{
	"id": "b06a7c90-9c5f-4ba7-948f-6c77a478a934",
	"created_at": "2026-04-10T03:22:02.31809Z",
	"updated_at": "2026-04-10T03:22:19.599522Z",
	"deleted_at": null,
	"sha1_hash": "3caf9d4c04dfe7a516b0be35c8c0091b0a9e65b3",
	"title": "Snatch Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 840101,
	"plain_text": "Snatch Ransomware\r\nBy editor\r\nPublished: 2020-06-21 · Archived: 2026-04-10 02:45:36 UTC\r\nAnother RDP brute force ransomware strikes again, this time, Snatch Team! Snatch Team was able to go from brute forcing\r\na Domain Administrator (DA) account via RDP, to running a Meterpreter reverse shell and a RDP proxy via Tor on a\r\nDomain Controller (DC), to encrypting all Domain joined systems in under 5 hours.\r\nSnatch is a widely known variant due to it causing systems to reboot into safe mode before encrypting the system.\r\nSophosLabs has an excellent write up on Snatch which was very similar to what we witnessed.\r\nInitial Access:\r\nSnatch Team logged into a DA account from 193.70.12.240 around 0515 UTC. Initially with that access they performed a\r\nsimple arp -a.\r\nAt 0753 UTC the threat actors made the next move running ipconfig and quser. Just minutes later they began lateral\r\nmovement initiating an RDP session with a DC.\r\nLateral Movement and Persistence:\r\nOnce on the DC the threat actor moved quickly deploying a tool set in C:\\Windows. This tool set included 2 executable that\r\nmasqueraded as Windows Management Instrumentation files. One was executed with the following command parameters.\r\nhttps://thedfirreport.com/2020/06/21/snatch-ransomware/\r\nPage 1 of 10\n\nThe .dat file turned out to be a configuration file with the executable being TOR creating an RDP tunnel. (Wouldn’t this be\r\nreally really slow?)\r\nThe other executable file in the wmis folder was a Go executable of unknown providence potentially related to utorrent\r\ncapability?\r\nThe next thing they did was create a reverse shell using what we think is Meterpreter. C2 initiated over HTTPS/443 to\r\n91.229.77.161 via cplXen.exe\r\nThe presence of logs indicating the use of named pipe services also increases the likelihood of Meterpreter or possibly\r\nCobaltstrike. We didn’t see any ET Pro signatures fire for this activity but we also didn’t have SSL inspection on at the time.\r\nA separate executable was then dropped for stealthy persistence of cplXen.exe. X3.exe is a loader that uses the 3 DLLs\r\n(which are ini files) below to run cplXen.\r\njd4ob7162ns.dll: C:\\windows\\system32\\cplXen.exe /F\r\nfw0a53482aa.dll: 443\r\nhttps://thedfirreport.com/2020/06/21/snatch-ransomware/\r\nPage 2 of 10\n\nkb05987631s.dll: 91.229.77.161\r\nTwo Scheduled Tasks were created to launch the loader, which in turn persists the loading of cplXen.exe.\r\nx3.exe had a very low VT hit ratio. If anyone wants to investigate this further feel free to contact us to get the file or get it on\r\nMISP/VT.\r\nAction on Objectives:\r\nAbout a half hour after successful C2 we see this\r\nWe can conclude that ditsnap was most likely run on the DC to obtain a copy of ntds.dit by creating a snapshot.\r\nhttps://thedfirreport.com/2020/06/21/snatch-ransomware/\r\nPage 3 of 10\n\nForty-five minutes later Snatch Team had their first blood. They RDP’ed into the backup server, turned off Windows\r\nDefender, and executed safe.exe. They did this for every machine in the domain and within 15 minutes all machines were\r\nransomed including the DCs. All machines rebooted into safe mode before encrypting causing all logging and remote tools\r\nto fail (Damn you safe mode!).\r\nOn all machines we are left with the following:\r\nSnatch Team requested 40k USD for the decryptor but with negotiations we were able to talk them down to less than 15k.