Sodinokibi | 05af0cf40590

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\kEecfMwgj\Desktop\Avaddon_09_06_2020_1054KB.exe

Sample File

Binary

Also Known As	C:\Users\kEecfMwgj\AppData\Roaming\Avaddon_09_06_2020_1054KB.exe (Dropped File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	1.03 MB
MD5	c9ec0d9ff44f445ce5614cc87398b38d
SHA1	591ffe54bac2c50af61737a28749ff8435168182
SHA256	05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2
SSDeep	24576:Cs6JmdFn5KLOCgHWcAvcrOcEsKfR9uA7rmFbbbbpccf:Cs6JY5KLOCyWcDUfRAA3mFbbbbpc4
ImpHash	1156e59d43883136ef73eee451e94e3d

File Reputation Information

Verdict	malicious

PE Information

Image Base	0x400000
Entry Point	0x4481c7
Size Of Code	0x8e000
Size Of Initialized Data	0x7a800
File Type	FileType.executable
Subsystem	Subsystem.windows_gui
Machine Type	MachineType.i386
Compile Timestamp	2020-06-03 09:47:22+00:00

Sections (4)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x401000	0x8df96	0x8e000	0x400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.62
.rdata	0x48f000	0x68cd8	0x68e00	0x8e400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.63
.data	0x4f8000	0x8c70	0x7800	0xf7200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.13
.reloc	0x501000	0x8a4c	0x8c00	0xfea00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	6.61

Imports (13)

