Analysis Overview
SHA256
46482511ca8cf232e2adf984dcd3d8624d52c391bd9a08a72c42cf828ed6c10b
Threat Level: Known bad
The file 2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Sodinokibi/Revil sample
Sodin,Sodinokibi,REvil
Deletes shadow copies
Checks computer location settings
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-15 12:03
Signatures
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-15 12:03
Reported
2024-12-15 12:06
Platform
win7-20240903-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Deletes shadow copies
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ex1j79o0.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_e80fbb8ab24365d6.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_68793793d8498bad_bootmgr.exe.mui_c434701f | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-d2d_31bf3856ad364e35_7.1.7601.16492_none_9abc61e3455c511e_d2d1.dll_ef77984b | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6a51528581d60122.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_j8514sys.fon_cfb116c0 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1bf590f3721a2457.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_de-de_18a6abaa160568df_hid.dll.mui_cccd5ae0 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_en-us_812693c00b3677f4_iscsidsc.mfl_20ed5374 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7bb0bd650e72abc4_sti.dll.mui_00a4f15b | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9c4b10f07cfccf53_wininit.exe.mui_997435f5 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_0a2f4680d5ae26b7_sti.dll.mui_00a4f15b | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-winlogon-tools_31bf3856ad364e35_6.1.7600.16385_none_f0686b7ca6acde00.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_de-de_227521a01b1e0f11_prflbmsg.dll.mui_4caa0054 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_et-ee_b849dde6b3c0da01.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_47b8ac96851475dc.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bdbcaf727d38d49f_dui70.dll.mui_de5f27e2 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_de-de_88976dfcb22dd55c_msxml6r.dll.mui_4516d602 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_de-de_0edef610009d2270.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-t..-msctfime.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_eb06c896b1e71881.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_38fe497fea9b41b8.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_be640d0cafcb6896.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..truetype-meiryobold_31bf3856ad364e35_6.1.7600.16385_none_2942916491573830.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ional-codepage-1255_31bf3856ad364e35_6.1.7600.16385_none_7f65562923221762.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-t..cesframework-msimtf_31bf3856ad364e35_6.1.7600.16385_none_d15bda804befe6a3_msimtf.dll_e4ce9536 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f223af4916b0f0f3.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_07f91de77125e78d.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_fff3e41327434466_psbase.dll.mui_c28690ab | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4fbac3e2381c9426_sccls.dll.mui_f104be47 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-session0viewer_31bf3856ad364e35_6.1.7600.16385_none_483083fb94bfc714_wls0wndh.dll_dbf333a5 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..ruetype-new_tai_lue_31bf3856ad364e35_6.1.7600.16385_none_325f57c8c0ee36a8_ntailu.ttf_c1891505 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_smae1255.fon_bf98786c | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5b9d513e3739aef1.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_69cd279a554d50be.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9d9ce5902463654d_rpcepmap.dll.mui_349798e1 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_15d2dbee6e2bcc6d.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cdb792a8c509541e.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1d0162c550c828a3_services.exe.mui_86ea5e71 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_092d6b9141f16aca_wmiaprpl.dll_5d18a476 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_en-us_02e9e13998201d43_erofflps.txt_649e76ed | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-win32k.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_56312c4d9f493698_win32k.sys.mui_c0d34fe8 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_en-us_c342610ed289dc75_lodctr.exe.mui_4ac7d1a1 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e2e88a7682b25068_bootfix.bin_ee6f205e | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_c0d17ceadf33e739_comctl32.dll.mui_0da4e682 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..libraries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8fa512baf88959a1.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_app850.fon_e2e4776b | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_it-it_febfba372a81d59f.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_aab4f8cb967e96d9.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-spp-main_31bf3856ad364e35_6.1.7601.17514_none_e64e60ad0b1ee918.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c5cb371e0d8c117f_slc.dll.mui_dc24f809 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_da-dk_a2ffc87595d912be.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c1f74f2f9e020278_sti.dll.mui_00a4f15b | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-861_31bf3856ad364e35_6.1.7600.16385_none_cebf7c64fc8468dc.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f6e1ec9fa2e0ba82.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_app932.fon_e93b0656 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_494dd8c9f3f02706_listsvc.dll.mui_27f0fc85 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_72a70ca7e03b9b86.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_1423e918b2cd2d4b_rasmanservice-repl.man_a7b7d1f1 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e2681fa3e58ee969_dhcpcore.dll.mui_8b901fc3 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_de-de_17c37298caa7b415_certcli.dll.mui_1b6822cf | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ef54932792fc58dd.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-ws232.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0c87415f91a2fd6b.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ive-blackbox-driver_31bf3856ad364e35_6.1.7600.16385_none_656773dac187bca2_spsys.sys_95b9c9e3 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_9c23fd3941bcc44e_user32.dll.mui_14652dbb | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_da723e1e02d551df_bootmgfw.efi.mui_a6e78cfa | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
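The cmd.exe command line above is the classic T1490 (Inhibit System Recovery) chain: delete every shadow copy, then turn off Windows Recovery Environment and make the boot manager ignore failures so the victim cannot roll back. Note that the command line names System32\cmd.exe but the logged image is SysWOW64\cmd.exe, because the 32-bit sample is redirected by WoW64 on a 64-bit host; detection logic keyed on the image path alone misses that. The following detector is an added example written for this page, not tooling from the sandbox or the malware; the event records are constructed in a Sysmon Event ID 1 shape, with the first two mirroring the process tree above and the rest being a benign query plus variants used by other ransomware families.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events (Sysmon Event ID 1 shape); these are
# not records exported from the sandbox run.
SAMPLE_EVENTS = [
    {"pid": 1840, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 1844, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 2210, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"vssadmin list shadows"},                      # benign admin query
    {"pid": 2300, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'wmic "shadowcopy"  delete /nointeractive'},  # quoted/padded variant
    {"pid": 2400, "image": r"C:\Windows\System32\bcdedit.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bcdedit /set {default} recoveryenabled no"},
]

# T1490 rules. Each regex runs against a normalized command line (lower-cased,
# quotes removed, whitespace collapsed), so "cmd /c a & b & c" chains and
# quoted or padded argument variants still match.
RULES = {
    "vssadmin_delete_shadows":        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b",
    "vssadmin_resize_shadowstorage":  r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b",
    "wmic_shadowcopy_delete":         r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "bcdedit_recoveryenabled_no":     r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b",
    "bcdedit_bootstatuspolicy_ignore": r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b",
}
COMPILED = {name: re.compile(rx) for name, rx in RULES.items()}


@dataclass
class Hit:
    pid: int
    image: str
    parent: str
    rules: set = field(default_factory=set)
    wow64: bool = False  # image under SysWOW64: 32-bit process on a 64-bit host


def normalize(cmdline: str) -> str:
    """Lower-case, strip double quotes, collapse runs of whitespace."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def detect_inhibit_recovery(events):
    """Return one Hit per event whose command line matches at least one rule.

    A single cmd.exe line can match several rules (as the REvil chain does);
    the rules set on the Hit records all of them.
    """
    hits = []
    for ev in events:
        cmd = normalize(ev["cmdline"])
        matched = {name for name, rx in COMPILED.items() if rx.search(cmd)}
        if matched:
            hits.append(Hit(ev["pid"], ev["image"], ev["parent"], matched,
                            "\\syswow64\\" in ev["image"].lower()))
    return hits


if __name__ == "__main__":
    for h in detect_inhibit_recovery(SAMPLE_EVENTS):
        arch = "wow64" if h.wow64 else "native"
        print(f"pid={h.pid} {arch} {h.image} <- {h.parent}: {sorted(h.rules)}")
```

Run as-is it flags four of the five constructed events and leaves the `vssadmin list shadows` query alone. In production the same rules belong on process-creation telemetry (Sysmon 1, Security 4688 with command-line auditing enabled) with the parent chain kept, since `vssadmin` spawned from a user-writable Temp path is far stronger signal than `vssadmin` alone.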
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | craftingalegacy.com | udp |
| US | 50.87.137.113:443 | craftingalegacy.com | tcp |
| US | 50.87.137.113:443 | craftingalegacy.com | tcp |
| US | 8.8.8.8:53 | g2mediainc.com | udp |
| DE | 78.46.1.42:443 | g2mediainc.com | tcp |
| US | 8.8.8.8:53 | brinkdoepke.eu | udp |
| DE | 92.205.192.141:443 | brinkdoepke.eu | tcp |
| DE | 92.205.192.141:443 | brinkdoepke.eu | tcp |
| US | 8.8.8.8:53 | vipcarrental.ae | udp |
| US | 104.21.40.147:443 | vipcarrental.ae | tcp |
| US | 8.8.8.8:53 | autoteamlast.de | udp |
| DE | 37.202.7.169:443 | autoteamlast.de | tcp |
| DE | 37.202.7.169:443 | autoteamlast.de | tcp |
| US | 8.8.8.8:53 | hostastay.com | udp |
| SG | 13.229.198.152:443 | hostastay.com | tcp |
| US | 8.8.8.8:53 | gavelmasters.com | udp |
| US | 8.8.8.8:53 | ronaldhendriks.nl | udp |
| NL | 185.103.16.188:443 | ronaldhendriks.nl | tcp |
| NL | 185.103.16.188:443 | ronaldhendriks.nl | tcp |
| US | 8.8.8.8:53 | successcolony.com.ng | udp |
| US | 8.8.8.8:53 | medicalsupportco.com | udp |
| US | 15.197.225.128:443 | medicalsupportco.com | tcp |
| US | 15.197.225.128:443 | medicalsupportco.com | tcp |
| US | 8.8.8.8:53 | kompresory-opravy.com | udp |
| SK | 37.9.175.133:443 | kompresory-opravy.com | tcp |
| SK | 37.9.175.133:443 | kompresory-opravy.com | tcp |
| US | 8.8.8.8:53 | sveneulberg.de | udp |
| DE | 89.110.179.179:443 | sveneulberg.de | tcp |
| DE | 89.110.179.179:443 | sveneulberg.de | tcp |
| US | 8.8.8.8:53 | oththukaruva.com | udp |
| US | 8.8.8.8:53 | voetbalhoogeveen.nl | udp |
| US | 8.8.8.8:53 | selected-minds.de | udp |
| DE | 217.160.0.92:443 | selected-minds.de | tcp |
| DE | 217.160.0.92:443 | selected-minds.de | tcp |
| US | 8.8.8.8:53 | log-barn.co.uk | udp |
| GB | 213.175.208.90:443 | log-barn.co.uk | tcp |
| GB | 213.175.208.90:443 | log-barn.co.uk | tcp |
| US | 8.8.8.8:53 | fsbforsale.com | udp |
| US | 8.8.8.8:53 | jobkiwi.com.ng | udp |
| US | 8.8.8.8:53 | ivancacu.com | udp |
| DE | 217.160.0.237:443 | ivancacu.com | tcp |
| DE | 217.160.0.237:443 | ivancacu.com | tcp |
| US | 8.8.8.8:53 | 11.in.ua | udp |
| UA | 91.225.81.9:443 | 11.in.ua | tcp |
| US | 8.8.8.8:53 | irizar.com | udp |
| ES | 194.30.99.95:443 | irizar.com | tcp |
| ES | 194.30.99.95:443 | irizar.com | tcp |
| US | 8.8.8.8:53 | colored-shelves.com | udp |
| US | 8.8.8.8:53 | soundseeing.net | udp |
| DE | 85.13.155.183:443 | soundseeing.net | tcp |
| DE | 85.13.155.183:443 | soundseeing.net | tcp |
| US | 8.8.8.8:53 | scotlandsroute66.co.uk | udp |
| US | 172.67.204.127:443 | scotlandsroute66.co.uk | tcp |
| US | 8.8.8.8:53 | hawaiisteelbuilding.com | udp |
| US | 199.16.172.213:443 | hawaiisteelbuilding.com | tcp |
| US | 199.16.172.213:443 | hawaiisteelbuilding.com | tcp |
| US | 8.8.8.8:53 | mindfuelers.com | udp |
| US | 172.67.183.252:443 | mindfuelers.com | tcp |
| US | 172.67.183.252:443 | mindfuelers.com | tcp |
| US | 8.8.8.8:53 | dentourage.com | udp |
| US | 8.8.8.8:53 | hekecrm.com | udp |
| CN | 38.14.23.10:443 | hekecrm.com | tcp |
| US | 8.8.8.8:53 | finsahome.co.uk | udp |
| DE | 217.160.0.87:443 | finsahome.co.uk | tcp |
| DE | 217.160.0.87:443 | finsahome.co.uk | tcp |
| US | 8.8.8.8:53 | cormanmarketing.com | udp |
| US | 34.174.215.122:443 | cormanmarketing.com | tcp |
| US | 34.174.215.122:443 | cormanmarketing.com | tcp |
| US | 8.8.8.8:53 | morgansconsult.com | udp |
| GB | 35.214.25.158:443 | morgansconsult.com | tcp |
| GB | 35.214.25.158:443 | morgansconsult.com | tcp |
| US | 8.8.8.8:53 | dnqa.co.uk | udp |
| US | 107.178.223.183:443 | dnqa.co.uk | tcp |
| US | 8.8.8.8:53 | frimec-international.es | udp |
| FR | 188.165.33.133:443 | frimec-international.es | tcp |
| US | 8.8.8.8:53 | worldproskitour.com | udp |
| US | 143.198.7.126:443 | worldproskitour.com | tcp |
| US | 143.198.7.126:443 | worldproskitour.com | tcp |
| US | 8.8.8.8:53 | csaballoons.com | udp |
| CA | 149.56.43.78:443 | csaballoons.com | tcp |
| CA | 149.56.43.78:443 | csaballoons.com | tcp |
| US | 8.8.8.8:53 | krishnabrawijaya.com | udp |
| US | 8.8.8.8:53 | tatyanakopieva.ru | udp |
| RU | 77.222.40.195:443 | tatyanakopieva.ru | tcp |
| RU | 77.222.40.195:443 | tatyanakopieva.ru | tcp |
| US | 8.8.8.8:53 | silkeight.com | udp |
| RO | 188.213.19.166:443 | silkeight.com | tcp |
| RO | 188.213.19.166:443 | silkeight.com | tcp |
| US | 8.8.8.8:53 | publicompserver.de | udp |
| DE | 195.3.195.201:443 | publicompserver.de | tcp |
| DE | 195.3.195.201:443 | publicompserver.de | tcp |
| US | 8.8.8.8:53 | letsstopsmoking.co.uk | udp |
| GB | 62.182.18.149:443 | letsstopsmoking.co.uk | tcp |
| GB | 62.182.18.149:443 | letsstopsmoking.co.uk | tcp |
| US | 8.8.8.8:53 | anleggsregisteret.no | udp |
| NO | 185.157.56.11:443 | anleggsregisteret.no | tcp |
| NO | 185.157.56.11:443 | anleggsregisteret.no | tcp |
| US | 8.8.8.8:53 | arearugcleaningnyc.com | udp |
| US | 108.178.17.142:443 | arearugcleaningnyc.com | tcp |
| US | 108.178.17.142:443 | arearugcleaningnyc.com | tcp |
| US | 8.8.8.8:53 | diverfiestas.com.es | udp |
| FR | 176.31.163.21:443 | diverfiestas.com.es | tcp |
| US | 8.8.8.8:53 | lovcase.com | udp |
| US | 8.8.8.8:53 | alltagsrassismus-entknoten.de | udp |
| DE | 91.210.225.23:443 | alltagsrassismus-entknoten.de | tcp |
| DE | 91.210.225.23:443 | alltagsrassismus-entknoten.de | tcp |
| US | 8.8.8.8:53 | lassocrm.com | udp |
| US | 209.87.149.78:443 | lassocrm.com | tcp |
| US | 209.87.149.78:443 | lassocrm.com | tcp |
| US | 8.8.8.8:53 | boyfriendsgoal.site | udp |
| US | 8.8.8.8:53 | mbuildinghomes.com | udp |
| US | 104.21.96.1:443 | mbuildinghomes.com | tcp |
| US | 8.8.8.8:53 | santastoy.store | udp |
| US | 8.8.8.8:53 | citiscapes-art.com | udp |
| US | 104.21.21.241:443 | citiscapes-art.com | tcp |
| US | 8.8.8.8:53 | unislaw-narty.pl | udp |
| PL | 91.185.184.170:443 | unislaw-narty.pl | tcp |
| US | 8.8.8.8:53 | envomask.com | udp |
| US | 172.81.116.97:443 | envomask.com | tcp |
| US | 172.81.116.97:443 | envomask.com | tcp |
| US | 8.8.8.8:53 | patassociation.com | udp |
| FR | 109.234.160.199:443 | patassociation.com | tcp |
| FR | 109.234.160.199:443 | patassociation.com | tcp |
| US | 8.8.8.8:53 | luvbec.com | udp |
| US | 172.232.25.148:443 | luvbec.com | tcp |
| US | 172.232.25.148:443 | luvbec.com | tcp |
| US | 8.8.8.8:53 | keuken-prijs.nl | udp |
| US | 8.8.8.8:53 | therapybusinessacademy.com | udp |
| DE | 217.160.0.95:443 | therapybusinessacademy.com | tcp |
| DE | 217.160.0.95:443 | therapybusinessacademy.com | tcp |
| US | 8.8.8.8:53 | baikalflot.ru | udp |
| US | 8.8.8.8:53 | piestar.com | udp |
| US | 35.170.173.134:443 | piestar.com | tcp |
| US | 35.170.173.134:443 | piestar.com | tcp |
| US | 8.8.8.8:53 | diakonie-weitramsdorf-sesslach.de | udp |
| N/A | 78.46.133.97:443 | N/A | tcp |
| N/A | 78.46.133.97:443 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 77.222.40.14:443 | N/A | tcp |
| N/A | 77.222.40.14:443 | N/A | tcp |
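The network table is the sample's beaconing loop: REvil walks the domain list embedded in its configuration and sends junk HTTPS POSTs to each one. The entries are overwhelmingly legitimate, often compromised, websites, so the useful indicator is the fan-out (one host contacting dozens of unrelated domains over 443 within a couple of minutes), not any single name, and the list should not be fed into a blocklist unreviewed. These TLS sessions also account for the "Modifies system certificate store" signature: the thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 is ISRG Root X1 (Let's Encrypt), which crypt32 fetches through automatic root update the first time it validates a chain to a root the machine does not yet have. The parser below is an added example written for this page, not part of the sandbox report; it reads the table layout used above (including the malformed rows at its end, where the Domain cell is absent), deduplicates connections, and separates domains that only got a DNS lookup from those that completed a TCP session. The embedded table excerpt is constructed from a few rows of the report.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the report's own layout: a few rows copied from the
# Network section above plus the domain-less rows from its end.
SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | craftingalegacy.com | udp |
| US | 50.87.137.113:443 | craftingalegacy.com | tcp |
| US | 50.87.137.113:443 | craftingalegacy.com | tcp |
| US | 8.8.8.8:53 | gavelmasters.com | udp |
| US | 8.8.8.8:53 | ronaldhendriks.nl | udp |
| NL | 185.103.16.188:443 | ronaldhendriks.nl | tcp |
| N/A | 78.46.133.97:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 77.222.40.14:443 | tcp
"""

DEST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
PROTOS = ("tcp", "udp")


def parse_rows(table: str):
    """Parse '| Country | Destination | Domain | Proto |' rows.

    Rows whose Domain cell is missing shift 'tcp'/'udp' into the Domain
    column (or drop the trailing pipe entirely); both forms are handled by
    locating the protocol cell instead of trusting column position.
    """
    rows = []
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 2 or cells[0] == "Country":       # header row
            continue
        m = DEST_RE.match(cells[1])
        if not m:
            continue
        rest = cells[2:]
        proto = next((c for c in rest if c in PROTOS), None)
        domain = next((c for c in rest if c and c not in PROTOS and c != "N/A"), None)
        rows.append({"country": cells[0], "ip": m.group(1), "port": int(m.group(2)),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Group the connection log by domain.

    connected:    domain -> sorted list of (ip, port) reached over TCP
    dns_only:     domains that were looked up but never got a TCP session
    unattributed: (ip, port, proto) endpoints the sandbox could not tie to a name
    counts:       how many times each (domain, ip, port, proto) row appeared
    """
    counts = Counter((r["domain"], r["ip"], r["port"], r["proto"]) for r in rows)
    dns, tcp, unattributed = defaultdict(set), defaultdict(set), set()
    for r in rows:
        if r["domain"] is None:
            unattributed.add((r["ip"], r["port"], r["proto"]))
        elif r["proto"] == "udp" and r["port"] == 53:
            dns[r["domain"]].add(r["ip"])
        elif r["proto"] == "tcp":
            tcp[r["domain"]].add((r["ip"], r["port"]))
    connected = set(tcp)
    return {
        "connected": {d: sorted(tcp[d]) for d in sorted(connected)},
        "dns_only": sorted(set(dns) - connected),
        "unattributed": sorted(unattributed),
        "counts": counts,
    }


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_TABLE))
    print(f"{len(s['connected'])} domains reached over TCP, "
          f"{len(s['dns_only'])} DNS-only, {len(s['unattributed'])} unattributed endpoints")
    for d, eps in s["connected"].items():
        print(f"  {d}: {', '.join(f'{ip}:{port}' for ip, port in eps)}")
```

Pointed at the full table above, the "connected" set is what to correlate against proxy or NetFlow logs (a single workstation hitting that many of these domains over 443 inside a few minutes is the detection), while the DNS-only entries are names that did not resolve or did not answer in the sandbox and tell you little on their own.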
Files
memory/2236-0-0x0000000000ED0000-0x0000000000EFE000-memory.dmp
memory/2236-1-0x0000000000220000-0x000000000022A000-memory.dmp
memory/2236-2-0x0000000000220000-0x000000000022A000-memory.dmp
memory/2236-12-0x00000000002E0000-0x00000000002E6000-memory.dmp
memory/2236-11-0x00000000026E0000-0x00000000027E9000-memory.dmp
memory/2236-10-0x00000000002E0000-0x00000000002E6000-memory.dmp
memory/2236-9-0x0000000000830000-0x000000000084F000-memory.dmp
memory/2236-7-0x0000000000AB0000-0x0000000000B4F000-memory.dmp
memory/2236-4-0x0000000000BB0000-0x0000000000C79000-memory.dmp
memory/2236-6-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/2236-5-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/2236-3-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2236-8-0x0000000002300000-0x000000000242D000-memory.dmp
memory/2236-13-0x00000000002E0000-0x00000000002E6000-memory.dmp
memory/2236-15-0x0000000003080000-0x0000000003090000-memory.dmp
memory/2236-16-0x0000000000ED0000-0x0000000000EFE000-memory.dmp
memory/2236-17-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/2236-19-0x0000000003080000-0x0000000003090000-memory.dmp
C:\Users\2tq16v09vd-readme.txt
| MD5 | bd6afb6df434ae38151cfc3adb4f9277 |
| SHA1 | 671f103eda9f9ab3a757223efc867fde87304c38 |
| SHA256 | 11d6361c60c0a5d8a2ee314d0ca9b247b45195213e017c367a7d1fb4ebed8e2d |
| SHA512 | be36fa1d27c9f9cd3725becfe35ed8eb635296695d46d01560db6c98fa5dc01aeccda21bf148afd3638104fc8c920d53f8f398b5d2e9c33cf633a1237d075936 |
C:\Users\Admin\AppData\Local\Temp\Cab4F2.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar505.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-15 12:03
Reported
2024-12-15 12:06
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x60i9h.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1116 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Network
Files
memory/1116-0-0x00000000009D0000-0x00000000009FE000-memory.dmp
memory/1116-1-0x00000000009D0000-0x00000000009FE000-memory.dmp
C:\Users\m52e7d3-readme.txt
| MD5 | fc0638e6838ef88eb95371e3225bcda9 |
| SHA1 | d1886282b9ac5525a0c2a2213157381a7b90ea0d |
| SHA256 | 017f84beedc2e0cef63c96714cb0dac1b8d9a498bcc760b9ce504c3472dc6163 |
| SHA512 | 396aba06a91b698f24fd2e1e74e07ab1610306e049eaad1d0986fb7ba8cf5053174138f288d1a39487174bf16aa3732f1ec8cdb088fab790581f31c3f1d9dc97 |