Analysis Date: 2018-04-25 07:11:26
MD5: e5e19bcfb3e393baa136defb3d722d9f
SHA1: 90105dc04375dfd7c4255b255993c30aea421aff

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows
PEhash
AV Windows Defender: TrojanSpy:MSIL/Omaneat.B
AV Frisk (f-prot): W32/Sality.gen2
AV Fortinet: W32/Sality.BH
AV Avira (antivir): W32/Sality.AT
AV CAT (quickheal): W32.Sality.U
AV Grisoft (avg): Crypt_vb.ATZ
AV SUPERAntiSpyware: No Virus
AV Eset (nod32): Win32/Sality.NBA virus
AV Alwil (avast): SaliCode
AV MalwareBytes: Backdoor.Agent.Generic
AV K7: Virus ( f10001071 )
AV Microsoft Security Essentials: TrojanSpy:MSIL/Omaneat.B
AV Rising: Trojan.Win32.Swisyn.f
AV Ikarus: Trojan.Win32.VB
AV BullGuard: Win32.Sality.3
AV Mcafee: W32/Sality.gen.z
AV 360 Safe: Virus.Win32.Sality.I
AV Zillya!: Virus.Sality.Win32.25
AV F-Secure: Win32.Sality.3
AV VirusBlokAda (vba32): Virus.Win32.Sality.bakc
AV Kaspersky: Error Scanning File
AV Dr. Web: Win32.Sector.30
AV Alwil (avast): Win32:SaliCode
AV Symantec: W32.Gosys
AV Padvish: Virus.Win32.Sality.3
AV CA (E-Trust Ino): Win32.Sality.3
AV BitDefender: Win32.Sality.3
AV Authentium: W32/Sality.gen2
AV Arcabit (arcavir): Win32.Sality.3
AV Emsisoft: Win32.Sality.3
AV Trend Micro: PE_SALITY.RL
AV MicroWorld (escan): Win32.Sality.3
AV Twister: Virus.FD81@2FF0000@2FF0F.mg
AV Ad-Aware: Win32.Sality.3
AV ClamAV: No Virus
AV NANO: Virus.Win32.Sality.beygb

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\90105dc04375dfd7c4255b255993c30aea421aff.exe

Creates Mutex: uxJLpe1m
Creates Mutex
Creates Mutex
Creates Mutex: smss.exeM_252_
Creates Mutex: smss.exeM_252_
Creates Mutex: csrss.exeM_328_
Creates Mutex: csrss.exeM_328_
Creates Mutex: wininit.exeM_376_
Creates Mutex: wininit.exeM_376_
Creates Mutex: csrss.exeM_388_
Creates Mutex: csrss.exeM_388_
Creates Mutex: winlogon.exeM_428_
Creates Mutex: winlogon.exeM_428_
Creates Mutex: services.exeM_472_
Creates Mutex: services.exeM_472_
Creates Mutex: lsass.exeM_480_
Creates Mutex: lsass.exeM_480_
Creates Mutex: lsm.exeM_488_
Creates Mutex: lsm.exeM_488_
Creates Mutex: svchost.exeM_600_
Creates Mutex: svchost.exeM_600_
Creates Mutex: svchost.exeM_664_
Creates Mutex: svchost.exeM_664_
Creates Mutex: svchost.exeM_716_
Creates Mutex: svchost.exeM_716_
Creates File: C:\Users\Phil\AppData\Local\Temp\~DF9F5945BE5D05D7A1.TMP
Creates File: c:\Users\Phil\AppData\Local\Temp\90105dc04375dfd7c4255b255993c30aea421aff.exe
Creates File: C:\Windows\system.ini
Creates File: c:\Users\Phil\AppData\Local\Temp\90105dc04375dfd7c4255b255993c30aea421aff.exe
Creates File: c:\Windows\system\explorer.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusOverride ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallOverride ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UacDisableNotify ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ 0
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ 0
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ➝ 0
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝ 0
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications ➝ 1
Registry: HKEY_CURRENT_USER\Software\Aeky\-521103104\1818847312 ➝ 350
Registry: HKEY_CURRENT_USER\Software\Aeky\-521103104\-657272672 ➝ 0
Registry: HKEY_CURRENT_USER\Software\Aeky\-521103104\1161574640 ➝ 0
Registry: HKEY_CURRENT_USER\Software\Aeky\-521103104\-1314545344 ➝ 35
Registry: HKEY_CURRENT_USER\Software\Aeky\-521103104\504301968 ➝ 250
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝ 1