KERNEL32.dll (144)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
ReadFile	-	0x48f070	0xf6a8c	0xf5e8c	0x473
GetFileSizeEx	-	0x48f074	0xf6a90	0xf5e90	0x24c
GetFileAttributesW	-	0x48f078	0xf6a94	0xf5e94	0x245
SetFileAttributesW	-	0x48f07c	0xf6a98	0xf5e98	0x51d
SetFilePointerEx	-	0x48f080	0xf6a9c	0xf5e9c	0x523
MoveFileExW	-	0x48f084	0xf6aa0	0xf5ea0	0x3e8
FindFirstFileW	-	0x48f088	0xf6aa4	0xf5ea4	0x180
FindNextFileW	-	0x48f08c	0xf6aa8	0xf5ea8	0x18c
GetEnvironmentVariableW	-	0x48f090	0xf6aac	0xf5eac	0x239
FindClose	-	0x48f094	0xf6ab0	0xf5eb0	0x175
GetShortPathNameA	-	0x48f098	0xf6ab4	0xf5eb4	0x2cc
ReleaseMutex	-	0x48f09c	0xf6ab8	0xf5eb8	0x4b0
GetUserDefaultLCID	-	0x48f0a0	0xf6abc	0xf5ebc	0x312
GetCurrentThread	-	0x48f0a4	0xf6ac0	0xf5ec0	0x21b
GetThreadContext	-	0x48f0a8	0xf6ac4	0xf5ec4	0x2f7
IsDebuggerPresent	-	0x48f0ac	0xf6ac8	0xf5ec8	0x37f
QueryDepthSList	-	0x48f0b0	0xf6acc	0xf5ecc	0x443
InterlockedFlushSList	-	0x48f0b4	0xf6ad0	0xf5ed0	0x36c
InterlockedPushEntrySList	-	0x48f0b8	0xf6ad4	0xf5ed4	0x36f
InterlockedPopEntrySList	-	0x48f0bc	0xf6ad8	0xf5ed8	0x36e
GetCurrentProcess	-	0x48f0c0	0xf6adc	0xf5edc	0x217
GetTickCount	-	0x48f0c4	0xf6ae0	0xf5ee0	0x307
OpenMutexW	-	0x48f0c8	0xf6ae4	0xf5ee4	0x409
CopyFileW	-	0x48f0cc	0xf6ae8	0xf5ee8	0xad
CreateProcessW	-	0x48f0d0	0xf6aec	0xf5eec	0xe5
GetProcessHeap	-	0x48f0d4	0xf6af0	0xf5ef0	0x2b4
HeapAlloc	-	0x48f0d8	0xf6af4	0xf5ef4	0x345
CloseHandle	-	0x48f0dc	0xf6af8	0xf5ef8	0x86
Process32FirstW	-	0x48f0e0	0xf6afc	0xf5efc	0x42c
Process32NextW	-	0x48f0e4	0xf6b00	0xf5f00	0x42e
GetLastError	-	0x48f0e8	0xf6b04	0xf5f04	0x261
Sleep	-	0x48f0ec	0xf6b08	0xf5f08	0x57d
CreateToolhelp32Snapshot	-	0x48f0f0	0xf6b0c	0xf5f0c	0xfc
OpenProcess	-	0x48f0f4	0xf6b10	0xf5f10	0x40d
CreateFileW	-	0x48f0f8	0xf6b14	0xf5f14	0xcb
CreateMutexW	-	0x48f0fc	0xf6b18	0xf5f18	0xda
GetModuleFileNameW	-	0x48f100	0xf6b1c	0xf5f1c	0x274
TerminateProcess	-	0x48f104	0xf6b20	0xf5f20	0x58c
HeapFree	-	0x48f108	0xf6b24	0xf5f24	0x349
WideCharToMultiByte	-	0x48f10c	0xf6b28	0xf5f28	0x5fe
MultiByteToWideChar	-	0x48f110	0xf6b2c	0xf5f2c	0x3ef
FindNextVolumeW	-	0x48f114	0xf6b30	0xf5f30	0x191
GetVolumePathNamesForVolumeNameW	-	0x48f118	0xf6b34	0xf5f34	0x324
FindVolumeClose	-	0x48f11c	0xf6b38	0xf5f38	0x198
SetVolumeMountPointW	-	0x48f120	0xf6b3c	0xf5f3c	0x574
FindFirstVolumeW	-	0x48f124	0xf6b40	0xf5f40	0x186
WriteConsoleW	-	0x48f128	0xf6b44	0xf5f44	0x611
SetEndOfFile	-	0x48f12c	0xf6b48	0xf5f48	0x510
HeapSize	-	0x48f130	0xf6b4c	0xf5f4c	0x34e
ReadConsoleW	-	0x48f134	0xf6b50	0xf5f50	0x470
FlushFileBuffers	-	0x48f138	0xf6b54	0xf5f54	0x19f
SetEnvironmentVariableW	-	0x48f13c	0xf6b58	0xf5f58	0x514
FreeEnvironmentStringsW	-	0x48f140	0xf6b5c	0xf5f5c	0x1aa
GetEnvironmentStringsW	-	0x48f144	0xf6b60	0xf5f60	0x237
GetCommandLineW	-	0x48f148	0xf6b64	0xf5f64	0x1d7
GetCommandLineA	-	0x48f14c	0xf6b68	0xf5f68	0x1d6
GetOEMCP	-	0x48f150	0xf6b6c	0xf5f6c	0x297
GetACP	-	0x48f154	0xf6b70	0xf5f70	0x1b2
ReleaseSemaphore	-	0x48f158	0xf6b74	0xf5f74	0x4b4
DuplicateHandle	-	0x48f15c	0xf6b78	0xf5f78	0x12b
VirtualFree	-	0x48f160	0xf6b7c	0xf5f7c	0x5c9
VirtualProtect	-	0x48f164	0xf6b80	0xf5f80	0x5cc
VirtualAlloc	-	0x48f168	0xf6b84	0xf5f84	0x5c6
IsValidCodePage	-	0x48f16c	0xf6b88	0xf5f88	0x38b
GetVersionExW	-	0x48f170	0xf6b8c	0xf5f8c	0x31b
LoadLibraryExW	-	0x48f174	0xf6b90	0xf5f90	0x3c3
GetModuleHandleA	-	0x48f178	0xf6b94	0xf5f94	0x275
FreeLibraryAndExitThread	-	0x48f17c	0xf6b98	0xf5f98	0x1ac
UnregisterWaitEx	-	0x48f180	0xf6b9c	0xf5f9c	0x5b7
WaitForSingleObject	-	0x48f184	0xf6ba0	0xf5fa0	0x5d7
WriteFile	-	0x48f188	0xf6ba4	0xf5fa4	0x612
FindFirstFileExW	-	0x48f18c	0xf6ba8	0xf5fa8	0x17b
