{
	"id": "1ac5d61d-55d6-4c29-bfc5-d9d78787e624",
	"created_at": "2026-04-06T00:13:31.917454Z",
	"updated_at": "2026-04-10T13:12:07.356985Z",
	"deleted_at": null,
	"sha1_hash": "33d1985ac27ddaf96f910b506d2b7e6090432430",
	"title": "New Updates to ValleyRAT | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 400639,
	"plain_text": "New Updates to ValleyRAT | ThreatLabz\r\nBy Muhammed Irfan V A, Manisha Ramcharan Prajapati\r\nPublished: 2024-06-10 · Archived: 2026-04-05 14:07:49 UTC\r\nTechnical Analysis     \r\nThe campaign we analyzed delivers ValleyRAT as the payload in the final stage. The figure below illustrates the attack chain\r\nfor this particular campaign.\r\nFigure 1: Attack chain for the campaign, where ValleyRAT is delivered as the payload in the final stage.\r\nFirst stage \r\nDownloader\r\nValleyRAT uses an initial stage downloader that proceeds to retrieve five files from an HFS server (that is also used later for\r\nC2 communications), as shown in the figure below.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nPage 1 of 12\n\nFigure 2: HFS server hosting second stage files for ValleyRAT.\r\nThe downloader first checks for the presence of the file NTUSER.DXM . If the file is not found, the malware downloads it from\r\nthe web and saves it to disk using the following APIs: \r\nURLOpenBlockingStreamW - Utilized to download the files as an IStream.\r\nSHCreateStreamOnFileEx - Used to create a file and write the downloaded IStream into it. \r\nThe downloaded file, NTUSER.DXM , is then decrypted using a combination of XOR decryption and RC4 decryption. The\r\nXOR key [9F 4B 27 D3 51 8E CD 2A BF 3C A1 56 E4 78 9A 3D] and RC4 key [21 72 53 14 85 96 A7 B8 C9 DA EB FC\r\n0D 1E 2F 30] are loaded as stack strings.\r\nThe code sample below shows the decryption algorithm replicated in Python.\r\nfrom Crypto.Cipher import ARC4\r\ndef xor_decrypt(ciphertext, xor_key, key_length):\r\n decrypted = bytearray()\r\n for i, byte in enumerate(ciphertext):\r\n decrypted.append(byte ^ xor_key[i % key_length])\r\n return bytes(decrypted)\r\ndef rc4_decrypt(ciphertext, rc4_key):\r\n cipher = ARC4.new(rc4_key)\r\n decrypted = cipher.decrypt(ciphertext)\r\n return decrypted\r\ndef decrypt_file(filename, xor_key, xor_key_length, rc4_key):\r\n with open(filename, 'rb') as file:\r\n ciphertext = file.read()\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nPage 2 of 12\n\nxor_decrypted = xor_decrypt(ciphertext, xor_key, xor_key_length)\r\n decrypted_payload = rc4_decrypt(xor_decrypted, rc4_key)\r\n with open(\"second_stage_sample.bin\", 'ab') as write_file:\r\n write_file.write(decrypted_payload)\r\n print(\"[+] Second stage successfully written to disk as second_stage_sample.bin\")\r\nThe file decrypted using the algorithm above is a DLL. Once the DLL is decrypted, the malware invokes the export function\r\n_MainLogic@0 from within the DLL file.\r\nThe decrypted DLL first checks for the existence of the path C:\\Program Files\\TCLS . If the path does not exist, it proceeds\r\nto download client.exe from the HFS server using the WinINet library, with Processkiller set as the UserAgent . \r\nAnti-AV checks\r\nThe decrypted DLL includes an anti-AV check to detect, and terminate Qihoo security software and the Winrar utility. It\r\nretrieves a list of all processes running on the system and compares the process names with the names below: \r\nZhuDongFangYu\r\nSoftMgrLite\r\nDumpUper\r\nWinrar\r\nsafesvr\r\nThe process names ZhuDongFangYu , SoftMgrLite , DumpUper , and safesvr are associated with Qihoo security software.