Process
↳ C:\Windows\System32\taskhost.exe

Process
↳ C:\Windows\System32\dwm.exe

Process
↳ C:\Windows\explorer.exe

Creates File: C:\Windows\System32\ieframe.dll

Process
↳ c:\Windows\system\explorer.exe

Creates Mutex: uxJLpe1m
Creates Mutex
Creates Mutex
Creates File: C:\Users\Phil\AppData\Local\Temp\~DFC3CDD35E59DE33BC.TMP
Creates File: c:\Windows\system\explorer.exe
Creates File: c:\Windows\system\spoolsv.exe
Creates File: c:\Windows\system\explorer.exe
Creates File: c:\Windows\system\spoolsv.exe
Creates File: C:\Users\Phil\AppData\Roaming\mrsys.exe
Creates File: c:\Windows\system\explorer.exe
Creates File: C:\Users\Phil\AppData\Roaming\mrsys.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer ➝ c:\windows\system\explorer.exe RO
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost ➝ c:\windows\system\svchost.exe RO

Process
↳ c:\Windows\system\spoolsv.exe

Creates Mutex: uxJLpe1m
Creates Mutex
Creates Mutex
Creates File: C:\Users\Phil\AppData\Local\Temp\~DF5CDC9114984E150F.TMP
Creates File: c:\Windows\system\spoolsv.exe
Creates File: c:\Windows\system\svchost.exe
Creates File: c:\Windows\system\spoolsv.exe
Creates File: c:\Windows\system\svchost.exe

Process
↳ c:\Windows\system\svchost.exe

Creates Mutex: uxJLpe1m
Creates Mutex
Creates Mutex
Creates File: C:\Users\Phil\AppData\Local\Temp\~DF131BED1CFDBD2012.TMP
Creates File: c:\Windows\system\svchost.exe
Creates File: c:\Windows\system\spoolsv.exe
Creates File: C:\Users\Phil\AppData\Roaming\mrsys.exe
Creates File: C:\Windows\system\cmsys.cmn
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer ➝ c:\windows\system\explorer.exe RO
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost ➝ c:\windows\system\svchost.exe RO
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath ➝ C:\Users\Phil\AppData\Roaming\mrsys.exe MR
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ 0

Process
↳ c:\Windows\system\spoolsv.exe

Creates Mutex: uxJLpe1m
Creates File: C:\Users\Phil\AppData\Local\Temp\~DF3EB6B6F98DB3655B.TMP

Process
↳ C:\Windows\SysWOW64\at.exe

Creates File: \\?\PIPE\atsvc

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 35323a35 3335370d 0a0d0a3c   00.152:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a613335 64613565 632d3635 63342d34   :a35da5ec-65c4-4
0x00000280 (00640)   3431352d 61633437 2d383062 35313565   415-ac47-80b515e
0x00000290 (00656)   35326338 383c2f77 73613a4d 65737361   52c88</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a3733 61363236   >urn:uuid:73a626
0x00000340 (00832)   38372d62 3539662d 34333136 2d613063   87-b59f-4316-a0c
0x00000350 (00848)   392d3738 65633965 35306261 64633c2f   9-78ec9e50badc</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 36313a35 3335370d 0a0d0a3c   00.161:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a343131 34633165 332d6538 63632d34   :4114c1e3-e8cc-4
0x00000280 (00640)   3635322d 39326638 2d353364 35313539   652-92f8-53d5159
0x00000290 (00656)   61383731 633c2f77 73613a4d 65737361   a871c</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a3837 37656436   >urn:uuid:877ed6
0x00000340 (00832)   34342d66 3362362d 34633832 2d616131   44-f3b6-4c82-aa1
0x00000350 (00848)   622d3336 36376439 64373135 39323c2f   b-3667d9d71592</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>


Strings