{
	"id": "0d20283e-caf9-43cb-b86b-426b92dd282e",
	"created_at": "2026-04-06T00:15:04.994346Z",
	"updated_at": "2026-04-10T03:36:11.34145Z",
	"deleted_at": null,
	"sha1_hash": "9b5d6cd83682ca52388a3b686512bbd3e67c8df5",
	"title": "Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63522,
	"plain_text": "Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem\r\nArchived: 2026-04-05 19:06:39 UTC\r\nBumblebee, a recently developed malware loader, has quickly become a key component in a wide range of cyber-crime attacks and appears to have replaced a number of older loaders, which suggests that it is the work of established actors and that the transition to Bumblebee was pre-planned.\r\nThrough analysis of three other tools used in recent attacks involving Bumblebee, Symantec’s Threat Hunter team, a part of Broadcom Software, has linked this tool to a number of ransomware operations including Conti, Quantum, and Mountlocker. The tactics, techniques, and procedures (TTPs) used in these older attacks support the hypothesis that Bumblebee may have been introduced as a replacement loader for Trickbot and BazarLoader, since there is some overlap between recent activity involving Bumblebee and older attacks linked to these loaders.\r\nBumblebee and Quantum: Bumblebee’s role in ransomware delivery\r\nA recent attack involving the Quantum ransomware demonstrates how Bumblebee is now being leveraged by attackers to deliver ransomware.\r\nThe initial infection vector was a spear-phishing email with an attachment containing an ISO file. This ISO file contained a Bumblebee DLL file and an LNK file, which loaded the Bumblebee DLL file using rundll32.exe.\r\nrundll32.exe teas.dll,kXlNkCKgFC\r\nBumblebee supports multiple commands like “Ins” for bot persistence, “Dij” for DLL injection, and “Dex” for downloading executables.\r\nBumblebee contacted a command-and-control (C\u0026C) server (45.153.243.93) and created a copy in the %APPDATA% folder with a random name, and also created a VBS file at the same location to load the %APPDATA% DLL file.\r\nA scheduled task was created using the Bumblebee “Ins” command to run a VBS file every 15 minutes.\r\nwscript.exe CSIDL_COMMON_APPDATA\\e147c18f9167cd0f\\f30b25c870238567.vbs\r\nCSIDL_SYSTEM\\rundll32.exe\"\r\nCSIDL_COMMON_APPDATA\\e147c18f9167cd0f\\f30b25c870238567.dll\r\nAfter a couple of hours, Bumblebee used the “Dex” command to drop and run a Cobalt Strike payload named “wab.exe” in the %APPDATA% location. It also ran the “systeminfo” command.\r\nwmiprvse.exe --\u003e wab.exe\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime\r\nPage 1 of 7\n\nwmiprvse.exe --\u003e wab.exe --\u003e cmd.exe /C systeminfo\r\nUsing the “Dij” command, Bumblebee then injected the Metasploit DLL into the legitimate process “ImagingDevices.exe”, which is a Windows Photo Viewer executable file.\r\nIn addition to this, using the “Dij” command Bumblebee injected the Cobalt Strike payload into the legitimate “wab.exe”, which is a Windows Mail executable file.\r\nBumblebee then dropped the AdFind tool using the “Dij” command and tried to enumerate domain-related information such as domain trusts, domain users, domain groups, and group permissions.\r\nAt this point, Bumblebee dropped the Quantum ransomware using the “Dij” command. The attacker used both DLL and EXE payloads to encrypt files.\r\nrundll32.exe CSIDL_COMMON_APPDATA\\2429189468.dll,start \\shareall  \\nolog\r\nCSIDL_COMMON_APPDATA\\2431789750.exe /shareall /NOLOG\r\nQuantum collects system information and user information using WMI. It also checks for SQL-related services and stops them if found running. Quantum also checks for some processes related to malware analysis like procmon, wireshark, cmd, task manager, and notepad, and terminates them if found running.\r\nLink 1: The AdFind connection\r\nTools used in recent Bumblebee attacks have appeared in older attacks, pre-dating Bumblebee’s appearance. In a number of attacks involving Bumblebee beginning in mid-May 2022, a version of AdFind (SHA256: b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682) was also deployed by the attackers. AdFind is a publicly available tool for querying Active Directory and has been widely used by a range of threat actors in recent years.