\r\nWe suspect that ValleyRAT is terminating Winrar due to its ability to integrate with antivirus software to  scan archive files\r\nfor malicious content. Previous campaigns have utilized zipped executables as first stage downloaders, which may explain\r\nthis behavior. If a process name matches, the malware opens a handle to the process and sends a WM_QUIT message to all\r\nthe threads within the process, effectively terminating them.\r\nFollowing this, the malware downloads WINWORD2013.EXE , wwlib.dll , and xig.ppt from the HFS server, saving them\r\nto the disk at the location C:\\Users .\r\nThe malware deletes the directory C:\\Program Files\\TCLS and the file client.exe .\r\nFinally, the malware attempts to execute WINWORD2013.EXE with administrative privileges using the runas command,\r\nleading to the second stage.\r\nSecond stage \r\nLoader (wwlib.dll)\r\nThe file WINWORD2013.EX E is the legitimate Microsoft Word processor. However, the malware utilizes it to sideload a\r\nmalicious DLL called wwlib.dll . The wwlib.dll serves as a malicious loader, responsible for checking the presence of\r\nC:\\Users\\xig.ppt (an encrypted DLL) on the disk. If the file is found, the malware loads it into memory and decrypts it\r\nusing the same decryption algorithm mentioned in the first stage using the same XOR and RC4 keys. The malware copies\r\nthe decrypted xig.ppt DLL to another memory location with PAGE_EXECUTE_READ permission.\r\nProcess injection\r\nFrom here, the decrypted xig.ppt continues the execution process as a mechanism to decrypt and inject shellcode into\r\nsvchost.exe .\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nPage 3 of 12\n\nThe malware creates svchost.exe as a suspended process, allocates memory within the process, and writes shellcode\r\nthere. The malware uses the SetThreadContext API to change the instruction pointer to the address of the allocated\r\nshellcode.\r\nFinally, the malware calls the ResumeThread function, leading to the next stage of the process. The figure below shows the\r\ndecompiled code the malware uses for injection.\r\nFigure 3: Process injection used in the second stage.\r\nPersistence\r\nThe second stage is also responsible for establishing persistence. The malware accomplishes this by adding\r\nC:\\Users\\WINWORD2013.EXE to the autorun key Software\\Microsoft\\Windows\\CurrentVersion\\Run with the name\r\n“ WINWORD2013 ”.\r\nAdditionally, the malware sets the attributes of WINWORD2013.EXE , wwlib.dll , and xig.ppt to FILE_ATTRIBUTE_SYSTEM\r\n| FILE_ATTRIBUTE_HIDDEN .\r\nThird stage \r\nInjected shellcode\r\nThe shellcode injected contains essential configuration information and resolves APIs to establish a connection with the C2\r\nserver. This connection is utilized to download the next stage of the malware.\r\nDynamic API resolving\r\nThe shellcode injected into svchost.exe dynamically resolves APIs by traversing the Process Environment Block (PEB)\r\nand parsing PE headers using the BKDR hashing algorithm below.