Malware Analysis Report

2025-01-18 18:21

Sample ID 241215-n8c1qatkfz
Target 2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi
SHA256 46482511ca8cf232e2adf984dcd3d8624d52c391bd9a08a72c42cf828ed6c10b
Tags
sodinokibi 5 367 defense_evasion discovery execution impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

46482511ca8cf232e2adf984dcd3d8624d52c391bd9a08a72c42cf828ed6c10b

Threat Level: Known bad

The file 2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi was found to be: Known bad.

Malicious Activity Summary

Sodinokibi family

Sodinokibi/Revil sample

Sodin,Sodinokibi,REvil

Deletes shadow copies

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-15 12:03

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-15 12:03

Reported

2024-12-15 12:06

Platform

win7-20240903-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Deletes shadow copies

ransomware defense_evasion impact execution

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ex1j79o0.bmp" C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files\2tq16v09vd-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\RepairMount.mpe C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\RequestDismount.mp4 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\2tq16v09vd-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ApproveProtect.wax C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ImportNew.dib C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\InitializeSkip.DVR C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\OutConfirm.xps C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\StepStart.cr2 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\2tq16v09vd-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\2tq16v09vd-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\2tq16v09vd-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\JoinConvert.m4v C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ResolveUninstall.mpv2 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Drops file in Windows directory


Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe

"C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

GB 35.214.25.158:443 morgansconsult.com tcp
US 8.8.8.8:53 dnqa.co.uk udp
US 107.178.223.183:443 dnqa.co.uk tcp
US 8.8.8.8:53 frimec-international.es udp
FR 188.165.33.133:443 frimec-international.es tcp
US 8.8.8.8:53 worldproskitour.com udp
US 143.198.7.126:443 worldproskitour.com tcp
US 143.198.7.126:443 worldproskitour.com tcp
US 8.8.8.8:53 csaballoons.com udp
CA 149.56.43.78:443 csaballoons.com tcp
CA 149.56.43.78:443 csaballoons.com tcp
US 8.8.8.8:53 krishnabrawijaya.com udp
US 8.8.8.8:53 tatyanakopieva.ru udp
RU 77.222.40.195:443 tatyanakopieva.ru tcp
RU 77.222.40.195:443 tatyanakopieva.ru tcp
US 8.8.8.8:53 silkeight.com udp
RO 188.213.19.166:443 silkeight.com tcp
RO 188.213.19.166:443 silkeight.com tcp
US 8.8.8.8:53 publicompserver.de udp
DE 195.3.195.201:443 publicompserver.de tcp
DE 195.3.195.201:443 publicompserver.de tcp
US 8.8.8.8:53 letsstopsmoking.co.uk udp
GB 62.182.18.149:443 letsstopsmoking.co.uk tcp
GB 62.182.18.149:443 letsstopsmoking.co.uk tcp
US 8.8.8.8:53 anleggsregisteret.no udp
NO 185.157.56.11:443 anleggsregisteret.no tcp
NO 185.157.56.11:443 anleggsregisteret.no tcp
US 8.8.8.8:53 arearugcleaningnyc.com udp
US 108.178.17.142:443 arearugcleaningnyc.com tcp
US 108.178.17.142:443 arearugcleaningnyc.com tcp
US 8.8.8.8:53 diverfiestas.com.es udp
FR 176.31.163.21:443 diverfiestas.com.es tcp
US 8.8.8.8:53 lovcase.com udp
US 8.8.8.8:53 alltagsrassismus-entknoten.de udp
DE 91.210.225.23:443 alltagsrassismus-entknoten.de tcp
DE 91.210.225.23:443 alltagsrassismus-entknoten.de tcp
US 8.8.8.8:53 lassocrm.com udp
US 209.87.149.78:443 lassocrm.com tcp
US 209.87.149.78:443 lassocrm.com tcp
US 8.8.8.8:53 boyfriendsgoal.site udp
US 8.8.8.8:53 mbuildinghomes.com udp
US 104.21.96.1:443 mbuildinghomes.com tcp
US 8.8.8.8:53 santastoy.store udp
US 8.8.8.8:53 citiscapes-art.com udp
US 104.21.21.241:443 citiscapes-art.com tcp
US 8.8.8.8:53 unislaw-narty.pl udp
PL 91.185.184.170:443 unislaw-narty.pl tcp
US 8.8.8.8:53 envomask.com udp
US 172.81.116.97:443 envomask.com tcp
US 172.81.116.97:443 envomask.com tcp
US 8.8.8.8:53 patassociation.com udp
FR 109.234.160.199:443 patassociation.com tcp
FR 109.234.160.199:443 patassociation.com tcp
US 8.8.8.8:53 luvbec.com udp
US 172.232.25.148:443 luvbec.com tcp
US 172.232.25.148:443 luvbec.com tcp
US 8.8.8.8:53 keuken-prijs.nl udp
US 8.8.8.8:53 therapybusinessacademy.com udp
DE 217.160.0.95:443 therapybusinessacademy.com tcp
DE 217.160.0.95:443 therapybusinessacademy.com tcp
US 8.8.8.8:53 baikalflot.ru udp
US 8.8.8.8:53 piestar.com udp
US 35.170.173.134:443 piestar.com tcp
US 35.170.173.134:443 piestar.com tcp
US 8.8.8.8:53 diakonie-weitramsdorf-sesslach.de udp
N/A 78.46.133.97:443 tcp
N/A 78.46.133.97:443 tcp
US 8.8.8.8:53 udp
N/A 77.222.40.14:443 tcp
N/A 77.222.40.14:443 tcp

