{
	"id": "b07caef8-34d2-4c1b-996e-ef4174344b47",
	"created_at": "2026-04-06T00:13:38.066616Z",
	"updated_at": "2026-04-10T03:36:36.705467Z",
	"deleted_at": null,
	"sha1_hash": "195a8cef3adb01908fd241400b10d24bf0cfa745",
	"title": "Eager Beaver: A Short Overview of the Restless Threat Actor TA505",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60065,
	"plain_text": "Eager Beaver: A Short Overview of the Restless Threat Actor\r\nTA505\r\nBy Deutsche Telekom AG\r\nPublished: 2020-10-06 · Archived: 2026-04-02 11:40:22 UTC\r\nTA505 is a very active – almost tireless - threat actor that prepares one campaign after another from Monday to\r\nFriday. They target organizations across industries / government in many countries around the world including\r\nCanada, Germany, South Korea, the UK, and the USA. A severe threat to a great number of organizations: on one\r\nside, they conduct Big Game Hunting operations, that is encrypting large parts of a corporate network to extort\r\nhigh ransom payouts. On the other side, they likely work on initial access development and hand over network\r\naccess to associated threat actors. \r\nRestless? TA505 prepares one campaign after another from Monday to Friday.\r\nIn my previous blog posts, I wrote about their tools and about their recent activity phase that started in June 2020.\r\nIn this blog post, I will summarize what I know about TA505 as of September 2020, leaving the past aside. I will\r\nanswer questions that we are frequently asked by customers and by the cyber security community in general.\r\nFinally, I will give recommendations to proactively fight them and share two generic ways to detect TA505\r\nintrusions in your network.\r\nOur Incident Response Service at Deutsche Telekom Security GmbH can quickly investigate and remediate\r\nongoing TA505 intrusions. Please contact security-info@t-systems.com for more information.\r\nWhat is TA505?\r\nTA505 is a very active threat actor whose history reaches back at least until 2014. It is believed that this threat\r\nactor resides in Eastern Europe (likely Russian-speaking country). It is natural that the objectives of threat actors\r\nchange over time. 
In this blog post, I will give an overview of its recent history starting in late summer 2019,\r\nleaving the past aside.\r\nTA505’s activity pattern follows a classic workweek from Monday until Friday. Like clockwork, they prepare\r\none daily campaign after another, hardly leaving one- or two-day gaps. They are one of the busiest but also loudest\r\n– due to their high spam volume – cybercrime gangs as of 2020. They primarily target enterprises across all\r\nindustries. But there are also reported cases of victims in government agencies.\r\nAs of September 2020, I believe they primarily engage in two different activities. First, TA505 likely works on\r\ninitial access development for other threat actors. The current consensus among analysts is that they gain access to\r\ncorporate networks and conduct the initial reconnaissance of these networks, likely including a first estimation of the\r\ntarget value. Afterwards, they sell the access to these networks on the underground. Finally, they hand over the\r\nnetwork access to a second threat actor, which continues to operate in these networks. Second, TA505 likely\r\nengages in Big Game Hunting operations: they exfiltrate corporate secrets, deploy the CL0P ransomware, demand\r\nhttps://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546\r\nPage 1 of 6\n\nransom, and threaten to publish said corporate secrets if the ransom is not paid. Even though it is likely that\r\nTA505 only works on access development, there are several indications that TA505 (or a subset of it) runs the\r\nCL0P ransomware operations, e.g. they share the same custom packer.\r\nWhy are they so dangerous?\r\nTA505 seems to work on initial access development. They hand over the access to the networks that they\r\ncompromise to further threat actors. Therefore, you never know who is really compromising a network. Little is\r\npublicly known about TA505’s clients. 
