{
	"id": "7f8ba0bd-55b4-4ac6-8f93-acf4c1550dd4",
	"created_at": "2026-04-06T00:14:00.537084Z",
	"updated_at": "2026-04-10T03:37:50.652452Z",
	"deleted_at": null,
	"sha1_hash": "3c7e6fb472788a2673d93bb5e4817fc23e614425",
	"title": "Korplug military targeted attacks: Afghanistan \u0026 Tajikistan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 285530,
	"plain_text": "Korplug military targeted attacks: Afghanistan \u0026 Tajikistan\r\nBy Robert Lipovsky and Anton Cherepanov\r\nArchived: 2026-04-05 19:50:20 UTC\r\nAfter taking a look at recent Korplug (PlugX) detections, we identified two larger-scale campaigns employing this well-known Remote Access Trojan. This blog gives an overview of the first one, related to Afghanistan \u0026 Tajikistan. The other campaign, where the targets were a number of high-profile organizations in Russia, will be the subject of Anton Cherepanov’s presentation at the ZeroNights security conference in Moscow this week.\r\nSometimes malware used in various attacks is unique enough to identify related incidents, which makes tracking individual botnets simpler. An example is the BlackEnergy Lite variant (also known as BlackEnergy 3) used by a group of attackers (that was then given the name Quedagh, or Sandworm) against targets in Ukraine and other countries. BlackEnergy Lite is clearly distinguishable from the numerous binaries of the more common BlackEnergy 2 also circulating in the wild.\r\nIn other cases, attackers use more common tools for accomplishing their criminal goals. For example, the Korplug RAT (a.k.a. PlugX) is a well-known toolkit associated with Chinese APT groups and used in a large number of targeted attacks since 2012. 
For the past several weeks we have taken a closer look at a great number of detections of this malware in many unrelated incidents.\r\nAmong these, we were able to discover several successful infections where the employed Korplug samples were connecting to the same C\u0026C domain.\r\nDOMAIN: www.notebookhk.net\r\nUpdated Date: 2013-11-12 18:03:45\r\nCreate Date: 2013-06-18 11:08:17\r\nRegistrant Name: lee stan\r\nRegistrant Organization: lee stan\r\nRegistrant Street: xianggangdiqu\r\nRegistrant City: xianggangdiqu\r\nRegistrant State: xianggang\r\nRegistrant Postal Code: 796373\r\nRegistrant Country: HK\r\nRegistrant Phone: +0.04375094543\r\nRegistrant Fax: +0.04375094543\r\nRegistrant Email: stanlee@gmail.com\r\nOther Korplug samples were connecting to a different domain name resolving to the same IPs as notebookhk.net:\r\nDOMAIN: www.dicemention.com\r\nUpdated Date: 2013-11-12 18:05:33\r\nCreate Date: 2013-09-10 14:35:11\r\nRegistrant Name: z x\r\nRegistrant Organization: z x\r\nRegistrant Street: xianggangdiqu\r\nRegistrant City: xianggangdiqu\r\nRegistrant State: xianggang\r\nRegistrant Postal Code: 123456\r\nRegistrant Country: HK\r\nRegistrant Phone: +0.0126324313\r\nRegistrant Fax: +0.0126324313\r\nRegistrant Email: 123@123.com\r\nhttps://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/\r\nPage 1 of 8\n\nDOMAIN: www.abudlrasul.com\r\nUpdated Date: 2014-10-16 14:16:27\r\nCreate Date: 2014-10-16 14:16:27\r\nRegistrant Name: gang xin\r\nRegistrant Organization: gang xin\r\nRegistrant Street: Argentina Argentina\r\nRegistrant City: Argentina\r\nRegistrant State: Argentina\r\nRegistrant Postal Code: 647902\r\nRegistrant Country: AR\r\nRegistrant Phone: +54.0899567089\r\nRegistrant Fax: +54.0899567089\r\nRegistrant Email: woffg89@yahoo.com\r\nTaking these C\u0026Cs as a starting point, we were able to locate a number of victims infected through various exploit-laden spear-phishing documents and 