HeapReAlloc	-	0x48f190	0xf6bac	0xf5fac	0x34c
GetConsoleMode	-	0x48f194	0xf6bb0	0xf5fb0	0x1fc
GetConsoleCP	-	0x48f198	0xf6bb4	0xf5fb4	0x1ea
SetStdHandle	-	0x48f19c	0xf6bb8	0xf5fb8	0x54a
DeleteFileW	-	0x48f1a0	0xf6bbc	0xf5fbc	0x115
GetFileType	-	0x48f1a4	0xf6bc0	0xf5fc0	0x24e
EnumSystemLocalesW	-	0x48f1a8	0xf6bc4	0xf5fc4	0x154
IsValidLocale	-	0x48f1ac	0xf6bc8	0xf5fc8	0x38d
GetTimeFormatW	-	0x48f1b0	0xf6bcc	0xf5fcc	0x30c
GetDateFormatW	-	0x48f1b4	0xf6bd0	0xf5fd0	0x221
GetTimeZoneInformation	-	0x48f1b8	0xf6bd4	0xf5fd4	0x30e
QueryDosDeviceW	-	0x48f1bc	0xf6bd8	0xf5fd8	0x445
GetLogicalDrives	-	0x48f1c0	0xf6bdc	0xf5fdc	0x268
GetStdHandle	-	0x48f1c4	0xf6be0	0xf5fe0	0x2d2
FreeLibrary	-	0x48f1c8	0xf6be4	0xf5fe4	0x1ab
ExitProcess	-	0x48f1cc	0xf6be8	0xf5fe8	0x15e
RtlUnwind	-	0x48f1d0	0xf6bec	0xf5fec	0x4d3
LoadLibraryW	-	0x48f1d4	0xf6bf0	0xf5ff0	0x3c4
RaiseException	-	0x48f1d8	0xf6bf4	0xf5ff4	0x462
GetCurrentThreadId	-	0x48f1dc	0xf6bf8	0xf5ff8	0x21c
IsProcessorFeaturePresent	-	0x48f1e0	0xf6bfc	0xf5ffc	0x386
QueueUserWorkItem	-	0x48f1e4	0xf6c00	0xf6000	0x457
GetModuleHandleExW	-	0x48f1e8	0xf6c04	0xf6004	0x277
FormatMessageW	-	0x48f1ec	0xf6c08	0xf6008	0x1a7
EnterCriticalSection	-	0x48f1f0	0xf6c0c	0xf600c	0x131
LeaveCriticalSection	-	0x48f1f4	0xf6c10	0xf6010	0x3bd
TryEnterCriticalSection	-	0x48f1f8	0xf6c14	0xf6014	0x5a7
DeleteCriticalSection	-	0x48f1fc	0xf6c18	0xf6018	0x110
QueryPerformanceCounter	-	0x48f200	0xf6c1c	0xf601c	0x44d
QueryPerformanceFrequency	-	0x48f204	0xf6c20	0xf6020	0x44e
SetLastError	-	0x48f208	0xf6c24	0xf6024	0x532
InitializeCriticalSectionAndSpinCount	-	0x48f20c	0xf6c28	0xf6028	0x35f
CreateEventW	-	0x48f210	0xf6c2c	0xf602c	0xbf
SwitchToThread	-	0x48f214	0xf6c30	0xf6030	0x587
TlsAlloc	-	0x48f218	0xf6c34	0xf6034	0x59e
TlsGetValue	-	0x48f21c	0xf6c38	0xf6038	0x5a0
TlsSetValue	-	0x48f220	0xf6c3c	0xf603c	0x5a1
TlsFree	-	0x48f224	0xf6c40	0xf6040	0x59f
GetSystemTimeAsFileTime	-	0x48f228	0xf6c44	0xf6044	0x2e9
GetModuleHandleW	-	0x48f22c	0xf6c48	0xf6048	0x278
GetProcAddress	-	0x48f230	0xf6c4c	0xf604c	0x2ae
WaitForSingleObjectEx	-	0x48f234	0xf6c50	0xf6050	0x5d8
EncodePointer	-	0x48f238	0xf6c54	0xf6054	0x12d
DecodePointer	-	0x48f23c	0xf6c58	0xf6058	0x109
GetStringTypeW	-	0x48f240	0xf6c5c	0xf605c	0x2d7
CompareStringW	-	0x48f244	0xf6c60	0xf6060	0x9b
LCMapStringW	-	0x48f248	0xf6c64	0xf6064	0x3b1
GetLocaleInfoW	-	0x48f24c	0xf6c68	0xf6068	0x265
GetCPInfo	-	0x48f250	0xf6c6c	0xf606c	0x1c1
UnhandledExceptionFilter	-	0x48f254	0xf6c70	0xf6070	0x5ad
SetUnhandledExceptionFilter	-	0x48f258	0xf6c74	0xf6074	0x56d
SetEvent	-	0x48f25c	0xf6c78	0xf6078	0x516
ResetEvent	-	0x48f260	0xf6c7c	0xf607c	0x4c6
GetStartupInfoW	-	0x48f264	0xf6c80	0xf6080	0x2d0
GetCurrentProcessId	-	0x48f268	0xf6c84	0xf6084	0x218
InitializeSListHead	-	0x48f26c	0xf6c88	0xf6088	0x363
LocalFree	-	0x48f270	0xf6c8c	0xf608c	0x3cf
CreateTimerQueue	-	0x48f274	0xf6c90	0xf6090	0xfa
SignalObjectAndWait	-	0x48f278	0xf6c94	0xf6094	0x57b
CreateThread	-	0x48f27c	0xf6c98	0xf6098	0xf3
SetThreadPriority	-	0x48f280	0xf6c9c	0xf609c	0x55e
GetThreadPriority	-	0x48f284	0xf6ca0	0xf60a0	0x301
GetLogicalProcessorInformation	-	0x48f288	0xf6ca4	0xf60a4	0x269
CreateTimerQueueTimer	-	0x48f28c	0xf6ca8	0xf60a8	0xfb
ChangeTimerQueueTimer	-	0x48f290	0xf6cac	0xf60ac	0x78
DeleteTimerQueueTimer	-	0x48f294	0xf6cb0	0xf60b0	0x11a
GetNumaHighestNodeNumber	-	0x48f298	0xf6cb4	0xf60b4	0x289
GetProcessAffinityMask	-	0x48f29c	0xf6cb8	0xf60b8	0x2af
SetThreadAffinityMask	-	0x48f2a0	0xf6cbc	0xf60bc	0x553
RegisterWaitForSingleObject	-	0x48f2a4	0xf6cc0	0xf60c0	0x4a9
UnregisterWait	-	0x48f2a8	0xf6cc4	0xf60c4	0x5b6
GetThreadTimes	-	0x48f2ac	0xf6cc8	0xf60c8	0x305

USER32.dll (2)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetKeyboardLayout	-	0x48f308	0xf6d24	0xf6124	0x167
SystemParametersInfoW	-	0x48f30c	0xf6d28	0xf6128	0x390

ADVAPI32.dll (23)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
ControlService	-	0x48f000	0xf6a1c	0xf5e1c	0x6a
OpenServiceW	-	0x48f004	0xf6a20	0xf5e20	0x219
CryptSetKeyParam	-	0x48f008	0xf6a24	0xf5e24	0xde
CryptDestroyKey	-	0x48f00c	0xf6a28	0xf5e28	0xc8
CryptAcquireContextW	-	0x48f010	0xf6a2c	0xf5e2c	0xc2
CryptEncrypt	-	0x48f014	0xf6a30	0xf5e30	0xcb
CryptDuplicateKey	-	0x48f018	0xf6a34	0xf5e34	0xca
CryptExportKey	-	0x48f01c	0xf6a38	0xf5e38	0xd0
CryptImportKey	-	0x48f020	0xf6a3c	0xf5e3c	0xdb
CryptGenKey	-	0x48f024	0xf6a40	0xf5e40	0xd1
CryptReleaseContext	-	0x48f028	0xf6a44	0xf5e44	0xdc
OpenProcessToken	-	0x48f02c	0xf6a48	0xf5e48	0x215
GetTokenInformation	-	0x48f030	0xf6a4c	0xf5e4c	0x170
RegCloseKey	-	0x48f034	0xf6a50	0xf5e50	0x25b
CloseServiceHandle	-	0x48f038	0xf6a54	0xf5e54	0x65
OpenSCManagerW	-	0x48f03c	0xf6a58	0xf5e58	0x217
DeleteService	-	0x48f040	0xf6a5c	0xf5e5c	0xec
RegCreateKeyW	-	0x48f044	0xf6a60	0xf5e60	0x267
EnumDependentServicesW	-	0x48f048	0xf6a64	0xf5e64	0x10f
RegSetValueExW	-	0x48f04c	0xf6a68	0xf5e68	0x2a9
StartServiceW	-	0x48f050	0xf6a6c	0xf5e6c	0x2fb
RegOpenKeyExW	-	0x48f054	0xf6a70	0xf5e70	0x28c
QueryServiceStatusEx	-	0x48f058	0xf6a74	0xf5e74	0x251

SHELL32.dll (2)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
SHGetSpecialFolderPathA	-	0x48f2fc	0xf6d18	0xf6118	0x175
SHEmptyRecycleBinW	-	0x48f300	0xf6d1c	0xf611c	0x13a

ole32.dll (8)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CoUninitialize	-	0x48f350	0xf6d6c	0xf616c	0x8d
CoInitializeEx	-	0x48f354	0xf6d70	0xf6170	0x5e
CoInitialize	-	0x48f358	0xf6d74	0xf6174	0x5d
IIDFromString	-	0x48f35c	0xf6d78	0xf6178	0x102
CLSIDFromString	-	0x48f360	0xf6d7c	0xf617c	0xc
CoGetObject	-	0x48f364	0xf6d80	0xf6180	0x51
CoCreateInstance	-	0x48f368	0xf6d84	0xf6184	0x28
CoInitializeSecurity	-	0x48f36c	0xf6d88	0xf6188	0x5f

OLEAUT32.dll (6)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
SysFreeString	0x6	0x48f2c8	0xf6ce4	0xf60e4	-
VariantInit	0x8	0x48f2cc	0xf6ce8	0xf60e8	-
SysAllocStringByteLen	0x96	0x48f2d0	0xf6cec	0xf60ec	-
SysAllocString	0x2	0x48f2d4	0xf6cf0	0xf60f0	-
VariantClear	0x9	0x48f2d8	0xf6cf4	0xf60f4	-
SysStringByteLen	0x95	0x48f2dc	0xf6cf8	0xf60f8	-

MPR.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
WNetGetConnectionW	-	0x48f2b4	0xf6cd0	0xf60d0	0x2b

NETAPI32.dll (2)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
NetShareEnum	-	0x48f2bc	0xf6cd8	0xf60d8	0xde
NetApiBufferFree	-	0x48f2c0	0xf6cdc	0xf60dc	0x51

IPHLPAPI.DLL (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
SendARP	-	0x48f068	0xf6a84	0xf5e84	0xf7

WS2_32.dll (6)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
WSACleanup	0x74	0x48f334	0xf6d50	0xf6150	-
gethostbyname	0x34	0x48f338	0xf6d54	0xf6154	-
WSAStartup	0x73	0x48f33c	0xf6d58	0xf6158	-
inet_addr	0xb	0x48f340	0xf6d5c	0xf615c	-
gethostname	0x39	0x48f344	0xf6d60	0xf6160	-
inet_ntoa	0xc	0x48f348	0xf6d64	0xf6164	-

RstrtMgr.DLL (5)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
RmRegisterResources	-	0x48f2e4	0xf6d00	0xf6100	0x6
RmGetList	-	0x48f2e8	0xf6d04	0xf6104	0x4
RmStartSession	-	0x48f2ec	0xf6d08	0xf6108	0xb
RmShutdown	-	0x48f2f0	0xf6d0c	0xf610c	0xa
RmEndSession	-	0x48f2f4	0xf6d10	0xf6110	0x2

CRYPT32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CryptStringToBinaryA	-	0x48f060	0xf6a7c	0xf5e7c	0xe3

WININET.dll (7)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
InternetConnectW	-	0x48f314	0xf6d30	0xf6130	0x9c
HttpOpenRequestW	-	0x48f318	0xf6d34	0xf6134	0x79
InternetCloseHandle	-	0x48f31c	0xf6d38	0xf6138	0x95
HttpSendRequestW	-	0x48f320	0xf6d3c	0xf613c	0x82
InternetReadFile	-	0x48f324	0xf6d40	0xf6140	0xce
HttpSendRequestA	-	0x48f328	0xf6d44	0xf6144	0x7f
InternetOpenW	-	0x48f32c	0xf6d48	0xf6148	0xc9

Memory Dumps (34)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
avaddon_09_06_2020_1054kb.exe	1	0x01160000	0x01269FFF	Relevant Image	32-bit	0x011A7C06	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x003AB000	0x003AFFFF	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x0048ECE0	0x0048EEFF	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x0048F7F8	0x0048FB5B	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x0048FB68	0x00490967	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x004911F8	0x00491283	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x00491290	0x00491A8F	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x004925D8	0x0049268F	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x00492698	0x00492817	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x00492828	0x004928BF	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x00492A98	0x00492BC1	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x00492C98	0x00492D27	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x00492DD0	0x00492EA5	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x004937C8	0x00493AC7	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x00496BD0	0x004973CF	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x004973D8	0x00497557	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x00497960	0x00497AC3	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x00498350	0x0049854F	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x00498558	0x004985F7	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x004986E0	0x0049878B	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x004997A0	0x00499826	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x004998C0	0x00499D4B	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x0049A818	0x0049A8A3	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x0049A8D0	0x0049A9DD	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x0049A9E8	0x0049AAE3	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x0049AB00	0x0049AF8B	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x0049B2F8	0x0049B783	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x0049CD58	0x0049CED7	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x0049CF60	0x0049D097	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x0049D318	0x0049D528	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x0049DFE8	0x0049E287	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x0049E290	0x0049E52F	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x004BAAD8	0x004BACE7	First Network Behavior	32-bit	-	... Memory Dump Actions Go to Process Download Dump
avaddon_09_06_2020_1054kb.exe	1	0x01160000	0x01269FFF	First Network Behavior	32-bit	0x01179151	... Memory Dump Actions Go to Process Download Dump

C:\\Users\Default\Contacts\Administrator.contact

Modified File

Stream

Also Known As	C:\\Users\Default\Contacts\Administrator.contact.avdn (Dropped File) C:\\Users\kEecfMwgj\Contacts\Administrator.contact (Modified File) C:\\Users\kEecfMwgj\Contacts\Administrator.contact.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	72.52 KB
MD5	016112fff583329510dd393961441fb6
SHA1	f51496152788645a979eb8cc91754a3b364a4101
SHA256	d9ecb29f3ef3f7d967c6c6118cda547b5bb9c99b45294b5979e2ab7aa694109a
SSDeep	1536:e/m7sxZv22X4xow5DcO97yhDM7F1eiB4YH9b2dQvIZhQUD:g08dYDLy1MRRB4u2CIUu
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Favorites\Microsoft Websites\IE Add-on site.url

Modified File

Stream

Also Known As	C:\\Users\Default\Favorites\Microsoft Websites\IE Add-on site.url.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	0c86d286f551cf33d32d749e9f6a1935
SHA1	670217260f3389e3aff44fe59f3c1278c8fbb2a6
SHA256	257d60bf2fde40d0282bb05aeb69a0c350a82a03a96156b7d76c23441d2140d9
SSDeep	192:itVXEGCk6QF81BBO8VyoHbNnjCNDlA1ClZAbWxaPUP7Pqb+Bu:AXEi6Smu8JCN5nlabWoMP7PqyBu
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Favorites\Microsoft Websites\IE site on Microsoft.com.url

Modified File

Stream

Also Known As	C:\\Users\Default\Favorites\Microsoft Websites\IE site on Microsoft.com.url.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	59482199086cb0a054bb96bc6030b0cc
SHA1	ceda7ce1a08550aedf360064581df4cd45630f77
SHA256	5a64312c449747496728127ca6ca53bbea2a7c883020a46db87aaf7b53d5c3f1
SSDeep	192:/eQHbblJxqW4T4edfxdUuQxofBbrQNtGeJVHlSU35+SMV3Bu:jHbx34T4edxd3Aur6bJVD356hBu
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Favorites\Microsoft Websites\Microsoft At Home.url

Modified File

Stream

Also Known As	C:\\Users\Default\Favorites\Microsoft Websites\Microsoft At Home.url.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	4d0e3895d5298b8787320e37c0601a5a
SHA1	4162af9f92dddbe4a3ac0d5a521eb06b6d8cfb1f
SHA256	e04f6b8910d36f6096d6afa4f57bd3d347a7810caa4ffe6773e20c5a047269c0
SSDeep	192:7WBG4ZwJPeAGbzBxLwg/KEGbt+vSRsIya6XtteRCBu:7WUSye5uSyGY0URCBu
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Favorites\Microsoft Websites\Microsoft At Work.url

Modified File

Stream

Also Known As	C:\\Users\Default\Favorites\Microsoft Websites\Microsoft At Work.url.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	5f06a8dd431579dc267103c3a14480e2
SHA1	0ad6861d11b143635601c437b7ce034e754f0f03
SHA256	192956dd8bc9fbd3819c47db66713e6fcc5fcaea3c0beedf8833067b6cb4780b
SSDeep	192:jir/S8YCpLS8W3W3nL4zAXyZUxEtKd4iSGb+oOwrnBu:q/S8YKG8GW3EjZUxld4bPoBnBu
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Favorites\Microsoft Websites\Microsoft Store.url

Modified File

Stream

Also Known As	C:\\Users\Default\Favorites\Microsoft Websites\Microsoft Store.url.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	dce6128624c4793e0df67fcf44222512
SHA1	a2d63d118007536e61bc67670b514853fd4a54bc
SHA256	83567f9f7aba5b25d18788e4553a368f6620ec3e81982fb6e1acf07dd0fcdd72
SSDeep	192:hAOBJWK27QxqJs9kd4jMDH0mpQH6uWbWzzixdzr7UCjBP:1rWKUppxDHtuCWzziDzr7UmBP
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Favorites\MSN Websites\MSN Autos.url

Modified File

Stream

Also Known As	C:\\Users\Default\Favorites\MSN Websites\MSN Autos.url.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	6b84634092f7f558b27adc11beb5bb09
SHA1	29e8a12a1ef8686446c9b0a348bc72c8f63d565f
SHA256	7faa30db6ec952b6f101b4843ab04c2a1c5ca0ebcf5d8846ffdc0b5c2401b91d
SSDeep	192:UKC2CZjjvZByGoUioVUwZg6npZ9jTmCwbIR0nBDrBu:XC2QBQoVngAZ9jTmCiBnZrBu
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Favorites\MSN Websites\MSN Entertainment.url

Modified File

Stream

Also Known As	C:\\Users\Default\Favorites\MSN Websites\MSN Entertainment.url.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	b9eff89e0d9700f647e74c2661ccd2e7
SHA1	08586ec08cd5125073a62a4d85747fc5614f5fc3
SHA256	a026e99e2b81985eaf24a559f7b94021e4678a89d4b6d9cdb465bff598d98e45
SSDeep	192:Vp8Ch9AxWYsnQ0avfxzIdpG3SFpDultR8xC8R07ACL7K9Bu:V9zJnQzHxsdp7FMlYC807TC9Bu
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Favorites\MSN Websites\MSN Money.url

Modified File

Stream

Also Known As	C:\\Users\Default\Favorites\MSN Websites\MSN Money.url.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	ff4d4077e83f6631f9c83e75ae81aa5c
SHA1	a6564a92d80ef743a002bdf52793f94568e735a4
SHA256	921d4eb5eb76a3175ec4751ad417bbc50d828becfe375cd7b6a8c555267ea361
SSDeep	192:qXFgManxuFFskLR/dRver58uAmwaBjbUcjF+FlnaMXisxWks7H2MMBu:zManxuFFsk5guFybU0F+XnaMXrxWV6hs
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Favorites\MSN Websites\MSN Sports.url

Modified File

Stream

Also Known As	C:\\Users\Default\Favorites\MSN Websites\MSN Sports.url.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	51367c834143de19f7a57c4857ce1883
SHA1	c534de18a56c756ebbef60121f6dd53ac45002be
SHA256	f098125e203baa7ab39f64487d8f4bd1563d16244c66e5cfa9d391dad952f6a3
SSDeep	192:h6ZJ8kFfjBF6qwwATOPdXdJhoDMZcaX3lkgJVBqzoyCtESCE8wBu:AZJx7+jweON7ho4pQEyCtEzjwBu
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Favorites\MSN Websites\MSN.url

Modified File

Stream

Also Known As	C:\\Users\Default\Favorites\MSN Websites\MSN.url.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	46ff316edcbbe0ffe76f41037ca8f3f9
SHA1	019f89a52a950fafabf4386bccbbeba8fbf59bcf
SHA256	d65df7c29218553d712f4da24708790c7885796d4c7425ed1268c14e0c89248c
SSDeep	192:Dlw+Jyrkf0doWnCmPHaVbZaM2SzHwX29GNdNmZiD1WZ9F6IGHmuitS8Bu:DlwXkfM/n+eXSzQXcGnog5+RI8Bu
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Favorites\MSN Websites\MSNBC News.url

Modified File

Stream

Also Known As	C:\\Users\Default\Favorites\MSN Websites\MSNBC News.url.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	f2515163f46e7b43eec19a6347fca852
SHA1	72493c65ab2d5adcdb0b1221bc4cc462e7145a2b
SHA256	d9dfa3a6665b8bd39d0f0d3f80a3afc907d63e7d49c798b8e1504b225badd0f0
SSDeep	192:3j9qzeVjxWLF9uWu8+cOjCPlhMis03ib2WEiTfd2Lu/Bu:3j98QjqHu8JXlbBpbQ2CBu
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\NTUSER.DAT.LOG

Modified File

Stream

Also Known As	C:\\Users\Default\NTUSER.DAT.LOG.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	c1095f2245814398b75381624170da02
SHA1	fda6ce0b388ead23c7af11617fecb227ad77f3ea
SHA256	ea49d66b62cfe879946ba63bfced7501c660c2ec03da7a3051765367fcba5546
SSDeep	192:dLGjhczIEfGME6qBuU5mAFKVUcHKD2hxhjJEBV:Z6czIEJ1hYmYKVUcHKD2/zEBV
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\NTUSER.DAT.LOG1

Modified File

Stream

Also Known As	C:\\Users\Default\NTUSER.DAT.LOG1.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	192.52 KB
MD5	8305a050330eaa46f18cf374c2645111
SHA1	f3b89875fa8af14c1b8ef4ea01d443ff6bf436b3
SHA256	d3be08dd25b5915e412c1132de55a2f330a358afb446cb926627b9b9b4788982
SSDeep	3072:S1n1yADXWIV95xEmRBx+YAPNBjwun1oC/0RyPWevFCH/Hcd0Q8Bzmv:i1yAjWIT5C8BkYAnwQ1//qqrUa0Q8Byv
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\NTUSER.DAT.LOG2

Modified File

Stream

Also Known As	C:\\Users\Default\NTUSER.DAT.LOG2.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	536 Bytes
MD5	68cc3b2a710cfd6a846483765284346f
SHA1	849dbc366c99f163e2474d8ae925f67907db73b5
SHA256	57c69af0f317ccc0aa33cd947c31f9b02c8b0f833add27f9e5cc477771033302
SSDeep	12:xze7mnwLOUDAa7T8ayv+/WhRgOPgCBI6QRotBIuOSTSrQLAqc7Up/2Qmy:xaS8O2DjyUWhRgoguI5RotiuOSTSaAgh
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Searches\Everywhere.search-ms

