Edit tour

Windows Analysis Report
SystemMechanic_Ultimate_Defense (1).exe

Overview

General Information

Sample name:	SystemMechanic_Ultimate_Defense (1).exe
Analysis ID:	1544768
MD5:	e0ed5e186b6e1c2dada474ad759a7d1a
SHA1:	118c52a2b2b6d1c176fb65d4a0dde49cccd8484d
SHA256:	6bc7edbf46ffe0fe87892ac7394dfeaa8ed7e128ee48a002aab896c8866488c6
Infos:

Detection

PureLog Stealer, zgRAT

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains potential unpacker

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Detected potential crypto function

Enables debug privileges

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SystemMechanic_Ultimate_Defense (1).exe (PID: 6880 cmdline: "C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe" MD5: E0ED5E186B6E1C2DADA474AD759A7D1A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SystemMechanic_Ultimate_Defense (1).exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
SystemMechanic_Ultimate_Defense (1).exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
SystemMechanic_Ultimate_Defense (1).exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
SystemMechanic_Ultimate_Defense (1).exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x26b16d:$s1: file:/// 0x382b84f:$s1: file:/// 0x26b079:$s2: {11111-22222-10009-11112} 0x382b75f:$s2: {11111-22222-10009-11112} 0x26b0fd:$s3: {11111-22222-50001-00000} 0x382b7df:$s3: {11111-22222-50001-00000} 0x2694c2:$s4: get_Module 0x369df56:$s4: get_Module 0x37a3168:$s4: get_Module 0x38298b4:$s4: get_Module 0x2697ef:$s5: Reverse 0x369f3a9:$s5: Reverse 0x36df81d:$s5: Reverse 0x3829b9a:$s5: Reverse 0x266524:$s6: BlockCopy 0x37af481:$s6: BlockCopy 0x3849022:$s6: BlockCopy 0x37a564c:$s7: ReadByte 0x3904439:$s7: ReadByte 0x26b17f:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x382b861:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2960322878.000001FA1A390000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000000.1658325762.000001FA7AF92000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a390000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a390000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a520000.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a520000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a520000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b074ec9.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b0648bf.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b055499.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x31bfd7:$s1: file:/// 0x31bee7:$s2: {11111-22222-10009-11112} 0x31bf67:$s3: {11111-22222-50001-00000} 0x18e6de:$s4: get_Module 0x2938f0:$s4: get_Module 0x31a03c:$s4: get_Module 0x18fb31:$s5: Reverse 0x1cffa5:$s5: Reverse 0x31a322:$s5: Reverse 0x29fc09:$s6: BlockCopy 0x3397aa:$s6: BlockCopy 0x295dd4:$s7: ReadByte 0x3f4bc1:$s7: ReadByte 0x31bfe9:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x3671eb:$s1: file:/// 0x3670fb:$s2: {11111-22222-10009-11112} 0x36717b:$s3: {11111-22222-50001-00000} 0x1d98f2:$s4: get_Module 0x2deb04:$s4: get_Module 0x365250:$s4: get_Module 0x1dad45:$s5: Reverse 0x21b1b9:$s5: Reverse 0x365536:$s5: Reverse 0x2eae1d:$s6: BlockCopy 0x3849be:$s6: BlockCopy 0x2e0fe8:$s7: ReadByte 0x43fdd5:$s7: ReadByte 0x3671fd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x3403e1:$s1: file:/// 0x3402f1:$s2: {11111-22222-10009-11112} 0x340371:$s3: {11111-22222-50001-00000} 0x1b2ae8:$s4: get_Module 0x2b7cfa:$s4: get_Module 0x33e446:$s4: get_Module 0x1b3f3b:$s5: Reverse 0x1f43af:$s5: Reverse 0x33e72c:$s5: Reverse 0x2c4013:$s6: BlockCopy 0x35dbb4:$s6: BlockCopy 0x2ba1de:$s7: ReadByte 0x418fcb:$s7: ReadByte 0x3403f3:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 15 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: SystemMechanic_Ultimate_Defense (1).exe

Static PE information: certificate valid

Source: SystemMechanic_Ultimate_Defense (1).exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2958390586.000001FA1A1B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb( source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2968970128.000001FA1AA70000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdbN source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbj source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\dd\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2958498107.000001FA1A1C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdbHfbf Tf_CorDllMainmscoree.dll source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbv source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: E:\A\_work\4417\s\bin\obj\Windows_NT.AnyCPU.Release\System.Net.Http\net46\System.Net.Http.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb6 source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb~ source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdbv source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: SystemMechanic_Ultimate_Defense (1).exe, type: SAMPLE
Source: Yara match	File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a520000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://compositewpf.codeplex.com/
Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://dejavu.sourceforge.net
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/License
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/phoenix360/MalwareKillerSetup.exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/phoenix360/MalwareKillerSetup.exeHq
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/phoenix360/PrivacyGuardianSetup.exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/phoenix360/PrivacyGuardianSetup.exeHq
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/phoenix360/SystemMechanic_PRO.exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/phoenix360/SystemMechanic_PRO.exeHq
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://ocsp.digicert.com0
Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/Uninstall.ashx
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/CompositeWPF
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/prism
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2968970128.000001FA1AA70000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel
Source: SystemMechanic_Ultimate_Defense (1).exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.iolo.com/products/byepass/activation/
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.iolo.com/products/byepass/activation/Hq
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.iolo.com/products/byepass/welcome/?utm_source=bp&utm_medium=product&p=d59cc353-e8e4-4f42-
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.iolo.net/ent/staging
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.iolo.net/ent/v2
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/f
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.avira.com/download/
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnetw
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&l
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&m
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&o
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&r
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&s
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&v
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&z
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2975865942.000001FA1ED62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://indiantypefoundry.com
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://monitor.azure.com//.default
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/l
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/l
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2975865942.000001FA1ED62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFL
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://scripts.sil.org/OFLThis
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2975865942.000001FA1ED62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLX8
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/&
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185?
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/H
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/?
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/?
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/?
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

System Summary

Malicious sample detected (through community Yara rule)

Source: SystemMechanic_Ultimate_Defense (1).exe, type: SAMPLE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Code function: 0_2_00007FFD9B889337	0_2_00007FFD9B889337
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Code function: 0_2_00007FFD9B888AA3	0_2_00007FFD9B888AA3
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Code function: 0_2_00007FFD9B8825AA	0_2_00007FFD9B8825AA
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Code function: 0_2_00007FFD9B884AE0	0_2_00007FFD9B884AE0
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Code function: 0_2_00007FFD9B88515E	0_2_00007FFD9B88515E