\r\n def BKDRHashing(apiName):\r\n finalHash = 0\r\n for i in apiName:\r\n finalHash = (finalHash* 0x83) \u0026 0xFFFFFFFF\r\n finalHash = (finalHash + ord(i)) \u0026 0xFFFFFFFF\r\n finalHash = finalHash \u0026 0x7FFFFFFF\r\n print(hex(finalHash))\r\n \r\n\u003e\u003e\u003eBKDRHashing(\"GetProcAddress\")\r\n0x1ab9b854\r\nConfiguration format\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nPage 4 of 12\n\nAfter resolving the APIs for kernel32.dll and ntdll.dll , the code checks for the string codemark in the memory of\r\nthe shellcode. This string serves as a placeholder to store the configuration of the malware. The configuration we observed is\r\nshown in the code sample below.\r\nHex ASCII\r\n63 6F 64 65 6D 61 72 6B 00 00 00 00 00 00 00 00 codemark........\r\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n0F 00 00 00 0A 1A 00 00 01 00 00 00 0F 00 00 00 ................\r\nB8 22 00 00 01 00 00 00 31 30 31 2E 33 33 2E 31 ¸\"......101.33.1\r\n31 37 2E 32 30 30 00 31 30 31 2E 33 33 2E 31 31 17.200.101.33.11\r\n37 2E 32 30 30 00 7C 00 30 00 3A 00 64 00 62 00 7.200.|.0.:.d.b.\r\n7C 00 30 00 3A 00 6C 00 6B 00 7C 00 30 00 3A 00 |.0.:.l.k.|.0.:.\r\n68 00 73 00 7C 00 30 00 3A 00 6C 00 64 00 7C 00 h.s.|.0.:.l.d.|.\r\n30 00 3A 00 6C 00 6C 00 7C 00 30 00 3A 00 68 00 0.:.l.l.|.0.:.h.\r\n62 00 7C 00 30 00 3A 00 70 00 6A 00 7C 00 30 00 b.|.0.:.p.j.|.0.\r\n32 00 2E 00 33 00 20 00 2E 00 34 00 32 00 30 00 2...3. ...4.2.0.\r\n32 00 3A 00 7A 00 62 00 7C 00 30 00 2E 00 31 00 2.:.z.b.|.0...1.\r\n3A 00 62 00 62 00 7C 00 A4 8B D8 9E 3A 00 7A 00 :.b.b.|.¤.Ø.:.z.\r\n66 00 7C 00 31 00 3A 00 6C 00 63 00 7C 00 31 00 f.|.1.:.l.c.|.1.\r\n3A 00 64 00 64 00 7C 00 31 00 3A 00 33 00 74 00 :.d.d.|.1.:.3.t.\r\n7C 00 30 00 38 00 3A 00 33 00 6F 00 7C 00 31 00 |.0.8.:.3.o.|.1.\r\n2E 00 30 00 2E 00 30 00 2E 00 37 00 32 00 31 00 ..0...0...7.2.1.\r\n3A 00 33 00 70 00 7C 00 31 00 3A 00 32 00 74 00 :.3.p.|.1.:.2.t.\r\n7C 00 38 00 38 00 38 00 38 00 3A 00 32 00 6F 00 |.8.8.8.8.:.2.o.\r\n7C 00 30 00 30 00 32 00 2E 00 37 00 31 00 31 00 |.0.0.2...7.1.1.\r\n2E 00 33 00 33 00 2E 00 31 00 30 00 31 00 3A 00 ..3.3...1.0.1.:.\r\n32 00 70 00 7C 00 31 00 3A 00 31 00 74 00 7C 00 2.p.|.1.:.1.t.|.\r\n36 00 36 00 36 00 36 00 3A 00 31 00 6F 00 7C 00 6.6.6.6.:.1.o.|.\r\n30 00 30 00 32 00 2E 00 37 00 31 00 31 00 2E 00 0.0.2...7.1.1...\r\n33 00 33 00 2E 00 31 00 30 00 31 00 3A 00 31 00 3.3...1.0.1.:.1.\r\n70 00 7C 00 00 00 00 00 00 00 00 00 00 00 00 00 p.|.............\r\nDescription of configuration options\r\nThe table below lists and describes the configuration format used for C2 communication. \r\nOffset Description Example Value\r\n0x0 Placeholder codemark\r\n0x20\r\nC2 IP length\r\n[Option 1].\r\n0xF\r\n0x24\r\nC2 port\r\n[Option 1]\r\nstored as 16-bit\r\nnumber in host\r\nbyte order.\r\n0x1A0A (6666)\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nPage 5 of 12\n\nOffset Description Example Value\r\n0x28\r\nBoolean value.\r\nIf the value is\r\n0, ValleyRAT\r\nutilizes UDP\r\nfor C2\r\ncommunication\r\n[Option 1]. If\r\nthe value is 1,\r\nit employs\r\nTCP for C2\r\ncommunication\r\n[Option 1].\r\n0x1 \r\n0x2c\r\nC2 IP length\r\n[Option 2].\r\n0xF\r\n0x30\r\nC2 port\r\n[Option 2]\r\nstored as 16-bit\r\nnumber in host\r\nbyte order.\r\n0x22B8 (8888)\r\n0x34\r\nBoolean value.