Analysis Report e92b274943f4a3a557881ee0dd57772d.exe

Overview

General Information

Sample Name: e92b274943f4a3a557881ee0dd57772d.exe
Analysis ID: 356808
MD5: 1f2b71c462d73dcdcc69a707a18c38d6
SHA1: 98957c96b7c2dd066b6c5108f8ded53983427472
SHA256: c6e001729b8abc3d321756d6964e1a84148f19004f03606953ebba32081f4c75
Tags: exe, NanoCore, RAT
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • e92b274943f4a3a557881ee0dd57772d.exe (PID: 5900 cmdline: 'C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe' MD5: 1F2B71C462D73DCDCC69A707A18C38D6)
    • e92b274943f4a3a557881ee0dd57772d.exe (PID: 6108 cmdline: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe MD5: 1F2B71C462D73DCDCC69A707A18C38D6)
      • schtasks.exe (PID: 2336 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 2880 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp266B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6296 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 1F2B71C462D73DCDCC69A707A18C38D6)
    • dhcpmon.exe (PID: 6468 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1F2B71C462D73DCDCC69A707A18C38D6)
  • dhcpmon.exe (PID: 6720 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 1F2B71C462D73DCDCC69A707A18C38D6)
    • dhcpmon.exe (PID: 7024 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1F2B71C462D73DCDCC69A707A18C38D6)
    • backgroundTaskHost.exe (PID: 7024 cmdline: 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "94----", "Group": "V-HASH", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.289277143.0000000002BF1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security |
00000014.00000002.310042790.00000000033F1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security |
00000000.00000002.252323083.0000000002BC7000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000009.00000002.275215575.0000000002FD4000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000009.00000002.275177741.0000000002FB1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

            Unpacked PEs

            Source | Rule | Description | Author | Strings
            12.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
            • 0x1018d:$x1: NanoCore.ClientPluginHost
            • 0x101ca:$x2: IClientNetworkHost
            • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
            12.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
            • 0xff05:$x1: NanoCore Client.exe
            • 0x1018d:$x2: NanoCore.ClientPluginHost
            • 0x117c6:$s1: PluginCommand
            • 0x117ba:$s2: FileCommand
            • 0x1266b:$s3: PipeExists
            • 0x18422:$s4: PipeCreated
            • 0x101b7:$s5: IClientLoggingHost
            12.2.dhcpmon.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
              12.2.dhcpmon.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
              • 0xfef5:$a: NanoCore
              • 0xff05:$a: NanoCore
              • 0x10139:$a: NanoCore
              • 0x1014d:$a: NanoCore
              • 0x1018d:$a: NanoCore
              • 0xff54:$b: ClientPlugin
              • 0x10156:$b: ClientPlugin
              • 0x10196:$b: ClientPlugin
              • 0x1007b:$c: ProjectData
              • 0x10a82:$d: DESCrypto
              • 0x1844e:$e: KeepAlive
              • 0x1643c:$g: LogClientMessage
              • 0x12637:$i: get_Connected
              • 0x10db8:$j: #=q
              • 0x10de8:$j: #=q
              • 0x10e04:$j: #=q
              • 0x10e34:$j: #=q
              • 0x10e50:$j: #=q
              • 0x10e6c:$j: #=q
              • 0x10e9c:$j: #=q
              • 0x10eb8:$j: #=q
              12.2.dhcpmon.exe.3c430dd.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
              • 0xb184:$x1: NanoCore.ClientPluginHost
              • 0x241a0:$x1: NanoCore.ClientPluginHost
              • 0xb1b1:$x2: IClientNetworkHost
              • 0x241cd:$x2: IClientNetworkHost
              Sigma Overview

              System Summary:

              Sigma detected: NanoCore
              Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe, ProcessId: 6108, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
              Sigma detected: Scheduled temp file as task from temp location
              Source: Process started, Author: Joe Security, Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe, ParentImage: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe, ParentProcessId: 6108, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp', ProcessId: 2336

              Signature Overview

              AV Detection:

              Found malware configuration
              Source: 0000000C.00000002.289384974.0000000003BF1000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore
              Multi AV Scanner detection for dropped file
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 10%
              Yara detected Nanocore RAT
              Source: 20.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
              Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
              Source: 12.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
              Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7

              Compliance:

              Uses 32bit PE files
              Source: e92b274943f4a3a557881ee0dd57772d.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Uses new MSVCR Dlls
              Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Contains modern PE file flags such as dynamic base (ASLR) or NX
              Source: e92b274943f4a3a557881ee0dd57772d.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Binary contains paths to debug symbols
              Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.500217236.0000000000955000.00000004.00000040.sdmp
              Source: Binary string: mscorrc.pdb source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.257690003.0000000006680000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.279859695.00000000066E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.281624150.0000000006B30000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.296987366.00000000077D0000.00000002.00000001.sdmp