Source: SystemMechanic_Ultimate_Defense (1).exe, type: SAMPLE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: classification engine

Classification label: mal54.troj.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe

Mutant created: NULL

Source: SystemMechanic_Ultimate_Defense (1).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SystemMechanic_Ultimate_Defense (1).exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.91%

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SystemMechanic_Ultimate_Defense (1).exe

String found in binary or memory: -start

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SystemMechanic_Ultimate_Defense (1).exe

Static PE information: certificate valid

Source: SystemMechanic_Ultimate_Defense (1).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SystemMechanic_Ultimate_Defense (1).exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SystemMechanic_Ultimate_Defense (1).exe

Static file information: File size 60747152 > 1048576

Source: SystemMechanic_Ultimate_Defense (1).exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x39a6c00

Source: SystemMechanic_Ultimate_Defense (1).exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SystemMechanic_Ultimate_Defense (1).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2958390586.000001FA1A1B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb( source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2968970128.000001FA1AA70000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdbN source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbj source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\dd\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2958498107.000001FA1A1C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdbHfbf Tf_CorDllMainmscoree.dll source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbv source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: E:\A\_work\4417\s\bin\obj\Windows_NT.AnyCPU.Release\System.Net.Http\net46\System.Net.Http.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_Ultimate_Defense (1).exe
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb6 source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb~ source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.7\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdbv source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa11adaa38.2.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa11adaa38.2.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor

Source: SystemMechanic_Ultimate_Defense (1).exe

Static PE information: 0xF0708909 [Tue Oct 29 17:42:33 2097 UTC]

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Code function: 0_2_00007FFD9B76D2A5 pushad ; iretd		0_2_00007FFD9B76D2A6
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Code function: 0_2_00007FFD9B884F14 push eax; iretd		0_2_00007FFD9B884F15

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Memory allocated: 1FA01800000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Memory allocated: 1FA19A00000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Queries volume information: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemData\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemData.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: SystemMechanic_Ultimate_Defense (1).exe, type: SAMPLE
Source: Yara match	File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a390000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a390000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a520000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a520000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b074ec9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b0648bf.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b055499.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2960322878.000001FA1A390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1658325762.000001FA7AF92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: SystemMechanic_Ultimate_Defense (1).exe, type: SAMPLE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: SystemMechanic_Ultimate_Defense (1).exe, type: SAMPLE
Source: Yara match	File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a390000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a390000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a520000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SystemMechanic_Ultimate_Defense (1).exe.1fa1a520000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b074ec9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b0648bf.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7b055499.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2960322878.000001FA1A390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1658325762.000001FA7AF92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: SystemMechanic_Ultimate_Defense (1).exe, type: SAMPLE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e4a1678.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e456464.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.SystemMechanic_Ultimate_Defense (1).exe.1fa7e47d26e.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SystemMechanic_Ultimate_Defense (1).exe	8%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
https://www.newtonsoft.com/jsonschema	0%	URL Reputation	safe
https://www.nuget.org/packages/Newtonsoft.Json.Bson	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://scripts.sil.org/OFLThis	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://github.com/itfoundry/Poppins)&&&&z	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://github.com/itfoundry/Poppins)	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://monitor.azure.com//.default	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://github.com/itfoundry/Poppins)&&&&v	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://snapshot.monitor.azure.com/&	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://api.iolo.net/ent/v2	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.iolo.com/company/legal/eula/	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.newtonsoft.com/json	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://www.iolo.com/company/legal/sales-policy/	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://download.iolo.net/phoenix360/MalwareKillerSetup.exe	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://download.iolo.net/phoenix360/SystemMechanic_PRO.exeHq	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.iolo.com/products/byepass/activation/Hq	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.iolo.com/support/solutions/articles/44001781185?	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://www.codeplex.com/prism	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://taskscheduler.codeplex.com/	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://www.iolo.com/company/legal/privacy/?	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://download.iolo.net/phoenix360/MalwareKillerSetup.exeHq	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.codeplex.com/CompositeWPF	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.iolo.com/support/solutions/articles/44001781185	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://scripts.sil.org/OFL	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2975865942.000001FA1ED62000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://taskscheduler.codeplex.com/H	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://compositewpf.codeplex.com/	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.iolo.com/company/legal/sales-policy/?	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://scripts.sil.org/OFLX8	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2975865942.000001FA1ED62000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://indiantypefoundry.com	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2975865942.000001FA1ED62000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://download.avira.com/download/	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2968970128.000001FA1AA70000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/JamesNK/Newtonsoft.Json	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://dejavu.sourceforge.net	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://download.iolo.net/phoenix360/PrivacyGuardianSetup.exe	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.iolo.com/company/legal/privacy/	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://rt.services.visualstudio.com/l	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://james.newtonking.com/projects/json	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://www.iolo.com/products/byepass/welcome/?utm_source=bp&utm_medium=product&p=d59cc353-e8e4-4f42-	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.monitor.azure.com/l	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://www.iolo.com/products/byepass/activation/	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://dc.services.visualstudio.com/f	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://github.com/Microsoft/ApplicationInsights-dotnetw	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://dc.services.visualstudio.com/api/profiles/	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://api.iolo.net/ent/staging	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/Microsoft/ApplicationInsights-dotnet	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://svc.iolo.com/__svc/sbv/Uninstall.ashx	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://www.newtonsoft.com/jsonschema	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://download.iolo.net/phoenix360/SystemMechanic_PRO.exe	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/itfoundry/Poppins)&&&&l	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://www.iolo.com/company/legal/eula/?	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://github.com/itfoundry/Poppins)&&&&s	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://dejavu.sourceforge.net/wiki/index.php/License	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://github.com/itfoundry/Poppins)&&&&r	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://download.iolo.net/phoenix360/PrivacyGuardianSetup.exeHq	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/itfoundry/Poppins)&&&&o	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown
https://github.com/itfoundry/Poppins)&&&&m	SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544768
Start date and time:	2024-10-29 18:15:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SystemMechanic_Ultimate_Defense (1).exe
Detection:	MAL
Classification:	mal54.troj.evad.winEXE@1/1@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SystemMechanic_Ultimate_Defense (1).exe, PID 6880 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SystemMechanic_Ultimate_Defense (1).exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\iolo technologies\logs\bootstrap.log

Download File

Process:	C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	231
Entropy (8bit):	5.1693249472105975
Encrypted:	false
SSDEEP:	3:RwCMKCIkZKUgFBQ+3IV2cYEW4DkPk3jb5dAPaQV2T/7UHmIE4LUgFBQ+0Ze3UmkO:BMKLXr3stBkcXAja/7umI5drxHB1JCk
MD5:	E1441D8AA7E019D145798C895E623E09
SHA1:	B1E6AE6B3C86B8E299B70D57129435A0F3CD0F7D
SHA-256:	000BC89CDE29962A6A720537EFE6846B3AEBBECB0C67A9784E5857A932E52D11
SHA-512:	E5585EF550F323DB6C5A6FE8F5B583F5691A88742AD1E399E3F9BEA55F645124B191833FA0FA8282B4FA28071A3976749804AB4AB3045795CB9749F8EB131158
Malicious:	false
Reputation:	low
Preview:	Bootstrap LogFile..-----------------..[29/10/2024 13:16:35]: Product System Mechanic Ultimate Defense Determined From A50DE83F-EFEC-48D0-B4DC-3E98620FC509..[29/10/2024 13:16:36]: No Supported Products Were Detected On This System..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.900191729879699
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.91% Win32 Executable (generic) a (10002005/4) 49.86% InstallShield setup (43055/19) 0.21% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SystemMechanic_Ultimate_Defense (1).exe
File size:	60'747'152 bytes
MD5:	e0ed5e186b6e1c2dada474ad759a7d1a
SHA1:	118c52a2b2b6d1c176fb65d4a0dde49cccd8484d
SHA256:	6bc7edbf46ffe0fe87892ac7394dfeaa8ed7e128ee48a002aab896c8866488c6
SHA512:	8e6e7c806911f5683f1b39483adb94f721724ea7cfb6d4b4a67eccdaeea143ba125f3142ce2fba555e515c375f6fc5fe5c1ff000772b39fa95c6efb7601a2af0
SSDEEP:	786432:r3yoi5DRwTvGbU21jsZNKsO9x0yErMarVhOuqkK2QA3GfcaL/hKygwZ7m8Yhdh+q:GoisDGbZsKbx0yrqvQFc2JKBd8y+zfe
TLSH:	6FD71246F7E3C979E62B0638BBB6071505FDED6515AAC30F9944B0EDBCB26408ED3242
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....p..........."...0..l...V......R.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	50b26954d46c310c

Static PE Info

General

Entrypoint:	0x3da8a52
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF0708909 [Tue Oct 29 17:42:33 2097 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	24/03/2023 00:00:00 03/08/2025 00:59:59
Subject Chain	CN=RealDefense LLC, O=RealDefense LLC, L=Pasadena, S=California, C=US, SERIALNUMBER=6551435, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	3554BC41474EE51B8F99F803526F7B81
Thumbprint SHA-1:	FB0589419D0F6E20EECFEEC7F996F551123707E0
Thumbprint SHA-256:	4D108B1C0701F14515DD9C6203DC622A47AFFB71B37454B0D044728422B7D2A3
Serial:	056FE4BB7A7A9EF25F1C356656FFBE91

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x39a8a00	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x39aa000	0x4537c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x39ec400	0x2990	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x39f0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39a8954	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x39a6a58	0x39a6c00	76264571a181f98db6487f8c1c4b2cd6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x39aa000	0x4537c	0x45400	2ef977f95e08796a463f4ab7fba38754	False	0.2644016527527076	data	5.37218358095362	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x39f0000	0xc	0x200	fe8e871f4f32f8079cc74ae4d2e75244	False	0.044921875	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x39aa360	0x258b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9699302882114245
RT_ICON	0x39ac8fc	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.27132196162046907
RT_ICON	0x39ad7b4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.3312274368231047
RT_ICON	0x39ae06c	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.31336405529953915
RT_ICON	0x39ae744	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.3041907514450867
RT_ICON	0x39aecbc	0x5ade	PNG image data, 768 x 768, 8-bit/color RGBA, non-interlaced	0.8834150116069126
RT_ICON	0x39b47ac	0x42c0	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	0.9204705056179775
RT_ICON	0x39b8a7c	0x1c3e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9677731673582296
RT_ICON	0x39ba6cc	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.04057730983082929
RT_ICON	0x39caf04	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.05326361151986546
RT_ICON	0x39d43bc	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	0.09285714285714286
RT_ICON	0x39dabb4	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.10628465804066543
RT_ICON	0x39e004c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.08284128483703354
RT_ICON	0x39e4284	0x3a48	Device independent bitmap graphic, 60 x 120 x 32, image size 14880	0.128485254691689
RT_ICON	0x39e7cdc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.11556016597510374
RT_ICON	0x39ea294	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	0.19571005917159764
RT_ICON	0x39ebd0c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.18409943714821764
RT_ICON	0x39ecdc4	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.2520491803278688
RT_ICON	0x39ed75c	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	0.3319767441860465
RT_ICON	0x39ede24	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.34574468085106386
RT_GROUP_ICON	0x39ee29c	0x11e	data	0.6188811188811189
RT_VERSION	0x39ee3cc	0x35a	data	0.4417249417249417
RT_MANIFEST	0x39ee738	0xc3d	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.3945100542610916

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: SystemMechanic_Ultimate_Defense (1).exePID: 6880, Parent PID: 2580

General

Target ID:	0
Start time:	13:16:30
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SystemMechanic_Ultimate_Defense (1).exe"
Imagebase:	0x1fa7af90000
File size:	60'747'152 bytes
MD5 hash:	E0ED5E186B6E1C2DADA474AD759A7D1A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2960322878.000001FA1A390000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1658325762.000001FA7AF92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SystemMechanic_Ultimate_Defense (1).exePID: 6880, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B888AA3 Relevance: 1.7, Strings: 1, Instructions: 461COMMON

Download Yara Rule

Strings

NJ;, xrefs: 00007FFD9B888E5D

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID: NJ;
API String ID: 0-917330885
Opcode ID: 5dece809a1f7042a7776a434b5f5f1ba8ef0fbc6a33ac76b5286b7049e77c9b5
Instruction ID: 1bf9c7902c2a1a86924a507c0b215c3abd9cca3fbe47a8ff2f07339cd2277f43
Opcode Fuzzy Hash: 5dece809a1f7042a7776a434b5f5f1ba8ef0fbc6a33ac76b5286b7049e77c9b5
Instruction Fuzzy Hash: AEC1AE21A6EE5E0BE32D4A684C920B57382EF96205B16837CCDFB83497DD34691386C5

