{
	"id": "104dc114-57ec-4bad-bf31-718e888b7417",
	"created_at": "2026-04-10T03:21:35.669093Z",
	"updated_at": "2026-04-10T03:22:18.160093Z",
	"deleted_at": null,
	"sha1_hash": "2db4ea110469ef23b8f48ef14d3fa27dfa8a3c70",
	"title": "Secrets of commercial RATs! NanoCore dissected",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2686937,
	"plain_text": "Secrets of commercial RATs! NanoCore dissected\r\nBy Shayan Ahmed Khan\r\nPublished: 2024-04-20 · Archived: 2026-04-10 02:45:08 UTC\r\n14 min read\r\nSep 21, 2023\r\nThis article includes the technical analysis of a commercial RAT which is easily available on black market for\r\ncheap price. NanoCore is a famous Remote Access Trojan malicious software that has its own client builder and\r\nmultiple delivery methods. In this article, I will not focus on the initial delivery method which could be a\r\nmalicious attachment or spear phishing. I will dive directly into the first stage malware sample.\r\nSHA256 Hash: 1605F0E74C7088B8A2CA7190B71C83F8DC0381E57D817DF3530BDA4AC5737511\r\nBuild: x86 and dotnet (multiple stages)\r\nCategory: RAT (Remote Access Trojan)\r\nFamily: NanoCore\r\nVersion: 1.2.20\r\nCheck out my Github Repo for Malware Analysis Series!!!\r\nAnalysis Environment:\r\nI use FlareVM as my base VM for malware analysis and detonation. I use REMnux Box Ubuntu machine as DNS\r\nserver and network simulator for the FlareVM.\r\n1. https://github.com/mandiant/flare-vm\r\n2. https://docs.remnux.org/install-distro/get-virtual-appliance\r\nTools:\r\nIDA Freeware\r\nDnspy\r\nInetsim\r\nProcess hacker\r\nProcmon\r\nTcpView\r\nWireshark\r\nHxD editor\r\nCff-Explorer\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 1 of 17\n\nResourceHacker\r\nNetcat\r\nDIE\r\nDe4Dot\r\nFloss\r\nPE Studio\r\nExeInfoPE\r\nSTAGE 1:\r\nGeneric methodology that i follow for malware analysis is:\r\n1. Basic Static Analysis\r\n2. Basic Dynamic Analysis (initial detonation)\r\n3. Advanced Static and Dynamic Analysis (TTP extraction)\r\nBasic static analysis involves looking at interesting strings and API calls. I use floss utility for string extraction\r\nprocess. It can also decode unicode strings and extract stack based strings which is helpful in some cases. For\r\nlooking at interesting API calls, I use PE Studio as it also provides red flags to potential malicious APIs.\r\nInteresting strings \u0026 APIs:\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\r\nCreateProcessA, ShellExecuteA, RegSetValueExA, RegCreateKeyExA\r\nThe strings show that malware might be achieving persistence using Registry Run Keys technique as it is also\r\ncreating and setting registry keys using the APIs RegCreateKeyExA, RegSetValueExA. It is also executing\r\nsomething, maybe a next stage payload? using the APIs of CreateProcessA or ShellExecuteA.\r\nInitial Detonation:\r\nIn the basic dynamic analysis, i detonate the malware in presence of Procmon for host- based indicators and\r\nWireshark for network-based indicators. The prcomon is setup in the detonation FlareVM and the wireshark is\r\nsetup at REMnux box which is simulating the network traffic using inetsim.\r\nNetwork Indicators:\r\n1. Contacting malicious domain: stonecold.ddns.net\r\n2. Multiple TCP packets sent after DNS query.\r\n3. Creating socket connection on specified port: 2502\r\nIt looks like stage1 malware is extracting 3 files from its resources. The second stage malware is then executed\r\nwith the file passed as parameter. I have checked the process tree of malware and it shows that the original sample\r\nextracted the 2nd stage malware files in %temp% and executed it as shown in the picture below:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 2 of 17\n\nSTAGE 2:\r\nThe second stage malware is cckgcf.exe which makes use of encrypted files cmdkuqqy and\r\nka9zcqw3l6l48a1uuba for further malware execution. From the process tree above, it is visible that second stage\r\nsample (cckgcf.exe) launches another process of itself. This is common behavior in malware which employs\r\ndefense evasion techniques to deobfuscated/decrypt payloads at run-time.\r\nThe indicators for stage2 malware are as follow:\r\n1. Starts itself as child process\r\n2. Keeps sending SYN packets to the remote C2 server on port 2502\r\n3. Creates a dat file (run.dat) in %Appdata% folder\r\n4. Creates persistence of itself by using Registry Run keys procedure.