{
	"id": "53b6bf64-8e15-4227-b8dd-d59c6dea080e",
	"created_at": "2026-04-06T00:07:32.524368Z",
	"updated_at": "2026-04-10T13:11:44.393761Z",
	"deleted_at": null,
	"sha1_hash": "3ab65d4a2a006403474d0471441ac295955e31dd",
	"title": "Carbanak gang is back and packing new guns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 359880,
	"plain_text": "Carbanak gang is back and packing new guns\r\nBy Anton Cherepanov\r\nArchived: 2026-04-02 12:14:18 UTC\r\nThe Carbanak financial APT group made the headlines when Group-IB and Fox-IT broke the news in December\r\n2014, followed by the Kaspersky report in February 2015. The two reports describe the same cybercriminal gang,\r\nwhich stole up to several hundreds of millions of dollars from various financial institutions.\r\nHowever, the story is interesting not only because of the large amount of money stolen but also from a technical\r\npoint of view. The Carbanak team does not just blindly compromise large numbers of computers and try to ‘milk\r\nthe cow’ as other actors do; instead they act like a mature APT group. They only compromise specific high-value\r\ntargets and, once inside the company networks, move laterally to hosts that can be monetized.\r\nA few days ago CSIS published details about new Carbanak samples found in the wild.\r\nIn this blog we will describe the latest developments in the Carbanak story.\r\nCasino hotel hack\r\nAt the end of August, we detected an attempt to compromise the network of a casino hotel in the USA. The\r\ninfection vector used in this attack may have been a spearphishing e-mail with a malicious attachment using an\r\nRTF exploit or .SCR file. The attackers' aim was to compromise PoS servers used in payment processing.\r\nThe main backdoor used by the attackers was the open-source Tiny Meterpreter. 
In this case, however, the source was\r\nmodified – the process injection to svchost.exe was added to its functionality.\r\nThis Tiny Meterpreter backdoor dropped two different malware families:\r\nWin32/Spy.Sekur – well known malware used by the Carbanak gang\r\nWin32/Wemosis – a PoS RAM Scraper backdoor\r\nAs mentioned here by our colleagues from TrendMicro, Carbanak malware is capable of targeting Epicor/NSB\r\nPoS systems, while Win32/Wemosis is a general-purpose PoS RAM Scraper which targets any PoS that stores\r\ncard data in the memory. The Wemosis backdoor is written in Delphi and allows the attacker to control an infected\r\ncomputer remotely.\r\nBoth executables were digitally signed with the same certificate:\r\nhttps://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/\r\nPage 1 of 14\n\nThe certificate details:\r\nCompany name: Blik\r\nValidity: from 02 October 2014 to 03 October 2015\r\nThumbprint: 0d0971b6735265b28f39c1f015518768e375e2a3\r\nSerial number: 00d95d2caa093bf43a029f7e2916eae7fb\r\nSubject: CN = Blik\r\nO = Blik\r\nSTREET = Berzarina, 7, 1\r\nL = Moscow\r\nS = Moscow\r\nPostalCode = 123298\r\nC = RU\r\nThis certificate was also used in the digital signature of a third malware family used by the same gang:\r\nWin32/Spy.Agent.ORM.\r\nWin32/Spy.Agent.ORM - overview\r\nWin32/Spy.Agent.ORM (also known as Win32/Toshliph) is a trojan used as one of their first-stage payloads by the\r\nCarbanak gang. The binary of the testing version was signed with a Blik certificate: moreover, Spy.Agent.ORM\r\nshares some similarities in the code with “the regular” Carbanak malware.\r\nThe Win32/Spy.Agent.ORM malware family is already known in the industry because of two blogposts. In July\r\n2015 security company Cyphort reported the compromise of a news portal and a banking site – rbc.ua and\r\nunicredit.ua. 