\r\nRecovery:\r\nLet’s take a minute to think about what recovery would look like in a large organization. Every server and online machine\r\nwas rebooted into safe mode without networking which causes you to lose complete visibility. This gets very painful\r\nquickly.\r\nhttps://thedfirreport.com/2020/06/21/snatch-ransomware/\r\nPage 4 of 10\n\nConclusion:\r\nAs we’ve seen time and time again, RDP is being brute forced to gain access into the network and then the threat actor\r\nmoves laterally quickly to install ransomware. Although we were surprised that the threat actors manually RDPed into each\r\nsystem rather than using GPO or PsExec. Even though this attacker did not seem highly skilled they were productive,\r\nefficient and in less than 5 hours could have earned 40k (8k per hour).\r\nEnjoy our report? Please consider donating $1 or more to the project using Patreon. Thank you for your support!\r\nAnalysis of Safe.exe:\r\nSafe.exe is a Go based executable, it drops 4 bat files that kick off the ransom process. It creates a new service to run\r\nsafe.exe and then sets the system to reboot into safe mode on next boot and then executes a shutdown of the system ASAP.\r\nWhen the system comes back up its in Safe Mode without networking.\r\nhttps://www.hybrid-analysis.com/sample/3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6/5ee67d6c3156821df34f7f4d\r\nIOCs:\r\nAll IOCs in MISPPRiv EID 68226 or UUID 5ee65855-3320-456d-b704-4878950d210f\r\nC2\r\n91.229.77.161\r\nRDP Access IP’s\r\n193.70.12.240\r\n178.162.209.135\r\nsafe.exe|2bbff2111232d73a93cd435300d0a07e\r\n2bbff2111232d73a93cd435300d0a07e\r\nb93d633d379052f0a15b0f9c7094829461a86dbb\r\n3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6\r\nhttps://www.virustotal.com/gui/file/3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6/detection\r\nhttps://thedfirreport.com/2020/06/21/snatch-ransomware/\r\nPage 5 of 10\n\nx3.exe|1422dae0330c713935d50773680fcb39\r\n1422dae0330c713935d50773680fcb39\r\nd5a0c796032eda2fe20d1f39bae3fbc4e6407e8c\r\nb9e4299239880961a88875e1265db0ec62a8c4ad6baf7a5de6f02ff4c31fcdb1\r\nhttps://www.virustotal.com/gui/file/b9e4299239880961a88875e1265db0ec62a8c4ad6baf7a5de6f02ff4c31fcdb1/details\r\ncplXen.exe|c9a728aa3f5b6f48b68df4bb66b41a5c\r\n90035ab418033b39d584c7bc609cab1664460069\r\nc305b75a4333c7fca9d1d71b660530cc98197b171856bf433e4e8f3af0424b11\r\nhttps://www.virustotal.com/gui/file/c305b75a4333c7fca9d1d71b660530cc98197b171856bf433e4e8f3af0424b11/detection\r\n116EBE27202905AFFB94F5C1597D511ABCB5B381411431956A03E47B388582BF.bat|1f7b17cacb0263b84cf3e9d4a5429ef9\r\n1f7b17cacb0263b84cf3e9d4a5429ef9\r\n14b2948a28d16c05fa7237dd8823592a735ef43f\r\n116ebe27202905affb94f5c1597d511abcb5b381411431956a03e47b388582bf\r\n2155A029A024A2FFA4EFF9108AC15C7DB527CA1C8F89CCFD94CC3A70B77CFC57.bat|6d9d31414ee2c175255b092440377a88\r\n6d9d31414ee2c175255b092440377a88\r\nc24aee8fa0a81a82fe73bf60e0282b1038d6ea80\r\n2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57\r\n3295F5029F9C9549A584FA13BC6C25520B4FF9A4B2FEB1D9E935CC9E4E0F0924.bat|3d33a19bb489dd5857b515882b43de12\r\n3d33a19bb489dd5857b515882b43de12\r\n0882f2e72f1ca4410fe8ae0fa1138800c3d1561d\r\n3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924\r\n251427C578EAA814F07037FBE6E388B3BC86ED3800D7887C9D24E7B94176E30D.bat|3e36d3dc132e3a076539acc9fcd5535c\r\n3e36d3dc132e3a076539acc9fcd5535c\r\n89be35c19a65b9e6f7a277e1a9f66ab76d024378\r\n251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d\r\nsafe.exe|2bbff2111232d73a93cd435300d0a07e\r\n2bbff2111232d73a93cd435300d0a07e\r\nb93d633d379052f0a15b0f9c7094829461a86dbb\r\n3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6\r\n6C9D8C577DDDF9CC480F330617E263A6EE4461651B4DEC1F7215BDA77DF911E7.bat|54fe4d49d7b4471104c897f187e07f91\r\n54fe4d49d7b4471104c897f187e07f91\r\n18f963dbee830e64828991d26a06d058326c1ddb\r\n6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7\r\nA80C7FE1F88CF24AD4C55910A9F2189F1EEDAD25D7D0FD53DBFE6BDD68912A84.bat|891708936393b69c212b97604a982fed\r\n891708936393b69c212b97604a982fed\r\n5b86cf095fe515b590d18b2e976d9e544c43f6ca\r\na80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84\r\nYARA:\r\n/*\r\n