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 3 of 17\n\nNetwork indicators stage2\r\nPress enter or click to view image in full size\r\nHost indicators stage2\r\nAdvanced Static Analysis:\r\nI use advanced static analysis by looking at the assembly of malware in IDA freeware. From the initial analysis, it\r\nlooks like the stage2 malware accepts a cmdline argument for execution. If the argument is passed, then it process\r\nfurther, else it exits.\r\nIDA freeware stage2 malware analysis\r\nAll the API calls in stage2 malware are resolved dynamically, so static analysis doesn’t help here. Therefore, i’ve\r\nstarted advance dynamic analysis. I use IDA local debugger for advance dynamic analysis.\r\nAdvanced Dynamic Analysis:\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 4 of 17\n\nAdvanced dynamic analysis revealed that, there are multiple modules that are loaded into the stage2 malware\r\nwhich are not added by default. The libraries like shlwapi.dll and wininet.dll are included at run-time. The API\r\ncalls are all obfuscated and resolved at run-time to avoid detection by anti-malware systems. The combination of\r\nLoadLibraryA and GetProcAddress is used to achieve dynamic API resolution.\r\nI resolved the API calls while debugging malware and located the shellcode that is being decrypted and then\r\ninjected into the process space of malware itself. The shellcode is another portable executable binary bytes that\r\nare executed in a separate thread. The starting bytes of 4D 5A (MZ) are the identifier of a portable executable\r\nwhich is shown in the screenshot below:\r\nThe process injection technique that is being used is called process hollowing, in which a process is started in a\r\nsuspended state which in this case is malware itself. Then a memory is allocated in the suspended process and\r\nshellcode is written into that memory. Finally the address of image base is changed to the starting address of\r\nshellcode and process is resumed from suspended state. Now it will start it’s execution from the injected\r\nshellcode.\r\nTo verify memory related modification, I use process hacker which is an excellent resource to monitor the\r\nprocesses. Injected bytes could be found easily by looking at the memory protections of running process. For\r\ninjection, a memory protection with permission of all READ, WRITE and EXECUTE are required, therefore i\r\nlook for RWX memory protections which shows the injected memory bytes in a process. In the screenshot, the\r\ninjected bytes are shown which are equal to the ones that i have debugged using IDA.\r\nOne cool feature of process hacker is that we can directly dump shellcode from the memory to a file and since in\r\nthis case, the shellcode is a whole portable executable and not a position independent shellcode therefore, i could\r\nanalyze it separately as a next stage3 malware.\r\nAnother indicator of stage2 malware is that is persists itself by registry keys. The stage2 malware creates\r\npersistence by adding a registry key value to a binary named: ratotpvvsmo.exe in the %Appdata% folder called\r\ngswccl.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 5 of 17\n\nPersistence stage2\r\nSTAGE 3:\r\nStage3 malware that was Portable executable shellcode injected into the process space of stage2 malware is\r\nanother resource extractor stage. It just repeats the cycle, extract and decode shellcode bytes from its resources\r\nand injects in itself again. This process just adds another layer of defense evasion technique.\r\nPress enter or click to view image in full size\r\nResource extraction stage3\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 6 of 17\n\nI located the shellcode again while debugging and extracting it out using process hacker.\r\nTo locate the shellcode in the memory, I analyzed the registers and found the handle to the shellcode\r\nmemory\r\nFrom then on, I only had to find the length of shellcode to copy from hex\r\nI used the value returned by API SizeofResource to calculate the size of shellcode as shown in the register\r\neax which is 32A00\r\nNext part is simple, I just added the value to the address space where the shellcode is starting\r\nI dumped the shellcode from IDA freeware hex view in a binary file. It is another portable executable which could\r\nbe labelled as stage4 or final stage malware.\r\nHowever, extracting shellcode from resources using IDA freeware sometimes causes unknown problems, like the\r\nconfigurations are not being decrypted into the final stage payload. So i used, Resource hacker tool to dump the\r\nlast stage malware and started analyzing it.