Function 00007FFD9B889337 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

9^H, xrefs: 00007FFD9B8893C2

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID: 9^H
API String ID: 0-1557816849
Opcode ID: 47fcaa4e6b96481df9a8abc14352e56161f4d31e26b0bcc3e65c5dae56878d05
Instruction ID: cd3b4f270f43495f80879fcc413b6e22d02f6dd2cd17079aaf71c68eb763e052
Opcode Fuzzy Hash: 47fcaa4e6b96481df9a8abc14352e56161f4d31e26b0bcc3e65c5dae56878d05
Instruction Fuzzy Hash: 7A41197061EB865FF746E7B4887A6AD7BE2EF45220B8504FEC04ACF1E6D92C5806C741

Function 00007FFD9B8825AA Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ec8a86beef040fd978a7328c48f2d88027d0a4ad7c212eda153affa2f75d53
Instruction ID: 577da4f2fbc6aa7478c89bef946a18497931c9ca3eb66fbc86de14cd85de0c80
Opcode Fuzzy Hash: e5ec8a86beef040fd978a7328c48f2d88027d0a4ad7c212eda153affa2f75d53
Instruction Fuzzy Hash: 72C1E67160AB894FE792DBB898697E87FE1FF45320F4500BFD089CB1A6DA681806C751

Function 00007FFD9B8821D1 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

!O_^, xrefs: 00007FFD9B882301
"O_^, xrefs: 00007FFD9B882201

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID: !O_^$"O_^
API String ID: 0-2490088242
Opcode ID: d445cb679fcedc86e4fe9fa0808924d64825bb84f4aaef2eba09696e2c0990da
Instruction ID: b1687000ab6b14527684f8a951b8b25d530521401f31b5167642c23dafde4088
Opcode Fuzzy Hash: d445cb679fcedc86e4fe9fa0808924d64825bb84f4aaef2eba09696e2c0990da
Instruction Fuzzy Hash: DCA12867B0D6A28BD71AAB6CB8B64E57F90DF4223870801F7D098CF0E3ED1864468395

Function 00007FFD9B88BB15 Relevance: 1.6, Strings: 1, Instructions: 366COMMON

Download Yara Rule

Strings

gN_H, xrefs: 00007FFD9B88BDEF

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID: gN_H
API String ID: 0-3096787029
Opcode ID: c18477459f7fde9cd101ca980587e7d74ab874617b54b2b6cb910169de47c625
Instruction ID: 7e074b2ba8fa871af97fd3b41ee603a656f9e23d279f01543c55455f54ddfed9
Opcode Fuzzy Hash: c18477459f7fde9cd101ca980587e7d74ab874617b54b2b6cb910169de47c625
Instruction Fuzzy Hash: A9B13A62A0FFDA1FF7669B7858764A53FA0FF9666570A00FAC0D48B0A3DC1969078311

Function 00007FFD9B88C13E Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

`, xrefs: 00007FFD9B88C254

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 706291edc10b8fc65cef76c375c87258c2418e1369d44a3172197c1e192da3be
Instruction ID: eab7b0cc880c4ba81a1bdf85c6b2c9790028ec9a6175510623ca849a703c7437
Opcode Fuzzy Hash: 706291edc10b8fc65cef76c375c87258c2418e1369d44a3172197c1e192da3be
Instruction Fuzzy Hash: 02A13C31A0EF8E4FE775A7B4542A5E97BE0EF49310B0501BED0AAC71E7ED3869068741

Function 00007FFD9B88A039 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

GP_H, xrefs: 00007FFD9B88A0A3

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID: GP_H
API String ID: 0-236919057
Opcode ID: d31699861f7b39cfe4936062ae17866acd3e4df6c67da17487fa65b9b9a3ec59
Instruction ID: 42ce0ae0221cc5b7087c2d351ebbb41460e7789eaae6f69bc08818e5d1dcce79
Opcode Fuzzy Hash: d31699861f7b39cfe4936062ae17866acd3e4df6c67da17487fa65b9b9a3ec59
Instruction Fuzzy Hash: A201A211F0D9494FE7A8E77D94696607BD1EF99310B0601FAE4ADC72E7EC789C428340

Function 00007FFD9B880840 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

GP_H, xrefs: 00007FFD9B88A0A3

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID: GP_H
API String ID: 0-236919057
Opcode ID: 9622bd691d900f77f0ba292062dfdbff23caf26a30b01b87fd90e34f09ff0f14
Instruction ID: 1cbb4ac43659a570bc0a9c1afacf3a73af0b9d6d3bde474a3da337d347fbd32e
Opcode Fuzzy Hash: 9622bd691d900f77f0ba292062dfdbff23caf26a30b01b87fd90e34f09ff0f14
Instruction Fuzzy Hash: EFF0FE21B19C1D4FEBA8EB6CA46977562C6EF9C311B5104B6A42DC73E6ED38AC424780

Function 00007FFD9B88A0B9 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

GP_H, xrefs: 00007FFD9B88A0A3

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID: GP_H
API String ID: 0-236919057
Opcode ID: d98304505b92f283885da1106b329211527887fdf8e267a6b498f529c1a67a84
Instruction ID: 772dbb000c66d8191c0e7180126e90f2d17be383acefb7cd34b0efefaacf21af
Opcode Fuzzy Hash: d98304505b92f283885da1106b329211527887fdf8e267a6b498f529c1a67a84
Instruction Fuzzy Hash: 65F01D11B0EB894FD796A77858795A43BB19F5A20074A00E3D459CB2E3ED2D9C468351

Function 00007FFD9B883D05 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da93a1c26c28d630468ff145bafde2cc2cc329c9513a05c942aee037ffdff61
Instruction ID: df8943a0a64d46d87583d161188b93b0890b293b56f43e2e95eef8173aefb321
Opcode Fuzzy Hash: 6da93a1c26c28d630468ff145bafde2cc2cc329c9513a05c942aee037ffdff61
Instruction Fuzzy Hash: 44E1D46150FBCA5FE35397B898756A9BFF0AF47220B0A41FAD084CB1E3D66C1806C752

