{
	"id": "ba761a80-f954-47ea-a656-06c13b222610",
	"created_at": "2026-04-06T02:11:48.150533Z",
	"updated_at": "2026-04-10T13:11:40.979616Z",
	"deleted_at": null,
	"sha1_hash": "b5a337c61100747a0e213d9d87284c00ac457b5c",
	"title": "Unveiling Phemedrone Stealer: Threat Analysis and Detections | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3849559,
	"plain_text": "Unveiling Phemedrone Stealer: Threat Analysis and Detections |\r\nSplunk\r\nBy Splunk Threat Research Team, Teoderick Contreras\r\nPublished: 2024-02-27 · Archived: 2026-04-06 01:37:16 UTC\r\nRecently, the cybersecurity world has been abuzz with discussions about Phemedrone, a newly emerged stealer\r\nexploiting the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen. The project was\r\nmost recently available on GitHub; however, it was taken down, and the associated account was\r\nremoved. Active development still occurs via Telegram.\r\nPhemedrone distinguishes itself as a sophisticated stealer, adept at extracting sensitive data from platforms such as\r\nSteam and Discord, retrieving browser data (particularly from Chrome) and extracting details from various\r\ncryptocurrency wallets. Its proficiency in evading traditional defense mechanisms and its organized approach to\r\ndata collection and exfiltration underscore its significance as a noteworthy stealer.\r\nIn the following blog, the Splunk Threat Research Team will dissect the Phemedrone Stealer. We'll explore the\r\nstealer's configuration settings and its associated tactics and techniques, including those it uses for data harvesting\r\nand evading detection. Additionally, we'll highlight the indicators and detection opportunities our team has identified,\r\noffering insights into the stealer's operational patterns.\r\nPhemedrone Stealer's Configuration Settings\r\nPhemedrone Stealer, like other .NET Trojan Stealers, employs configuration settings stored within its .cctor class,\r\ninitialized first and utilized throughout its codebase. 
To extract these settings, the Splunk Threat Research Team\r\nwrote a Python script, phemdrone_extractor_s.py, tailored to extract configuration data from this malware strain.\r\nWe also extracted 150+ Phemedrone malware configuration settings to identify common tags that might be\r\nrelated to its campaign, the common C2 framework it uses, the files it tries to collect, and more. Below is a short\r\ndemo and presentation of this tool.\r\nhttps://www.splunk.com/en_us/blog/security/unveiling-phemedrone-stealer-threat-analysis-and-detections.html\r\nPage 1 of 14\n\nFigure 1: configuration extraction\r\nAfter ingesting the extracted JSON-formatted configuration settings and creating a simple Splunk dashboard, our\r\nanalysis revealed that the most common tag among the extracted samples is \"default.\" Additionally, we observed\r\nthat the primary command and control (C2) framework identified across our dataset is Telegram.\r\nFigure 2.1: Phemedrone Tag Statistic\r\nIn addition to the configuration settings, the malware targets various file types on the compromised host, including\r\n.txt files, Windows documents, PDFs, DAT files, KeePass databases, images, and more. This comprehensive\r\napproach indicates the malware's ability to harvest a wide range of sensitive data formats from the victim's system.\r\nFigure 2.2: Phemedrone File Collection Statistic\r\nPhemedrone Stealer’s Tactics and Techniques\r\nDefense Evasion\r\nThis .NET Compiled Trojan Stealer employs a series of defense evasion techniques upon execution, tailored to its\r\nconfiguration settings. 