\r\nSTAGE 4: NanoCore v1.2.2.0\r\nFinal stage malware is a dotNet build binary. It is a NanoCore Client binary of version v1.2.2.0 which is highly\r\nobfuscated. I used ExeInfoPE to identify the obfuscation. Eazfuscator has been used to obfuscate the final stage\r\ndotent malware. Luckily there are open-source deobfuscators available for this type of obfuscation.\r\nSimilar to all RATs, NanoCore extracts its configuration file and adjust its settings to the specified configuration.\r\nIt extracts the configurations and extra malware plugins from the resources. The resource is encrypted for defense\r\nevasion purposes.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 7 of 17\n\nMalicious resource extraction\r\nIt reads first 4 bytes of this encrypted resource and gets size of decryption key in those 4 bytes from the encrypted\r\nresource. It also creates a GUID of the executing malicious PE binary and initiates a decryption routine to\r\ndecrypt the key that is used to encrypt rest of the resource.\r\nFor example, the first 4 bytes are 10 00 00 00 (0x00000010), which in decimal means the value is 16 and that\r\nmeans the encrypted key is next 16 bytes in the encrypted resource. The parameters that are passed to decryption\r\nroutine are:\r\n16 bytes encrypted key\r\nGUID of itself\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 8 of 17\n\nStage4 decryption routine\r\nThe HxD editor is displayed for easy understanding of how this decryption routine works. In the screenshot above,\r\nit is shown that first 4 bytes provides the length of encrypted key bytes that are highlighted. Those key bytes are\r\ndecrypted using Rijndael decyptor and the key for decrypting these bytes is the GUID of malware stage4 binary.\r\nGet Shayan Ahmed Khan’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nNext we get the 8 byte decrypted key for DES encryptor, which is the key used to decrypt rest of the resource.\r\nSo the malware uses GUID of itself to decrypt the first 16 bytes (with rijndael) and use the decrypted 8 bytes as\r\nkey and salt for DES encryption algorithm to decrypt rest of resource. As shown in the screenshot below: it will\r\ninitiate encryptor and decryptor of DES using the decrypted bytes from the resource file.\r\nIt continues by reading the next 4 bytes and again take it as a parameter of length for reading next number of bytes\r\nfor DES decryption routine. Next 4 bytes are 15D08 which is equivalent to 89352 number of bytes. Means it is\r\nthen reading to the end of encrypted resource file.\r\nFinally we get the decrypted config file for NanoCore RAT. All the configuration setting are provided below:\r\nThere are two dlls that have also been decrypted, that are:\r\nClientPlugin\r\nSurveillanceExClientPlugin\r\nDecrypted resource is divided into two arrays:\r\n1st array holds the decrypted binaries (dlls)\r\n2nd array holds the configuration settings\r\nConfiguration settings:\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 9 of 17\n\nBuildTime: {3/23/2022 12:26:29 AM}\r\nVersion: {1.2.2.0}\r\nMutex: {639f1c3f-4bc5–44fa-9234–8471b84f363c}\r\nDefaultGroup: EDGE\r\nPrimaryConnectionHost: stonecold.ddns.net\r\nBackupConnectionHost: stonecold.ddns.net\r\nConnectionPort: 0x09C6\r\nRunOnStartup: false\r\nRequestElevation: false\r\nBypassUserAccountControl: false\r\nClearZoneIdentifier: true\r\nClearAccessControl: false\r\nSetCriticalProcess: false\r\nPreventSystemSleep: true\r\nActivateAwayMode: false\r\nEnableDebugMode: false\r\nRunDelay: 0x00000000\r\nConnectionDelay: 0x00000FA0\r\nRestartDelay:0x00001388\r\nTimeoutInterval: 0x00001388\r\nKeepAliveTimeout: 0x00007530\r\nMutexTimeout: 0x00001388\r\nLanTimeout: 0x000009C4\r\nWanTimeout: 0x00001F40\r\nBufferSize: 0x0000FFFF\r\nMaxPacketSize: 0x00A00000\r\nGCThreshold: 0x00A00000\r\nUseCustomDnsServer: true\r\nPrimaryDnsServer: 8.8.8.8\r\nBackupDnsServer: 8.8.4.4\r\nThe malware adjust its settings based on the configuration file above and then performs a series of steps as\r\nprovided in RAT configuration. It then moves on to create mutex, queries the machine GUID from registries and\r\ncreate a folder in %appdata% with machine GUID value. This folder is the main working directory of malware.\r\nOne of the indicators that i found above, which is the creation of a “run.dat” file in the system is achieved in the\r\nnext method. It gets current DateTime and save those values as bytes in Run.dat file. This might be used as an\r\nindicator for when the infection started in the particular system. Also i am assuming the value of run.dat is being\r\nsent as heartbeat packet to the c2 server.