPUcsHYovpgQ
0x00000040 (00064)   55784b65 78704873 73636672 62345575   UxKexpHsscfrb4Uu
0x00000050 (00080)   51646625 32464546 57434669 52414345   Qdf%2FEFWCFiRACE
0x00000060 (00096)   416f4251 55494141 41465468 584e7143   AoBQUIAAAFThXNqC
0x00000070 (00112)   34587370 77672533 44204854 54502f31   4Xspwg%3D HTTP/1
0x00000080 (00128)   2e310d0a 436f6e6e 65637469 6f6e3a20   .1..Connection: 
0x00000090 (00144)   4b656570 2d416c69 76650d0a 41636365   Keep-Alive..Acce
0x000000a0 (00160)   70743a20 2a2f2a0d 0a557365 722d4167   pt: */*..User-Ag
0x000000b0 (00176)   656e743a 204d6963 726f736f 66742d43   ent: Microsoft-C
0x000000c0 (00192)   72797074 6f415049 2f362e31 0d0a486f   ryptoAPI/6.1..Ho
0x000000d0 (00208)   73743a20 69737267 2e747275 73746964   st: isrg.trustid
0x000000e0 (00224)   2e6f6373 702e6964 656e7472 7573742e   .ocsp.identrust.
0x000000f0 (00240)   636f6d0d 0a0d0a                       com....

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 332f7374 61746963   update/v3/static
0x00000020 (00032)   2f747275 73746564 722f656e 2f617574   /trustedr/en/aut
0x00000030 (00048)   68726f6f 7473746c 2e636162 20485454   hrootstl.cab HTT
0x00000040 (00064)   502f312e 310d0a43 61636865 2d436f6e   P/1.1..Cache-Con
0x00000050 (00080)   74726f6c 3a206d61 782d6167 65203d20   trol: max-age = 
0x00000060 (00096)   31303830 30310d0a 436f6e6e 65637469   108001..Connecti
0x00000070 (00112)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000080 (00128)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x00000090 (00144)   722d4167 656e743a 204d6963 726f736f   r-Agent: Microso
0x000000a0 (00160)   66742d43 72797074 6f415049 2f362e31   ft-CryptoAPI/6.1
0x000000b0 (00176)   0d0a486f 73743a20 7777772e 646f776e   ..Host: www.down
0x000000c0 (00192)   6c6f6164 2e77696e 646f7773 75706461   load.windowsupda
0x000000d0 (00208)   74652e63 6f6d0d0a 0d0a0d              te.com.....

0x00000000 (00000)   47455420 2f726f6f 74732f64 7374726f   GET /roots/dstro
0x00000010 (00016)   6f746361 78332e70 37632048 5454502f   otcax3.p7c HTTP/
0x00000020 (00032)   312e310d 0a436f6e 6e656374 696f6e3a   1.1..Connection:
0x00000030 (00048)   204b6565 702d416c 6976650d 0a416363    Keep-Alive..Acc
0x00000040 (00064)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x00000050 (00080)   67656e74 3a204d69 63726f73 6f66742d   gent: Microsoft-
0x00000060 (00096)   43727970 746f4150 492f362e 310d0a48   CryptoAPI/6.1..H
0x00000070 (00112)   6f73743a 20617070 732e6964 656e7472   ost: apps.identr
0x00000080 (00128)   7573742e 636f6d0d 0a0d0a              ust.com....

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 39323a35 3335370d 0a0d0a3c   00.192:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a336331 36393938 632d3936 65342d34   :3c16998c-96e4-4
0x00000280 (00640)   3536382d 61636135 2d316638 30343432   568-aca5-1f80442
0x00000290 (00656)   64353030 353c2f77 73613a4d 65737361   d5005</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a3061 32306630   >urn:uuid:0a20f0
0x00000340 (00832)   33362d37 3464332d 34393361 2d383337   36-74d3-493a-837
0x00000350 (00848)   322d6433 34383833 66303963 61323c2f   2-d34883f09ca2</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>

0x00000000 (00000)   160301                                ...

0x00000000 (00000)   47455420 2f4d464d 77555442 504d4530   GET /MFMwUTBPME0
0x00000010 (00016)   77537a41 4a426755 7244674d 43476755   wSzAJBgUrDgMCGgU
0x00000020 (00032)   41424252 25324235 6d726e63 70717a25   ABBR%2B5mrncpqz%
0x00000030 (00048)   32465069 69494752 73467145 74594845   2FPiiIGRsFqEtYHE
0x00000040 (00064)   49585151 55714570 71597752 39336272   IXQQUqEpqYwR93br
0x00000050 (00080)   6d30546d 33706b56 6c372532 464f6f37   m0Tm3pkVl7%2FOo7
0x00000060 (00096)   4b454345 67506e52 46714a34 57503753   KECEgPnRFqJ4WP7S
0x00000070 (00112)   39787479 37456e65 514e736f 67253344   9xty7EneQNsog%3D
0x00000080 (00128)   25334420 48545450 2f312e31 0d0a436f   %3D HTTP/1.1..Co
0x00000090 (00144)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x000000a0 (00160)   6c697665 0d0a4163 63657074 3a202a2f   live..Accept: */
0x000000b0 (00176)   2a0d0a55 7365722d 4167656e 743a204d   *..User-Agent: M
0x000000c0 (00192)   6963726f 736f6674 2d437279 70746f41   icrosoft-CryptoA
0x000000d0 (00208)   50492f36 2e310d0a 486f7374 3a206f63   PI/6.1..Host: oc
0x000000e0 (00224)   73702e69 6e742d78 332e6c65 7473656e   sp.int-x3.letsen
0x000000f0 (00240)   63727970 742e6f72 670d0a0d 0a         crypt.org....

0x00000000 (00000)   160301                                ...

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 33363a35 3335370d 0a0d0a3c   00.136:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a346234 64336163 622d6464 64372d34   :4b4d3acb-ddd7-4
0x00000280 (00640)   3030352d 38346662 2d366136 32643133   005-84fb-6a62d13
0x00000290 (00656)   33393133 623c2f77 73613a4d 65737361   3913b</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a3061 32306630   >urn:uuid:0a20f0
0x00000340 (00832)   33362d37 3464332d 34393361 2d383337   36-74d3-493a-837
0x00000350 (00848)   322d6433 34383833 66303963 61323c2f   2-d34883f09ca2</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>

0x00000000 (00000)   160301                                ...

0x00000000 (00000)   160301                                ...

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e32 30373a35 3335370d 0a0d0a3c   00.207:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a633463 62626166 302d3036 66302d34   :c4cbbaf0-06f0-4
0x00000280 (00640)   6466662d 62313339 2d393465 65303134   dff-b139-94ee014
0x00000290 (00656)   33343265 323c2f77 73613a4d 65737361   342e2</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a3061 32306630   >urn:uuid:0a20f0
0x00000340 (00832)   33362d37 3464332d 34393361 2d383337   36-74d3-493a-837
0x00000350 (00848)   322d6433 34383833 66303963 61323c2f   2-d34883f09ca2</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>


Strings