Function 00007FFD9B881161 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1017ec051a0d03213283da992bf63095bf74a20125d817d09a24ae541bd5c368
Instruction ID: 4a8239b523cb46096ec7cff6e54221fc06b78cc8b0ea3cab1625def53950ace6
Opcode Fuzzy Hash: 1017ec051a0d03213283da992bf63095bf74a20125d817d09a24ae541bd5c368
Instruction Fuzzy Hash: 10A12970B0EE8A4FEB95EB7884669A97BE1EF59310B0500F9D49DC72A7DE285C02C741

Function 00007FFD9B8894EA Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5f999a8fa4c4d22e27399ab6a41ce2163712b8c4660310f557583239a85ceb
Instruction ID: 92c5d09e770f8ab102f29d4f541427aabf2317a146b31008f69a26bdd3e3f801
Opcode Fuzzy Hash: ed5f999a8fa4c4d22e27399ab6a41ce2163712b8c4660310f557583239a85ceb
Instruction Fuzzy Hash: F2B10630A0EA8A4FDB65EBB884291BD7BE1EF4D314F1504BDD06DD72E3C93999018741

Function 00007FFD9B885BC3 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b708050cdf7c6e6c66654dbe652161a95589c5f205c5530dadb69791c727211
Instruction ID: 11aa7805d2d1f285ff437feb932850ef79f94f10bdc3f20ee9365f5cd7a1ac9c
Opcode Fuzzy Hash: 6b708050cdf7c6e6c66654dbe652161a95589c5f205c5530dadb69791c727211
Instruction Fuzzy Hash: 8581FA7060EF894FE756A7B8846A5E97FE1EF49310B4600FEC099CB1A6D92C5942C781

Function 00007FFD9B8811BC Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953a97541ac28d6c4974effad49dbcf0402a382d1855ee87139ffea791003c5f
Instruction ID: 89264d9249f24159c25dac7e96e0c50d4a02b2ffc2eac9908e9bfd4a7ba26e94
Opcode Fuzzy Hash: 953a97541ac28d6c4974effad49dbcf0402a382d1855ee87139ffea791003c5f
Instruction Fuzzy Hash: D5810A70B0EE4A4FEB95EB788475AA97BE1EF4931074500F9D49DC72A7DE285C02C741

Function 00007FFD9B88BF01 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38321aa4b6f382cdfc879d1fe9812718f827a55b46ce19fe6910f9ee93eeda2
Instruction ID: 6387ef4959191b872d1bcee90e10565e6e83a384f32cee72ebcbcb2a8ceffb01
Opcode Fuzzy Hash: b38321aa4b6f382cdfc879d1fe9812718f827a55b46ce19fe6910f9ee93eeda2
Instruction Fuzzy Hash: 0071D67150FBC65FE357A7B8543A59EBFE0AF46220B4944FEC0C58B1A7E62C484AC742

Function 00007FFD9B889EA6 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19971033c604c798cbe9cafe431064a45a33280d21b4fd39478028e717f9c15
Instruction ID: ae45f307676a9368eba3f714acd203902526667803161c12e0acee8ab35120fb
Opcode Fuzzy Hash: e19971033c604c798cbe9cafe431064a45a33280d21b4fd39478028e717f9c15
Instruction Fuzzy Hash: 3051E83060DE891FE799EB78985AA767BE1EF4A210B0501FAE49DC71A7DD28DC42C341

Function 00007FFD9B882338 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26b56c5f2af62230b3ac7100ad4e7f2149bf94e6a08ed97a664837636392da9
Instruction ID: 6b0f446ecb5f7f2968c3e4213294061db7fe282ea318431dd8562192790919dd
Opcode Fuzzy Hash: c26b56c5f2af62230b3ac7100ad4e7f2149bf94e6a08ed97a664837636392da9
Instruction Fuzzy Hash: C1412722B0DAA64BE71DAABC78665F57FD0DF4622870801FBD09DCB1E7DD04A8478381

Function 00007FFD9B883F23 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a69e62748c7ddadecb8ec28a23aa41800e1ccac854abdf8df14787b7625ac20
Instruction ID: 79514db0ef62ad37ab354ff2e19c2cee1df68d7282b337d3828be442d2120b77
Opcode Fuzzy Hash: 6a69e62748c7ddadecb8ec28a23aa41800e1ccac854abdf8df14787b7625ac20
Instruction Fuzzy Hash: BA51E47150EBC65FE34297B8686A1EEBFE0EF4622074A40FAC099CB1ABD56C1C438751

Function 00007FFD9B882360 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2d2ab066d0d5b00902da191f4de574d4dd419b65e590f2653ee5d4afb1e64d
Instruction ID: 3f0fe5baa0a8cba4c55a4302be91c92ce5230ac12f0934aba5db973c784eee27
Opcode Fuzzy Hash: 7f2d2ab066d0d5b00902da191f4de574d4dd419b65e590f2653ee5d4afb1e64d
Instruction Fuzzy Hash: 0F412A1170DAA64BE71DBA7C786A5F97FD0DF4522870801FBE09DC71D7DD04A8468381

Function 00007FFD9B76E2D4 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979324021.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b76d000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd183ed074044eef4b51f65da561c594b432218b0ca38945bef7a0f1d8f064e
Instruction ID: ea47443f025958bd6299d6a6b0f070b532b2bc6882267ca299b6e224edbe0164
Opcode Fuzzy Hash: 8dd183ed074044eef4b51f65da561c594b432218b0ca38945bef7a0f1d8f064e
Instruction Fuzzy Hash: ED414A7150EBC88FE3568B28D8559523FF0EF56320B1602EFD088CB1B3D625A846C7A3

Function 00007FFD9B88C52A Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf469900f626140cadcf7abcd97f1a8ccdad7a22f2328f6127cd7b99ea544b2
Instruction ID: f34931e65978ffe15fc4c2b3d1387958ffebab4f78462643454601bb38192f0f
Opcode Fuzzy Hash: 2bf469900f626140cadcf7abcd97f1a8ccdad7a22f2328f6127cd7b99ea544b2
Instruction Fuzzy Hash: A6411D70A09E4D8FDF90EFA8C469AADB7F1FF58301B1100BAD00DD7266DA35E8818B40