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 10 of 17\n\nIndicator of NanoCore\r\nMalware is totally dynamic. It sets up most of the strings at run-time for the malicious files. It combines different\r\nstrings dynamically to avoid detection. The malware has pre-defined values in its structures based on the LOL\r\nbins (living of the land binaries) names and paths. It combines these values at run-time and sets up its malicious\r\nfiles and processes masquerading as windows native binaries.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 11 of 17\n\nLOL bins masquerading\r\nIn the screenshot above, it is visible that the malware picked DNS Monitor and dnsmon.exe from the structures\r\nthat are available. Next time it could pick NTFS Manager and ntfsmgr.exe as the next target.\r\nIn this sample, the RAT doesn’t have everything enabled in its configuration. Therefore, it skips most of the really\r\ncritical steps:\r\nRunOnStartup: false\r\nRequestElevation: false\r\nBypassUserAccountControl: false\r\nClearZoneIdentifier: true\r\nClearAccessControl: false\r\nSetCriticalProcess: false\r\nPreventSystemSleep: true\r\nActivateAwayMode: false\r\nEnableDebugMode: false\r\nAll of the above mentioned steps are being skipped as I further debug the malware. I later patched the malware to\r\nexecute these steps as well for TTP extraction process, which i will discuss later on.\r\nI debugged the code further. There were so many dynamic changes, like setting variable values, setting the\r\nplugins, setting Client Connection values, The connection IPs, the timeout values and much more. Finally it was\r\nable to configure all settings and resolve the C2 server. The Domain name and the port number are being resolved\r\nto create the connection. Port number is 2502 and C2 server is stonecold.ddns.net.\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 12 of 17\n\nPress enter or click to view image in full size\r\nResolving c2 server\r\nCreates and establishes asyn sockets for the connection. Since all the code is dynamic therefore the values are\r\nbeing received from different methods. Then it forwards the program to asynchronously send heartbeat messages\r\nto the c2 server again and again until the connection is created. The c2 server is down, therefore the malware\r\ndoesn’t move forward with its execution.\r\nUsing the internet simulator, we can fool the malware by showing c2 server as live, but it has some sort of\r\nauthentication mechanism in place and waits for sever response to create socket. I used netcat to listen on the\r\nspecified port and it keeps sending heartbeat packets as shown:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 13 of 17\n\nAsync sockets\r\nPress enter or click to view image in full size\r\nNetcat listening on malicious port\r\nSo C2 server is basically a DuckDNS domain. Duck DNS is a free Dynamic DNS service that associates domain\r\nnames with changing IP addresses, primarily used for legitimate purposes like remote access to devices. However,\r\nmalicious actors can exploit it for command and control (C2) in malware. They do this to hide the C2 server’s\r\nlocation, maintain anonymity, evade detection, and quickly adapt to takedowns.\r\nTTP Extraction\r\nMy work is related to TTP extraction and recreation process after the initial analysis. The project that i am\r\nworking on is Breach and attack simulation and my job is to enrich its threat library with latest malware recreated\r\nin a safe exploitation manner for security testing.\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 14 of 17\n\nFrom NanoCore i have identified these TTPs in my initial analysis:\r\n1. Defense Evasion: Obfuscated Files or Information: Embedded Payloads\r\n2. Defense Evasion: Obfuscated Files or Information: Dynamic API Resolution\r\n3. Defense Evasion: Process Injection: Process Hollowing\r\n4. Persistence: Boot or Logon Autostart Execution: Registry Run keys/startup folder\r\n5. Defense Evasion: Hide Artifacts: Resource Forking\r\n6. Defense Evasion: Subvert Trust Controls: Mark-of-the-web Bypass\r\n7. Privilege Escalation: Scheduled Task/Job: Scheduled Task\r\n8. Defense Evasion: Files and Directory Permissions Modifications: Windows File and Directory Permissions\r\nModifications\r\n9. Defense Evasion: Masquerading: Masquerade Task or Service\r\n10. Defense Evasion: Hide Artifacts: Hidden Window\r\n11. Command and Control: Non-Application Layer Protocol\r\n12. Collection: Input Capture: Keylogging\r\n13. Collection: Clipboard Data\r\n14. Collection: Automated Collection\r\n15. Exfiltration: Exfiltration over C2 channel\r\nNanoCore SurveillanceExClientPlugin\r\nAnother dynamic link library that has been decrypted from the resources and being used for spying on victim is\r\ncalled the SurveillanceExClientPlugin. I dumped this module separately for static analysis and found very\r\nexciting and organized malicious code used for spying and logging user’s activity.