We should keep in mind that many organizations are rather tight-lipped\r\nabout intrusions, and we must expect that there are more than the publicly documented threat actors that follow an\r\ninitial TA505 intrusion.\r\nTwo intrusion sets have been repeatedly and publicly linked to TA505 over the last months. First, the threat actor\r\noperating the CL0P ransomware. This threat actor engages in Big Game Hunting operations. On the one side, they\r\nencrypt large parts of a corporate network in order to extort ransom. On the other side, they exfiltrate corporate\r\nsecrets. Subsequently, they threaten victims with publishing these secrets on their leak portal, which they run on the\r\ndarknet.\r\nCL0P^-LEAKS website announcing the publication of files and customer data of several victims.\r\nSecond, another threat actor that is said to cooperate with TA505 is Lazarus / APT38. This nation-state backed\r\nthreat actor conducts espionage as well as bank robbery.\r\nWhile I tend to believe that CL0P is run by TA505 or a subgroup of it, there are opposing voices suggesting the\r\nCL0P gang is just another customer of theirs. As of September 2020, there are further hypotheses of possible\r\nclients like Silence that are still to be corroborated.\r\nFurthermore, TA505 is dangerous because their spamming volume is high. On heavy campaign days, one\r\norganization alone may receive up to several thousand spam mails. While I do not have any global numbers,\r\ninformal exchanges with other analysts seem to confirm this. Given this sheer number of spam emails, it is likely\r\nthat one employee downloads the malicious document and executes the macro. And this is all this threat actor\r\nneeds: just one infection to get a foothold in an organization. 
Above all, this brings into focus medium-sized enterprises\r\nthat normally would not be the target of such cybercrime: throw enough mud at the wall,\r\nsome of it will stick.\r\nHow does TA505 operate?\r\nTA505 runs campaigns on almost all weekdays. They move very fast and set up the campaign infrastructure just a\r\ncouple of hours before the daily campaign starts. These campaigns may target one or several specific countries\r\n(e.g. German-speaking countries). In this case, they restrict access to their command and control servers by the\r\ngeographical position of the infected client (geofencing). But sometimes they target a broader set of countries in\r\none campaign. A campaign normally does not last longer than one afternoon. I get the feeling that the campaigns\r\nare timed to start after lunch time, when many employees tend to check their emails again. Furthermore, most\r\ncampaign domains and artefacts like malware are created or generated just in time for one campaign. This all\r\nensures a tactical advantage for this threat actor, and it is a reason why, for instance, commercial feeds may lag\r\nbehind.\r\nTA505 utilizes spam as the initial attack vector. Targets receive an email with subjects that are money-themed (e.g.\r\n“billing”, “payroll”, “sales forecast”) or human-resources-related (e.g. “sick note”). The emails often carry a link\r\nthat redirects via a compromised blog website to a sharehoster-themed domain (e.g. onedrives-live[.]com).\r\nSometimes they attach an HTML file to the email instead of the redirection link. The HTML files mimic known\r\nservices (e.g. 
Cloudflare, Mozilla, …) and also redirect via a compromised blog website to a sharehoster-themed\r\ndomain.\r\nExample HTML file mimicking a known service to distribute malicious documents.\r\nAt this sharehoster-themed domain, TA505 serves the target a Microsoft Office Excel worksheet that contains a\r\nmacro. Since TA505 does not utilize any zero-day attacks, they rely on the user to enable the macro in order to\r\ncontinue the infection process. They lure the user into enabling the macro by telling them, for instance, that the\r\ndocument is protected and requires macro execution in order to be fully rendered.\r\nIf the user enables macro execution, the macro drops and executes TA505’s downloader Get2. This simple\r\ndownloader exfiltrates information about the local machine to its command and control server, such as the computer\r\nname, user name, and the list of running processes. Based on this information as well as its geographic location,\r\nthe command and control server decides whether or not the third-stage payload should be served to the target.\r\nThe Get2 command and control server distributes the third stage of the attack: TA505’s RAT (Remote\r\nAdministration Tool) SDBBot. They use this RAT to conduct an initial reconnaissance of the target system. First,\r\nSDBBot automatically sends information to its command and control server, including the computer name,\r\nWindows domain name, the Windows version, and whether the target system utilizes a proxy to connect to the\r\nInternet. Promising targets are then checked by manual operators, likely for a first estimation of the target value.\r\nSDBBot offers many commands to manipulate the file system, download and execute payloads, enable RDP,\r\nand so on.\r\nIn addition to their RAT SDBBot, Get2 frequently downloads the PuTTY SFTP client. For months I have observed the\r\nsame, by now outdated, version 0.73, which is vulnerable to a man-in-the-middle attack (CVE-2020-14002). 