YARA Rule Set\r\n Author: The DFIR Report\r\n Date: 2020-06-17\r\n Identifier: snatch-ransomware\r\nhttps://thedfirreport.com/2020/06/21/snatch-ransomware/\r\nPage 6 of 10\n\nReference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule snatch_ransomware_x3_loader {\r\n meta:\r\n description = \"snatch-ransomware - file x3.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-17\"\r\n hash1 = \"b9e4299239880961a88875e1265db0ec62a8c4ad6baf7a5de6f02ff4c31fcdb1\"\r\n strings:\r\n $s1 = \"jd4ob7162ns.dll\" fullword wide\r\n $s2 = \"kb05987631s.dll\" fullword wide\r\n $s3 = \"fw0a53482aa.dll\" fullword wide\r\n $s4 = \"C:\\\\Builds\\\\TP\\\\rtl\\\\common\\\\TypInfo.pas\" fullword wide\r\n $s5 = \"C:\\\\Builds\\\\TP\\\\rtl\\\\sys\\\\SysUtils.pas\" fullword wide\r\n $s6 = \"C:\\\\Builds\\\\TP\\\\rtl\\\\common\\\\Classes.pas\" fullword wide\r\n $s7 = \"/K schtasks /Create /RU SYSTEM /SC DAILY /ST 00:00 /TN \\\"Regular Idle Maintenance\\\" /TR \\\"\" fullw\r\n $s8 = \"/K schtasks /Create /RU SYSTEM /SC ONSTART /TN \\\"Regular Idle Maintenances\\\" /TR \\\"\" fullword wid\r\n $s9 = \"RootP0C\" fullword ascii\r\n $s10 = \"Component already destroyed: \" fullword wide\r\n $s11 = \"Stream write error The specified file was not found2Length of Strings and Objects arrays must be\r\n $s12 = \"PPackageTypeInfo$\\\"@\" fullword ascii\r\n $s13 = \"PositionP0C\" fullword ascii\r\n $s14 = \"DesignInfoP0C\" fullword ascii\r\n $s15 = \"OwnerP0C\" fullword ascii\r\n $s16 = \"3\\\"4\\\\4~4\" fullword ascii /* hex encoded string '4D' */\r\n $s17 = \"TComponentClassP0C\" fullword ascii\r\n $s18 = \":$:2:6:L:\\\\:l:t:x:|:\" fullword ascii\r\n $s19 = \":P:T:X:\\\\:t:\" fullword ascii\r\n $s20 = \":,:\u003c:@:L:T:X:\\\\:`:d:h:l:p:t:x:|:\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 900KB and\r\n ( pe.imphash() == \"d6136298ea7484a715d40720221233be\" or 8 of them )\r\n}\r\nrule snatch_ransomware_safe_go_ransomware {\r\n meta:\r\n description = \"snatch-ransomware - file safe.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-17\"\r\n hash1 = \"3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6\"\r\n strings:\r\n $s1 = \"dumpcb\" fullword ascii\r\n $s2 = \"dfmaftpgc\" fullword ascii\r\n $s3 = \"ngtrunw\" fullword ascii\r\n $s4 = \"_dumpV\" fullword ascii\r\n $s5 = \".dll3u^\" fullword ascii\r\nhttps://thedfirreport.com/2020/06/21/snatch-ransomware/\r\nPage 7 of 10\n\n$s6 = \"D0s[Host#\\\"0\" fullword ascii\r\n $s7 = \"CPUIRC32D,OPg\" fullword ascii\r\n $s8 = \"WSAGetOv\" fullword ascii\r\n $s9 = \"Head9iuA\" fullword ascii\r\n $s10 = \"SpyL]ZIo\" fullword ascii\r\n $s11 = \"cmpbody\" fullword ascii\r\n $s12 = \"necwnamep\" fullword ascii\r\n $s13 = \"ZonK+ pW\" fullword ascii\r\n $s14 = \"printabl\" fullword ascii\r\n $s15 = \"atomicn\" fullword ascii\r\n $s16 = \"powrprof\" fullword ascii\r\n $s17 = \"recdvoc\" fullword ascii\r\n $s18 = \"nopqrsx\" fullword ascii\r\n $s19 = \"ghijklm\" fullword ascii\r\n $s20 = \"spdelta\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 8000KB and\r\n ( pe.imphash() == \"6ed4f5f04d62b18d96b26d6db7c18840\" or 8 of them )\r\n}\r\nrule snatch_ransomware_cplXen {\r\n meta:\r\n description = \"snatch-ransomware - file cplXen.