\r\nSimilar to the previously mentioned example, malicious ISO files attached to phishing emails were the initial infection vector, with the attackers deploying legitimate ConnectWise remote desktop software (formerly known as ScreenConnect), along with Atera, another legitimate remote access tool, and Meterpreter, a Metasploit in-memory payload that provides a reverse shell to the attacker. In all cases, the attacks never reached the payload stage. However, similarities in the TTPs used in other attacks suggest that ransomware was the intended payload.\r\nThis version of AdFind used in these recent Bumblebee attacks has appeared in attacks dating back as far as June 2021, where it was being used in conjunction with Cobalt Strike to deliver the Avaddon ransomware.\r\nIn August 2021, it reappeared during an unsuccessful ransomware attack when it was used alongside a number of other legitimate software packages including AnyDesk, a publicly available remote desktop tool; Splashtop, another remote desktop tool; and 7-Zip, the publicly available archiving tool. The attack was halted before a ransomware payload could be deployed.\r\nDuring another abortive ransomware attack in May 2022, this variant of AdFind was also deployed. Again, the attackers used Atera in conjunction with Splashtop and AnyDesk. The widely used credential dumping tools Mimikatz and LaZagne were deployed, along with the NetScan network scanner. The attackers also made use of a PowerShell script named cve-2021-34527.ps1 that has previously been linked to Conti’s leaked attack playbook.\r\nThis version of AdFind also appeared in attacks involving Quantum ransomware during May 2022. The attackers also used Cobalt Strike; Ligolo, a publicly available tunneling tool created for penetration testing purposes, but which has been used by a number of espionage and ransomware actors; ProcDump for credential dumping; and Rclone, a legitimate open-source tool for managing content in the cloud that is frequently used by ransomware actors to exfiltrate data.\r\nMore recently, this same version of AdFind was used in an attack attempting to deliver the Diavol payload. The initial loader used by the attackers was not discovered, but the AdFind link with Bumblebee activity suggests it may have been used by the attackers.\r\nLink 2: adf.bat\r\nIn early June 2022, Bumblebee was used in a thwarted attack. Although the payload wasn’t deployed, the TTPs used suggested ransomware. The attackers made use of a batch script called adf.bat (SHA256: 1e7737a57552b0b32356f5e54dd84a9ae85bb3acff05ef5d52aabaa996282dfb) along with the previously mentioned version of AdFind (SHA256: b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682) and another version of AdFind (SHA256: 9d0fa4b88e5b36b8801b55508ab7bc7cda9909d639d70436e972cb3761d34eda).\r\nThis adf.bat script has been used in attacks since at least 2021. In September 2021, for example, the file was deployed in what appeared to be an attempted ransomware attack. It was used in conjunction with the previously mentioned version of AdFind (SHA256: b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682); Cobalt Strike; and PowerSploit, an exploitation framework originally developed for penetration testing.\r\nThe script was also used in another thwarted ransomware attack in November 2021, again alongside the previously mentioned version of AdFind. Once again the attackers used a number of publicly available tools, including Atera agent and Splashtop, along with Cobalt Strike. While the delivery mechanism wasn’t uncovered, some of the infrastructure used had been previously linked to infrastructure used by BazarLoader, which, along with Trickbot, was one of the primary pieces of malware used by the Miner cyber-crime group (aka Wizard Spider). Both were frequently used as part of the delivery mechanism for the group’s ransomware families: Ryuk and Conti.\r\nLink 3: find.exe/adfind.exe\r\nA third version of AdFind (SHA256: 9d0fa4b88e5b36b8801b55508ab7bc7cda9909d639d70436e972cb3761d34eda) has also been used in recent attacks involving Bumblebee. This tool has been used in ransomware attacks for at least a year.