Function 00007FFD9B885CA1 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5247f95cf8d86f84b4e0e49debfaf9d15cca2b921a2b684efbf9eb85270fbfdb
Instruction ID: bf217f25cb185d22f440001f91dda03ddeb0c6bff93bf655f15933e51b1e3157
Opcode Fuzzy Hash: 5247f95cf8d86f84b4e0e49debfaf9d15cca2b921a2b684efbf9eb85270fbfdb
Instruction Fuzzy Hash: 1631F77160FBC90FE752A778482A2A97FF1EF4A21470A04FED489CB1A3DA2C5D06C741

Function 00007FFD9B8823FF Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90a5c80bad20fe1874f4c7c3ad8669d50e17114f59c6427803ae7688e940ea5
Instruction ID: 467e21a0fb4f3e0128126967c0efd7a3bb8e8dc91df80d338ae7d145a0d249d0
Opcode Fuzzy Hash: a90a5c80bad20fe1874f4c7c3ad8669d50e17114f59c6427803ae7688e940ea5
Instruction Fuzzy Hash: B5314B1170DA964BE71DABBC68665F97FD0EF59224B0801BBE09DC71D7DD0498468381

Function 00007FFD9B889BB6 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8e20cf50721e1e8316428a7b5d27188f7c5509df9b9aa8179b90b0d0083243
Instruction ID: 736bf1559c6a2096cb02998848dea5f2f3df10e187cbd2cfc725f394d2696372
Opcode Fuzzy Hash: 6d8e20cf50721e1e8316428a7b5d27188f7c5509df9b9aa8179b90b0d0083243
Instruction Fuzzy Hash: 1231E470A0DA8A5FEB86FBB494669EEBBF0EF05300F0504F5C09AC7097CA3C98468341

Function 00007FFD9B88901B Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21fdba93a348e54c83139c80766a8e720bcc80677ff19b41efe1b371c283531f
Instruction ID: cbefd5230d8ee85d0fc522eae7ff64e2150851d5d714b03d360dc0379235d0f2
Opcode Fuzzy Hash: 21fdba93a348e54c83139c80766a8e720bcc80677ff19b41efe1b371c283531f
Instruction Fuzzy Hash: 4831B47024EB895FE746EB78886A59D7FE1EF4621078504FED08ACB596C92C4807C781

Function 00007FFD9B885CE0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75d56c738e3442d1ba9c18dc35704cbd317d4022b9d8f9b448372794efe4129
Instruction ID: b8ef3bc280734ed895d458e594eb6272f4f034968bc3593462ce426f807ff7b9
Opcode Fuzzy Hash: e75d56c738e3442d1ba9c18dc35704cbd317d4022b9d8f9b448372794efe4129
Instruction Fuzzy Hash: 75312D7060AE8A0FF796A778442A6E97FE2EF4926070504FED489CB1A6DA2C1C02C740

Function 00007FFD9B889D65 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff9e99b1c788b6fe4ac778a9dcf5335cbff2b6fe29876b52e4fb400765bdab6
Instruction ID: b2c3ec6f326453dbdbe7036e3df7447ab6abd63fe6cb9df46d601997ea464223
Opcode Fuzzy Hash: dff9e99b1c788b6fe4ac778a9dcf5335cbff2b6fe29876b52e4fb400765bdab6
Instruction Fuzzy Hash: 2621807194FAD80FD71797749C269E67FB0EF06210B0A06FBD099CB4A3C51C694AC392

Function 00007FFD9B8823C8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89af013878654b087e1fe6cf3b443279bbac08118f55fa227c0b8924722ff0c8
Instruction ID: 08975b952a06e8ad59b4fe12da6be68fec6480d8b8fd94fa7aa82b4b65a2c1bf
Opcode Fuzzy Hash: 89af013878654b087e1fe6cf3b443279bbac08118f55fa227c0b8924722ff0c8
Instruction Fuzzy Hash: 5921372170DE590FE75D9E7C6C25AB6BBD1EF99220B0541BEE04DC32E6DD14AC418381

Function 00007FFD9B882135 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb0cc46b873b745da62e70e03732246702d22fae18468c585402689085ab150
Instruction ID: 30525963efec69ca1fc3dac2ac0ccb0879b02c96b1904188eba42ba8923de39d
Opcode Fuzzy Hash: 0bb0cc46b873b745da62e70e03732246702d22fae18468c585402689085ab150
Instruction Fuzzy Hash: 8F11DB1BB1EAA61BE7237BAD68B51E53B60EF86225B0905B3C194CE0D7EC14294B4251

Function 00007FFD9B884A1D Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328ff595a40baac5389cc2e19b5e26cb942377187c23d51e66e1efdf661f975e
Instruction ID: 0f630883b6b9c4724d48fc364434b02eef4729fe92a65826e951d54858d34f8f
Opcode Fuzzy Hash: 328ff595a40baac5389cc2e19b5e26cb942377187c23d51e66e1efdf661f975e
Instruction Fuzzy Hash: 0D21E76160FFC55FE392A7B8486A269BFD1EF16210B4905EFD096CF1E7DA6C1806C342

Function 00007FFD9B882140 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b4f8e1cc7967b81433fbe5ed9bbb54a37135a9f65a2b339675538b953fb6f8
Instruction ID: b3b19c3457535ccbbafad960282b0cafa601f50fb1b6a29747ab6f7f485a105f
Opcode Fuzzy Hash: 51b4f8e1cc7967b81433fbe5ed9bbb54a37135a9f65a2b339675538b953fb6f8
Instruction Fuzzy Hash: CC11BC17B0EAE65BE71777AD68B50D53B20DF86214B0905F3C1E8CE0D7EC14294B4251

Function 00007FFD9B88BF62 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e111046a0d5f1427902e2cf733a76889daa3e531ff181a8f3b87ba1fda548077
Instruction ID: b9a98bb084ad289283236f49307c036f60d72ad12bb0bc76b7765f0a114fadfc
Opcode Fuzzy Hash: e111046a0d5f1427902e2cf733a76889daa3e531ff181a8f3b87ba1fda548077
Instruction Fuzzy Hash: 3D21387060DF864FE386D778442555ABFE0EF86220B4545FEC089C71E6EA2C58068741

Function 00007FFD9B880848 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd10e82501b9da5f1095022ebc8767f2881e3742128d736f4cce066ff4ec71f7
Instruction ID: fe7a499f1d57e7c033c0f14e267a336de67a5d449f6c0467ca68346f142d4534
Opcode Fuzzy Hash: dd10e82501b9da5f1095022ebc8767f2881e3742128d736f4cce066ff4ec71f7
Instruction Fuzzy Hash: AE110606B0D6A90FE316237D78751E82F60DF42720B0A41FBD089CA0E7DD18198B8381

