Windows Analysis Report
SystemMechanic_Ultimate_Defense (1).exe

Overview

General Information

Sample name: SystemMechanic_Ultimate_Defense (1).exe
Analysis ID: 1544768
MD5: e0ed5e186b6e1c2dada474ad759a7d1a
SHA1: 118c52a2b2b6d1c176fb65d4a0dde49cccd8484d
SHA256: 6bc7edbf46ffe0fe87892ac7394dfeaa8ed7e128ee48a002aab896c8866488c6

Detection

PureLog Stealer, zgRAT
Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains potential unpacker
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected potential crypto function
Enables debug privileges
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component which targets browser information and crypto wallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
Source: SystemMechanic_Ultimate_Defense (1).exe Static PE information: certificate valid
Source: SystemMechanic_Ultimate_Defense (1).exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/?
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

System Summary

Source: SystemMechanic_Ultimate_Defense (1).exe, type: SAMPLE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Code function: 0_2_00007FFD9B889337 0_2_00007FFD9B889337
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Code function: 0_2_00007FFD9B888AA3 0_2_00007FFD9B888AA3
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Code function: 0_2_00007FFD9B8825AA 0_2_00007FFD9B8825AA
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Code function: 0_2_00007FFD9B884AE0 0_2_00007FFD9B884AE0
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Code function: 0_2_00007FFD9B88515E 0_2_00007FFD9B88515E
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2958498107.000001FA1A1C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLocale_en-us.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2968970128.000001FA1AA70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Practices.Prism.dll, vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942709784.000001FA019E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDownloader.dll6 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePerceive.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePerceiveHUD.dll8 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePerceiveSDK.dll8 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSMCommon.dll@ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1700909403.000001FA7E93A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBootstrap.exe@ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameInstallerSMUDUI.dll@ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942669851.000001FA019D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBranding.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2960322878.000001FA1A390000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameEntitlementDefinitions.dllN vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2958607900.000001FA1A1D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCleanup.dll0 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2958390586.000001FA1A1B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameInstallerCommon.dll@ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameInstallerSMUDUI.dll@ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLocale_de-de.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLocale_en-us.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLocale_es-es.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLocale_fr-fr.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLocale_it-it.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLocale_ja-jp.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLocale_ko-kr.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLocale_nl-nl.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLocale_pt-br.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLocale_zh-tw.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.AI.ServerTelemetryChannel.dllh$ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.ApplicationInsights.dll\ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.Practices.Prism.dll, vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll8 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePerceive.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePerceiveHUD.dll8 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePerceiveSDK.dll8 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSMCommon.dll@ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSTDHash.dll0 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Http.dllT vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTelemetry.dll4 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWin32TaskScheduler.dllF vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Practices.Prism.dll, vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe Binary or memory string: get_OriginalFilename vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe Binary or memory string: OriginalFilenameBranding.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe Binary or memory string: OriginalFilenameCleanup.dll0 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe Binary or memory string: OriginalFilenameDeviceId.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe Binary or memory string: OriginalFilenameNDP462-KB3151802-Web.exe^ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe Binary or memory string: OriginalFilenameBoxStub.exeT vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe Binary or memory string: OriginalFilenameDownloader.dll6 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe Binary or memory string: OriginalFilenameEntitlementDefinitions.dllN vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, type: SAMPLE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: classification engine Classification label: mal54.troj.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Mutant created: NULL
Source: SystemMechanic_Ultimate_Defense (1).exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SystemMechanic_Ultimate_Defense (1).exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.91%
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SystemMechanic_Ultimate_Defense (1).exe String found in binary or memory: -start
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: msctfui.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SystemMechanic_Ultimate_Defense (1).exe Static PE information: certificate valid
Source: SystemMechanic_Ultimate_Defense (1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SystemMechanic_Ultimate_Defense (1).exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SystemMechanic_Ultimate_Defense (1).exe Static file information: File size 60747152 > 1048576
Source: SystemMechanic_Ultimate_Defense (1).exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x39a6c00
Source: SystemMechanic_Ultimate_Defense (1).exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SystemMechanic_Ultimate_Defense (1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2958390586.000001FA1A1B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb( source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2968970128.000001FA1AA70000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdbN source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbj source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\dd\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2958498107.000001FA1A1C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: SMCommon.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdbHfbf Tf_CorDllMainmscoree.dll source: SystemMechanic_Ultimate_Defense (1).exe
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbv source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: E:\A\_work\4417\s\bin\obj\Windows_NT.AnyCPU.Release\System.Net.Http\net46\System.Net.Http.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_Ultimate_Defense (1).exe
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source: Binary string: EntitlementDefinitions.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_Ultimate_Defense (1).exe
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb6 source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb~ source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdbv source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa11adaa38.2.raw.unpack, DynamicUtils.cs .Net Code: CreateSharpArgumentInfoArray
Source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa11adaa38.2.raw.unpack, LateBoundReflectionDelegateFactory.cs .Net Code: CreateDefaultConstructor
Source: SystemMechanic_Ultimate_Defense (1).exe Static PE information: 0xF0708909 [Tue Oct 29 17:42:33 2097 UTC]
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Code function: 0_2_00007FFD9B76D2A5 pushad ; iretd 0_2_00007FFD9B76D2A6
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Code function: 0_2_00007FFD9B884F14 push eax; iretd 0_2_00007FFD9B884F15
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Process information set: NOOPENFILEERRORBOX (74 identical events)
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Memory allocated: 1FA01800000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Memory allocated: 1FA19A00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Queries volume information: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe VolumeInformation
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemData\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemData.dll VolumeInformation
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation (5 further identical events)
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
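The "suspicious time stamp" finding above rests on the COFF header's TimeDateStamp (0xF0708909, decoding to 29 Oct 2097). Before treating such a value as forged, a triage step worth doing by hand is to decode the field yourself and check whether the image is a deterministic build: Roslyn's /deterministic option (and other reproducible-build toolchains) writes a content hash into TimeDateStamp instead of a date and marks this with an IMAGE_DEBUG_TYPE_REPRO (type 16) entry in the debug directory, in which case the timestamp is not a date at all. The following is an added example written for this page, not code from Joe Sandbox or from the sample's vendor; the test image it constructs (`build_test_pe`) is a synthetic minimal PE32+ with one section and an optional debug directory, not the analysed binary.

```python
import struct
from datetime import datetime, timedelta, timezone

IMAGE_DEBUG_TYPE_REPRO = 16   # debug-directory entry emitted by deterministic (e.g. Roslyn /deterministic) builds
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _pe_header_offset(data: bytes) -> int:
    """Return the file offset of the 'PE\\0\\0' signature, validating the MZ stub first."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def pe_timestamp(data: bytes) -> int:
    """COFF FileHeader.TimeDateStamp: 32-bit seconds since the Unix epoch (or a hash, see below)."""
    pe = _pe_header_offset(data)
    return struct.unpack_from("<I", data, pe + 8)[0]


def _rva_to_offset(data: bytes, pe: int, rva: int) -> int:
    """Map an RVA to a file offset by walking the section table."""
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    for i in range(num_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def is_reproducible_build(data: bytes) -> bool:
    """True if the debug directory carries an IMAGE_DEBUG_TYPE_REPRO entry.

    For such images TimeDateStamp holds a content hash, so a 'future' date is expected, not suspicious."""
    pe = _pe_header_offset(data)
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    dirs = pe + 24 + (96 if magic == 0x10B else 112)          # data directories: PE32 vs PE32+
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + 6 * 8)   # entry 6 = DEBUG
    if dbg_rva == 0 or dbg_size == 0:
        return False
    off = _rva_to_offset(data, pe, dbg_rva)
    for i in range(dbg_size // 28):                            # IMAGE_DEBUG_DIRECTORY is 28 bytes
        if struct.unpack_from("<I", data, off + 28 * i + 12)[0] == IMAGE_DEBUG_TYPE_REPRO:
            return True
    return False


def classify_timestamp(data: bytes, now_epoch=None):
    """Return (raw value, decoded UTC datetime, verdict). now_epoch overrides the clock for reproducible runs."""
    now = EPOCH + timedelta(seconds=now_epoch) if now_epoch is not None else datetime.now(timezone.utc)
    ts = pe_timestamp(data)
    when = EPOCH + timedelta(seconds=ts)                       # avoids fromtimestamp() limits past 2038
    if is_reproducible_build(data):
        return ts, when, "reproducible-build hash, not a date"
    if when > now:
        return ts, when, "future timestamp (forged or not a real date)"
    return ts, when, "plausible"


def build_test_pe(timestamp: int, reproducible: bool = False) -> bytes:
    """Constructed minimal PE32+ image (synthetic, not a real binary) used to exercise the checks above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE signature right after the stub
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    if reproducible:
        struct.pack_into("<II", opt, 112 + 6 * 8, 0x1000, 28)  # DEBUG directory -> RVA 0x1000, one entry
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    raw = bytearray(0x200)                                     # section body at file offset 0x200
    if reproducible:
        struct.pack_into("<IIHHIIII", raw, 0, 0, 0, 0, 0, IMAGE_DEBUG_TYPE_REPRO, 0, 0, 0)
    return header + bytes(raw)


if __name__ == "__main__":
    ts, when, verdict = classify_timestamp(build_test_pe(0xF0708909))
    print(f"{ts:#010x} -> {when:%Y-%m-%d %H:%M:%S} UTC: {verdict}")
```

Run against a real file, `classify_timestamp(open(path, "rb").read())` gives the decoded date and, for a deterministic .NET build, downgrades the finding to "not a date". Two further caveats on this section's static findings apply to a 64-bit .NET image like this one: `pushad` does not exist in 64-bit mode, so a "pushad ; iretd" sequence at a 0x00007FFD... address is the disassembler decoding non-code bytes rather than an obfuscation idiom, and "memory reserve | memory write watch" is how the CLR garbage collector reserves its heap (MEM_WRITE_WATCH backs its card-table tracking), so that signature carries little weight for managed code.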

Stealing of Sensitive Information

Source: Yara match File source: SystemMechanic_Ultimate_Defense (1).exe, type: SAMPLE
Source: Yara match File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a390000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a390000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a520000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a520000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b074ec9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b0648bf.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b055499.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2960322878.000001FA1A390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1658325762.000001FA7AF92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: SystemMechanic_Ultimate_Defense (1).exe, type: SAMPLE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality

Source: Yara match File source: SystemMechanic_Ultimate_Defense (1).exe, type: SAMPLE
Source: Yara match File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a390000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a390000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a520000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a520000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b074ec9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b0648bf.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b055499.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2960322878.000001FA1A390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1658325762.000001FA7AF92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: SystemMechanic_Ultimate_Defense (1).exe, type: SAMPLE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack, type: UNPACKEDPE
No contacted IP infos