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-17\"\r\n hash1 = \"c305b75a4333c7fca9d1d71b660530cc98197b171856bf433e4e8f3af0424b11\"\r\n strings:\r\n $x1 = \"C:\\\\Users\\\\Administrator\\\\source\\\\repos\\\\tmt\\\\Release\\\\TMT.pdb\" fullword ascii\r\n $s2 = \"curity\u003e\u003crequestedPrivileges\u003e\u003crequestedExecutionLevel level=\\\"asInvoker\\\" uiAccess=\\\"false\\\"\u003e\u003c/req\r\n $s3 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n $s4 = \"hemas.microsoft.com/SMI/2005/WindowsSettings\\\"\u003etrue\u003c/dpiAware\u003e\u003c/windowsSettings\u003e\u003c/application\u003e\u003c/a\r\n $s5 = \"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\" fullword wide\r\n $s6 = \"operator\u003c=\u003e\" fullword ascii\r\n $s7 = \"operator co_await\" fullword ascii\r\n $s8 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n $s9 = \"91.229.77.71\" fullword wide\r\n $s10 = \"\u003cassembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"\u003e\u003ctrustInfo xmlns=\\\"\r\n $s11 = \"vileges\u003e\u003c/security\u003e\u003c/trustInfo\u003e\u003capplication xmlns=\\\"urn:schemas-microsoft-com:asm.v3\\\"\u003e\u003cwindowsS\r\n $s12 = \"Aapi-ms-win-core-datetime-l1-1-1\" fullword wide\r\n $s13 = \"Aapi-ms-win-core-fibers-l1-1-1\" fullword wide\r\n $s14 = \"api-ms-win-core-file-l1-2-2\" fullword wide /* Goodware String - occured 1 times */\r\n $s15 = \"__swift_2\" fullword ascii\r\n $s16 = \"__swift_1\" fullword ascii\r\n $s17 = \"\u003e6?V?f?\" fullword ascii /* Goodware String - occured 1 times */\r\n $s18 = \"7K7P7T7X7\\\\7\" fullword ascii /* Goodware String - occured 1 times */\r\n $s19 = \"Wininet.dll\" fullword ascii /* Goodware String - occured 1 times */\r\n $s20 = \"QQSVj8j@\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 300KB and\r\n ( pe.imphash() == \"ec348684b8d3fbd21669529c6e5cef8b\" or ( 1 of ($x*) or 4 of them ) )\r\n}\r\nhttps://thedfirreport.com/2020/06/21/snatch-ransomware/\r\nPage 8 of 10\n\nrule WmiPrvSystemES_TOR_exe {\r\n meta:\r\n description = \"snatch-ransomware - file WmiPrvSystemES.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-17\"\r\n hash1 = \"0cd166b12f8d0f4b620a5819995bbcc2d15385117799fafbc76efd8c1e906662\"\r\n strings:\r\n $x1 = \"Unsupported command (--list-fingerprint, --hash-password, --keygen, --dump-config, --verify-confi\r\n $x2 = \"Unsupported command (--list-fingerprint, --hash-password, --keygen, --dump-config, --verify-confi\r\n $x3 = \"Tor is currently configured as a relay and a hidden service. That's not very secure: you should p\r\n $x4 = \"Failed to open handle to monitored process %d, and error code %lu (%s) is not 'invalid parameter\r\n $x5 = \"Failed to open handle to monitored process %d, and error code %lu (%s) is not 'invalid parameter\r\n $x6 = \"Unable to parse descriptor of type %s with hash %s and length %lu. Descriptor not dumped because\r\n $x7 = \"Unable to parse descriptor of type %s with hash %s and length %lu. Descriptor not dumped because\r\n $s8 = \"Doesn't look like we'll be able to create descriptor dump directory %s; dumps will be disabled.\"\r\n $s9 = \"dumping a microdescriptor\" fullword ascii\r\n $s10 = \"in a separate Tor process, at least -- see https://trac.torproject.org/8742\" fullword ascii\r\n $s11 = \"SR: Commit from authority %s decoded length doesn't match the expected length (%d vs %u).\" fullw\r\n $s12 = \"Unable to parse descriptor of type %s with hash %s and length %lu. Descriptor not dumped because\r\n $s13 = \"You are running a new relay. Thanks for helping the Tor network! If you wish to know what will h\r\n $s14 = \"Unable to get contents of unparseable descriptor dump directory %s\" fullword ascii\r\n $s15 = \"Uploading hidden service descriptor: http status 400 (%s) response from dirserver '%s:%d'. Malfo\r\n $s16 = \"Uploading hidden service descriptor: http status %d (%s) response unexpected (server '%s:%d').