It turns out that the compromised sites served Win32/Spy.Agent.ORM. After that, Blue Coat reported\r\na spearphishing attempt targeting Central Bank of Armenia employees, the payload being the same.\r\nThis malware appeared on our radar at the beginning of summer 2015, and afterwards we started to track it.\r\nWe have seen attempts to attack various companies in Russia and Ukraine using spearphishing e-mails that have\r\nmalicious attachments consisting of .SCR files or .RTF exploits.\r\nHere is an example of a spearphishing email sent to one of the biggest Forex-trading companies:\r\nRoughly translated from Russian to English, it says:\r\n\"Due to the high volatility of the ruble exchange rate the Bank of Russia sends rules of trading on the currency\r\nmarket. Password for the attached document: cbr\"\r\nHere is another example of a spearphishing attempt. An email with this text was sent to the largest electronic\r\npayment service in Russia:\r\nПостановлением Роскомнадзора от 04.08.2015г. Вам необходимо заблокировать материалы попадающие\r\nпод Федеральный закон от 27.07.2006 N 152-ФЗ (ред. от 21.07.2014) \"О персональных данных\". Перечень\r\nматериалов в документе.\r\nПароль roscomnadzor\r\nAnother rough translation from Russian to English:\r\n\"According to Roscomnadzor prescript you should block the materials, which you can find in the attachment.\r\nPassword is roscomnadzor\"\r\nWe have seen similar .SCR files with the following filenames:\r\nАО «АЛЬФА-БАНК» ДОГОВОР.scr (Alfabank contract)\r\nПеречень материалов для блокировки от 04.08.2015г.scr (List to block)\r\nPostanovlene_ob_ustranenii_18.08.2015.pdf %LOTS_OF_SPACES% ..scr\r\nПравила Банка России от 06.08.2015.pdf %LOTS_OF_SPACES% .scr (Rules of Bank of Russia)\r\nAll these attachments contained a password-protected archive with an .SCR file. 
The files had Adobe Acrobat Reader\r\nor MS Word icons.\r\nIn other cases, attackers used RTF files with different exploits, including an exploit for one of the latest Microsoft\r\nOffice vulnerabilities, CVE-2015-1770, which was patched by Microsoft in June 2015 in MS15-059.\r\nWe have seen RTF files with the following names used in attacks:\r\nprikaz-451.doc\r\nREMITTANCE ADVICE ON REJECTION.doc\r\nPROOF OF REMITTANCE ADVICE .doc\r\nHDHS739_230715_010711_A17C7148_INTERNAL.doc\r\nԲանկերի և բանկային գործունեության մասին ՀՀ օրենք 27.07.2015.doc (Armenian: The Law on\r\nBanks and Banking 27.07.2015)\r\nPAYMENT DETAILS.doc\r\nАО «АЛЬФА-БАНК» ДОГОВОР.doc (Russian: Alpha-bank contract)\r\nAML REPORTS_20082015_APPLICATION FORM-USD-MR VYDIAR.doc\r\nAnti-Money Laudering \u0026 Suspicious cases.doc\r\nApplicationXformXUSDXduplicateXpayment.doc\r\nAML USD \u0026 Suspicious cases.doc\r\nAmendment inquiry ( reference TF1518869100.doc\r\nInformation 2.doc\r\nHere is an example of a spearphishing message that was sent to a bank in the United Arab Emirates:\r\nHere is an example of a spearphishing email that was sent to a German bank:\r\nWin32/Spy.Agent.ORM - Technical details\r\nWin32/Spy.Agent.ORM is a small and simple backdoor that enables the attackers to assess the victim. When\r\nexecuted, the trojan connects to a C\u0026C server and receives commands to grab screenshots, enumerate running\r\nprocesses and get information about the system and campaign ID. 