cunningly-named archives.\r\nA table with a selection of RTF documents and RAR self-extracting archives with a .SCR extension is shown below:\r\nFile name | English translation | SHA1\r\nSituation Report about Afghan.doc |  | 36119221826D0290BC23371B55A8C0E6A84718DD\r\nAGREEMENT BETWEENTHE NATO AND AFGHANISTAN ON THE STATUS OF NATO FORCES IN AFGHANISTAN.doc |  | A6642BC9F3425F0AB93D462002456BE231BB5646\r\nnews.doc |  | 51CDC273B5638E06906BCB700335E288807744B5\r\nПлан деятельности соединений и воинских частей Приволжского региона на июль 2014 г.scr | Activity plan for military units in the Volga region in July 2014 | EA6EE9EAB546FB9F93B75DCB650AF22A95486391\r\nтелефонный　справочник　структуры МИД КР .scr | Telephone directory of the Ministry of Foreign Affairs of the Kyrgyz Republic | D297DC7D29E42E8D37C951B0B11629051EEBE9C0\r\nО Центре социальной адаптации военнослужащих.scr | About the Center for social adaptation of servicemen | 8E5E19EBE719EBF7F8BE4290931FFA173E658CB8\r\nПротокол встречи НГШ КНР.scr | Meeting minutes of the General Staff of the PRC | 1F726E94B90034E7ABD148FE31EBA08774D1506F\r\nисправленный шаблон плана мероприятий.scr | Corrected action plan template | A9C627AA09B8CC50A83FF2728A3978492AEB79D8\r\nSituation Report about Afghan.scr |  | A9C627AA09B8CC50A83FF2728A3978492AEB79D8\r\nВоенно-политическая обстановка в ИРА на04.10.2014.scr | Military and political situation in Islamic Republic of Afghanistan (IRA) on 04.10.2014 | E32081C56F39EA14DFD1E449C28219D264D80B2F\r\nAfghan Air Force.scr |  | E32081C56F39EA14DFD1E449C28219D264D80B2F\r\nплан мероприятий.scr | Action plan | 1F726E94B90034E7ABD148FE31EBA08774D1506F\r\nSome of the above-mentioned files also contained decoy 
documents:\r\nIn all of the cases, three binary files were dropped (apart from decoy documents) that led to the Korplug trojan being loaded into memory.\r\nexe – a legitimate executable with a Kaspersky digital signature that would load a DLL with a specific file name\r\ndll – a small DLL loader that would pass execution to the Korplug raw binary code\r\ndll.avp – raw Korplug binary\r\nThe Korplug RAT is known to use this side-loading trick, abusing legitimate digitally signed executables as a way to stay under the radar, since a trusted application with a valid signature among startup items is less likely to raise suspicion.\r\nThe maliciously crafted documents are RTF files that successfully exploit the CVE-2012-0158 vulnerability in Microsoft Word. The image below shows the beginning of the CVE-2012-0158 shellcode in ASCII encoding within the document (the opcodes 60, 55, 8bec disassemble to pusha; push ebp; mov ebp, esp).\r\nInterestingly, though, the documents also contain the newer CVE-2014-1761 exploit that was extensively used in targeted attacks carried out by a number of other malware families this year (including BlackEnergy, Sednit, MiniDuke, and others). However, this exploit is not implemented correctly due to a wrong file offset in the 1st stage shellcode.\r\nBelow we see the disassembly of the 1st stage shellcode where it checks for the presence of the tag “p!11” marking the beginning of the 2nd stage shellcode and loads it into memory. 