\r\nThe SurveillaneExClientPlugin does following:\r\nExtracts further resources: Lzma and TLD, first one is a custom Lzma compression plugin and the other\r\none is Undefined\r\nProcess Hollowing: There is a whole section of process hollowing code inside surveillance plugin\r\nKeylogging: Organized code for recording all types of data, including keys, clipboards, dns records etc\r\nC\u0026C: Executes basic commands like enabling/disabling keylogging, application logging, dnslogging, get\r\nlogs, delete logs, export or view logs.\r\nExfiltration: Recorded logs are exfiltrated over to different hosts defined by malware dynamically\r\nI have recreated most of the keylogging code used by NanoCore. It is registering a RAW input device and receives\r\nRAW input data, then maps those RAW inputs to unicode characters and logs it in a .dat file. A chunk of the\r\nsimplified code is provided below:\r\nprivate void HandleRawInput(IntPtr hRawInput)\r\n {\r\n RAWINPUT input = new RAWINPUT();\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 15 of 17\n\nuint size = (uint)Marshal.SizeOf(typeof(RAWINPUT));\r\n if (GetRawInputData(hRawInput, RID_INPUT, IntPtr.Zero, ref size, (uint)Marshal.SizeOf(typeof\r\n {\r\n IntPtr buffer = Marshal.AllocHGlobal((int)size);\r\n if (GetRawInputData(hRawInput, RID_INPUT, buffer, ref size, (uint)Marshal.SizeOf(typeof(R\r\n {\r\n input = (RAWINPUT)Marshal.PtrToStructure(buffer, typeof(RAWINPUT));\r\n if (input.header.dwType == INPUT_KEYBOARD \u0026\u0026 (input.keyboard.Flags \u0026 1) == 0)\r\n {\r\n LogKey(input.keyboard.VKey);\r\n }\r\n }\r\n Marshal.FreeHGlobal(buffer);\r\n }\r\n }\r\nSimilarly for logging clipboard data I have defined a different method:\r\nprivate void HandleClipboardChange()\r\n {\r\n try\r\n {\r\n if (Clipboard.ContainsText())\r\n {\r\n string text = Clipboard.GetText();\r\n if (text.Length \u003e 128000)\r\n {\r\n text = text.Substring(0, 128000);\r\n }\r\n Log_clipboard(text);\r\n }\r\n }\r\n catch (Exception ex)\r\n {\r\n \r\n }\r\n }\r\nSimilarly, the DNS records are being logged by using the API of DNSGetCacheDataTable. I’ve created multiple\r\ntest cases for each TTP listed above. However, for security purposes and to avoid the abuse of my code, i will not\r\npost it publicly.\r\nIn conclusion, the detailed analysis of the NanoCore Remote Access Trojan (RAT) underscores the evolving\r\nsophistication of malicious tools in the digital landscape. NanoCore RAT’s multifaceted capabilities, including\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 16 of 17\n\nremote control, keylogging, file manipulation, and data exfiltration, make it a potent threat to both individuals and\r\norganizations. However, traditional signature-based detection methods often fall short in identifying such\r\npolymorphic malware due to its ability to quickly morph and evade detection.\r\nThis analysis emphasizes the urgent need for behavioral detection mechanisms in modern cybersecurity strategies.\r\nBehavioral detection, powered by machine learning and artificial intelligence, focuses on identifying patterns of\r\nbehavior rather than relying solely on known signatures. This approach enables security systems to adapt and\r\nrecognize novel threats like NanoCore RAT, even as they evolve to avoid traditional defenses. By continually\r\nmonitoring and analyzing system behavior, security solutions equipped with behavioral detection can provide a\r\nproactive defense, offering a crucial layer of protection against emerging threats that traditional methods may\r\nmiss. As cyber adversaries continue to innovate, embracing behavioral detection becomes imperative to stay one\r\nstep ahead and safeguard digital assets effectively.\r\nSource: https://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nhttps://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3\r\nPage 17 of 17",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3"
	],
	"report_names": [
		"secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3"
	],
	"threat_actors": [],
	"ts_created_at": 1775791295,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2db4ea110469ef23b8f48ef14d3fa27dfa8a3c70.pdf",
		"text": "https://archive.orkl.eu/2db4ea110469ef23b8f48ef14d3fa27dfa8a3c70.txt",
		"img": "https://archive.orkl.eu/2db4ea110469ef23b8f48ef14d3fa27dfa8a3c70.jpg"
	}
}