Based on that information, the malware operator\r\ndecides whether the infected computer is useful: that is, whether it's the intended target or just a system that was\r\naccidentally infected.\r\nHere is a list of commands that it can receive from the C\u0026C server:\r\nCommand Purpose\r\n0x02 Collects information about the computer: Computer Name, User Name, Windows Version,\r\nArchitecture (32/64 bit) and campaign ID\r\n0x03 Collects list of running processes\r\n0x04 Downloads a binary to %TEMP% and executes it\r\n0x05 Updates itself\r\n0x06 Deletes itself\r\n0x07 Takes a screenshot\r\n0x08 Loads a binary in memory, without dropping it to disk\r\nThe latest sample of this malware family found in the wild is also digitally signed, this time with a different certificate:\r\nThe certificate details:\r\nCompany name: In travel TOV\r\nValidity: from 21 July 2015 to 21 July 2016\r\nThumbprint: 7809fbd8d24949124283b9ff14d12da497d9c724\r\nSerial number: 00dfd915e32c5f3181a0cdf0aff50f8052\r\nSubject: CN = In travel TOV\r\nO = In travel TOV\r\nSTREET = prospekt Pravdi 33\r\nL = Kiev\r\nS = Kievskaja\r\nPostalCode = 04108\r\nC = UA\r\nAlso, the latest sample is able to gain system privileges via an exploit and install itself as a system service. The\r\ntrojan attempts to exploit a vulnerability – CVE-2015-2426 in the OpenType manager module (ATMFD.dll) –\r\nwhich was patched by Microsoft in MS15-078. The exploit for this vulnerability was leaked in the Hacking Team\r\ndump.\r\nThe Blik digital certificate used in this case is not the only link between Win32/Spy.Agent.ORM and\r\nWin32/Spy.Sekur (Carbanak malware). 
They share similarities in code – take a look at the function that generates\r\nthe BOTID value, for example:\r\nThe BOTID value is a unique value generated on the basis of the hardware parameters of the infected computer, and\r\nit’s used by the attackers for computer identification. In both cases generation is based on the MAC address and\r\ncomputer name, and the resulting value is formatted using the wsprintf function.\r\nSinkhole statistics\r\nOur sinkhole of some C\u0026C domains used by Win32/Wemosis has resulted in hits from bots in the following\r\ncountries.\r\nAs the attacks are highly targeted, the total number of victims is low in absolute numbers. Victims in the USA are\r\nsituated in several states, including Nevada (Las Vegas), California, and New York, and include casinos and\r\nhotels.\r\nConclusions\r\nEven after it has reportedly stolen hundreds of millions of dollars, the infamous Carbanak APT group isn’t resting\r\non its laurels. On the contrary, it is very active and keeps attacking specific targets related to the finance industry,\r\nincluding banks, Forex-trading companies, and even an American casino hotel. 
Recently, we have detected\r\nmalware used by the Carbanak group in the following countries, among others:\r\nUnited States of America\r\nGermany\r\nUnited Arab Emirates\r\nAs described in this blog post, the gang doesn’t use just one malware family to carry out its operations but several.\r\nWhile the code in the different families – Carbanak (Win32/Spy.Sekur), Win32/Spy.Agent.ORM, and\r\nWin32/Wemosis – is different, it does contain similar traits, including the same digital certificate.\r\nFurthermore, the attackers are updating their arsenal with the latest exploits, such as the Microsoft Office remote\r\ncode execution vulnerability, CVE-2015-1770, or the zero-day exploit leaked in the Hacking Team dumps, CVE-2015-2426.\r\nWe continue to monitor the Carbanak threats. For any enquiries or sample submissions related to the subject,\r\ncontact us at: threatintel@eset.com.\r\nIndicators of Compromise (IoC)\r\nTrojan.Win32/Spy.Sekur (Carbanak malware) SHA-1:\r\nRTF-exploits 
SHA-1:\r\nTrojan.Win32/Spy.Sekur C2 servers:\r\nTrojan.Win32/Spy.Agent.ORM SHA-1:\r\nRTF-exploits SHA-1:\r\nTrojan.Win32/Spy.Agent.ORM - C2 Servers:\r\nTiny meterpreter SHA-1:\r\n28D514FE46D8B5720FE27C40C3889F3B45967CC7\r\n0B0884992F28A3C1439DBA60007076B22831CE51\r\nWin32/Wemosis (PoS RAM Scraper) SHA-1:\r\n5E31DB305A97736C0F419A3F2F8F093FF6A1F56F\r\nWin32/Wemosis - C2 server:\r\n198.100.119.14\r\nSource: https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/"
	],
	"report_names": [
		"carbanak-gang-is-back-and-packing-new-guns"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434052,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ab65d4a2a006403474d0471441ac295955e31dd.pdf",
		"text": "https://archive.orkl.eu/3ab65d4a2a006403474d0471441ac295955e31dd.txt",
		"img": "https://archive.orkl.eu/3ab65d4a2a006403474d0471441ac295955e31dd.jpg"
	}
}