\r\nIf the value is\r\n0, ValleyRAT\r\nutilizes UDP\r\nfor C2\r\ncommunication\r\n[Option 2]. If\r\nthe value is 1,\r\nit employs\r\nTCP for C2\r\ncommunication\r\n[Option 2].\r\n0x1\r\n0x38\r\nC2 IP data\r\nbuffer [Option\r\n1].\r\n101.33.117.200\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nPage 6 of 12\n\nOffset Description Example Value\r\n0x38 +\r\nValue Stored\r\nin offset\r\n0x20\r\nC2 IP data\r\nbuffer [Option\r\n2].\r\n101.33.117.200\r\n0x38 +( (\r\nvalue stored\r\nin offset\r\n0x20\r\nvalue\r\nstored\r\nin\r\noffset\r\n0x2C\r\n) * 2) \r\nThe\r\nconfiguration\r\nstring is stored\r\nin  reverse ,\r\nwhere  p1 ,\r\no1 ,  p2 ,\r\nand  o2 are\r\nrelated to C2\r\ncommunication\r\n(explained in\r\nthe next\r\nsection). The\r\nvalues of  cl\r\nand  dd are\r\nmultiplied by\r\n1000 and used\r\nas arguments\r\nfor the sleep\r\nfunction.\r\n|0:db|0:lk|0:hs|0:ld|0:ll|0:hb|0:pj|02.3.4202:zb|0.1:bb|认\r\n默:zf|1:lc|1:dd|1:3t|08:3o|1.0.0.721:3p|1:2t|8888:2o|002.711.33.101:2p|1:1t|6666:1o|002.711.33.10\r\nTable 1: The configuration format used for ValleyRAT C2 communication.\r\nThe sample analyzed utilizes TCP for communication with the C2 server. Subsequently, the malware sends the data 32 to\r\nthe C2 in order to receive a 32-bit shellcode. We confirmed this by sending data as 64 and receiving a 64-bit shellcode.\r\nThe 32-bit shellcode is received as encrypted data with a size of 0x4B00E. The encrypted data is decrypted using a simple\r\nXOR operation with the key value 0x36. The decrypted 32-bit shellcode is then executed, leading to the next stage.\r\nFourth stage \r\nDLL received from the C2\r\nThe shellcode employs the same BKDR hashing algorithm mentioned in the third stage to dynamically resolve the APIs. It\r\nproceeds to reflectively load an embedded DLL (using the dynamically resolved APIs) from the decrypted C2 data into\r\nmemory. The DLL contains four exports, DLL entrypoint , load , run , and zidingyixiugaidaochuhanshu . Among\r\nthese, the DLL entrypoint and load functions are executed.\r\nThe load export function copies the observed configuration string in a specific format, reverses the string, and proceeds to\r\nparse it. The string is stored in the format |key:value| , where the key represents the configuration attribute and the value\r\nrepresents its corresponding value.\r\nBelow is an example: \r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nPage 7 of 12\n\n|p1:101.33.117.200|o1:6666|t1:1|p2:101.33.117.200|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:默认|bb:1.0|bz:2024.3\r\nKeys p1 | o1 stores the value C2 IP [Option 1] | C2 port [Option 1].\r\nKeys p2 | o2 stores the value C2 IP [Option 2] | C2 port [Option 2].\r\nKeys cl | dd stores the value of how many times the process sleeps, in seconds.\r\nThe objective of this stage is to download and execute the final payload. After parsing the C2 configuration and\r\nimplementing the sleep duration specified in the configuration data, the malware checks if the final payload is already\r\npresent on the victim host. This is done by opening the registry key HKEY_CURRENT_USER\\Console\\0 and querying for the\r\nvalue with the name d33f351a4aeea5e608853d1a56661059 . \r\nIf the size of the value is greater than 0xA44, it indicates that the final payload is already on the victim host. In such cases,\r\nthe malware proceeds to allocate a PAGE_EXECUTE_READWRITE memory section and copies the data from the value of\r\nd33f351a4aeea5e608853d1a56661059 into it.