Files

memory/2236-0-0x0000000000ED0000-0x0000000000EFE000-memory.dmp

memory/2236-1-0x0000000000220000-0x000000000022A000-memory.dmp

memory/2236-2-0x0000000000220000-0x000000000022A000-memory.dmp

memory/2236-12-0x00000000002E0000-0x00000000002E6000-memory.dmp

memory/2236-11-0x00000000026E0000-0x00000000027E9000-memory.dmp

memory/2236-10-0x00000000002E0000-0x00000000002E6000-memory.dmp

memory/2236-9-0x0000000000830000-0x000000000084F000-memory.dmp

memory/2236-7-0x0000000000AB0000-0x0000000000B4F000-memory.dmp

memory/2236-4-0x0000000000BB0000-0x0000000000C79000-memory.dmp

memory/2236-6-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2236-5-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2236-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2236-8-0x0000000002300000-0x000000000242D000-memory.dmp

memory/2236-13-0x00000000002E0000-0x00000000002E6000-memory.dmp

memory/2236-15-0x0000000003080000-0x0000000003090000-memory.dmp

memory/2236-16-0x0000000000ED0000-0x0000000000EFE000-memory.dmp

memory/2236-17-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2236-19-0x0000000003080000-0x0000000003090000-memory.dmp

C:\Users\2tq16v09vd-readme.txt

MD5 bd6afb6df434ae38151cfc3adb4f9277
SHA1 671f103eda9f9ab3a757223efc867fde87304c38
SHA256 11d6361c60c0a5d8a2ee314d0ca9b247b45195213e017c367a7d1fb4ebed8e2d
SHA512 be36fa1d27c9f9cd3725becfe35ed8eb635296695d46d01560db6c98fa5dc01aeccda21bf148afd3638104fc8c920d53f8f398b5d2e9c33cf633a1237d075936

C:\Users\Admin\AppData\Local\Temp\Cab4F2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar505.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-15 12:03

Reported

2024-12-15 12:06

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x60i9h.bmp" C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SaveCopy.wma C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\FindLimit.gif C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ResizeRename.clr C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\UnprotectLock.png C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\m52e7d3-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\CompareRestore.xlsm C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SearchReset.nfo C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SkipMeasure.iso C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\UninstallConvertTo.dwg C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ClearResume.wps C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\PingShow.pptx C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\AssertSearch.m4v C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\JoinUndo.wmf C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\UndoSuspend.dib C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files\m52e7d3-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0f5d37c71d62a4d7_memtest.efi.mui_71e15c22 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_8514oeme.fon_dbdae0a9 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_windows-defender-nis-service_31bf3856ad364e35_10.0.19041.1_none_d3e3ad84b24cfdfe_nissrv.exe_f967cd63 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_de-de_6a1d8de098c92d1a.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.964_lt-lt_ce47d201c53c798b.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_es-es_7ca0f0fcf72fec95_wudfplatform.dll.mui_d815d31a C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.19041.1_none_61b242cab8dd7003.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.746_none_e5e33ba764e4ddec_bridgeunattend.exe_60b7e340 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_en-us_2c89c78983615cee_winresume.exe.mui_ff8b5358 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cf0c9a6c765a64f5_winresume.exe.mui_ff8b5358 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..opactivitymoderator_31bf3856ad364e35_10.0.19041.1_none_bfdba9ed0ba30611.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_19b1e21951c366d2_memtest.exe.mui_77b8cbcc C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog-api_31bf3856ad364e35_10.0.19041.1_none_62220fa004a7b8e2.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.19041.1_es-es_52846179d65f136f.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_10.0.19041.1_it-it_57ddbaad8b8daad0.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-userenv_31bf3856ad364e35_10.0.19041.1_none_463177f6eaa0601d.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_de-de_7b16fe6b5fbc6858_userdeviceregistration.ngc.dll.mui_d2c6ca95 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.gdiplus.systemcopy_31bf3856ad364e35_10.0.19041.1288_none_5ba23d0eab3d4017_gdiplus.dll_423f7010 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shacct-profile_31bf3856ad364e35_10.0.19041.1_none_603504816df8a341.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938_kerbclientshared.dll_1fa7b356 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5996a487eb463b99_wmpdui.dll.mui_92411657 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_52d81c9b0be0737d_userdeviceregistration.ngc.dll.mui_d2c6ca95 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_97ded4f562f4e50a_webclnt.dll.mui_e8f04040 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.746_none_89198a92b881b1ac_atl.dll_0c7220db C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_10.0.19041.1202_none_d02feec5930a1e75_crypt32.dll.mun_4268f83d C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-os-kernel-minwin_31bf3856ad364e35_10.0.19041.1_none_edeab141cae009ac.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-mpr_31bf3856ad364e35_10.0.19041.1_none_6e1b81482baf9a17.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_pt-pt_ab6fe027e9d42c19.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_es-es_12d9c0bd87ce2a84.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_it-it_9fb92d0351d22664_comctl32.dll.mui_0da4e682 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_428f67dbffd4ce03_axinstsv.dll.mui_be092a2d C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-raspppoe_31bf3856ad364e35_10.0.19041.1_none_0c2491a439f55f8f_raspppoe.sys_5bc9d88d C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sechost_31bf3856ad364e35_10.0.19041.1_none_3db3ea616c53bd3a.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-windowsuiimmersive_31bf3856ad364e35_10.0.19041.1202_none_a690000a893f966b_windows.ui.immersive.dll.mun_6e49d10e C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directui_31bf3856ad364e35_10.0.19041.1151_none_361ab30ed820622a_windows.ui.xaml.dll_9c9d9ec9 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.19041.789_none_93e6eb93accdac11_msvcp_win.dll_48149df4 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_ar-sa_90a6dad6f86cae6b_msimsg.dll.mui_72e8994f C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_es-es_df71bede6e43d9f6_ws2ifsl.sys.mui_b672c7b4 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.19041.1_none_a6e297e0a15a1f88_sxsoaps.dll_7db29e61 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_en-us_2407d4644e9a741d.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-lsatrustlet_31bf3856ad364e35_10.0.19041.1_none_9a8a77811e17322b.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..nalservices-runtime_31bf3856ad364e35_10.0.19041.1_none_92d0fce86b5e6c76.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-basedependencies_31bf3856ad364e35_10.0.19041.1_none_c2e7a999fc8db0b6.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_66a210ec64140be1_lsasrv.dll.mui_d47f7e1c C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.19041.1052_none_a74b8f64d78e3b2f_power.energyestimationengine.standbyactivation.ppkg_21aafe77 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.19041.1202_none_9bc2a53d69ca6835.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_bg-bg_72e4e16994b25d0f_comctl32.dll.mui_0da4e682 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_10.0.19041.1_none_16e124ab890bcfd5.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_hr-hr_fbcd913e5fc2ae9a.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.1_it-it_84eb9b0a52fd6f78_clipsvc.dll.mui_18823613 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_vga950.fon_09ed4d3d C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_8ab89bbe670645a7_wmiapsrv.exe.mui_b1567840 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_e1c7c5c5782839e2_ncprov.dll.mui_40240de1 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..on-authui-component_31bf3856ad364e35_10.0.19041.1_none_92c85869af354084.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..on-authui-component_31bf3856ad364e35_10.0.19041.906_none_bafbd92e6e868958_authui.dll_05ff9fd2 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directmanipulation_31bf3856ad364e35_10.0.19041.1202_none_c1dc44cb56c475d7_directmanipulation.dll_07c179b4 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.19041.1202_none_26ae8647562ae5ff.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-windowsuiimmersive_31bf3856ad364e35_10.0.19041.264_none_1a061e55674b5901.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_493b5718242b0bd3_umpo.dll.mui_cac12e54 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1_none_ef1691668a233417.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-drvinst_31bf3856ad364e35_10.0.19041.1_none_0b4eeb140948562c.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5b5a0fc040a75c4e_winload.efi.mui_35ee487d C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_lv-lv_9c193dc75ecc0b4e_msimsg.dll.mui_72e8994f C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe

"C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

Network


Files

memory/1116-0-0x00000000009D0000-0x00000000009FE000-memory.dmp

memory/1116-1-0x00000000009D0000-0x00000000009FE000-memory.dmp

C:\Users\m52e7d3-readme.txt

MD5 fc0638e6838ef88eb95371e3225bcda9
SHA1 d1886282b9ac5525a0c2a2213157381a7b90ea0d
SHA256 017f84beedc2e0cef63c96714cb0dac1b8d9a498bcc760b9ce504c3472dc6163
SHA512 396aba06a91b698f24fd2e1e74e07ab1610306e049eaad1d0986fb7ba8cf5053174138f288d1a39487174bf16aa3732f1ec8cdb088fab790581f31c3f1d9dc97