Source: C:\ProgramData\Mozilla\lvrslql.exe
Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\Mozilla\nnekebf.dll
Avira: detection malicious, Label: TR/ATRAPS.Gen4
Source: C:\ProgramData\Mozilla\nnekebf.dll
Virustotal: Detection: 76%
Source: C:\ProgramData\Mozilla\nnekebf.dll
Metadefender: Detection: 52%
Source: C:\ProgramData\Mozilla\nnekebf.dll
ReversingLabs: Detection: 84%
Source: Incaseformat.exe
Virustotal: Detection: 83%
Source: Incaseformat.exe
ReversingLabs: Detection: 100%
Source: C:\ProgramData\Mozilla\lvrslql.exe
Joe Sandbox ML: detected
Source: C:\ProgramData\Mozilla\nnekebf.dll
Joe Sandbox ML: detected
Source: 0.0.Incaseformat.exe.400000.0.unpack
Avira: Label: TR/Dropper.Gen
Source: 0.2.Incaseformat.exe.400000.0.unpack
Avira: Label: TR/Gepys.aouma
Source: 1.2.lvrslql.exe.df0000.1.unpack
Avira: Label: TR/Gepys.aouma
Source: 0.2.Incaseformat.exe.2150000.1.unpack
Avira: Label: TR/Gepys.aouma
Source: 1.0.lvrslql.exe.400000.0.unpack
Avira: Label: TR/Dropper.Gen
Source: 1.2.lvrslql.exe.400000.0.unpack
Avira: Label: TR/Gepys.aouma
Source: C:\Users\user\Desktop\Incaseformat.exe
Unpacked PE file: 0.2.Incaseformat.exe.2150000.1.unpack
Source: C:\Users\user\Desktop\Incaseformat.exe
Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack
Source: C:\ProgramData\Mozilla\lvrslql.exe
Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack
Source: Incaseformat.exe
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: Incaseformat.exe, 00000000.00000002.216899225.00000000007BA000.00000004.00000020.sdmp
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Incaseformat.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lvrslql.exe.0.dr
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nnekebf.dll.1.dr
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine
Classification label: mal100.evad.winEXE@2/2@0/0
Source: C:\Users\user\Desktop\Incaseformat.exe
Code function: 0_2_00401830 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,GetUserNameW,SysAllocString,CoUninitialize,CoUninitialize,
0_2_00401830
Source: C:\Users\user\Desktop\Incaseformat.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Incaseformat.exe
File read: C:\Users\user\Desktop\Incaseformat.exe
Source: unknown
Process created: C:\Users\user\Desktop\Incaseformat.exe 'C:\Users\user\Desktop\Incaseformat.exe'
Source: unknown
Process created: C:\ProgramData\Mozilla\lvrslql.exe C:\PROGRA~3\Mozilla\lvrslql.exe -ddeznal
Source: C:\Users\user\Desktop\Incaseformat.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe
Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\Mozilla\lvrslql.exe
Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\Incaseformat.exe
Code function: 0_2_0040488B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
0_2_0040488B
Source: C:\Users\user\Desktop\Incaseformat.exe
Code function: 0_2_00403CB5 push ecx; ret
0_2_00403CC8
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_0040E03D push edi; ret
1_2_0040E048
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_0040F03F push ecx; iretd
1_2_0040F04C
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_0040D8DF pushad ; ret
1_2_0040D8E0
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_00403CB5 push ecx; ret
1_2_00403CC8
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_0040EA1F push ebp; retf
1_2_0040EA20
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_0040DAC9 push ecx; iretd
1_2_0040DACA
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_0040D2F0 push ebp; iretd
1_2_0040D2F2
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_0040BE88 push ecx; ret
1_2_0040BEE7
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_00DB8720 push edx; ret
1_2_00DB894D
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_00D919CE push edx; iretd
1_2_00D919F5
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_00D932C2 push FFFFFFDFh; ret
1_2_00D93307
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_00D93FE0 push ss; retn 0003h
1_2_00D93FEA
Source: initial sample
Static PE information: section name: .text entropy: 7.66572568976
Source: initial sample
Static PE information: section name: .text entropy: 7.08580926417
Source: C:\Users\user\Desktop\Incaseformat.exe
File written: C:\ProgramData\Mozilla\lvrslql.exe
Source: C:\ProgramData\Mozilla\lvrslql.exe
File written: C:\ProgramData\Mozilla\nnekebf.dll
Source: C:\ProgramData\Mozilla\lvrslql.exe
File created: C:\ProgramData\Mozilla\nnekebf.dll
Source: C:\Users\user\Desktop\Incaseformat.exe
File created: C:\ProgramData\Mozilla\lvrslql.exe
Source: C:\ProgramData\Mozilla\lvrslql.exe
Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs
Source: C:\Users\user\Desktop\Incaseformat.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Mozilla\lvrslql.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Mozilla\lvrslql.exe
Dropped PE file which has not been started: C:\ProgramData\Mozilla\nnekebf.dll
Source: C:\Users\user\Desktop\Incaseformat.exe
Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\ProgramData\Mozilla\lvrslql.exe
Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\Incaseformat.exe
Code function: 0_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
0_2_0040281C
Source: C:\Users\user\Desktop\Incaseformat.exe
Code function: 0_2_004022D0 GetProcessHeap,GetTickCount,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,CreateDirectoryW,GetShortPathNameW,RegOpenKeyExW,_memset,RegQueryValueExW,RegCloseKey,GetCommandLineW,GetVersion,
0_2_004022D0
Source: C:\Users\user\Desktop\Incaseformat.exe
Code function: 0_2_0040432D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
0_2_0040432D
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
1_2_0040281C
Source: C:\ProgramData\Mozilla\lvrslql.exe
Code function: 1_2_0040432D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
1_2_0040432D
Source: C:\Users\user\Desktop\Incaseformat.exe
Code function: 0_2_00402179 GetTickCount,CreateFileW,WriteFile,CloseHandle,HeapFree,_memset,ShellExecuteExW,Sleep,DeleteFileW,
0_2_00402179
Source: C:\Users\user\Desktop\Incaseformat.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid