Malware Analysis Report

2025-01-18 18:20

Sample ID 241215-n14tgavndn
Target 2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi
SHA256 f5c11f20320dfc1be95d715260880695bc3e0fc76cc19664b3d6129c57fc80f7
Tags
sodinokibi 5 367 defense_evasion discovery execution impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f5c11f20320dfc1be95d715260880695bc3e0fc76cc19664b3d6129c57fc80f7

Threat Level: Known bad

The file 2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi was found to be: Known bad.

Malicious Activity Summary

sodinokibi 5 367 defense_evasion discovery execution impact ransomware spyware stealer

Sodinokibi family

Sodin,Sodinokibi,REvil

Sodinokibi/Revil sample

Deletes shadow copies

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-15 11:52

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-15 11:52

Reported

2024-12-15 11:55

Platform

win7-20240708-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Deletes shadow copies

ransomware defense_evasion impact execution

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ec20.bmp" C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\SubmitShow.wax C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\UnprotectStart.aiff C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\arkpt-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\CompressEdit.sql C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\DisconnectGet.wmf C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\GrantConfirm.WTV C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\StartDismount.ini C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ShowExit.pps C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\arkpt-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\arkpt-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File created \??\c:\program files\arkpt-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\arkpt-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\EditOpen.mp4v C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\InvokeUninstall.zip C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SubmitBackup.3gp2 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\WaitInvoke.pcx C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\FindSuspend.wmf C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\RevokeSearch.xps C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SendStart.wax C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File created \??\c:\program files\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ClearTest.wax C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
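Added example (not sandbox output and not part of this report): a parser for indicator rows in the layout used above (Description, Indicator, Process, Target separated by whitespace) that turns the file, drive and registry rows into a per-directory picture of what the sample touched. The sample rows are copied from this report with the process path substituted from a constant; the parser assumes the process path contains no spaces, which holds for every row here. The note prefix is extracted because REvil names its ransom note <extension>-readme.txt, which would make "arkpt" the extension appended to encrypted files; the report shows no renamed files, so treat that as a hypothesis to confirm on the disk image rather than a fact.

```python
import re
from collections import defaultdict

PROC = r"C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe"

# Rows taken from this report; {PROC} stands in for the long sample path.
ROWS = r"""
File opened (read-only) \??\O: {PROC} N/A
File opened (read-only) \??\D: {PROC} N/A
File opened (read-only) \??\A: {PROC} N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ec20.bmp" {PROC} N/A
File opened for modification \??\c:\program files\SubmitShow.wax {PROC} N/A
File opened for modification \??\c:\program files\UnprotectStart.aiff {PROC} N/A
File opened for modification \??\c:\program files\CompressEdit.sql {PROC} N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\arkpt-readme.txt {PROC} N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\d60dff40.lock {PROC} N/A
File created \??\c:\program files\arkpt-readme.txt {PROC} N/A
File created \??\c:\program files (x86)\arkpt-readme.txt {PROC} N/A
File created \??\c:\program files\d60dff40.lock {PROC} N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
""".replace("{PROC}", PROC)

# The description column comes from a small fixed vocabulary, which is what makes the
# whitespace-separated layout parseable: the indicator may contain spaces, the process
# path (assumption) may not, and the target is N/A or a single token.
DESCRIPTIONS = ("File opened for modification", "File opened (read-only)", "File created",
                "Set value (str)", "Set value (data)", "Key opened", "Key created")
ROW_RE = re.compile(
    r"^(?P<desc>" + "|".join(re.escape(d) for d in DESCRIPTIONS) + r")\s+"
    r"(?P<indicator>.+?)\s+(?P<process>\S+\.exe)\s+(?P<target>N/A|\S+)$", re.I)
NT_PREFIX = "\\??\\"


def parse_rows(text):
    """Parse report rows into dicts; rows that do not fit the layout are returned separately."""
    rows, unparsed = [], []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        (rows if m else unparsed).append(m.groupdict() if m else line)
    return rows, unparsed


def split_path(indicator):
    r"""'\??\c:\dir\file' -> ('c:\dir', 'file'); the directory is lower-cased for grouping."""
    p = indicator[len(NT_PREFIX):] if indicator.startswith(NT_PREFIX) else indicator
    d, _, base = p.rpartition("\\")
    return d.lower(), base


def summarize(text):
    """Group the rows into drives probed, ransom notes, lock files, modified files per directory."""
    rows, unparsed = parse_rows(text)
    out = {"drives": set(), "ransom_notes": {}, "lock_files": {}, "modified": defaultdict(int),
           "wallpaper": None, "processes": set(), "unparsed": unparsed}
    for r in rows:
        desc, ind = r["desc"].lower(), r["indicator"]
        out["processes"].add(r["process"])
        if desc == "file opened (read-only)":
            m = re.fullmatch(r"\\\?\?\\([A-Za-z]):", ind)   # drive-letter probe, e.g. \??\O:
            if m:
                out["drives"].add(m.group(1).upper())
        elif desc == "file created":
            d, base = split_path(ind)
            if base.lower().endswith("-readme.txt"):
                out["ransom_notes"][d] = base
            elif base.lower().endswith(".lock"):
                out["lock_files"][d] = base
        elif desc == "file opened for modification":
            d, _ = split_path(ind)
            out["modified"][d] += 1
        elif desc.startswith("set value"):
            m = re.search(r'\\Control Panel\\Desktop\\Wallpaper = "(.+)"$', ind)
            if m:
                out["wallpaper"] = m.group(1)
    out["drives"] = sorted(out["drives"])
    # REvil convention: <extension>-readme.txt (hypothesis to confirm against renamed files)
    out["note_prefixes"] = {n[: -len("-readme.txt")] for n in out["ransom_notes"].values()}
    out["modified"] = dict(out["modified"])
    return out


if __name__ == "__main__":
    for key, value in summarize(ROWS).items():
        print(f"{key}: {value}")
```

Feeding the full row set from a report (all four Drops/Enumerates tables) into summarize gives the encryption scope per directory and the set of drive letters probed, which is the input you want when deciding what to restore first.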

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bd289c780c8805eb_themeservice.dll.mui_9e71f1ab C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-consolehost.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c92bbd3b7c238f30.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-eventlog-api.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0c765b843b5f5fca.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-object-picker_31bf3856ad364e35_6.1.7600.16385_none_6b8acc3d2645838d.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_67f0b62b00a7235a_sppc.dll.mui_0a75786d C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-unimodem-voice_31bf3856ad364e35_6.1.7600.16385_none_44610425b014c1b0_serwvdrv.dll_874b1f23 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5dc34e0e1a4582e1.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-vani_31bf3856ad364e35_6.1.7601.17514_none_5a885c9b0fafaf30.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba0c82eccf526351.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_it-it_84a967f3c21f5562_sdbinst.exe.mui_258ad624 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9d5be3a38b80bebf.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ea79c4c6eb99ea3d_pshed.dll.mui_d7f9a40f C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6a028059d8dcbea2.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_63045bcb00602fc0.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e26217990f7f049a.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_718373162933d652_ndadmin.exe.mui_2e106c3e C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9038f177d74f2f88_mdminst.dll.mui_19a87063 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.1.7600.16385_none_aa5813cb3a17070e_winipsec.mof_abfff45a C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_it-it_fd4cc85296b4e888.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_caba3de2d9ce0d4b_netiougc.exe.mui_ad7a9e4d C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasmigplugin-mig.dll_e9d0eb3e C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_081caacce2fe65aa.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_a3d5488f6ee5d330.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7d4fb966f596fd1d_bootmgfw.efi.mui_a6e78cfa C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_6.1.7600.16385_de-de_39abefffc16e5209_lsasrv.dll.mui_d47f7e1c C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-sens-client_31bf3856ad364e35_6.1.7600.16385_none_011904ea1e74d196.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7601.17514_it-it_20fb579c8da53c8f.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7871ea5b49da50fd_winload.efi.mui_35ee487d C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.1.7601.17514_none_d961938b8cd1e885_dhcpcsvc6.dll_39c77c46 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e686c340855ae9c3_auditpol.exe.mui_df4767d7 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7ac6dd35850e9985.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_29d825a7cbfe7e81_puiobj.dll.mui_b9c0c4d6 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_82ed82846d97d873_sdbinst.exe.mui_258ad624 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9b2b4319ea764ed4.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_50eb7c559b1066a6_hdwwiz.exe.mui_b4acc7bc C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-858_31bf3856ad364e35_6.1.7600.16385_none_cebddca2fc8602ec_c_858.nls_a9f5a762 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-ntlanman.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3b633a5aa9d7cdbc_ntlanman.dll.mui_690e687e C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-audio-mmecore-base_31bf3856ad364e35_6.1.7600.16385_none_11d4ade16b61222e.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_d527b0a5438b8346_umpnpmgr.mof_112f9e6c C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_083761eb9020e571_rtm.dll.mui_55e4e990 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-e..estorageengine-isam_31bf3856ad364e35_6.1.7601.17514_none_f3ebb0cc8a4dd814_esent.dll_35f49bdd C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_29d825a7cbfe7e81_puiapi.dll.mui_e94aeb19 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-sendmail_31bf3856ad364e35_6.1.7600.16385_none_b6de6c0835b43484_mailrecipient.mapimail_d3a49bc0 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b79b28ecefa21fda.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b28bd85e0d0ff6f1_iscsicli.exe.mui_64c0a23c C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-ws232.resources_31bf3856ad364e35_6.1.7600.16385_es-es_69cfcb609ed0e709.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6e0c114cf82ecf59_expand.exe.mui_3f54e013 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_7351a917d91c961e.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a3cb925fbca77833_umpo.dll.mui_cac12e54 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1e424c3af623a3d0_uicom.dll.mui_4fdc61f8 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4b7a745f30be28bb_sxproxy.dll.mui_f9d8f818 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..stringime.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_882de4394e753398.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_de-de_5c78c2290dbd5640.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-segoeui_31bf3856ad364e35_6.1.7600.16385_none_2cb0f5602bedb50f_segoeuil.ttf_ea38f4ef C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1a2f0b6630a66a2f_drvinst.exe.mui_e88f4c73 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f09dccd4f32812c2.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_es-es_37da4de470bd3352_odbcjet.chm_2a003207 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-sendmail.resources_31bf3856ad364e35_6.1.7600.16385_de-de_46584364f4c4d556_sendmail.dll.mui_cbac108c C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-webservices_31bf3856ad364e35_6.1.7601.17514_none_1083c2248cf458dd.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_es-es_783d473f4a0142a2_winresume.exe.mui_ff8b5358 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_en-us_a547f57d755ff33d.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-o..inefiles-win32-apis_31bf3856ad364e35_6.1.7601.17514_none_0990ff400fc4c431_cscapi.dll_f718286f C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-ws232.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0c87415f91a2fd6b_ws2_32.dll.mui_f13ef3a5 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_030746ff6460d052.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob not reproduced here] C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A

CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 fingerprint of the public ISRG Root X1 certificate (Let's Encrypt). On a Windows 7 image that does not yet carry that root, CryptoAPI's automatic root update writes exactly this key the first time a TLS connection presents a chain ending in it, and because crypt32 runs inside the calling process the write is attributed to the sample. Given the HTTPS fan-out recorded under Network, this signature is best read as a side effect of the sample's beaconing rather than as the sample installing its own trust anchor; confirm by comparing the stored Blob with the published ISRG Root X1 certificate.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe

"C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
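The chain above is the textbook recovery-inhibit step (ATT&CK T1490): the sample spawns cmd.exe, which deletes every shadow copy and then flips the default boot entry so Windows will neither offer recovery nor stop on boot failures. Two details worth reading off the tree: the child runs from SysWOW64 while its command line names System32\cmd.exe, which is WOW64 file-system redirection and tells you the dropper is a 32-bit process; and the SeBackupPrivilege/SeRestorePrivilege/SeAuditPrivilege adjustments listed under "Suspicious use of AdjustPrivilegeToken" are made by vssvc.exe, the VSS service servicing the delete request, not by the sample. The following detection logic is an added example written for this page, not tooling from the report or the sandbox. It runs over constructed Sysmon-style process-creation records whose field names (Image, CommandLine, ParentImage) are an assumption; the first two records reproduce the report's process tree, the rest are constructed benign and borderline cases. The `wmic shadowcopy delete` rule is a common variant that does not occur in this report.

```python
"""Flag the shadow-copy and boot-recovery tampering chain from the process tree.

Added example; not part of the sandbox report. Events are constructed
Sysmon-style process-creation records; field names are assumptions.
"""
import re

# Recovery-inhibiting commands. vss_delete and the two bcdedit rules are the
# exact operations in this report; wmic_shadow is a common variant not seen here.
RULES = [
    ("vss_delete",     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadow",    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcd_recovery",   re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bcd_bootstatus", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]
DESTRUCTIVE = {"vss_delete", "wmic_shadow"}

# Parents launched from user-writable staging paths (this sample ran from %TEMP%).
STAGING_PARENT = re.compile(r"\\(?:AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)

# cmd.exe one-liners: "a & b", "a && b", "a | b", "a || b"
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||[&|])\s*")

def split_chain(cmdline):
    """Return the individual commands of a cmd.exe chain, in order."""
    return [seg for seg in CHAIN_SPLIT.split(cmdline) if seg]

def analyze(event):
    """Match each chained command against RULES and grade the event."""
    hits = []
    for segment in split_chain(event["CommandLine"]):
        for name, rx in RULES:
            if rx.search(segment):
                hits.append(name)
    parent_staged = bool(STAGING_PARENT.search(event.get("ParentImage", "")))
    if not hits:
        severity = "none"
    elif DESTRUCTIVE & set(hits) or len(hits) >= 2 or parent_staged:
        severity = "high"      # shadow deletion, a full chain, or a staged parent
    else:
        severity = "medium"    # a lone bcdedit change: review, not proof
    return {"hits": hits, "parent_staged": parent_staged, "severity": severity}

def triage(events):
    """Return (index, analysis) for every event that tripped at least one rule."""
    return [(i, res) for i, ev in enumerate(events)
            if (res := analyze(ev))["severity"] != "none"]

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe"
EVENTS = [
    {   # report, behavioral1: the chain spawned by the sample
        "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures',
        "ParentImage": SAMPLE,
    },
    {   # report, behavioral1: vssadmin launched by that cmd.exe
        "Image": r"C:\Windows\SysWOW64\vssadmin.exe",
        "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
        "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
    },
    {   # constructed benign: an administrator listing shadow copies
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "CommandLine": "vssadmin.exe List Shadows",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # constructed benign: inspecting the boot store
        "Image": r"C:\Windows\System32\bcdedit.exe",
        "CommandLine": "bcdedit /enum {default}",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # constructed borderline: one bcdedit change from an ordinary console
        "Image": r"C:\Windows\System32\bcdedit.exe",
        "CommandLine": "bcdedit /set {default} recoveryenabled No",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

if __name__ == "__main__":
    for index, result in triage(EVENTS):
        print(index, result["severity"], result["hits"])
```

Splitting on the cmd.exe chain operators matters: a rule that only looks at the start of the command line would see `"C:\Windows\System32\cmd.exe" /c` and miss the two bcdedit calls hidden behind the `&`. The benign rows are there to show that `vssadmin List Shadows` and `bcdedit /enum` do not fire; tune STAGING_PARENT to the staging paths your own environment sees.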

Network

Country Destination Domain Proto
US 8.8.8.8:53 craftingalegacy.com udp
US 50.87.137.113:443 craftingalegacy.com tcp
US 50.87.137.113:443 craftingalegacy.com tcp
US 8.8.8.8:53 g2mediainc.com udp
DE 78.46.1.42:443 g2mediainc.com tcp
US 8.8.8.8:53 brinkdoepke.eu udp
DE 92.205.192.141:443 brinkdoepke.eu tcp
DE 92.205.192.141:443 brinkdoepke.eu tcp
US 8.8.8.8:53 vipcarrental.ae udp
US 172.67.153.12:443 vipcarrental.ae tcp
US 8.8.8.8:53 autoteamlast.de udp
DE 37.202.7.169:443 autoteamlast.de tcp
DE 37.202.7.169:443 autoteamlast.de tcp
US 8.8.8.8:53 hostastay.com udp
SG 13.229.198.152:443 hostastay.com tcp
US 8.8.8.8:53 gavelmasters.com udp
US 8.8.8.8:53 ronaldhendriks.nl udp
NL 185.103.16.188:443 ronaldhendriks.nl tcp
NL 185.103.16.188:443 ronaldhendriks.nl tcp
US 8.8.8.8:53 successcolony.com.ng udp
US 8.8.8.8:53 medicalsupportco.com udp
US 15.197.225.128:443 medicalsupportco.com tcp
US 15.197.225.128:443 medicalsupportco.com tcp
US 8.8.8.8:53 kompresory-opravy.com udp
SK 37.9.175.133:443 kompresory-opravy.com tcp
SK 37.9.175.133:443 kompresory-opravy.com tcp
US 8.8.8.8:53 sveneulberg.de udp
DE 89.110.179.179:443 sveneulberg.de tcp
DE 89.110.179.179:443 sveneulberg.de tcp
US 8.8.8.8:53 oththukaruva.com udp
US 8.8.8.8:53 voetbalhoogeveen.nl udp
US 8.8.8.8:53 selected-minds.de udp
DE 217.160.0.92:443 selected-minds.de tcp
DE 217.160.0.92:443 selected-minds.de tcp
US 8.8.8.8:53 log-barn.co.uk udp
GB 213.175.208.90:443 log-barn.co.uk tcp
GB 213.175.208.90:443 log-barn.co.uk tcp
US 8.8.8.8:53 fsbforsale.com udp
US 8.8.8.8:53 jobkiwi.com.ng udp
DE 217.160.0.237:443 ivancacu.com tcp
DE 217.160.0.237:443 ivancacu.com tcp
US 8.8.8.8:53 11.in.ua udp
UA 91.225.81.9:443 11.in.ua tcp
US 8.8.8.8:53 irizar.com udp
ES 194.30.99.95:443 irizar.com tcp
ES 194.30.99.95:443 irizar.com tcp
US 8.8.8.8:53 colored-shelves.com udp
US 8.8.8.8:53 soundseeing.net udp
DE 85.13.155.183:443 soundseeing.net tcp
DE 85.13.155.183:443 soundseeing.net tcp
US 8.8.8.8:53 scotlandsroute66.co.uk udp
US 172.67.204.127:443 scotlandsroute66.co.uk tcp
US 8.8.8.8:53 hawaiisteelbuilding.com udp
US 199.16.172.213:443 hawaiisteelbuilding.com tcp
US 199.16.172.213:443 hawaiisteelbuilding.com tcp
US 8.8.8.8:53 mindfuelers.com udp
US 172.67.183.252:443 mindfuelers.com tcp
US 172.67.183.252:443 mindfuelers.com tcp
US 8.8.8.8:53 dentourage.com udp
US 8.8.8.8:53 hekecrm.com udp
CN 38.14.23.10:443 hekecrm.com tcp
US 8.8.8.8:53 finsahome.co.uk udp
DE 217.160.0.87:443 finsahome.co.uk tcp
DE 217.160.0.87:443 finsahome.co.uk tcp
US 8.8.8.8:53 cormanmarketing.com udp
US 34.174.215.122:443 cormanmarketing.com tcp
US 34.174.215.122:443 cormanmarketing.com tcp
US 8.8.8.8:53 morgansconsult.com udp
GB 35.214.25.158:443 morgansconsult.com tcp
GB 35.214.25.158:443 morgansconsult.com tcp
US 8.8.8.8:53 dnqa.co.uk udp
US 107.178.223.183:443 dnqa.co.uk tcp
US 8.8.8.8:53 frimec-international.es udp
FR 188.165.33.133:443 frimec-international.es tcp
US 8.8.8.8:53 worldproskitour.com udp
US 143.198.7.126:443 worldproskitour.com tcp
US 143.198.7.126:443 worldproskitour.com tcp
US 8.8.8.8:53 csaballoons.com udp
CA 149.56.43.78:443 csaballoons.com tcp
CA 149.56.43.78:443 csaballoons.com tcp
US 8.8.8.8:53 krishnabrawijaya.com udp
US 8.8.8.8:53 tatyanakopieva.ru udp
RU 77.222.40.195:443 tatyanakopieva.ru tcp
RU 77.222.40.195:443 tatyanakopieva.ru tcp
US 8.8.8.8:53 silkeight.com udp
RO 188.213.19.166:443 silkeight.com tcp
RO 188.213.19.166:443 silkeight.com tcp
US 8.8.8.8:53 publicompserver.de udp
DE 195.3.195.201:443 publicompserver.de tcp
DE 195.3.195.201:443 publicompserver.de tcp
US 8.8.8.8:53 letsstopsmoking.co.uk udp
GB 62.182.18.149:443 letsstopsmoking.co.uk tcp
GB 62.182.18.149:443 letsstopsmoking.co.uk tcp
US 8.8.8.8:53 anleggsregisteret.no udp
NO 185.157.56.11:443 anleggsregisteret.no tcp
NO 185.157.56.11:443 anleggsregisteret.no tcp
US 8.8.8.8:53 arearugcleaningnyc.com udp
US 108.178.17.142:443 arearugcleaningnyc.com tcp
US 108.178.17.142:443 arearugcleaningnyc.com tcp
US 8.8.8.8:53 diverfiestas.com.es udp
FR 176.31.163.21:443 diverfiestas.com.es tcp
US 8.8.8.8:53 lovcase.com udp
US 8.8.8.8:53 alltagsrassismus-entknoten.de udp
DE 91.210.225.23:443 alltagsrassismus-entknoten.de tcp
DE 91.210.225.23:443 alltagsrassismus-entknoten.de tcp
US 8.8.8.8:53 lassocrm.com udp
US 209.87.149.78:443 lassocrm.com tcp
US 209.87.149.78:443 lassocrm.com tcp
US 8.8.8.8:53 boyfriendsgoal.site udp
US 8.8.8.8:53 mbuildinghomes.com udp
US 104.21.112.1:443 mbuildinghomes.com tcp
US 8.8.8.8:53 santastoy.store udp
US 8.8.8.8:53 citiscapes-art.com udp
US 172.67.201.110:443 citiscapes-art.com tcp
US 8.8.8.8:53 unislaw-narty.pl udp
PL 91.185.184.170:443 unislaw-narty.pl tcp
US 8.8.8.8:53 envomask.com udp
US 172.81.116.97:443 envomask.com tcp
US 172.81.116.97:443 envomask.com tcp
US 8.8.8.8:53 patassociation.com udp
FR 109.234.160.199:443 patassociation.com tcp
FR 109.234.160.199:443 patassociation.com tcp
US 8.8.8.8:53 luvbec.com udp
US 172.232.25.148:443 luvbec.com tcp
US 172.232.25.148:443 luvbec.com tcp
US 8.8.8.8:53 keuken-prijs.nl udp
US 8.8.8.8:53 therapybusinessacademy.com udp
DE 217.160.0.95:443 therapybusinessacademy.com tcp
DE 217.160.0.95:443 therapybusinessacademy.com tcp
US 8.8.8.8:53 baikalflot.ru udp
US 35.170.173.134:443 piestar.com tcp
US 35.170.173.134:443 piestar.com tcp
US 8.8.8.8:53 diakonie-weitramsdorf-sesslach.de udp
DE 78.46.133.97:443 diakonie-weitramsdorf-sesslach.de tcp
DE 78.46.133.97:443 diakonie-weitramsdorf-sesslach.de tcp
US 8.8.8.8:53 klapanvent.ru udp
RU 77.222.40.14:443 klapanvent.ru tcp
RU 77.222.40.14:443 klapanvent.ru tcp
US 8.8.8.8:53 fysiotherapierijnmond.nl udp
NL 178.128.138.113:443 fysiotherapierijnmond.nl tcp
NL 178.128.138.113:443 fysiotherapierijnmond.nl tcp
US 8.8.8.8:53 avis.mantova.it udp
IT 217.64.195.176:443 avis.mantova.it tcp
IT 217.64.195.176:443 avis.mantova.it tcp
US 8.8.8.8:53 fla.se udp
SE 91.201.63.7:443 fla.se tcp
SE 91.201.63.7:443 fla.se tcp
US 8.8.8.8:53 sjtpo.org udp
US 65.60.10.226:443 sjtpo.org tcp
US 65.60.10.226:443 sjtpo.org tcp
US 8.8.8.8:53 kroophold-sjaelland.dk udp
DK 178.20.216.245:443 kroophold-sjaelland.dk tcp
DK 178.20.216.245:443 kroophold-sjaelland.dk tcp
US 8.8.8.8:53 alharsunindo.com udp
SG 45.90.230.13:443 alharsunindo.com tcp
SG 45.90.230.13:443 alharsunindo.com tcp
US 8.8.8.8:53 tothebackofthemoon.com udp
US 162.241.217.186:443 tothebackofthemoon.com tcp
US 162.241.217.186:443 tothebackofthemoon.com tcp
US 8.8.8.8:53 chainofhopeeurope.eu udp
FR 51.15.159.75:443 chainofhopeeurope.eu tcp
FR 51.15.159.75:443 chainofhopeeurope.eu tcp
US 8.8.8.8:53 smartmind.net udp
ES 82.98.154.79:443 smartmind.net tcp
US 8.8.8.8:53 akcadagofis.com udp
TR 5.180.184.153:443 akcadagofis.com tcp
TR 5.180.184.153:443 akcadagofis.com tcp
US 8.8.8.8:53 bundan.com udp
NL 35.214.211.239:443 bundan.com tcp
NL 35.214.211.239:443 bundan.com tcp
US 8.8.8.8:53 graygreenbiomedservices.com udp
US 8.8.8.8:53 dogsunlimitedguide.com udp
US 8.8.8.8:53 rvside.com udp
US 172.67.196.85:443 rvside.com tcp
US 8.8.8.8:53 davedavisphotos.com udp
US 8.8.8.8:53 johnstonmingmanning.com udp
US 162.159.136.54:443 johnstonmingmanning.com tcp
US 162.159.136.54:443 johnstonmingmanning.com tcp
US 8.8.8.8:53 mangimirossana.it udp
DE 80.240.20.142:443 mangimirossana.it tcp
DE 80.240.20.142:443 mangimirossana.it tcp
US 8.8.8.8:53 welovecustomers.fr udp
FR 51.15.236.35:443 welovecustomers.fr tcp
US 8.8.8.8:53 kenmccallum.com udp
US 172.67.196.62:443 kenmccallum.com tcp
US 172.67.196.62:443 kenmccallum.com tcp
US 8.8.8.8:53 glas-kuck.de udp
DE 51.195.6.20:443 glas-kuck.de tcp
DE 51.195.6.20:443 glas-kuck.de tcp
US 8.8.8.8:53 theboardroomafrica.com udp
FR 160.153.133.193:443 theboardroomafrica.com tcp
FR 160.153.133.193:443 theboardroomafrica.com tcp
US 8.8.8.8:53 slideevents.be udp
DE 94.237.96.23:443 slideevents.be tcp
DE 94.237.96.23:443 slideevents.be tcp
US 8.8.8.8:53 omegamarbella.com udp
NL 35.214.249.33:443 omegamarbella.com tcp
NL 35.214.249.33:443 omegamarbella.com tcp
US 8.8.8.8:53 zdrowieszczecin.pl udp
PL 195.78.67.66:443 zdrowieszczecin.pl tcp
US 8.8.8.8:53 fotoslubna.com udp
US 8.8.8.8:53 mursall.de udp
DE 95.130.22.108:443 mursall.de tcp
DE 95.130.22.108:443 mursall.de tcp
US 8.8.8.8:53 forextimes.ru udp
RU 37.228.89.36:443 forextimes.ru tcp
RU 37.228.89.36:443 forextimes.ru tcp
US 8.8.8.8:53 hiddensee-buhne11.de udp
DE 217.160.0.84:443 hiddensee-buhne11.de tcp
DE 217.160.0.84:443 hiddensee-buhne11.de tcp
US 8.8.8.8:53 girlish.ae udp
US 162.241.244.73:443 girlish.ae tcp
US 162.241.244.73:443 tcp
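Before turning this table into a blocklist, note what it is: every `udp` row goes to 8.8.8.8:53, which is the sandbox's resolver and not an indicator, and the `tcp` rows are TLS connections to roughly a hundred unrelated-looking hosts. REvil/Sodinokibi builds are widely documented to carry a long domain list in their configuration and to send HTTPS requests to those hosts; the report shows the connections but not the requests, so treat the list as "contacted hosts", not as confirmed command-and-control. Some names were resolved but never connected to, one host (ivancacu.com) has TCP rows with no DNS row, and the final row has no domain at all. The script below is an added example for triaging this kind of table, not tooling from the report or the sandbox. ROWS is an excerpt copied from the table above; the parser assumes the report's four-column "Country Destination Domain Proto" layout with the destination written as ip:port.

```python
"""Summarise a sandbox network table: names resolved, hosts actually reached
over TCP, repeat connections, and rows with no domain attribution.

Added example; not the report's own tooling. ROWS is an excerpt of the
behavioral1 network table; the column layout is assumed from that table.
"""
from collections import Counter, defaultdict

ROWS = """\
US 8.8.8.8:53 craftingalegacy.com udp
US 50.87.137.113:443 craftingalegacy.com tcp
US 50.87.137.113:443 craftingalegacy.com tcp
US 8.8.8.8:53 g2mediainc.com udp
DE 78.46.1.42:443 g2mediainc.com tcp
US 8.8.8.8:53 gavelmasters.com udp
US 8.8.8.8:53 successcolony.com.ng udp
DE 217.160.0.237:443 ivancacu.com tcp
US 8.8.8.8:53 girlish.ae udp
US 162.241.244.73:443 girlish.ae tcp
US 162.241.244.73:443 tcp
""".splitlines()

RESOLVER = "8.8.8.8"   # the sandbox's DNS server; appears in every udp row

def parse_row(line):
    """Split one table row; the last row of the report has no domain column."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row layout: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto.lower()}

def summarise(rows):
    resolved = set()             # names that were looked up
    reached = defaultdict(set)   # name -> (ip, port) endpoints contacted over TCP
    connections = Counter()      # (ip, port) -> number of TCP rows
    countries = Counter()        # country of each TCP row
    unattributed = []            # TCP rows with no domain column
    for line in rows:
        r = parse_row(line)
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] == RESOLVER:
            resolved.add(r["domain"])
            continue
        if r["proto"] == "tcp":
            connections[(r["ip"], r["port"])] += 1
            countries[r["country"]] += 1
            if r["domain"]:
                reached[r["domain"]].add((r["ip"], r["port"]))
            else:
                unattributed.append((r["ip"], r["port"]))
    return {
        "resolved": sorted(resolved),
        "reached": {d: sorted(eps) for d, eps in reached.items()},
        "dns_only": sorted(resolved - set(reached)),          # looked up, never connected
        "tcp_without_dns": sorted(set(reached) - resolved),   # connected, no DNS row in the excerpt
        "connections": dict(connections),
        "countries": dict(countries),
        "unattributed": unattributed,
    }

def indicators(summary):
    """Flat, sorted (domain, ip, port) list for hunting; the resolver never appears."""
    out = [(d, ip, port) for d, eps in summary["reached"].items() for ip, port in eps]
    out += [(None, ip, port) for ip, port in summary["unattributed"]]
    return sorted(out, key=lambda t: (t[0] or "", t[1], t[2]))

if __name__ == "__main__":
    s = summarise(ROWS)
    for key in ("dns_only", "tcp_without_dns", "unattributed", "countries"):
        print(key, s[key])
    for ioc in indicators(s):
        print(ioc)
```

The `connections` counter is the quick sanity check on a table like this: most hosts show exactly two TCP rows, which is consistent with the sandbox recording two sessions per host rather than with any single host being special. Feed the full table in place of ROWS and diff `dns_only` against `reached` before deciding which names are worth hunting for in your own DNS logs.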

Files

memory/1508-1-0x0000000000070000-0x000000000007A000-memory.dmp

memory/1508-0-0x0000000000500000-0x000000000052E000-memory.dmp

memory/1508-6-0x0000000000220000-0x000000000023F000-memory.dmp

memory/1508-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1508-10-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1508-9-0x0000000000170000-0x0000000000171000-memory.dmp

memory/1508-8-0x00000000001E0000-0x00000000001E6000-memory.dmp

memory/1508-7-0x0000000002670000-0x0000000002779000-memory.dmp

memory/1508-5-0x0000000002240000-0x000000000236D000-memory.dmp

memory/1508-4-0x00000000021A0000-0x000000000223F000-memory.dmp

memory/1508-3-0x00000000020D0000-0x0000000002199000-memory.dmp

memory/1508-2-0x0000000000070000-0x000000000007A000-memory.dmp

memory/1508-12-0x00000000001E0000-0x00000000001E6000-memory.dmp

memory/1508-14-0x0000000002AC0000-0x0000000002AD0000-memory.dmp

memory/1508-15-0x0000000000500000-0x000000000052E000-memory.dmp

memory/1508-16-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1508-17-0x0000000002AC0000-0x0000000002AD0000-memory.dmp

C:\Users\arkpt-readme.txt

MD5 f6a9d552440a06aaa3ea5c12436b8742
SHA1 f221aef87dfd6846804ba14230687f64ed4ce5a2
SHA256 d44ed1cd434bae2cc49c9e4f04bccc614151ab2b5e072d63aa28b73a01854635
SHA512 77d1f6889a4f732da76a5d83701969cf70e1a0e1f3c26a9082d5086f8a42001f904dd9fb60b1f76450bfb04902074a4997807b6618bf1906063192fcfd4ef6f5

C:\Users\Admin\AppData\Local\Temp\CabBC11.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarBC14.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-15 11:52

Reported

2024-12-15 11:55

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\394n3k572k55y.bmp" C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\937nc6-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\DenyWrite.dwfx C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ResetFind.mpeg3 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\RestoreUnpublish.zip C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\WaitTest.zip C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SearchHide.rle C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SearchLock.wma C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\StopRemove.rar C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SwitchImport.mov C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\UnpublishConfirm.pdf C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\AddCompress.m3u C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\AssertDeny.xml C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\EnterAssert.html C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\UseGrant.doc C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File created \??\c:\program files\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\OpenConnect.xht C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\RedoNew.html C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\UpdateEnable.tif C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ConvertToUninstall.DVR-MS C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\FindResize.docm C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\HideExport.ppsm C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\OutConvertFrom.001 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ResumeSend.png C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\TraceRestart.js C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File created \??\c:\program files\937nc6-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ConvertResume.jpg C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\OpenConvertTo.tiff C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\InvokeExpand.m3u C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\LimitPop.pcx C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\PopLock.vsx C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\RestartSave.xlsb C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SubmitSuspend.ods C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\UninstallMerge.ppsx C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\UseBackup.temp C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
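Two artefacts in the file lists are worth a scanner of their own. The ransom note is named `<id>-readme.txt`, and the id differs between the two detonations (arkpt in behavioral1, 937nc6 here), so it is generated per run and any detection has to stay generic. Alongside it the sample creates a `d60dff40.lock` marker in both Program Files trees. In the REvil family the note prefix is normally the same random string appended to encrypted files as an extension, but this report lists files only as "opened for modification" and shows no renames, so the scanner below reports the id rather than assuming an extension. The code is an added example, not part of the report: the name patterns come from the file lists on this page, while the directory tree built by `build_demo_tree()` and its non-matching files are constructed for the demonstration.

```python
"""Find REvil-style ransom notes and lock markers under a mounted volume or
extracted image, and report the per-run ids they carry.

Added example; not part of the report. Patterns follow the report's file
names (arkpt-readme.txt, 937nc6-readme.txt, d60dff40.lock); the demo tree is
constructed.
"""
import os
import re
import tempfile

# <id>-readme.txt: id differed between the two detonations, so keep it generic.
NOTE_RE = re.compile(r"^[a-z0-9]{4,10}-readme\.txt$", re.I)
# <8 hex digits>.lock: created in both "Program Files" and "Program Files (x86)".
LOCK_RE = re.compile(r"^[0-9a-f]{8}\.lock$", re.I)

def scan_tree(root):
    """Walk root and return note/lock paths plus the distinct ids seen."""
    notes, locks = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if NOTE_RE.match(name):
                notes.append(os.path.join(dirpath, name))
            elif LOCK_RE.match(name):
                locks.append(os.path.join(dirpath, name))
    note_ids = sorted({os.path.basename(p).split("-", 1)[0].lower() for p in notes})
    lock_ids = sorted({os.path.splitext(os.path.basename(p))[0].lower() for p in locks})
    return {"notes": sorted(notes), "locks": sorted(locks),
            "note_ids": note_ids, "lock_ids": lock_ids}

def build_demo_tree():
    """Constructed layout mirroring the behavioral2 file list, plus decoys."""
    root = tempfile.mkdtemp(prefix="revil_demo_")
    layout = {
        "Program Files/937nc6-readme.txt": "ransom note placeholder (constructed)",
        "Program Files (x86)/937nc6-readme.txt": "ransom note placeholder (constructed)",
        "Program Files/d60dff40.lock": "",
        "Program Files (x86)/d60dff40.lock": "",
        "Program Files/UseGrant.doc": "document body (constructed)",
        "Users/Admin/Documents/README.txt": "ordinary readme, no id prefix",
        "Users/Admin/dev/package-lock.json": "{}",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    result = scan_tree(build_demo_tree())
    for key, value in result.items():
        print(key, value)
```

A single id across every note on a host means one encryption run; several ids mean the sample ran more than once, and each run's files need to be tracked separately during recovery. `NOTE_RE` will also match innocuous names such as `docs-readme.txt`, so on a real volume confirm hits by content before acting on them.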

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-controls_31bf3856ad364e35_10.0.19041.1023_none_95090027c7abbbb9.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_ega40869.fon_5e8f5479 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_it-it_bddceaf325c3cfd0_rtm.dll.mui_55e4e990 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_fi-fi_002b04f15e757967.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_es-es_6871eca24b40d9a0_iscsiexe.dll.mui_7d81b1cc C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_8a83f8a2672d374c_wmiapres.dll.mui_c1b8803f C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_a349f4a6799ca6da_listsvc.dll.mui_27f0fc85 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_de-de_542227990f3fe3b2.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.19041.1052_none_a74b8f64d78e3b2f_power.energyestimationengine.telemetry.ppkg_8b58160d C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.19041.1_it-it_63d59ac645c938b0.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..ty-cng-keyisolation_31bf3856ad364e35_10.0.19041.388_none_ac614ad689688c59_keyiso.dll_897976dc C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_10.0.19041.1_none_3d71f65b3bbd6193.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_029f7959ec5608b5.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_en-us_7725a91f1043b62d_gpapi.dll.mui_ef0a9748 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..-configuration-data_31bf3856ad364e35_10.0.19041.1_none_b85d7ef5bf4cc5c7.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_ru-ru_2005a287b66c44a0.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..orkconnectionbroker_31bf3856ad364e35_10.0.19041.1202_none_d16f7d1b7a182564_sbservicetrigger.dll_b5ff30d2 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.19041.1_none_83157d6cc9e85e84.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_zh-tw_2ee3d4c657bdc65b.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62fee1a8066741a1.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_de-de_88414bd06cbad686.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shacct-profile_31bf3856ad364e35_10.0.19041.1_none_603504816df8a341_shacctprofile.dll_c91e31f3 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-dui70_31bf3856ad364e35_10.0.19041.746_none_35adfa9d5cea0bbc_dui70.dll_5f097b0b C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_05fb19d338e44a8b.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_lv-lv_d81762d10a91689b_comctl32.dll.mui_0da4e682 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui-resources19h1_31bf3856ad364e35_10.0.19041.1_none_a747a941ec33876b_windows.ui.xaml.resources.19h1.dll_9d12b64b C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3_fontdrvhost.exe_94bdc76d C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-netbios_31bf3856ad364e35_10.0.19041.1_none_0fd2c5ae0a7cd53b_netbios.sys_6f23c4df C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-hal_31bf3856ad364e35_10.0.19041.1151_none_1ff907b40ed3d811_hal.dll_f279be4d C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.19041.1266_none_1c8f1f932b553c89_dcomp.dll_a2e93a7d C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.19041.1081_none_2adbc983514c73da.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-twinapi-appcore_31bf3856ad364e35_10.0.19041.746_none_9be9f1245111722d_twinapi.appcore.dll_8d6512dc C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_f80c2ec488f97398_clipsvc.dll.mui_18823613 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_a069e8cf0cb9bc28_axinstui.exe.mui_aea34130 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..ype-segoeui_regular_31bf3856ad364e35_10.0.19041.1_none_2a7c063d36b96ac8_segoeui.ttf_b39275ad C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_8ab89bbe670645a7_wmiapres.dll.mui_c1b8803f C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.19041.1288_none_a254f4e433806f5f_gdiplus.dll_423f7010 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-onecore-ras-base-vpn_31bf3856ad364e35_10.0.19041.1266_none_9b77d25cc7b8e67d.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cng_31bf3856ad364e35_10.0.19041.1202_none_1dab520e105346c7.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_8514oeme.fon_dbdae0a9 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_it-it_b1f14780879a25d0.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc_31bf3856ad364e35_10.0.19041.1081_none_e07df81d711ca0d9.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_10.0.19041.546_none_a0a14858c07bcb00.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_19a87c02033cbe34_gpapi.dll.mui_ef0a9748 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shlwapi_31bf3856ad364e35_10.0.19041.1023_none_6eb1689259d35752_shlwapi.dll_1eec0a2e C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_10.0.19041.1266_none_1a0aa046bfbc05b6_lagcounterdef.ini_328543a1 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_4c39b2a1b0c21c01_scdeviceenum.dll.mui_815e7662 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_es-es_76fa6c1a5ef15070.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.19041.1_it-it_725f5b9788589dd0_netlogon.dll.mui_ecbeb9bd C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tm_31bf3856ad364e35_10.0.19041.1202_none_c1d5764939090b5e_tm.sys_d7defcbe C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1202_en-us_e2d6f3ca6473453d.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_48837248d77fb182_dsregtask.dll.mui_5e1b9353 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_10.0.19041.450_none_107cae8412302d3e_wiaservc.dll_08fa1e78 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_fr-fr_79675db658605100.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.19041.1_it-it_ac991dc48f7da1c1_services.exe.mui_86ea5e71 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.906_en-us_adc1f5c62c383715_dsregcmd.exe.mui_8ce2c638 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_379018f38e600fa9_mofd.dll.mui_793ef98d C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_es-es_1b5efa638ab6e61d_hidserv.dll.mui_561adfc8 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-system-user-service_31bf3856ad364e35_10.0.19041.906_none_697cd7dad1ab7e2e_usermgr.dll_015952d1 C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..istration.resources_31bf3856ad364e35_10.0.19041.1_es-es_9f4b9bda672e080a.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directmanipulation_31bf3856ad364e35_10.0.19041.1202_none_cc30ef1d8b2537d2.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-transactionmanagerapi_31bf3856ad364e35_10.0.19041.546_none_3f25415e6728280f_ktmw32.dll_835a43ee C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_94d8a2f49b8df947.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe

"C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
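The command line above is the sample's recovery-inhibition step (ATT&CK T1490): it deletes every Volume Shadow Copy and then uses bcdedit to switch off Windows Recovery and suppress boot-failure handling, so the victim cannot roll back encrypted files. Note the image path in the Processes list is C:\Windows\SysWOW64\cmd.exe while the command line asks for C:\Windows\System32\cmd.exe: the sample is a 32-bit process, and WOW64 file-system redirection serves it the SysWOW64 copy. A detection keyed only on the System32 path misses this. The Python below is an added example, not part of the report or of any vendor tooling; it matches the three chained statements exactly as they appear here, splits cmd.exe chains so one greedy pattern cannot bridge two statements, and accepts cmd.exe from either directory. The control events, the wmic rule and the rule names are constructed assumptions for illustration.

```python
import re

# Process record taken from the Processes section of this report: the 32-bit sample
# launches cmd.exe asking for System32, and WOW64 file-system redirection hands it
# SysWOW64\cmd.exe. Detection logic therefore must not key on the System32 path alone.
OBSERVED_EVENT = {
    "image": r"C:\Windows\SysWOW64\cmd.exe",
    "parent": r"C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe",
    "cmdline": (
        r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
        r'& bcdedit /set {default} recoveryenabled No '
        r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures'
    ),
}

# Constructed control events (not from the report) showing that routine use of the
# same tools does not fire the rules.
CONTROL_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin list shadows'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c bcdedit /enum {default}'},
]

# T1490 indicators. The first three are exactly the statements chained in the observed
# command line; the wmic form is a common equivalent added for coverage (assumption:
# not seen in this sample).
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "bcdedit_recoveryenabled_no": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I),
    "bcdedit_ignoreallfailures": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
}

# cmd.exe chain operators; the observed command line uses a single '&' twice.
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")

# cmd.exe under System32 and under the WOW64 redirect target are the same binary role.
SHELL_IMAGES = {r"c:\windows\system32\cmd.exe", r"c:\windows\syswow64\cmd.exe"}


def is_cmd_shell(image: str) -> bool:
    """True for cmd.exe whether the process image is System32 or SysWOW64."""
    return image.lower() in SHELL_IMAGES


def split_chain(cmdline: str) -> list:
    """Split a cmd.exe command line on chain operators so each statement is matched
    on its own; otherwise a '.*' in one rule could bridge two statements."""
    return [s for s in CHAIN_SPLIT.split(cmdline) if s]


def matched_rules(cmdline: str) -> list:
    """Names of every rule that matches at least one statement, in order of first hit."""
    hits = []
    for statement in split_chain(cmdline):
        for name, rx in RULES.items():
            if rx.search(statement) and name not in hits:
                hits.append(name)
    return hits


def classify(event: dict) -> tuple:
    """Return (severity, rule names). Deleting shadows together with disabling boot
    recovery is the ransomware pattern and rates 'high'; a lone indicator 'medium'."""
    hits = matched_rules(event["cmdline"])
    if not hits:
        return "none", hits
    shadows = any(h in ("vssadmin_delete_shadows", "wmic_shadowcopy_delete") for h in hits)
    boot = any(h.startswith("bcdedit_") for h in hits)
    return ("high" if shadows and boot else "medium"), hits


def triage(events: list) -> list:
    """Score each process event and flag a parent running out of %TEMP%, as here."""
    out = []
    for ev in events:
        severity, hits = classify(ev)
        out.append({
            "image": ev["image"],
            "shell": is_cmd_shell(ev["image"]),
            "severity": severity,
            "rules": hits,
            "parent_in_temp": "\\appdata\\local\\temp\\" in ev["parent"].lower(),
        })
    return out


if __name__ == "__main__":
    for row in triage([OBSERVED_EVENT] + CONTROL_EVENTS):
        print(row)
```

Running it scores the observed event "high" with all three rules and both control events "none"; in a Sysmon or EDR pipeline the same logic applies to Event ID 1 CommandLine fields, with the parent-in-%TEMP% flag raising priority rather than deciding on its own.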

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 24.125.209.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 craftingalegacy.com udp
US 50.87.137.113:443 craftingalegacy.com tcp
US 8.8.8.8:53 g2mediainc.com udp
US 8.8.8.8:53 113.137.87.50.in-addr.arpa udp
DE 78.46.1.42:443 g2mediainc.com tcp
US 8.8.8.8:53 brinkdoepke.eu udp
DE 92.205.192.141:443 brinkdoepke.eu tcp
US 8.8.8.8:53 vipcarrental.ae udp
US 172.67.153.12:443 vipcarrental.ae tcp
US 8.8.8.8:53 141.192.205.92.in-addr.arpa udp
US 8.8.8.8:53 42.1.46.78.in-addr.arpa udp
US 8.8.8.8:53 12.153.67.172.in-addr.arpa udp
US 8.8.8.8:53 autoteamlast.de udp
DE 37.202.7.169:443 autoteamlast.de tcp
US 8.8.8.8:53 169.7.202.37.in-addr.arpa udp
US 8.8.8.8:53 hostastay.com udp
SG 13.229.198.152:443 hostastay.com tcp
US 8.8.8.8:53 gavelmasters.com udp
US 8.8.8.8:53 ronaldhendriks.nl udp
NL 185.103.16.188:443 ronaldhendriks.nl tcp
US 8.8.8.8:53 successcolony.com.ng udp
US 8.8.8.8:53 medicalsupportco.com udp
US 15.197.225.128:443 medicalsupportco.com tcp
US 8.8.8.8:53 188.16.103.185.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 15.197.225.128:443 medicalsupportco.com tcp
US 15.197.225.128:443 medicalsupportco.com tcp
US 8.8.8.8:53 kompresory-opravy.com udp
SK 37.9.175.133:443 kompresory-opravy.com tcp
US 8.8.8.8:53 128.225.197.15.in-addr.arpa udp
US 8.8.8.8:53 133.175.9.37.in-addr.arpa udp
US 8.8.8.8:53 sveneulberg.de udp
DE 89.110.179.179:443 sveneulberg.de tcp
US 8.8.8.8:53 www.sveneulberg.de udp
DE 89.110.179.179:443 www.sveneulberg.de tcp
US 8.8.8.8:53 oththukaruva.com udp
US 8.8.8.8:53 voetbalhoogeveen.nl udp
US 8.8.8.8:53 selected-minds.de udp
DE 217.160.0.92:443 selected-minds.de tcp
US 8.8.8.8:53 179.179.110.89.in-addr.arpa udp
US 8.8.8.8:53 92.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 log-barn.co.uk udp
GB 213.175.208.90:443 log-barn.co.uk tcp
US 8.8.8.8:53 fsbforsale.com udp
US 8.8.8.8:53 jobkiwi.com.ng udp
US 8.8.8.8:53 ivancacu.com udp
DE 217.160.0.237:443 ivancacu.com tcp
US 8.8.8.8:53 90.208.175.213.in-addr.arpa udp
US 8.8.8.8:53 11.in.ua udp
UA 91.225.81.9:443 11.in.ua tcp
US 8.8.8.8:53 irizar.com udp
US 8.8.8.8:53 237.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 9.81.225.91.in-addr.arpa udp
ES 194.30.99.95:443 irizar.com tcp
ES 194.30.99.95:443 irizar.com tcp
US 8.8.8.8:53 colored-shelves.com udp
US 8.8.8.8:53 95.99.30.194.in-addr.arpa udp
US 8.8.8.8:53 soundseeing.net udp
DE 85.13.155.183:443 soundseeing.net tcp
US 8.8.8.8:53 scotlandsroute66.co.uk udp
US 104.21.58.148:443 scotlandsroute66.co.uk tcp
US 8.8.8.8:53 hawaiisteelbuilding.com udp
US 8.8.8.8:53 148.58.21.104.in-addr.arpa udp
US 8.8.8.8:53 183.155.13.85.in-addr.arpa udp
US 199.16.172.213:443 hawaiisteelbuilding.com tcp
US 8.8.8.8:53 mindfuelers.com udp
US 104.21.96.155:443 mindfuelers.com tcp
US 8.8.8.8:53 dentourage.com udp
US 8.8.8.8:53 213.172.16.199.in-addr.arpa udp
US 8.8.8.8:53 155.96.21.104.in-addr.arpa udp
US 8.8.8.8:53 hekecrm.com udp
CN 38.14.23.10:443 hekecrm.com tcp
US 8.8.8.8:53 finsahome.co.uk udp
DE 217.160.0.87:443 finsahome.co.uk tcp
US 8.8.8.8:53 87.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 cormanmarketing.com udp
US 34.174.215.122:443 cormanmarketing.com tcp
US 8.8.8.8:53 morgansconsult.com udp
US 8.8.8.8:53 122.215.174.34.in-addr.arpa udp
GB 35.214.25.158:443 morgansconsult.com tcp
US 8.8.8.8:53 dnqa.co.uk udp
US 107.178.223.183:443 dnqa.co.uk tcp
US 8.8.8.8:53 158.25.214.35.in-addr.arpa udp
US 8.8.8.8:53 frimec-international.es udp
FR 188.165.33.133:443 frimec-international.es tcp
US 8.8.8.8:53 www.frimec-international.es udp
FR 188.165.33.133:443 www.frimec-international.es tcp
US 8.8.8.8:53 183.223.178.107.in-addr.arpa udp
US 8.8.8.8:53 133.33.165.188.in-addr.arpa udp
US 8.8.8.8:53 worldproskitour.com udp
US 143.198.7.126:443 worldproskitour.com tcp
US 8.8.8.8:53 126.7.198.143.in-addr.arpa udp
US 8.8.8.8:53 csaballoons.com udp
CA 149.56.43.78:443 csaballoons.com tcp
US 8.8.8.8:53 78.43.56.149.in-addr.arpa udp
US 8.8.8.8:53 krishnabrawijaya.com udp
US 8.8.8.8:53 tatyanakopieva.ru udp
RU 77.222.40.195:443 tatyanakopieva.ru tcp
US 8.8.8.8:53 195.40.222.77.in-addr.arpa udp
US 8.8.8.8:53 silkeight.com udp
RO 188.213.19.166:443 silkeight.com tcp
US 8.8.8.8:53 166.19.213.188.in-addr.arpa udp
US 8.8.8.8:53 publicompserver.de udp
DE 195.3.195.201:443 publicompserver.de tcp
US 8.8.8.8:53 letsstopsmoking.co.uk udp
GB 62.182.18.149:443 letsstopsmoking.co.uk tcp
US 8.8.8.8:53 anleggsregisteret.no udp
NO 185.157.56.11:443 anleggsregisteret.no tcp
US 8.8.8.8:53 201.195.3.195.in-addr.arpa udp
US 8.8.8.8:53 149.18.182.62.in-addr.arpa udp
US 8.8.8.8:53 arearugcleaningnyc.com udp
US 108.178.17.142:443 arearugcleaningnyc.com tcp
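The table above shows one HTTPS connection each to dozens of unrelated domains over 8.8.8.8 resolution, with a handful (medicalsupportco.com, irizar.com, sveneulberg.de) contacted more than once. Sodinokibi builds carry a long list of domains in their configuration and send HTTPS requests to them, most of them legitimate sites with no role in the operation, so these hosts are the sample's network fingerprint rather than confirmed command-and-control, and a blocklist built from them should be treated as low confidence. The in-addr.arpa rows are PTR lookups; reversing their octets gives addresses that, apart from the first eight rows, match IPs contacted over 443 in the same table (the report does not say whether the sample or the analysis VM issued them). The Python below is an added example, not part of the report; it parses a copied subset of the table in the report's own row format, separates forward queries, PTR queries and 443 connections, and checks each PTR against the contacted addresses. The subset and the bucket names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Rows copied verbatim from the Network table of this report (a subset, same format:
# country, destination ip:port, queried or contacted name, protocol).
NETWORK_ROWS = """\
US 8.8.8.8:53 craftingalegacy.com udp
US 50.87.137.113:443 craftingalegacy.com tcp
US 8.8.8.8:53 g2mediainc.com udp
US 8.8.8.8:53 113.137.87.50.in-addr.arpa udp
DE 78.46.1.42:443 g2mediainc.com tcp
US 8.8.8.8:53 brinkdoepke.eu udp
DE 92.205.192.141:443 brinkdoepke.eu tcp
US 8.8.8.8:53 gavelmasters.com udp
US 8.8.8.8:53 medicalsupportco.com udp
US 15.197.225.128:443 medicalsupportco.com tcp
US 15.197.225.128:443 medicalsupportco.com tcp
US 15.197.225.128:443 medicalsupportco.com tcp
US 8.8.8.8:53 42.1.46.78.in-addr.arpa udp
US 8.8.8.8:53 128.225.197.15.in-addr.arpa udp
"""

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<proto>tcp|udp)$"
)
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text: str) -> list:
    """Parse the report's flattened table into dicts; refuse rows that do not fit."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        rows.append(d)
    return rows


def ptr_to_ip(name: str):
    """'113.137.87.50.in-addr.arpa' -> '50.87.137.113'; None for non-PTR names."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def summarize(rows: list) -> dict:
    """Bucket the traffic: forward DNS, PTR lookups, and TCP/443 connections, then
    relate them (which names were queried but never contacted, which PTRs point at
    an address the sample actually connected to)."""
    connected = defaultdict(set)   # domain -> set of IPs contacted over 443
    hits = Counter()               # domain -> number of 443 connections
    forward_queries, ptr_queries = set(), set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["name"])
            if ip:
                ptr_queries.add(ip)
            else:
                forward_queries.add(r["name"])
        elif r["proto"] == "tcp" and r["port"] == 443:
            connected[r["name"]].add(r["ip"])
            hits[r["name"]] += 1
    contacted_ips = {ip for ips in connected.values() for ip in ips}
    return {
        "resolved": forward_queries,
        "connected": dict(connected),
        "hits": hits,
        "queried_not_connected": forward_queries - set(connected),
        "ptr_for_contacted_ip": ptr_queries & contacted_ips,
        "ptr_for_unknown_ip": ptr_queries - contacted_ips,
    }


def iocs(summary: dict) -> list:
    """(domain, ip) pairs for every 443 connection, sorted for a low-confidence watchlist."""
    return sorted((d, ip) for d, ips in summary["connected"].items() for ip in ips)


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_ROWS))
    print("contacted:", iocs(s))
    print("repeat contacts:", {d: n for d, n in s["hits"].items() if n > 1})
    print("queried, no connection:", s["queried_not_connected"])
    print("PTR for contacted IP:", s["ptr_for_contacted_ip"])
    print("PTR for unknown IP:", s["ptr_for_unknown_ip"])
```

On the subset, gavelmasters.com lands in queried_not_connected (the full table shows the same for several other names, which the report does not explain) and every PTR maps to a contacted address; pasting the complete table in puts the first eight PTR rows into ptr_for_unknown_ip, since those addresses appear nowhere else in the table.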

Files

memory/2524-0-0x00000000008B0000-0x00000000008DE000-memory.dmp

memory/2524-1-0x00000000008B0000-0x00000000008DE000-memory.dmp

C:\Users\937nc6-readme.txt

MD5 e61886cea16d24e5b71931b458873d63
SHA1 8d91660ddb7705fb9c4ba086a1b92ab92c0760ee
SHA256 a5d89cb7537cf984c7a7362c59acbcc3d4feb38c08279316771a0557dc8611cb
SHA512 67e1236b2d674f422a69b714001dd37f14ff406c6976e1424e27db8492fb370462ce9c7cb35a28e187ae63b1d9fc72fa875bffc25e4a9c62bc3f9cb63c29d0f3