It\r\nis likely that TA505 operators exfiltrate documents from the target system with the help of the PuTTY SFTP client\r\nand not SDBBot. One reason could be that this exfiltration process is more convenient with the PuTTY SFTP client\r\nthan with SDBBot.\r\nThe current understanding of TA505 is that they also work on initial access development. Hence, after the initial\r\nreconnaissance, they hand over the network access to another threat actor. Therefore, the modus operandi from\r\nthis point in time may differ from intrusion to intrusion.\r\nIt is important to understand what is static and what is dynamic during a campaign. Note that a campaign lasts just\r\none day. There are typically four important domains during each campaign. First, a sharehoster-themed domain\r\nthat they utilize to serve malicious documents. Second, a domain for the Get2 command and control server. Third,\r\ntwo domains for the SDBBot command and control server. The first two domains change between each (daily)\r\ncampaign. The latter two SDBBot domains typically change every seven to ten days. Furthermore, there are\r\ndozens of domains of compromised WordPress websites that they utilize for traffic redirection.\r\nMost other artefacts change from campaign to campaign. Some may even change during one campaign. The\r\ntheme of the spam mail and its subject line may change a couple of times during one campaign. The malicious\r\ndocuments that the sharehoster-themed server serves change their hash value as well as their file name\r\nperiodically. I observed changes every couple of seconds. Even though the maldocs and the spam mails may\r\nchange during one day, they still follow a certain pattern. 
For instance, the file name of the maldocs is just\r\nincremented during a campaign: Angebot_09082020_XXX.xls, where XXX stands for a three-digit integer that is\r\nincremented continuously. The payloads Get2 and SDBBot are repacked for each campaign. However, TA505\r\nhas tended to serve the same PuTTY SFTP client for months.\r\nIs there innovation?\r\nWhile the TTPs of their current intrusion set have been stable since late summer 2019, they experiment with new\r\ntechniques every now and then. They rely mostly on the same modus operandi, but they adapt slowly and steadily.\r\nTheir experimentation likely shows them the way to go.\r\nFor instance, at the beginning of September 2020, TA505 modified their malicious documents in order to evade\r\ndetection. Their documents still rely on human interaction; the user must enable macros. But these documents\r\nused to have two PE files embedded (Get2 x86 and x64 versions), which should ring a bell in many heuristics.\r\nThen, at the beginning of September 2020, they embedded these two files as two separate ZIP archives with\r\nobvious filenames like str_join1.dll that the aforementioned macro unpacks and executes. Since mid-September\r\nthere are no obvious signs of PE files or zipped PE files in the malicious documents.\r\nFurthermore, TA505 continues to update the tools on which they have relied for more than a year by now. While\r\nSDBBot’s version was 2.0 in September 2019, it is version 3.11b as of September 2020. For instance, they\r\ncontinue to add new features like certificate pinning. This feature was added in version 3.9 in June 2020.\r\nAt this point in time, the (public) analysis and detection of their tools as well as infrastructure continues. I expect\r\nTA505 to continue their experiments and consequently to innovate while maintaining the high velocity of their\r\ncampaigns, which is the key to their success. 
