Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:756296
MD5:b285997d1fb1ed7ff9129e4e9566c2e5
SHA1:64fe09e86b2e6dc67bb85faf9d7a746976edb4a0
SHA256:8edce063ac9af61dd0b493b9dec7e959b93021ad55a07cfe6e2b5519b46581f2
Tags:exe
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality to inject code into remote processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
PE file contains more sections than normal
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 5316 cmdline: C:\Users\user\Desktop\file.exe MD5: B285997D1FB1ED7FF9129E4E9566C2E5)
    • conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vbc.exe (PID: 5384 cmdline: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
  • cleanup
{"C2 url": ["172.86.120.146:2819"], "Bot Id": "1kMixWorldTest", "Authorization Header": "7158f67354faaa79bd6ac126ef4cf20e"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000003.263012533.00000000010B2000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.356537948.0000000006AB2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.263412439.00000000004A2000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: file.exe PID: 5316 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.3.file.exe.10b0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.3.file.exe.10b0000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x2104c:$pat14: , CommandLine:
  • 0x18d58:$v2_1: ListOfProcesses
  • 0x18aec:$v4_3: base64str
  • 0x19b7f:$v4_4: stringKey
  • 0x16708:$v4_5: BytesToStringConverted
  • 0x15770:$v4_6: FromBase64
  • 0x16edc:$v4_8: procName
  • 0x1725f:$v5_1: DownloadAndExecuteUpdate
  • 0x189fc:$v5_2: ITaskProcessor
  • 0x1724d:$v5_3: CommandLineUpdate
  • 0x1723e:$v5_4: DownloadUpdate
  • 0x178f0:$v5_5: FileScanning
  • 0x16a77:$v5_7: RecordHeaderField
  • 0x16496:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.file.exe.4a17a0.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.4a17a0.1.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1f44c:$pat14: , CommandLine:
  • 0x17158:$v2_1: ListOfProcesses
  • 0x16eec:$v4_3: base64str
  • 0x17f7f:$v4_4: stringKey
  • 0x14b08:$v4_5: BytesToStringConverted
  • 0x13b70:$v4_6: FromBase64
  • 0x152dc:$v4_8: procName
  • 0x1565f:$v5_1: DownloadAndExecuteUpdate
  • 0x16dfc:$v5_2: ITaskProcessor
  • 0x1564d:$v5_3: CommandLineUpdate
  • 0x1563e:$v5_4: DownloadUpdate
  • 0x15cf0:$v5_5: FileScanning
  • 0x14e77:$v5_7: RecordHeaderField
  • 0x14896:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.file.exe.3e0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

No Sigma rule has matched

Timestamp:11/30/22-00:11:55.241038
Source IP:192.168.2.3
Destination IP:172.86.120.146
SID:2850286
Source Port:49684
Destination Port:2819
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:11/30/22-00:11:30.935107
Source IP:192.168.2.3
Destination IP:172.86.120.146
SID:2850027
Source Port:49684
Destination Port:2819
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:11/30/22-00:11:32.905229
Source IP:172.86.120.146
Destination IP:192.168.2.3
SID:2850353
Source Port:2819
Destination Port:49684
Protocol:TCP
Classtype:A Network Trojan was detected

Source: 0.3.file.exe.10b0000.0.unpack, Malware Configuration Extractor: RedLine {"C2 url": ["172.86.120.146:2819"], "Bot Id": "1kMixWorldTest", "Authorization Header": "7158f67354faaa79bd6ac126ef4cf20e"}
Source: file.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
Source: file.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\file.exe, Code function: 4x nop then mov eax, dword ptr [ecx]
Source: C:\Users\user\Desktop\file.exe, Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\file.exe, Code function: 4x nop then push esi
Source: C:\Users\user\Desktop\file.exe, Code function: 4x nop then jmp 00450450h
Source: C:\Users\user\Desktop\file.exe, Code function: 4x nop then mov eax, dword ptr [ecx+08h]
Source: C:\Users\user\Desktop\file.exe, Code function: 4x nop then mov eax, 004C5050h
Source: C:\Users\user\Desktop\file.exe, Code function: 4x nop then push edi
Source: C:\Users\user\Desktop\file.exe, Code function: 4x nop then mov eax, ecx
Source: C:\Users\user\Desktop\file.exe, Code function: 4x nop then movzx edx, byte ptr [esp+14h]

                      Networking

Source: Traffic, Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49684 -> 172.86.120.146:2819
Source: Traffic, Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49684 -> 172.86.120.146:2819
Source: Traffic, Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 172.86.120.146:2819 -> 192.168.2.3:49684
Source: Malware configuration extractor, URLs: 172.86.120.146:2819
Source: Joe Sandbox View, ASN Name: NETRANGEUS NETRANGEUS
Source: unknown, TCP traffic detected without corresponding DNS query: 172.86.120.146