\"\r\n $s17 = \"Your server (%s:%d) has not managed to confirm that its DirPort is reachable. Relays do not publ\r\n $s18 = \"Your server (%s:%d) has not managed to confirm that its ORPort is reachable. Relays do not publi\r\n $s19 = \"Dumping statistics about %d channel listeners:\" fullword ascii\r\n $s20 = \"\\\\\\\\.\\\\Pipe\\\\Tor-Process-Pipe-%lu-%lu\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 12000KB and\r\n ( pe.imphash() == \"3fce013d4eb45a62bfe5b4ed33268491\" or ( 1 of ($x*) or 4 of them ) )\r\n}\r\nrule WmiPrvSystem_utorrent_exe {\r\n meta:\r\n description = \"snatch-ransomware - file WmiPrvSystem.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-17\"\r\n hash1 = \"97bc0e2add9be985aeb5c0b4ca654a6a9e6fca6a6bf712dc26fc454b773212b7\"\r\n strings:\r\n $x1 = \"VirtualQuery for stack base failedadding nil Certificate to CertPoolcrypto/aes: invalid buffer ov\r\n $x2 = \"\u003e (den\u003c\u003cshift)/2unexpected end of JSON inputunexpected protocol version cannot be converted to t\r\n $x3 = \"sync: WaitGroup misuse: Add called concurrently with Waittls: Ed25519 public keys are not support\r\n $x4 = \"slice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)tls:\r\n $x5 = \"Pakistan Standard TimeParaguay Standard TimePrint version and exitSakhalin Standard TimeTOR_PT_SE\r\n $x6 = \"0123456789ABCDEFGHIJKLMNOPQRSTUV28421709430404007434844970703125: day-of-year does not match dayA\r\n $x7 = \"unknown network workbuf is emptywww-authenticate initialHeapLive= spinningthreads=%%!%c(big.Int=%\r\n $x8 = \"unixpacketunknown pcuser-agentws2_32.dll of size (targetpc= ErrCode=%v [scrubbed] a.npages= b\r\n $x9 = \"attempt to execute system stack code on user stackcrypto/cipher: incorrect nonce length given to\r\n $x10 = \"streamSafe was not resetstructure needs cleaningtext/html; charset=utf-8unexpected buffer len=%v\r\n $x11 = \"100-continue152587890625762939453125:key_extractBidi_ControlCIDR addressCONTINUATIONContent Type\r\nhttps://thedfirreport.com/2020/06/21/snatch-ransomware/\r\nPage 9 of 10\n\n$x12 = \"IP addressKeep-AliveKharoshthiLockFileExManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_Tu\r\n $x13 = \"tls: ECDSA signature contained zero or negative valuestls: client indicated early data in second\r\n $x14 = \"to unallocated span%%!%c(*big.Float=%s)37252902984619140625Arabic Standard TimeAzores Standard T\r\n $x15 = \"CertEnumCertificatesInStoreDATA frame with stream ID 0Easter Island Standard TimeG waiting list\r\n $x16 = \".lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625CLI\r\n $x17 = \"Saint Pierre Standard TimeSouth Africa Standard TimeTOR_PT_EXIT_ON_STDIN_CLOSEW. Australia Stand\r\n $x18 = \"Temporary RedirectUNKNOWN_SETTING_%dVariation_Selectorajax.aspnetcdn.combad Content-Lengthbad ma\r\n $x19 = \"request rejected because the client program and identd report different user-idstls: either Serv\r\n $x20 = \"invalid network interface nameinvalid pointer found on stacklooking for beginning of valuemeek_l\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 26000KB and\r\n ( pe.imphash() == \"f0070935b15a909b9dc00be7997e6112\" or 1 of ($x*) )\r\n}\r\nSource: https://thedfirreport.com/2020/06/21/snatch-ransomware/\r\nhttps://thedfirreport.com/2020/06/21/snatch-ransomware/\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2020/06/21/snatch-ransomware/"
	],
	"report_names": [
		"snatch-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775791322,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3caf9d4c04dfe7a516b0be35c8c0091b0a9e65b3.pdf",
		"text": "https://archive.orkl.eu/3caf9d4c04dfe7a516b0be35c8c0091b0a9e65b3.txt",
		"img": "https://archive.orkl.eu/3caf9d4c04dfe7a516b0be35c8c0091b0a9e65b3.jpg"
	}
}