I would say that we are not yet ready to see a complete retooling\r\nwithin the next couple of months.\r\nWhat can your organization do about them?\r\nThere are several proactive and reactive steps that you can take to prevent significant damage to your\r\norganization.\r\nFirst, you have to keep the gateway closed, and your best defense here is security-aware employees. Explain the\r\ntypical attack chains via email that other threat actors like the Emotet gang also follow. Especially, explain the\r\nproblem with macros in documents coming from an external source. If possible, disable macros globally in\r\nyour organization. Unfortunately, there are groups of employees that have to deal with many documents from\r\nexternal sources every day.\r\nSecond, block SDBBot domains at your perimeter network. As simple as it sounds, this ensures that there will not\r\nbe any manual reconnaissance and further downloads of payloads (e.g. CobaltStrike). This should prevent a full\r\ncompromise of your network, though you will have infected machines that require a cleanup.\r\nThird, act quickly on detected TA505 intrusions since it may be a matter of hours or days until a full compromise\r\nof your infrastructure. Keep in mind that TA505 likely acts as a door opener and that you may have further threat\r\nactors in your network. Each of them may have further backdoors installed (e.g. CobaltStrike, TinyMet, etc.) that\r\nrequire special treatment.\r\nHow can you detect a TA505 intrusion in your organization?\r\nThere are two ways to generically detect a possible TA505 intrusion. Generic detection means that it does not\r\nmatter from which campaign the intrusion originated. The first way is host-based, and you have to check it on your\r\nnetwork clients. 
The second way is network-based, and you can check it in your SIEM or in your proxy logs.\r\nFirst, you can check for the presence of the PuTTY SFTP client in version 0.73. TA505 distributes this version in close to\r\nall daily campaigns. Get2 drops the PuTTY SFTP client in the %APPDATA% directory. Hence, a recursive search on\r\na supposedly infected network client for the MD5 hash bc59fa5dbb11f5d286fc41e8f25c6cc0 could reveal a\r\npossible TA505 intrusion. While this does not replace a full forensic investigation, it can help you to quickly\r\nnarrow down the clients where a possible TA505 intrusion may have started, if you get a match.\r\nSecond, SDBBot conducts a check of its geographic position on each start. It utilizes a third-party service for it: IP\r\nGeolocation API. It sends an HTTP GET request to the URL http://ip-api.com/json using the hard-coded user agent\r\n“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/60.0.3112.113 Safari/537.36”. If you detect such requests by a local network client, for instance, at your\r\nproxy, then this might be a good sign of a live SDBBot infection. Consequently, you should start a forensic\r\ninvestigation on this client. 
\r\nHard-coded user agent string that SDBBot utilizes when contacting IP Geolocation API.\r\nAppendix: IoCs\r\nIoC Description\r\n98d01979e1020baa9a8e6af2c14da0da maldoc (embedded PE files, visible)\r\n077f697d9c6eb89baf98ecdd479e9c02 maldoc (embedded PE files in ZIP archives, visible)\r\nbb0ae6a1edcdfe74efe5bf275deaf943 maldoc (invisible PE files)\r\n2a343a9c588ab2478d64457873b12d54 test maldoc (without macro)\r\nac43b411b9bd455a8cde89face9ea9b9 Get2 x86\r\n9cab3a1e56303949b7b54897d84c77fe Get2 x64\r\nb27b040dec41bb9cb1df456a7949ee5b SDBBot x86 installer (version 3.11b)\r\n7732577a4db34389a7cc93b08bdba714 SDBBot x86 installer (version 3.11b)\r\nbc59fa5dbb11f5d286fc41e8f25c6cc0 PuTTY SFTP client (version 0.73)\r\nnews-37876-mshome[.]com SDBBot domain (since 2020-09-11)\r\nnews-389767-mshome[.]com SDBBot domain (since 2020-09-11)\r\nSource: https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546"
	],
	"report_names": [
		"eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434418,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/195a8cef3adb01908fd241400b10d24bf0cfa745.pdf",
		"text": "https://archive.orkl.eu/195a8cef3adb01908fd241400b10d24bf0cfa745.txt",
		"img": "https://archive.orkl.eu/195a8cef3adb01908fd241400b10d24bf0cfa745.jpg"
	}
}