The Phemedrone Trojan Stealer employs a mutex check to ensure that only one instance runs and\r\nincorporates three distinct methods to circumvent analysis or sandbox environments.\r\nThe initial technique involves a Virtual Machine Check, achieved through the execution of a WMI command:\r\nSELECT * FROM Win32_VideoController\r\nIt retrieves the \"Name\" field and checks if it matches any recognized virtual machine identifiers, including\r\n\"Virtualbox,\" \"Vbox,\" \"VMware Virtual,\" \"VMware,\" and \"Hyper-V Video.\" Upon detecting a match with any of\r\nthese names, the process execution is promptly terminated.\r\nFigure 3: Virtual Machine Check\r\nSimilarly, if the “InstalledInputLanguages” of the compromised host's operating system matches any of the\r\nlanguages associated with the Commonwealth of Independent States (CIS), as indicated in Figure 4, the process\r\nwill be terminated.\r\nFigure 4: is CIS\r\nLastly, if the \"wireshark\" and \"httpdebbugerui\" processes are running on the compromised host, the process\r\nexecution will be terminated.\r\nSystem Information Discovery\r\nAfter executing its defense evasion function, Phemedrone Stealer dynamically prepares a MemoryStream\r\nthat is used for transferring all system information and collected data from the compromised\r\nhost back to its server side.\r\nFigure 5 illustrates the system information targeted for collection, which will subsequently be sent to its C2 server.\r\nFigure 5: System Information\r\nThe majority of this information collection relies on executing WMI commands or parsing the registry, as 
detailed\r\nin the table below.\r\nFigure 6 displays the formatted \"information.txt\" data that was transmitted to the C2 panel server during our\r\ntesting and analysis conducted in the Splunk Attack Range.\r\nFigure 6: Information.txt\r\nData Collection Tactics\r\nDiscord and Steam\r\nSimilar to other Trojan Stealers, Phemedrone Stealer targets sensitive information associated with the Steam\r\napplication. Steam, developed by Valve Corporation, serves as a digital platform predominantly utilized for\r\npurchasing, downloading, and engaging in video games.\r\nThis particular Trojan Stealer employs various tactics to gather Steam account data and activities. It begins by\r\nquerying the registry key \"HKEY_CURRENT_USER\\Software\\Valve\\Steam,\" which contains crucial configuration\r\nand user data pertaining to the Steam client. This data can encompass login credentials, game library details,\r\nsettings, and more.\r\nFurthermore, this malware attempts to harvest files with specific substrings in their names, such as \"ssfn\" and\r\n\"\\config\\*.vdf.\" These files, once located, are read and streamed into memory for subsequent transmission to the\r\nC2 server. Among these files are configurations vital for Steam's operation, including user preferences, game\r\nsettings, and potentially sensitive account-related information.\r\nFigure 7: Steam Information Collection\r\nThis malware also endeavors to harvest and decrypt Discord database files typically situated in the Discord\r\ndirectory \"\\discord\\Local Storage\" or \"\\Discord\\Local State.\" These files contain valuable information like\r\nusernames and passwords, which the malware seeks to steal for malicious purposes.\r\nBrowser Information\r\nThis malware is equipped with a class tailored to extract sensitive data from web browsers, particularly Chrome or\r\nChromium. 
It begins by locating two critical files from the Chrome profile:\r\n\"%userprofile%\\Appdata\\Local\\Google\\Chrome\\User data\\Local State\" and\r\n\"%userprofile%\\Appdata\\Local\\Google\\Chrome\\User data\\Default\\Login Data\". Subsequently, it parses the\r\n\"Local State\" file to acquire the encoded and encrypted master key necessary for decrypting the stored passwords\r\nwithin the \"Login Data\" file. The master key undergoes Base64 encoding and is then encrypted using the\r\nWindows CryptProtectData() API.\r\nThis technique has been observed in various Trojan Stealers, including the Amadey malware, which has been\r\nanalyzed by the Splunk Threat Research Team in our blog.\r\nFigure 7: Decrypt Chrome Database\r\nIn addition to decrypting Chrome credentials and potentially extracting credit card information, this malware also\r\ntargets specific Chrome browser extensions associated with second-factor authentication, cryptocurrency management,\r\nand password management. These extensions may contain sensitive data crucial for securing accounts, managing\r\ndigital assets, and storing passwords. The table below lists the targeted Chrome extensions it attempts to collect\r\ninformation from and send back to its C2 server.\r\nDuring our testing, we installed certain targeted Chrome extensions within the Splunk Attack Range environment\r\nand populated them with dummy autofill credentials. This allowed us to observe how the Phemedrone Stealer\r\nparses this information. By configuring the C2 panel and executing the client-side Phemedrone stealer, we\r\nreceived two files: \"password.txt\" and \"Cookies_Chrome[Default].txt\". 
These files contain the extracted\r\nusernames and passwords from the Chrome database, as well as information pertaining to all installed targeted\r\nChrome extensions.\r\nFigure 8.1: Password.txt\r\nFigure 8.2: Cookies_Chrome[Default].txt\r\nScreenshots\r\nPhemedrone Stealer has a screenshot capability, allowing it to discreetly capture images of the victim's screen and\r\nsend them to its C2 server as “screenshot.png”. This functionality enables this malware to gather visual\r\ninformation from the infected device, potentially revealing sensitive data or user activities.\r\nFigure 9: Phemedrone Stealer Screenshot Function\r\nCrypto Wallets\r\nIn addition to the capabilities mentioned in the previous sub-headings, Phemedrone Stealer targets sensitive data and\r\nfiles associated with various cryptocurrency wallets, including Armory, Atomic, Bytecoin, Coinomi, Jaxx, Electrum,\r\nExodus, and Guarda. For instance, it attempts to extract data from specific directories such as\r\n\"atomic\\Local Storage\\leveldb\" for the Atomic wallet and \"Coinomi\\Coinomi\\wallets\" for the Coinomi wallet, among\r\nothers. These database files are typically used by cryptocurrency wallets to store various kinds of data, including\r\ntransaction records, account information, and cryptographic keys.\r\nFigure 10: Phemedrone Stealer Targeted Crypto Wallet\r\nCommand and Control\r\nOnce Phemedrone Stealer has gathered and formatted all desired data and sensitive information, such as\r\ninformation.txt and password.txt, it proceeds to archive it into a zip file. 