\r\nIf the final payload does not already exist on the victim host, the malware proceeds to send a DLL named “ (登录模\r\n块.dll_bin ( Login module.dll_bin) ” to the C2 to download the final payload. The DLL name is encrypted by performing\r\nan XOR operation with the same key (0x36) used in the third stage. \r\nThe response to this request contains the final payload embedded within it. This data is then copied to a\r\nPAGE_EXECUTE_READWRITE memory section and saved in the registry as a value with the name\r\nd33f351a4aeea5e608853d1a56661059 within the key HKEY_CURRENT_USER\\Console\\0 .\r\nThe embedded DLL is subsequently loaded into memory and executed, serving as the final payload.\r\nFinal Payload \r\nThe final payload delivered is ValleyRAT, which was initially identified by Qi An Xin and attributed to the threat actor The\r\nGreat Thief of Valley, also known as Silver Fox. In this section, we discuss the changes we observed in ValleyRAT, as\r\ncompared to the previously documented version.\r\nDevice fingerprinting\r\nIn the latest version of ValleyRAT, the malware developers added new data fields for improved device fingerprinting. The\r\nnew data collected and sent to the C2 server is bolded in the table below.\r\nOffset Description Format (if any)\r\n0x0 Hard coded value (set to 0x06)\r\n0x2 System IP address\r\n0x278 Idle time %d min\r\n0x296 Computer name\r\n0x2FA Windows version\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nPage 8 of 12\n\nOffset Description Format (if any)\r\n0x35E ntdll.dll version\r\n0x39A Number of processors %d\r\n0x412 HDD \u0026 storage device info\r\nHDD:%d WW  %d Gb Free %d Gb  Mem: %d Gb\r\n%sFree%d Gb\r\n0x5A2 GPU info %s%s %d %d\r\n0x6CE Foreground window name\r\n0x8CC\r\nValue of name GROUP of reg\r\nkey  Network/AppEvents (默认 by default)\r\n0x930 Hardcoded value (set to 1.0)\r\n0x994\r\nValue of name REMARK of reg\r\nkey  Network/AppEvents (2024.3.6 by default)\r\n0x9F8 System uptime 运:%s 开:%d.%d.%d %d:%d:%d\r\n0xA5C\r\nRAT architecture (hardcoded X86) followed by\r\nvictim system architecture.\r\nX86 %s\r\n0xA70\r\nIntegrity level to check privilege followed by\r\nvictim system username.\r\n低/%s (Low), 中/%s (Medium), 高/%s(High), 系\r\n统/%s(System)[one of this values]\r\n0xAD4 Full path of the current process.\r\n0xCDC Is camera available 有(have), “X”[one of this values]\r\n0xCE4 Tencent QQ data\r\n0xEE2 Anti-virus data\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nPage 9 of 12\n\nOffset Description Format (if any)\r\n0xF46 System language\r\n0xF86 Monitor resolution\r\n0x1184 System directory\r\n0x11E8 System ID\r\nTable 2: Device fingerprinting information collected by ValleyRAT.\r\nBot ID generation\r\nThe malware developers also made changes to the bot ID generation process. While the hashing algorithm remained the\r\nsame, the data utilized for the algorithm was modified. The malware now creates an MD5 hash with the following values as\r\narguments: \r\ncomputerName\r\nnumberOfProcessors\r\nntdllVersion\r\nsystemIP\r\nintegrityLevelfollwedbyUsername\r\nprofileGuid\r\nThe code sample below shows the algorithm written in Python.