Function 00007FFD9B882148 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b9cd11aa6b60f318bc6566792d6a0ff76b35d183b17939afeb1c5f3a0e7ae3
Instruction ID: 6ad33e1fa9d9f034888eb92d2b09199991145cefb63ada86cefb00a4df094dff
Opcode Fuzzy Hash: e5b9cd11aa6b60f318bc6566792d6a0ff76b35d183b17939afeb1c5f3a0e7ae3
Instruction Fuzzy Hash: A0119416A0EAE65FE72777A868B60E53F60EF47214B0A05F3C1E8CE0D7EC14294B4252

Function 00007FFD9B882158 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ec6db0d633bce6098ae3e5910e321f4fe67310e91e633f31b78df5b05d0d2e
Instruction ID: 2c7791149516e7339353b2537cb0b8b5ce0cd26236cda40237a76107bcb5a64a
Opcode Fuzzy Hash: 98ec6db0d633bce6098ae3e5910e321f4fe67310e91e633f31b78df5b05d0d2e
Instruction Fuzzy Hash: 2F018816A0E6EA5FE72777A868750E53F60DF47114B0E05F3D5E88F0D7EC14294A4352

Function 00007FFD9B88B792 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7cb335600cf89b43e82dc66f5f74897a64ae00f8c8e40d779d65ec1328952c6
Instruction ID: 3058e599248ee2cb51a18f6a286f2594e41155a8a1cafb7ac98b6182bc42ccab
Opcode Fuzzy Hash: f7cb335600cf89b43e82dc66f5f74897a64ae00f8c8e40d779d65ec1328952c6
Instruction Fuzzy Hash: D4017534A0AE0E9FDB91EBE484656ED7BF0EF5D311F1141A5C019D7161DA3C5981CB40

Function 00007FFD9B88BE2E Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb269091d8c87fee3b3658056f23fb95867891d01b407cd3076aeeec066eb032
Instruction ID: 0133a003b28d1b2eecd77962f24fccbb61be71bbb3cbe2bd07d599d71bcf26df
Opcode Fuzzy Hash: cb269091d8c87fee3b3658056f23fb95867891d01b407cd3076aeeec066eb032
Instruction Fuzzy Hash: EF01F53070FE894FE3A6AB7854752A9BBE1DF4A240F1545FEC09ACB1B2DD295806C340

Function 00007FFD9B88942C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cfb28394c895557e0a153b65fbf0225797a61f1c4762a5e968f4e94b3078ae
Instruction ID: 3913d289a980b746251a6c5a01cce1739015b83dfe9cad7c6586f0725fd22cfb
Opcode Fuzzy Hash: 87cfb28394c895557e0a153b65fbf0225797a61f1c4762a5e968f4e94b3078ae
Instruction Fuzzy Hash: CB016130B19A5E4FEB5AABB4483666D6AE1EF49314B8004F9905ACB2DADD788801C742

Function 00007FFD9B88B7BB Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebc039e98e180f76691cfc2a698863b34a97f91176d9ee8eb135929b4fc9712
Instruction ID: bf823a507454b96a26bc93c8df3e52c409f4c30577ca90f094a20ebcc2022eeb
Opcode Fuzzy Hash: 2ebc039e98e180f76691cfc2a698863b34a97f91176d9ee8eb135929b4fc9712
Instruction Fuzzy Hash: A801D631F0994DCBD7A49B94A4152E977A4EF8C344F454076D02DC31A2DE7969418780

Function 00007FFD9B88081A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e95573bf2d87dde9a410622430120c8d56932b4d80c273bd9243c1c8f5cf65c
Instruction ID: 29ac1bd81094b664305a7c2acb0b8b2f9c888b74803f1ac6354f58b26c3a7c8b
Opcode Fuzzy Hash: 9e95573bf2d87dde9a410622430120c8d56932b4d80c273bd9243c1c8f5cf65c
Instruction Fuzzy Hash: 98F0C231B19E5C8FDB65EB69D855EEA7BB4EF99300F010576E00EC3592CA21A805C791

Function 00007FFD9B88B58D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db88d19b7ff94922b7f72913d65f7e20576b8abc54456d7f94c6012c0bf25ed
Instruction ID: c805b6d4fb1073347480ff4924fe1c933ac0c505c9613cd03260b0e108a985e5
Opcode Fuzzy Hash: 4db88d19b7ff94922b7f72913d65f7e20576b8abc54456d7f94c6012c0bf25ed
Instruction Fuzzy Hash: 4601A231A0EB844FD766AB7888659953BB1EF5630074601FAC054CB1E7EA2DE845C302

Function 00007FFD9B88BE9C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969cc484477ed176e3940ad61a8677b4292e210f9a1aedda6e1abd69408fb377
Instruction ID: 182de7da4d0bb1b17b7f73685bb541ef24acca2e7c6bbfef355441bac7accdbc
Opcode Fuzzy Hash: 969cc484477ed176e3940ad61a8677b4292e210f9a1aedda6e1abd69408fb377
Instruction Fuzzy Hash: 6FF0123150BB859FE347AB7468B60897FE0FF8617435A04DEC0C6CB571D52919468B51

Function 00007FFD9B889558 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb622e8450daada11cffa5980ab726ca877406365052a60dc42259fc993b730
Instruction ID: 282f7ed62eb5a036930ffef5e727b0598095b21e1eef1154c783890c16c78c5b
Opcode Fuzzy Hash: efb622e8450daada11cffa5980ab726ca877406365052a60dc42259fc993b730
Instruction Fuzzy Hash: A8F0B431A0DB894BD7545FA854261A97BD0BF4D264F0506BEF5A9C32E3CE3994014706

Function 00007FFD9B88B835 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806aeeb95bd3baae2095688336afdf78fb05dc14b787734e9dab3d4f54799064
Instruction ID: 05bcf75c7ffb4f9578e033abe824103386f840bbef203b37a2fb543b16386caa
Opcode Fuzzy Hash: 806aeeb95bd3baae2095688336afdf78fb05dc14b787734e9dab3d4f54799064
Instruction Fuzzy Hash: B8E0267190EE4C8BCF14AB99AC642D437A4FF8D348F02016EE09CD3291D73A6A55C741