The archive is named following a specific\r\nformat:\r\n\u003cip-address\u003e-\u003cactive-user\u003e-Phemedrone-Report.zip\r\nThis systematic naming convention aids in organizing and identifying the archived data.\r\nFigure 11: Phemedrone Stealer Archiving Stolen Data\r\nOn the C2 server, we can observe how Phemedrone Stealer formats the stolen files from the compromised host.\r\nFigure 12 displays the file tree of the .zip archive received by the server from the Phemedrone Stealer client agent.\r\nThis visualization illustrates the organized structure of the stolen data, aiding in analysis and understanding of the\r\ncompromised system's contents.\r\nFigure 12: report.zip file tree\r\nIndicators and Detection Opportunities\r\nAtomic Indicators\r\nWhile researching Phemedrone, we were able to capture many publicly available hashes that we’d like to share\r\nwith the community here.\r\nSplunk Security Content\r\nThe Splunk Threat Research Team has created relevant detections and tagged them to the Phemedrone Stealer\r\nAnalytic Story to help security analysts detect adversaries leveraging the Phemedrone malware.\r\nFor these analytic stories, we used and considered relevant endpoint telemetry data sources such as:\r\nProcess Execution \u0026 Command Line Logging\r\nWindows Security SACL Event ID, Sysmon, or any Common Information Model-compliant EDR\r\ntechnology\r\nWindows Security Event Log\r\nWindows System Event Log\r\nWindows PowerShell Script Block Logging\r\nOverall, the Phemedrone Stealer analytic story introduces 13 detections across MITRE ATT\u0026CK techniques.\r\nOne example is Suspicious Process DNS Query Known Abuse Web Services, an analytic that detects a suspicious\r\nprocess making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital\r\ndistribution platforms used to download external 
files. This technique is abused by adversaries, malware actors,\r\nand red teams to download a malicious file or serve as a C2 server.\r\n`sysmon` EventCode=22 QueryName IN (\"*pastebin*\", \"*discord*\",\r\n\"*api.telegram*\",\"*t.me*\")\r\n process_name IN (\"cmd.exe\", \"*powershell*\", \"pwsh.exe\",\r\n\"wscript.exe\",\"cscript.exe\") OR Image IN (\"*\\\\users\\\\public\\\\*\",\r\n\"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\",\r\n\"*\\\\perflogs\\\\*\")\r\n | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name Query\r\n | rename Computer as dest\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `suspicious_process_dns_query_known_abuse_web_services_filter`\r\nFigure 12: telegram DNS access\r\nPlaybooks\r\nNon-hunting detections associated with this analytic story create entries by default in Splunk Enterprise Security’s\r\nrisk index, which can be used seamlessly with risk notables and playbooks in the Risk Notable Playbook Pack and\r\nthe Automated Enrichment Playbook Pack for Splunk SOAR.\r\nWhy Should You Care?\r\nBy understanding Phemedrone Trojan Stealer behaviors, the Splunk Threat Research Team was able to generate\r\ntelemetry and datasets to develop and test Splunk detections to help defend against and respond to this threat.\r\nSecurity analysts, blue teamers and Splunk customers can use the insights and detections described in this blog to\r\ndiscover Phemedrone tactics, techniques and procedures potentially being used by threat actors and adversaries in\r\ntheir environments.\r\nEarly detection of Phemedrone activities enables prompt containment and remediation, mitigating potential\r\ndamage and preventing further propagation. 
Collaborative sharing of threat intelligence across security\r\ncommunities is crucial to enhance collective defense strategies. Continuous monitoring, alongside updated\r\ndefense mechanisms, is essential to keep pace with Phemedrone's evolving tactics and ensure robust protection\r\nagainst its threats.\r\nLearn More\r\nYou can find the latest content about security analytic stories on GitHub and in the Splunk ES Content Update\r\napp. Splunk Security Essentials also has all these detections now available via push update.\r\nFor a full list of security content, check out the release notes on Splunk Docs.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the\r\nSlack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on\r\nSlack.\r\nContributors\r\nWe would like to thank Teoderick Contreras and Michael Haag for authoring this post and the entire Splunk\r\nThreat Research Team for their contributions: Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto, Eric\r\nMcGinnis, Jose Hernandez and Patrick Bareiss.\r\nSource: https://www.splunk.com/en_us/blog/security/unveiling-phemedrone-stealer-threat-analysis-and-detections.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/unveiling-phemedrone-stealer-threat-analysis-and-detections.html"
	],
	"report_names": [
		"unveiling-phemedrone-stealer-threat-analysis-and-detections.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441508,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5a337c61100747a0e213d9d87284c00ac457b5c.pdf",
		"text": "https://archive.orkl.eu/b5a337c61100747a0e213d9d87284c00ac457b5c.txt",
		"img": "https://archive.orkl.eu/b5a337c61100747a0e213d9d87284c00ac457b5c.jpg"
	}
}