\r\nimport hashlib\r\ndef botIDGeneration(computerName, numberOfProcessors, ntdllVersion, systemIP, integrityLevelfollwedbyUsername, profileGuid\r\n data = computerName.encode(\"utf-16le\")\r\n data += ntdllVersion.encode(\"utf-16le\")\r\n data += systemIP.encode(\"utf-16le\")\r\n data += b'\\x20\\x00'\r\n data += numberOfProcessors.encode(\"utf-16le\")\r\n data += \"X86\".encode(\"utf-16le\")\r\n data += integrityLevelfollwedbyUsername.encode(\"utf-16le\")\r\n data += profileGuid.encode(\"utf-16le\")\r\n data += b'\\x00\\x00'\r\n result = hashlib.md5(data).hexdigest()\r\n print(result)\r\nNew commands\r\nFinally, the malware developers introduced new commands, which are bolded in the table below.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nPage 10 of 12\n\nOpcode Description\r\n0x1 Load plugin.\r\n0x3\r\nCapture a screenshot of the desktop window and retrieve the name of the foreground window and last\r\ninput time.\r\n0x4 Capture a screenshot of the entire desktop window.\r\n0x5 Drop and execute a file. \r\n0x6 Download and execute a file from a specified URL using  InternetReadFile .\r\n0x7 Set the values of the names  GROUP and  REMARK in the registry key  Network/AppEvents .\r\n0x8 Process filtering using  CreateToolhelp32Snapshot .\r\n0xA\r\nCapture a screenshot of the desktop window, where the x and y coordinates of the upper-left corner of\r\nthe destination rectangle used by the StretchBlt API are determined by C2.\r\n0xB Clear the Windows event log using the  ClearEventLogW function.\r\n0xC\r\nRestart the current process by creating the same process as a child process and subsequently terminating the\r\ncurrent process.\r\n0xD Exit the current process.\r\n0xE Forced logoff.\r\n0xF Forced reboot.\r\n0x10 Forced shutdown.\r\n0x11 Change the loading method to a puppet process or an exported function.\r\n0x12 Configuration migration.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nPage 11 of 12\n\nOpcode Description\r\n0x64 Set the value of the name \" IpDatespecial \" in the registry key  HKEY_CURRENT_USER\\Console .\r\n0x65 Delete the value named \" IpDatespecial \" from the registry key  HKEY_CURRENT_USER\\Console .\r\n0xC9 Retrieve the name of the foreground window and last input time.\r\nTable 3: Commands implemented by ValleyRAT.\r\nExplore more Zscaler blogs\r\nSource: https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat"
	],
	"report_names": [
		"technical-analysis-latest-variant-valleyrat"
	],
	"threat_actors": [
		{
			"id": "8f68387a-aced-4c99-b2a6-aa85071a0ca3",
			"created_at": "2024-06-25T02:00:05.030976Z",
			"updated_at": "2026-04-10T02:00:03.656871Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "MISPGALAXY:Void Arachne",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7805d1a-b8d0-4a42-ae86-1d8711e0b2b9",
			"created_at": "2024-08-28T02:02:09.729503Z",
			"updated_at": "2026-04-10T02:00:04.967533Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "ETDA:Void Arachne",
			"tools": [
				"Gh0stBins",
				"Gh0stCringe",
				"HoldingHands RAT",
				"Winos"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434411,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33d1985ac27ddaf96f910b506d2b7e6090432430.pdf",
		"text": "https://archive.orkl.eu/33d1985ac27ddaf96f910b506d2b7e6090432430.txt",
		"img": "https://archive.orkl.eu/33d1985ac27ddaf96f910b506d2b7e6090432430.jpg"
	}
}