Function 00007FFD9B8840A5 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4990d8341234dfb120e9d177012280593a6b6b841761e6197c7f1a07cdbfa9
Instruction ID: 5f52be825181289a262d6d78c4a5df332e267a8f84d46b9488beaa251e1c88d3
Opcode Fuzzy Hash: eb4990d8341234dfb120e9d177012280593a6b6b841761e6197c7f1a07cdbfa9
Instruction Fuzzy Hash: 5CE0ED2254FBCA8FD72367E04C614A63F70AF4A140B0A42E7E0A9C71A3D918561983A3

Function 00007FFD9B8898CA Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268dccee63dca05fda113ccc2169047cbecffe6ee804f50136c9174f0fbf7477
Instruction ID: 2c7dc28a464d3e9446eb3bc9f16758f11375ce8ddf02211de38918b88d8d746f
Opcode Fuzzy Hash: 268dccee63dca05fda113ccc2169047cbecffe6ee804f50136c9174f0fbf7477
Instruction Fuzzy Hash: 2FE0C25065AF861FF38663F9387B0EABBD0EF4A12078640F9C08AC7196D86C0CC38380

Function 00007FFD9B8894BF Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb7b99b679e176e4bcf073a06d4e5ef91e34ff3e1c6f59deb881d1ba6d9e08e
Instruction ID: 926bb4bf672f03ac1b7a6cfc1799d52a9109e42940034d957adbdf6e4e9050cb
Opcode Fuzzy Hash: adb7b99b679e176e4bcf073a06d4e5ef91e34ff3e1c6f59deb881d1ba6d9e08e
Instruction Fuzzy Hash: E2D05E36648B589FDB91AAA494156C9BBF0DB4A131F1040DAC4CDC7102C57809CD8B51

Function 00007FFD9B8868C9 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834622472499fb056e6ea8d745b48ee08d012e95c2a3cca9e242db82923dd5e1
Instruction ID: 14d5a74e7fa09ff5a2236f63bb3e708e0743fbe3f300fcc1d64433bb6d354022
Opcode Fuzzy Hash: 834622472499fb056e6ea8d745b48ee08d012e95c2a3cca9e242db82923dd5e1
Instruction Fuzzy Hash: 08D0A7A1B1DB4D07E1249649986326433C1E79CB80F410136D6ADC23A3DD197D414702

Non-executed Functions

Function 00007FFD9B884AE0 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

NJ;, xrefs: 00007FFD9B884B8C

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID: NJ;
API String ID: 0-917330885
Opcode ID: 4fd195e745f37a3653a3ccdbf0b8c4e104fbb3e693cb7a53501f0ff2f2c23dd1
Instruction ID: fa1798da37aaa320348d5075ba6c837298b33b1bc424b5120b05a140e8ec11d8
Opcode Fuzzy Hash: 4fd195e745f37a3653a3ccdbf0b8c4e104fbb3e693cb7a53501f0ff2f2c23dd1
Instruction Fuzzy Hash: 9B41A67020EB956FE782A7B8486A59DBFE2EF4622038504DFC086CF5E6DA5C5C07C791

Function 00007FFD9B88515E Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2979795311.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_SystemMechanic_Ultimate_Defense (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b4338d1161c87e74a5209eaa777c7c4f23af532b2ba86bd656fcdc97b1e5d3
Instruction ID: 783ac35abd3cd9a985b5083d2dbe81d8dab8925695e88bb53bb3d7784cb185c4
Opcode Fuzzy Hash: 63b4338d1161c87e74a5209eaa777c7c4f23af532b2ba86bd656fcdc97b1e5d3
Instruction Fuzzy Hash: 9731722024EB815FE387A7B8446A5A97FE1EF5712038600EEC0C6CF5A7D95C6807C392

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2958498107.000001FA1A1C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLocale_en-us.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2969260912.000001FA1AAA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2968970128.000001FA1AA70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Practices.Prism.dll, vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942709784.000001FA019E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDownloader.dll6 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11AD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePerceive.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePerceiveHUD.dll8 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePerceiveSDK.dll8 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2961294744.000001FA1A520000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSMCommon.dll@ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1700909403.000001FA7E93A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBootstrap.exe@ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2963214249.000001FA1A770000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameInstallerSMUDUI.dll@ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942669851.000001FA019D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBranding.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2960322878.000001FA1A390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameEntitlementDefinitions.dllN vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2942772740.000001FA01A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2958607900.000001FA1A1D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCleanup.dll0 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2958390586.000001FA1A1B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameInstallerCommon.dll@ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInstallerSMUDUI.dll@ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLocale_de-de.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLocale_en-us.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLocale_es-es.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLocale_fr-fr.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLocale_it-it.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLocale_ja-jp.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLocale_ko-kr.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLocale_nl-nl.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLocale_pt-br.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLocale_zh-tw.dll: vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMicrosoft.AI.ServerTelemetryChannel.dllh$ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMicrosoft.ApplicationInsights.dll\ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Practices.Prism.dll, vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll8 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePerceive.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePerceiveHUD.dll8 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePerceiveSDK.dll8 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSMCommon.dll@ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSTDHash.dll0 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Net.Http.dllT vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTelemetry.dll4 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000000.1658325762.000001FA7E192000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWin32TaskScheduler.dllF vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe, 00000000.00000002.2955769844.000001FA11A21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Practices.Prism.dll, vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe	Binary or memory string: get_OriginalFilename vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe	Binary or memory string: OriginalFilenameBranding.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe	Binary or memory string: OriginalFilenameCleanup.dll0 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe	Binary or memory string: OriginalFilenameDeviceId.dll2 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe	Binary or memory string: OriginalFilenameNDP462-KB3151802-Web.exe^ vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe	Binary or memory string: OriginalFilenameBoxStub.exeT vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe	Binary or memory string: OriginalFilenameDownloader.dll6 vs SystemMechanic_Ultimate_Defense (1).exe
Source: SystemMechanic_Ultimate_Defense (1).exe	Binary or memory string: OriginalFilenameEntitlementDefinitions.dllN vs SystemMechanic_Ultimate_Defense (1).exe

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SystemMechanic_Ultimate_Defense (1).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\iolo technologies\logs\bootstrap.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SystemMechanic_Ultimate_Defense (1).exePID: 6880, Parent PID: 2580

General

Chronological Activities

Windows Analysis Report
SystemMechanic_Ultimate_Defense (1).exe