Modified File

Stream

Also Known As	C:\\Users\Default\Searches\Everywhere.search-ms.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	cbcb93310292f27e1ab6ebd6bafac565
SHA1	a473c186f647a47eff2a351cf0678a2c3ed226d6
SHA256	666045045b6042fcc9f374704a927943774577f52387b0183d618d348768f5a1
SSDeep	192:iXfzwdpO66R2QZ5wSnvT7O+gJM+Mk6O6fa4cBrBp:OfsXO66ROu6+gVM7O74cBrBp
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Searches\Indexed Locations.search-ms

Modified File

Stream

Also Known As	C:\\Users\Default\Searches\Indexed Locations.search-ms.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	e17e33a2e243597918479981c788ade0
SHA1	f24c7d24de4b5dbc4d457dc271da3cc2463e13db
SHA256	0721be5c78a690aad8495b4ca997cba2f3b6626f6d389a69dd59dfe1993486ef
SSDeep	192:iXczsDFnFsc0NvYQd+eT9L3aJn1pT7TqIDQPfbc/Dw+UHBp:OczsDeVd2vJDQnKDwlBp
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\kEecfMwgj\Desktop\-Czpv.mp3

Modified File

Stream

Also Known As	C:\\Users\kEecfMwgj\Desktop\-Czpv.mp3.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	8d2d2c4657ce0d04588eee98ef6b56fa
SHA1	e0471abeabcafa8e9d67c43a5595d1ecfd2d950a
SHA256	13e398b5049ecb6db494eb9231bfc0de8e804e74b82a51837abffbf43a8f25a3
SSDeep	192:rzpXnxhajJrC/cu88qQpWRg76dglrSsQcBVJHgbXUB1:fpXxhadr4m8qQpWREUghSZcNAEB1
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\kEecfMwgj\Desktop\-ozBRluaHqu9LIfa7.flv

Modified File

Stream

Also Known As	C:\\Users\kEecfMwgj\Desktop\-ozBRluaHqu9LIfa7.flv.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	40.52 KB
MD5	4ee4a8bdcce1be35c045ce9ffaed35b9
SHA1	6fdccdadc8204eea06da02db4dbc9688bb4365fb
SHA256	2f7215137d9585f448e8e51e6424ad1feb93b870a9683450fce796aa906da4f6
SSDeep	768:UXFiocQil6Jndqo4saNrVnyIK8C2vtJCYh3PY0Nj3dpN+yN2DEV4:QVf54surNKIvtJCg3P5zvQ1EV4
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\kEecfMwgj\Desktop\05Gh.mkv

Modified File

Stream

Also Known As	C:\\Users\kEecfMwgj\Desktop\05Gh.mkv.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	48.52 KB
MD5	cb1d8f2b35c9d4105748329a0021d7f0
SHA1	f8c8610c268898b43597221f04cb47d78b859c10
SHA256	99c21e95839b9755fa2c23442f00d989812d6d71384f9e4ddba6d24019838d43
SSDeep	1536:Z85IgvWvFSU8sIHfmXxUEtyK8+/ygeYGPm24Q:adW9YfaUEo+/pmPm2J
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\kEecfMwgj\Desktop\3NR2RNc6BbR\aFqKTEVkXz4.pps

Modified File

Stream

Also Known As	C:\\Users\kEecfMwgj\Desktop\3NR2RNc6BbR\aFqKTEVkXz4.pps.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	72.52 KB
MD5	2cece877d7b8fba998280ceb8fcedc9a
SHA1	f516ff89174a4f73384e117a76346a8cbdabfc10
SHA256	7a08f1c46d158cf559e79b4d5834328c84ff3c1ba831cf8bd87040ec82b75c95
SSDeep	1536:57R8UszDB9j5tMWqfXb69HzFs06JuNH+dbFrYerxgy2x6KhL2wezAq:5F8ZDvjHMXuR/sjbFrLrxd25hL2/P
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\kEecfMwgj\Desktop\3NR2RNc6BbR\JGMjgzsvl.swf

Modified File

Stream

Also Known As	C:\\Users\kEecfMwgj\Desktop\3NR2RNc6BbR\JGMjgzsvl.swf.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	4b58d124c120365d9e8abe8521d7988e
SHA1	291b7ae354e775e274e4dce6b240fd53f04fef15
SHA256	155c3781ec3c88ec5be0243ed682b7ba578f05df47c7e869ecfa30281af9d9e4
SSDeep	192:Y07NCnEskE1MA5qoKuegK5Zd4ErmDboT1B9S9u5Uz/3hVeKjmFB+:YoNCZF135qoXkDhrmDboTj9c38B+
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\kEecfMwgj\Desktop\3NR2RNc6BbR\MfvhZsjFMLaQe 59.mp3

Modified File

Stream

Also Known As	C:\\Users\kEecfMwgj\Desktop\3NR2RNc6BbR\MfvhZsjFMLaQe 59.mp3.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	46605d733b45df6c596ca6f889ca478a
SHA1	7b605817ee787f1731bc0ead69d3ff355f342ee2
SHA256	c8adffad1f7f529380208fa82c75535ead186b0e51c15f6dace5562452c21460
SSDeep	192:1SDiyfMxC0WzZRoRpR1TxrPLJnsNCrjuB1sMnNIyhSLA8Bp:1ikQNR2p7xLNjAbnNIyhSPBp
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\kEecfMwgj\Desktop\3NR2RNc6BbR\N5gxiC7mfninX7I.wav