Even though the tag and the 2nd stage shellcode are present in the RTF, they sit at a different offset, and thus the 2nd stage is never loaded.\r\nSophos’ Gabor Szappanos gives a possible explanation of how these malformed samples may have come into existence.\r\nESET LiveGrid telemetry indicates that the attacks against these targets have been going on since at least June 2014 and continue through today.\r\nWe were able to pinpoint the targets to residents of the following countries:\r\nAfghanistan\r\nTajikistan\r\nRussia\r\nKyrgyzstan\r\nKazakhstan\r\nFrom the topics of the files used to spread the malware, as well as from the affected targets, it appears that the attackers are interested in gathering intelligence related to Afghan, Tajik and Russian military and diplomatic subjects.\r\nInterestingly, most of the affected victims have another thing in common – a number of other RATs, file-stealing trojans or keyloggers were detected on their systems on top of the Korplug RAT detection. 
One of these ‘alternative RATs’ was connecting to a domain also used by the Korplug samples.\r\nSince the functionality of these tools partly overlapped with that of Korplug, it left us wondering whether the attackers were just experimenting with different RATs or were supplementing some functionality that they were otherwise unable to accomplish.\r\nAdditional information about the two malware families most often found accompanying Korplug infections is given below.\r\nAlternative Malware #1: DarkStRat\r\nA curious Remote Access Trojan: research points to a Chinese connection, but the commands it listens for are in Spanish (English translation in parentheses):\r\nCERRAR (close)\r\nDESINSTALAR (uninstall)\r\nSERVIDOR (server)\r\nINFO\r\nMAININFO\r\nPING\r\nREBOOT\r\nPOWEROFF\r\nPROC\r\nKILLPROC\r\nVERUNIDADES (view drives)\r\nLISTARARCHIVOS (list files)\r\nEXEC\r\nDELFILE\r\nDELFOLDER\r\nRENAME\r\nMKDIR\r\nCAMBIOID (change ID)\r\nGETFILE/SENDFILE/RESUMETRANSFER\r\nSHELL\r\nSERVICIOSLISTAR (list services)\r\nINICIARSERVICIO (start service)\r\nDETENERSERVICIO (stop service)\r\nBORRARSERVICIO (delete service)\r\nINSTALARSERVICIO (install service)\r\nThe malware can manage processes and services on the infected machine, transfer files to and from the C\u0026C server, run shell commands, and so on. It is written in Delphi and connects to www.dicemention.com. Some samples contain a digital signature by \"Nanning weiwu Technology co.,ltd\".\r\nAlternative Malware #2: File Stealer\r\nThis malware, written in C, contains several functions for harvesting files off the victim’s hard drive according to criteria set in the configuration file. 
Apart from doing a recursive sweep of all logical fixed and remote drives, it also continually monitors any attached removable media or network shares by listening for DBT_DEVICEARRIVAL events.\r\nIn addition to collecting files, the malware attempts to gather saved passwords, history of visited URLs, account information and proxy information from the following applications:\r\nMicrosoft Messenger\r\nMicrosoft Outlook\r\nMicrosoft Internet Explorer\r\nMozilla Firefox\r\nThe C\u0026C domains used by this malware are:\r\nnewvinta.com\r\nworksware.net\r\nSome samples of this file stealer detected in these campaigns also contain the signature by \"Nanning weiwu Technology co.,ltd\" – another indicator that the infections are related.\r\nList of SHA1 hashes:\r\nKorplug:\r\nAlternative Malware #1:\r\nAlternative Malware 
#2:\r\nResearch by: Anton Cherepanov\r\nSource: https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/"
	],
	"report_names": [
		"korplug-military-targeted-attacks-afghanistan-tajikistan"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434440,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c7e6fb472788a2673d93bb5e4817fc23e614425.pdf",
		"text": "https://archive.orkl.eu/3c7e6fb472788a2673d93bb5e4817fc23e614425.txt",
		"img": "https://archive.orkl.eu/3c7e6fb472788a2673d93bb5e4817fc23e614425.jpg"
	}
}