\r\nIn May 2021, it was used alongside Cobalt Strike in an attempted ransomware attack against a large electronics organization. One feature of this attack was that the attackers installed a VirtualBox VM on some compromised computers. While a VM image was not retrieved, it appeared that the ransomware payload was located on the VM and ran once the operating system was fully booted. The VM likely had access to the host computer’s files and directories (via \"SharedFolders\" set up by runner.exe), allowing it to encrypt files on the host computer. While the payload wasn’t identified, there were some links to both the Conti and Mountlocker ransomware operations.\r\nIn another May 2021 attack, it was again used in conjunction with Cobalt Strike, this time in an abortive ransomware attack against an organization in the U.S. While the payload was not deployed, some of the TTPs had links to earlier Conti attacks.\r\nAlso in May 2021, this version of AdFind was leveraged along with Cobalt Strike in an attack against an organization in Canada. In this case, the Conti ransomware was used.\r\nIncrease in use of legitimate software\r\nAside from Bumblebee’s links to a range of ransomware attacks, another commonality between many of the attacks investigated is the preponderance of legitimate software tools now being deployed during ransomware attacks. Remote desktop tools such as ConnectWise, Atera, Splashtop, and AnyDesk frequently feature in ransomware investigations, in addition to Rclone, which is now widely leveraged for data exfiltration purposes.\r\nMore recently, Symantec has seen attackers deploying the AvosLocker ransomware leverage PDQ Deploy in their attacks. PDQ Deploy is a legitimate software package that allows users to manage patching on multiple software packages in addition to deploying custom scripts. At least one affiliate of AvosLocker is now using it to execute malicious PowerShell commands on multiple computers on victims’ networks, using PowerShell Empire to deploy the AvosLocker payload.\r\nThe Bumblebee threat\r\nBumblebee’s links to a number of high-profile ransomware operations suggest that it is now at the epicenter of the cyber-crime ecosystem. Any organization that discovers a Bumblebee infection on its network should treat this incident with high priority since it could be the pathway to several dangerous ransomware threats.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\n6804cff68d9824efeb087e1d6ff3f98ed947f002626f04cf8ae7ef26b51e394b - Bumblebee\r\ndaf055e5c7f843a3dbe34c3c7b848e5bbe9c53b65df2556b4b450390154af3bb - Bumblebee\r\n7259b7a91df7c9bc78b0830808fe58c6ff66aa79bb856cf1bf50a107875b3651 - Bumblebee\r\nac20f3f9ed0c1e6b2160976a1dc4167e53fbb8c71b4824a640131acf24c71bfd - Bumblebee\r\n71f91acc6a9162b600ff5191cc22f84a2b726050a5f6d9de292a4deeea0d9803 - Bumblebee\r\nf06566e1e309123e03a6a65cdfa06ce5a95fdd276fb7fcbcb33f5560c0a3cd8c - Cobalt Strike\r\n2e349b3224cc0d958e6945623098c2d28cc8977e0d45480c0188febbf7b8aa78 - Bumblebee\r\n302a25e21eea9ab5bc12d1c5f9e5c119619e617677b307fe0e3044c19581faea - Likely Bumblebee\r\n65e205b500160cbec44911080621d25f02ad7fcfcf2c3e75ce33f6f821a808b8 - Bumblebee-related DLL\r\n905e87d8433fa58f3006ee685bb347024b46550a3ceda0777016f39e88519142 - Bumblebee-related DLL\r\n6727d493d4ecc8cca83ed8bf7af63941175decff7218e599355065ae6c9563c4 - Bumblebee-related DLL\r\nc8db63bfab805179a1297f8b70a90a043581c9260e8c97725f4920ab93c03344 - Bumblebee-related DLL\r\n261b06e30a4a9960e0b0ae173486a4e456c9bd7d188d0f1c9c109bb9e2281b59 - Bumblebee-related DLL\r\n24bf01c1a39c6fcab26173e285d226e0c2dcd8ebf86f820f2ba5339ac29086e5 - Bumblebee-related DLL\r\n86d7f7b265aae9eedb36bc6a8a3f0e8ec5fa08071e2e0d21774a9a8e3d4ed9e7 - Bumblebee-related DLL\r\n4c3d85e7c49928af0f43623dcbed474a157ef50af3cba40b7fd7ac3fe3df2f15 - Unconfirmed, possible VM detection tool\r\nb1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682 - AdFind\r\n9d0fa4b88e5b36b8801b55508ab7bc7cda9909d639d70436e972cb3761d34eda - AdFind\r\n1e7737a57552b0b32356f5e54dd84a9ae85bb3acff05ef5d52aabaa996282dfb - af.bat\r\n5a1b3f9589b468a06e9427eae6b0a855d1df6cb35ab71ddbfa05279579e9cda3 - adf.bat\r\nee5fbc193f875a2b8859229508ca79a2ffe19d8a120ae8c5ca77b1d17233d268 - wab.exe\r\n5ad4fa74e71fb4ce0a885b1efb912a00c2ce3c7b4ad251ae67e6c3a8676ede02 - wabmig.exe\r\n02ea7b9948dfc54980fd86dc40b38575c1f401a5a466e5f9fbf9ded33eb1f6a7 - wabmig.exe\r\nb722655b93bcb804802f6a20d17492f9c0f08b197b09e8cd57cf3b087ca5a347 - imagingdevices.exe\r\na60136d7377bc1ba8c161021459e9fe9f49c692bf7b397fea676211a2da4444d - Malicious MSI file\r\n86c564e9fb7e45a7b0e03dd5a6e1c72b7d7a4eb42ebe6aa2e8f8a7894bed4cb5 - VBS file\r\n1825e14e1ea19756b55b5ccec5afbb9c2dba0591403c553a83c842bb0dd14432 - ConnectWise\r\n3dea930cfb0ea48c2ce9f7a8bd98ee37e2feca5fb4da8844890fa2d4f62dd105 - Atera\r\n52f145a4ccc0f540a130bedbf04370a842daff1ee8d8361c75a8e0d21a88cf5a - Atera\r\n3b7512cfa21bd65bd5beecc8cb859ab4f7f5538f3caaf0703a68ec14389b357a - ConnectWise (update.exe)\r\n4c6a865771fdb400456b1e8bc9198134ac9d2f66f1654af42b4b8fc67ae018f2 - ConnectWise\r\nfef7d54d6c09a317d95300d10ffcc6c366dbb8f5ebf563dec13b509fff361dc1 - ConnectWise\r\n165b491e5b9e273a61c16de0f592e5047740658c7a2e3047f6bf518a17e59eca - ConnectWise\r\na8faf08997e11a53f9d38797d997c51c1a3fcf89412c3da8dcca6631c6f314a8 - ConnectWise\r\n01e22210e07708c0b9a0061d0f912041808e48bb8d59f960b545d0b9e11d42d2 - ConnectWise\r\nf5218aaa046776a12b3683c8da4945a0c4c0934e54802640a15152d9dae15d43 - ConnectWise\r\nbc41569c4c9b61f526c78f55993203806d09bb8c3b09dbbeaded61cd1dc2fcc2 - caexec.exe (likely similar to PAExec)\r\n29767c912919cb38903f12c7f41cdd1c5f39fccb9641302c97b981e4b5e31ee5 - vSphere PowerCLI component\r\n911c152d4e37f55bd1544794cc324364b6f03aff118cdf328127355ccc25282a - vSphere PowerCLI component\r\nf5cd44f1d72ef8fc734c76ca62879e1f1cb4c0603cfdc0b85b5ad6ad8326f503 - vSphere PowerCLI component\r\n0650722822e984da41d77b90fbd445f28e96a90af87043581896465c06ed1e44 - ConnectWise\r\nf01a3f2186e77251acfac9d53122a1579182bde65e694487b292a8e09cf8d465 - Cobalt Strike\r\n290b698d41525c4c74836ca934c0169a989a5eafde7208d90300a17a3f5bd408 - Ransom.Quantum\r\n3d41a002c09448d74070a7eb7c44d49da68b2790b17337686d6dd018012db89d - Ransom.Quantum\r\n51.68.146.200 - AS16276 OVH SAS\r\n154.56.0.221 - AS60602 Inovare-Prim SRL\r\n3.85.198.66 - AS14618 AMAZON-AES\r\n3.144.143.242 - AS16509 AMAZON-02\r\nadaptivenet[.]hostedrmm[.]com\r\nhxxp://127.0.0[.]1:[high-ephemeral-port]/\r\nhxxps://ec2-3-144-143-242.us-east-2.compute.amazonaws[.]com\r\nhxxps://ec2-3-85-198-66[.]compute-1.amazonaws[.]com\r\nadaptivenet[.]hostedrmm[.]com / 52.53.233.237 - AS16509 AMAZON-02\r\nhxxp://adaptivenet[.]hostedrmm[.]com/LabTech/Updates/LabtechUpdate_220.124.zip\r\nhxxp://adaptivenet[.]hostedrmm[.]com/LabTech/Updates/LabtechUpdate_220.77.zip\r\nhxxp://adaptivenet[.]hostedrmm[.]com/LabTech/transfer/tools/caexec.exe\r\nhxxp://adaptivenet[.]hostedrmm[.]com/LabTech/Deployment.aspx?Probe=79EA559BB87BF3C8403C40586993D4AC\u0026ID=660\r\nURLs containing URI string \"/LabTech/\"\r\n45.153.243.93 - Bumblebee C\u0026C\r\nProtection\r\nSymantec Endpoint Protection (SEP) protects against ransomware attacks using multiple static and dynamic technologies.\r\nAV-Protection\r\nBackdoor.Cobalt!gm1\r\nBackdoor.Cobalt!gm5\r\nRansom.Quantum\r\nRansom.Quantum!gm1\r\nTrojan Horse\r\nTrojan.Bumblebee\r\nTrojan.Bumblebee!g1\r\nTrojan.Gen.2\r\nTrojan.Gen.9\r\nTrojan.Gen.MBT\r\nBehavior Protection\r\nSONAR.SuspLoad!g12\r\nSONAR.Module!gen3\r\nSONAR.WMIC!gen13\r\nSONAR.WMIC!gen10\r\nSONAR.RansomGen!gen1\r\nSONAR.Ransomware!g13\r\nSONAR.RansomQuantm!g1\r\nSONAR.Dropper\r\nSONAR.Ransomware!g1\r\nSONAR.Ransomware!g3\r\nSONAR.Ransomware!g7\r\nIntrusion Prevention System Protection\r\n28589: Attack: Meterpreter Reverse HTTPS\r\nSystem Infected: Trojan.Backdoor Activity 373\r\n32721: Audit: ADFind Tool Activity\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime"
	],
	"report_names": [
		"bumblebee-loader-cybercrime"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434504,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b5d6cd83682ca52388a3b686512bbd3e67c8df5.pdf",
		"text": "https://archive.orkl.eu/9b5d6cd83682ca52388a3b686512bbd3e67c8df5.txt",
		"img": "https://archive.orkl.eu/9b5d6cd83682ca52388a3b686512bbd3e67c8df5.jpg"
	}
}