Modified File

Stream

Also Known As	C:\\Users\kEecfMwgj\Desktop\3NR2RNc6BbR\N5gxiC7mfninX7I.wav.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	88.52 KB
MD5	721c18a4e8713fd1761854f74fe39bbc
SHA1	e2ae7ce1fb3b2de331674fdffae0bcb26bace9eb
SHA256	47bdaf781b239e7ada8caa09ac1144e581c94eb1f47dd03eacc4a2f15c19942c
SSDeep	1536:KvsXMIxD4BhMfOiykSItxpRJibXucSDgA0eN6Che8Jd+FEYHgVShgyZv:+sVm62ixSItloyoA0w6C7Jd+m8ZhTh
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
SodinokibiEncryptedFile	File encrypted by Sodinokibi Ransomware	Ransomware	5/5	... YARA Actions Show Ruleset Show Match

C:\\Users\Default\Favorites\Links\Web Slice Gallery.url

Modified File

Stream

Also Known As	C:\\Users\Default\Favorites\Links\Web Slice Gallery.url.avdn (Dropped File)
MIME Type	application/octet-stream
File Size	8.52 KB
MD5	246be7204e949b3f19457b2f63839e58
SHA1	c7076072497476b574c32c31366bb0ff89ca8592
SHA256	d04199b8d17f90a3663a721add9b20f4d1f07d8f4714e45644cf3c38ce810fc4
SSDeep	192:dSpe4ccIJEDVepVD5Hkka2R/KC2qRC1bBXmhXsly3YioAprWVSUgTTm+ufhydJ69:r4chJEDyDFkkao2qsBBXmiOrWwUhXuJw
ImpHash	-

c:\users\keecfmwgj\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-4219442223-4223814209-3835049652-1000\4fe4574abf1bcb0f6ed6a78aa750fb2c_b9c8f16e-2e51-4052-9ecb-f86ae5d96ef6

Dropped File

Stream

MIME Type	application/octet-stream
File Size	50 Bytes
MD5	bbe4a6fe547225203dffbf784b4b8086
SHA1	9393217e27903a99d5a36b630becf408c05b85ad
SHA256	2d970fea1e7ebc4c9bae287309fa032cb2ac90323c0cdb49ca9593dc7d074c98
SSDeep	3:/lvlPoSMl:QJl
ImpHash	-

C:\\Users\Default\Contacts\041656-readme.html

Dropped File

HTML

Also Known As	C:\\Users\Default\Favorites\Links\041656-readme.html (Dropped File) C:\\Users\kEecfMwgj\Contacts\041656-readme.html (Dropped File) C:\\Users\Default\Favorites\Microsoft Websites\041656-readme.html (Dropped File) C:\\Users\Default\Favorites\MSN Websites\041656-readme.html (Dropped File) C:\\Users\Default\041656-readme.html (Dropped File) C:\\Users\Default\Searches\041656-readme.html (Dropped File) C:\\Users\kEecfMwgj\Desktop\041656-readme.html (Dropped File) C:\\Users\kEecfMwgj\Desktop\3NR2RNc6BbR\041656-readme.html (Dropped File)
MIME Type	text/html
File Size	49.89 KB
MD5	a73b8ba51760dcbaf5a82dbcf1c711b9
SHA1	b58fc4fc68431420402dbe8cff26d7ea41e436a5
SHA256	e6327db35ddc7e174a160187944432f8ea2da6283c4bbeb96e2e50491b694412
SSDeep	1536:2vZIf9/RWnN6c2sq6LxDF2EVnUBhnKRXdvH:2hIf9YN6xsdLxh2ERUB8tvH
ImpHash	-
Parser Error Remark	Static engine was unable to completely parse the analyzed file

Extracted URLs (1)

URL	WHOIS Data	Reputation Status	Recursively Submitted	Actions
https://www.torproject.org	Show WHOIS	suspicious	-	... Actions Show URL Submit URL

Extracted JavaScripts (1)

JavaScript #1


                 function copy(identity) {
    if (document.selection) { // IE
        var range = document.body.createTextRange();
        range.moveToElementText(document.getElementById(identity));
        range.select();
    } else if (window.getSelection) {
        var range = document.createRange();
        range.selectNode(document.getElementById(identity));
        window.getSelection().removeAllRanges();
        window.getSelection().addRange(range);
    }
    document.execCommand('copy');
}
function copyLink() {
    copy('link');
}
function copyID() {
    copy('identity');
}

c:\users\keecfmwgj\appdata\roaming\microsoft\windows\cookies\keecfmwgj@myip[1].txt

Dropped File

Text

MIME Type	text/plain
File Size	208 Bytes
MD5	d766f7e85dd3f6074131758e839e1eda
SHA1	2dac427597ccb4050641952c121b512dea6c8218
SHA256	6a4a2c79766c3189f448cf9e5466cf16bcad560680e5e5b2dc5fae580fca6da4
SSDeep	6:1n0iZc93Xr/6q+qUqZyozGGfmYJMVyRVPk+ldA6Xv:1n63XT6JqUqZyuGKRMVettdXv
ImpHash	-

Remarks (2/2)

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

WHOIS Domain Information

Before

After