
2U32GERoxl.exe

Status: finished
Submission Time: 2020-09-11 10:27:09 +02:00
Verdict: Malicious
Classification: Ransomware, Adware, Evader
Detection names: Crysis Wadhrama

Tags

  • Crysis
  • Dharma
  • Ransomware

Details

  • Analysis ID:
    284397
  • API (Web) ID:
    463972
  • Analysis Started:
    2020-09-11 10:51:52 +02:00
  • Analysis Finished:
    2020-09-11 11:02:19 +02:00
  • MD5:
    40d778624057e93cb98a8ff89d74baeb
  • SHA1:
    c5ed829367c08aa36597e77c20f1ae1b8020f0e2
  • SHA256:
    553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb
  • Technologies:

Joe Sandbox

Detection: malicious (score 100)
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

  • malicious, score 58/68
  • malicious, score 30/38
  • malicious, score 47/48
  • malicious

Dropped files

All 100 entries below are files that already existed on the analysis system and that the sample encrypted and renamed with the suffix .id-ECF18699.[backdata@qbmail.biz].back (victim id ECF18699, attacker contact mailbox backdata@qbmail.biz, appended extension .back); they are the ransomware's encrypted output, not components it installed. Every entry has file type "data", meaning the content no longer matches any known format. Hashes and per-file detection verdicts were not captured for these entries. Every listed path lies under C:\ProgramData or C:\$Recycle.Bin; among the encrypted files are the BITS queue database (qmgr.db) with its ESE log and checkpoint files, provisioning and telemetry state, Office help indexes, the cached Adobe Reader installer and a machine key under C:\ProgramData\Microsoft\Crypto\SystemKeys.

  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\windows.uif_ondemand.xml.inbox.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Network\Downloader\edb.log.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.id-ECF18699.[backdata@qbmail.biz].back
  • C:\$Recycle.Bin\S-1-5-18\desktop.ini.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\OFFICE\DocumentRepository.ico.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\OFFICE\MySharePoints.ico.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\OFFICE\MySite.ico.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\OFFICE\SharePointPortalSite.ico.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\OFFICE\SharePointTeamSite.ico.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime\0__Power_Policy.provxml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\customizations.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\customizations.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\MasterDatastore.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\RunTime.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\RunTime\0__Power_Policy.provxml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\MasterDatastore.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\customizations.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime\0__Power_Controls.provxml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\MasterDatastore.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\customizations.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\RunTime\0__Power_Policy.provxml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\RunTime.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\RunTime.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\RunTime\0__Power_EnergyEstimationEngine.provxml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\RunTime.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\MasterDatastore.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\customizations.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\Prov\RunTime\0__Power_EnergyEstimationEngine.provxml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\Prov\RunTime.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\MasterDatastore.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\customizations.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\RunTime\0__Power_EnergyEstimationEngine.provxml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\RunTime.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\MasterDatastore.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\customizations.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\RunTime\0__Power_EnergyEstimationEngine.provxml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\MasterDatastore.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\MasterDatastore.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\customizations.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\Prov\RunTime\0__Power_Policy.provxml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\Prov\RunTime.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\MasterDatastore.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\customizations.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\RunTime\1__Power_Policy.provxml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\RunTime\0__Power_Policy.provxml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\RunTime.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\MasterDatastore.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\customizations.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime\0__Power_Policy.provxml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\OFFICE\AssetLibrary.ico.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.GRAPH.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.POWERPNT.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.OUTLOOK.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.ONENOTE.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.MSPUB.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.MSOUC.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.MSACCESS.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.LYNC_ONLINE.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.LYNC_BASIC.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.LYNC.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.GROOVE.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.SETLANG.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.EXCEL.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp.id-ECF18699.[backdata@qbmail.biz].back
  • C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini.id-ECF18699.[backdata@qbmail.biz].back
  • C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\desktop.ini.id-ECF18699.[backdata@qbmail.biz].back
  • C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.ini.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Network\Downloader\edb.chk.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\MF\Pending.GRL.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\MF\Active.GRL.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Diagnosis\WindowsAnalytics\analyticsevents.dat.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Diagnosis\OfflineSettings\offlineblocklist.json.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.diffbase.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\MasterDatastore.xml.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft\Crypto\SystemKeys\8161c532f4be2453f4e2b357fecb49ca_d06ed635-68f6-4e9a-955c-4899f5f57b9a.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\nslist.hxl.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.WINWORD.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.SKYPEFB_ONLINEG.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.SKYPEFB_ONLINE.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.SKYPEFB_BASIC.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
  • C:\ProgramData\Microsoft Help\MS.SKYPEFB.16.1033.hxn.id-ECF18699.[backdata@qbmail.biz].back
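The rename pattern visible in every dropped-file entry above, <original name>.id-<victim id>.[<attacker contact>].<extension>, is the most useful host-side indicator this report gives an incident responder: it identifies the family, the victim id the attackers will quote in their ransom note and the mailbox they expect to be contacted at. The following Python script is an added example written by the editor; it is not part of the Joe Sandbox report and not the sample's code. It parses a file listing (a dir /s /b dump, or a sandbox dropped-file table) for names of that shape and summarises what it finds. The regular expression, the function names and the sample listing (four paths copied from the table above plus two constructed benign paths) are the editor's assumptions; the id length of 8 hex digits is taken from this report, and the regex keys on the structure of the suffix rather than on the literal id, mailbox or extension, because all three change from campaign to campaign.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Dharma/Crysis renames every file it encrypts to
#   <original name>.id-<victim id>.[<attacker contact>].<extension>
# This regex is the editor's assumption, written to match the form seen in
# the report (8 hex-digit id). It deliberately does not hard-code ECF18699,
# backdata@qbmail.biz or ".back": those change per campaign.
DHARMA_SUFFIX = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Constructed sample listing: the first four paths are copied from the
# report's dropped-file table; the last two are benign paths added to show
# non-matches (a normal DLL and a name that merely contains "id-").
SAMPLE_LISTING = [
    r"C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe.id-ECF18699.[backdata@qbmail.biz].back",
    r"C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.id-ECF18699.[backdata@qbmail.biz].back",
    r"C:\ProgramData\Microsoft\Network\Downloader\edb.log.id-ECF18699.[backdata@qbmail.biz].back",
    r"C:\$Recycle.Bin\S-1-5-18\desktop.ini.id-ECF18699.[backdata@qbmail.biz].back",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\Public\backup.id-notes.txt",
]


def parse_dharma_name(path):
    """Return the parts of a Dharma-style renamed file, or None if the
    basename does not have that shape."""
    p = PureWindowsPath(path)
    m = DHARMA_SUFFIX.match(p.name)
    if m is None:
        return None
    return {
        "directory": str(p.parent),
        "original": m.group("original"),
        "victim_id": m.group("victim_id").upper(),
        "contact": m.group("contact"),
        "ext": m.group("ext"),
    }


def triage(paths):
    """Summarise a file listing: how many files were renamed, which victim
    ids, contacts and extensions appear, and which directories were hit.
    More than one victim id or contact in a single listing usually means
    more than one infection or more than one host's data was mixed in."""
    hits = [h for h in (parse_dharma_name(p) for p in paths) if h is not None]
    return {
        "total": len(paths),
        "encrypted": len(hits),
        "victim_ids": Counter(h["victim_id"] for h in hits),
        "contacts": Counter(h["contact"] for h in hits),
        "extensions": Counter(h["ext"] for h in hits),
        "directories": Counter(h["directory"] for h in hits),
        "originals": [h["original"] for h in hits],
    }


if __name__ == "__main__":
    s = triage(SAMPLE_LISTING)
    print(f"{s['encrypted']} of {s['total']} files carry a Dharma suffix")
    for key in ("victim_ids", "contacts", "extensions"):
        print(f"  {key}: {dict(s[key])}")
    for directory, n in s["directories"].most_common():
        print(f"  {n:3d}  {directory}")
```

Run against a full-disk listing from an affected host, the directory counter shows how far the encryption walked (here, well into C:\ProgramData) and the originals list gives the pre-encryption names needed to scope restores from backup. Do not turn the literal suffix from this report into a detection signature; alert on the structural pattern and on a process renaming many files to it in a short window.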