
Windows Analysis Report
CrowdStrike.exe

Overview

General Information

Sample name: CrowdStrike.exe
Analysis ID: 1477426
MD5: 755c0350038daefb29b888b6f8739e81
SHA1: 5b2f56953b3c925693386cae5974251479f03928
SHA256: 4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3
Tags: exe

Detection

Hatef Wiper
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected Hatef Wiper
AI detected suspicious sample
Drops PE files with a suspicious file extension
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Sample is not signed and drops a device driver
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Copy From or To System Directory
Uses 32bit PE files

Classification

  • System is w10x64
  • CrowdStrike.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\CrowdStrike.exe" MD5: 755C0350038DAEFB29B888B6F8739E81)
    • cmd.exe (PID: 7384 cmdline: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7432 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7440 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7484 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7492 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7532 cmdline: cmd /c md 564784 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 7544 cmdline: findstr /V "locatedflatrendsoperating" Ukraine MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7556 cmdline: cmd /c copy /b Treating + Viagra + Vision + Jul + Str 564784\L MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Champion.pif (PID: 7572 cmdline: 564784\Champion.pif 564784\L MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)
        • RegAsm.exe (PID: 7904 cmdline: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • timeout.exe (PID: 7588 cmdline: timeout 15 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
No configs have been found
Memory dumps:

Source | Rule | Description | Author | Strings
0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_HatefWiper | Yara detected Hatef Wiper | Joe Security |
Process Memory Space: RegAsm.exe PID: 7904 | JoeSecurity_HatefWiper | Yara detected Hatef Wiper | Joe Security |

Unpacked PE files:

Source | Rule | Description | Author | Strings
15.2.RegAsm.exe.700000.2.unpack | JoeSecurity_HatefWiper | Yara detected Hatef Wiper | Joe Security |

        System Summary

Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems); Data: Command: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, ParentCommandLine: 564784\Champion.pif 564784\L, ParentImage: C:\Users\user\AppData\Local\Temp\564784\Champion.pif, ParentProcessId: 7572, ParentProcessName: Champion.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, ProcessId: 7904, ProcessName: RegAsm.exe
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: 564784\Champion.pif 564784\L, CommandLine: 564784\Champion.pif 564784\L, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\564784\Champion.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\564784\Champion.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\564784\Champion.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7384, ParentProcessName: cmd.exe, ProcessCommandLine: 564784\Champion.pif 564784\L, ProcessId: 7572, ProcessName: Champion.pif
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, ParentCommandLine: 564784\Champion.pif 564784\L, ParentImage: C:\Users\user\AppData\Local\Temp\564784\Champion.pif, ParentProcessId: 7572, ParentProcessName: Champion.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, ProcessId: 7904, ProcessName: RegAsm.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit, CommandLine: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\CrowdStrike.exe", ParentImage: C:\Users\user\Desktop\CrowdStrike.exe, ParentProcessId: 7312, ParentProcessName: CrowdStrike.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit, ProcessId: 7384, ProcessName: cmd.exe

        HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7384, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 7492, ProcessName: findstr.exe
        No Snort rule has matched


        AV Detection

Source: CrowdStrike.exe; Virustotal: Detection: 20%
Source: CrowdStrike.exe; ReversingLabs: Detection: 15%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.5% probability
Source: CrowdStrike.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: CrowdStrike.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE