{
	"id": "ab1f9074-a630-4eb2-95eb-887d63e62dab",
	"created_at": "2026-04-06T00:11:29.9377Z",
	"updated_at": "2026-04-10T03:21:29.074572Z",
	"deleted_at": null,
	"sha1_hash": "e4220c66f8024651f9b88256da7afaf00f627d5c",
	"title": "Born This Way? Origins of LockerGoga",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 226975,
	"plain_text": "Born This Way? Origins of LockerGoga\r\nBy Mike Harbison\r\nPublished: 2019-03-26 · Archived: 2026-04-05 17:57:34 UTC\r\nThis Unit 42 blog provides insights into the ransomware attacks referred to as LockerGoga.\r\nThe LockerGoga ransomware was first publicly reported in January by Bleeping Computer, which tied the\r\nmalware to an attack against French engineering company Altran Technologies. Several variants have since been\r\nfound in the wild, where they were used in attacks against Norwegian aluminum manufacturer Norsk Hydro and\r\ntwo chemical companies: Hexion and Momentive. Unit 42 reviewed malware samples from these attacks and\r\nfound evidence that caused us to question the origin of the threat name.  “LockerGoga” was taken from a string\r\nthat did not exist anywhere in the code used in the original attack on Altran.  Bleeping Computer reported that the\r\nname came from this source code path discovered by MalwareHunterTeam:\r\nX:\\work\\Projects\\LockerGoga\\cl-src-last\\cryptopp\\src\\rijndael_simd.cpp for SHA256\r\nbdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f\r\nWe were able to find this string referenced in earlier ransomware variants identified as Ransom.GoGalocker by\r\nSymantec, but not in the sample identified in Bleeping Computer’s report. To avoid confusion, we will continue to\r\nuse the LockerGoga name to reference the initial variant and its predecessors. Palo Alto Networks has identified 31\r\nransomware samples that are similar in behavior and code to the initial variant. In this report we will attempt to\r\ntrace back to the origin of these samples, discuss their evolution, then expose some of their inner working\r\ncapabilities and even faults.\r\nFirst LockerGoga Sample\r\nThe earliest known sample of LockerGoga (SHA256:\r\nbdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f) we found was submitted to\r\nVirusTotal on January 24. We believe this sample was used in the attack on Altran.  
We do not know how the\r\nransomware infected Altran’s networks or propagated once there.\r\nPropagation\r\nCurrently LockerGoga does not support any worm-like capabilities that would allow it to self-propagate by\r\ninfecting additional hosts on a target network.  We have observed LockerGoga moving around a network via the\r\nserver message block (SMB) protocol, which indicates the actors simply manually copy files from computer to\r\ncomputer.\r\nLockerGoga Characteristics\r\nhttps://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/\r\nPage 1 of 10\n\nThis sample requires administrative privileges in order to successfully execute, though the specific mechanism for\r\ninitial code execution is unknown.  Once it executes it seeks to encrypt files on the infected computer and any\r\nattached hard drives.  Once it’s fully executed, it leaves a ransom note on the user’s desktop containing an email\r\naddress to contact presumably for decryption and payment options.\r\nThe initial sample was written in the C++ programming language and employs publicly available libraries such as\r\nBoost, Cryptopp and regex.  This sample includes a denylist that excludes the following files and directories from\r\nencryption:\r\nreadme-now.txt\r\nfiles starting with ntsuser or usrclass\r\nFile extensions: .dll, .lnk, .sys, .locked\r\nMicrosoft\\Windows\\burn\r\ndat\r\nlog\r\nThe malware does not support any self-propagating code to infect other hosts on the network and is signed by a\r\ncertificate issued in the name MIKL LIMITED, which has been revoked.  The following command line arguments\r\nare also supported:\r\nCommand Line Description\r\n-w Work:  This is the default command line parameter and encrypts all files on the host.  It also\r\nwipes all free space by creating the following file c:\\wipe and filling it with random data the\r\nsize of the free space available on the drive.  The file is then deleted.  
This parameter can also\r\nbe used to encrypt a single file i.e. -w filename.exe\r\n-r Dry Run:  Does not encrypt any files on the host.\r\n-l Log:  Creates a log file off the root drive named cl.log.\r\n-f File:  Used to encrypt a single file.\r\nTable 1. Supported command line arguments\r\nEncryption\r\nLockerGoga uses the Cryptopp library to implement RSA, as implementing RSA from scratch would be very time\r\nconsuming and error prone.  To encrypt files, (Strong RSA) RSA-OAEP MGF1(SHA-1) is used.  The RSA public\r\nkey found in this sample is:\r\nTable 2. RSA Public key found in initial LockerGoga sample\r\nAlthough RSA-OAEP MGF1 has features that make it more secure, the added computational overhead causes\r\nencryption to take longer and has difficulty handling large files.  To mitigate this, the developers launch multiple\r\nchild processes that work in parallel to maximize encryption speed.  To overcome large files, the developers\r\ndecided to encrypt chunks of a file every 80,000 bytes and skip the next 80,000 bytes of a file.  Example:\r\nFigure 1. Data encrypted in 80,000 byte chunks\r\nBecause of this, partial recovery of large files might be possible even without the decryption key.\r\nAlthough the developers attempt to use a denylist of files and directories to skip, it was observed encrypting core\r\nWindows operating system files, which caused the operating system to become unstable and crash. This was\r\nobserved when running the ransomware on a Windows 2012 machine.\r\nEarly Development\r\nBased on our analysis, we believe this variant is an early release of LockerGoga ransomware. The developers left\r\nbehind command line parameters such as -r which allows the malware to run without encrypting anything.  This\r\ncan be used in conjunction with -l (log) to test how the ransomware behaves.  Both of these parameters are\r\nsuggestive of an initial, or test, build.  The -r specifically was not observed in later variants.\r\nAccording to the Bleeping Computer report, the ransomware appeared to encrypt only the following specific file\r\nextensions: doc|dot|wbk|docx|dotx|docb|xlm|xlsx|xltx|xlsb|xlw|ppt|pot|pps|pptx|potx|ppsx|sldx|pdf.\r\nOur analysis found that the malware does not use the code block that checks for specific file extensions.  Instead,\r\nwe observed that the malware encrypts all files except those in the denylist. 
It also has issues with large files,\r\nwhich is addressed in later variants.\r\nDevelopment Cycle\r\nLike other active software projects, the LockerGoga ransomware is under constant development with new variants\r\nbeing developed and used to attack victims.  All these variants share similar characteristics and just like other\r\nprofessional development, each release contains improvements or new capabilities.\r\nTo counter this ongoing development cycle, security researchers have to focus on identifying new variants.\r\nTo that end, we highlight some of the evolutionary changes we have observed since the malware surfaced in\r\nJanuary:\r\nDropped the -r and -f command line arguments\r\nLog file renamed from cl.log to .log\r\nRansomware note is no longer encoded in the binary\r\nRansomware note renamed from README_NOW.txt to README_LOCKED.TXT\r\nAdded the following command line parameters:\r\nParameter Description\r\n-i Inter process communication (IPC)\r\n-s Slave (child process)\r\n-m Master Process\r\nBegan using mutexes (example: SM-zzbdrimp) to identify processes for inter-process communication.\r\nStopped using svch0st[numeric value].exe as a process name and began using distinct hard-coded names\r\nfor each sample.\r\nUses undocumented Windows API calls (for example NtQuerySection)\r\nChanges administrator password to HuHuHUHoHo283283@dJD\r\nStopped creating a wipe file to erase free space and instead uses Windows cipher.exe with command\r\nparameter /w to wipe free space on the host\r\nAdded importation of WS2_32.dll, possibly to support network communications\r\nChanged the format and collection of data recorded in the log file\r\nUpdated encryption of files and directories. 
No longer encrypts all files on the host: instead targets specific\r\nfile extensions and directories\r\nCalls into Windows Restart Manager session for possible token elevation to overwrite trusted installer files\r\nUses the following digital signers:\r\nALISA LTD\r\nKITTY'S LTD\r\nMIKL LIMITED\r\nLogs off the current user\r\nThe inclusion of the word “Goga” in the binary and encrypted files\r\nConclusion\r\nLockerGoga’s developers continue to add capabilities and launch new attacks.  The addition of WS2_32.dll and\r\nuse of undocumented Windows API calls indicate a level of sophistication beyond typical ransomware authors.\r\nThe former could lead to the eventual inclusion of C2 communication or automated propagation, and the latter\r\nrequires some working knowledge of Windows internals.\r\nThese features raise more questions about the actor’s intent as ransomware is typically one of the least advanced\r\nforms of malware:  Are they motivated by profits or something else? Has the motive changed over time?  Why\r\nwould developers put such effort into their work only to partially encrypt files? Why do they include an email\r\naddress and not seek payment through more frequently used cryptocurrencies?\r\nWe do not know if any of the victims have paid the ransom and were able to successfully retrieve their data. We\r\ndo know that this ransomware has caused significant harm. The damage could increase significantly if the\r\nattackers continue to refine this ransomware. Unit 42 will continue to monitor LockerGoga and report on new\r\nactivity.\r\nWildFire properly identifies all of the malware samples listed in this report as malicious. Traps prevents execution\r\nof LockerGoga samples and AutoFocus customers can view LockerGoga samples using the LockerGoga tag.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report\r\nwith our fellow Cyber Threat Alliance members. 
CTA members use this intelligence to rapidly deploy protections\r\nto their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat\r\nAlliance, visit www.cyberthreatalliance.org.\r\nIndicators of Compromise\r\nLockerGoga Samples\r\nAppendix\r\nThe latest variant of LockerGoga uses memory mapped files to communicate between processes.  To illustrate\r\nthis, we captured the memory of a section created by a child process.\r\n00000000   02 00 00 00 00 00 00 00  00 00 00 00 01 00 00 00                  \r\n00000016   D0 02 01 00 CC 02 01 00  C8 02 01 00 30 00 00 00   Ð   Ì   È   0  \r\n00000032   80 02 01 00 F8 FF 0F 00  00 00 00 00 00 00 00 00   €   øÿ         \r\n00000048   FF FF FF FF 00 00 00 00  01 00 00 00 24 00 00 00   ÿÿÿÿ        $  \r\n00000064   20 00 00 00 1C 00 00 00  00 00 00 00 01 00 00 00                  \r\n00000080   FC FF FF FF F8 FF FF FF  F4 FF 01 00 0B 20 00 C0   üÿÿÿøÿÿÿôÿ     À\r\n00000096   DE FF FF FF 01 00 00 00  01 00 00 00 38 00 01 00   Þÿÿÿ        8  \r\n00000112   01 00 04 21 10 01 00 00  00 00 00 00 00 7A 70 63      !         
zpc\r\n00000128   55 48 4A 76 5A 33 4A 68  62 53 42 47 61 57 78 6C   UHJvZ3JhbSBGaWxl\r\n00000144   63 31 78 57 54 58 64 68  63 6D 56 63 56 6B 31 33   c1xWTXdhcmVcVk13\r\n00000160   59 58 4A 6C 49 46 52 76  62 32 78 7A 58 47 64 73   YXJlIFRvb2xzXGds\r\n00000176   61 57 49 74 4D 69 34 77  4C 6D 52 73 62 41 3D 3D   aWItMi4wLmRsbA==\r\n00000192   64 48 42 6A 63 48 4D 75  5A 47 78 73 63 6D 56 7A   dHBjcHMuZGxscmVz\r\n00000208   65 43 35 6B 62 47 77 75  62 58 56 70 4E 46 39 66   eC5kbGwubXVpNF9f\r\n00000224   4F 48 64 6C 61 33 6C 69  4D 32 51 34 59 6D 4A 33   OHdla3liM2Q4YmJ3\r\n00000240   5A 54 68 68 5A 44 46 68  4E 7A 51 77 4C 54 52 68   ZThhZDFhNzQwLTRh\r\n00000256   4E 32 59 74 4E 47 45 78  59 53 30 35 4F 54 45 78   N2YtNGExYS05OTEx\r\n00000272   4C 54 51 79 4D 57 51 30  4D 6A 49 34 4D 7A 52 6C   LTQyMWQ0MjI4MzRl\r\n00000288   5A 46 78 42 63 33 4E 6C  64 48 4E 63 55 6D 56 7A   ZFxBc3NldHNcUmVz\r\n00000304   62 33 56 79 59 32 56 7A  58 46 4A 6C 63 58 56 70   b3VyY2VzXFJlcXVp\r\n00000320   63 6D 56 6B 55 48 4A 70  62 6E 52 44 59 58 42 68   cmVkUHJpbnRDYXBh\r\n00000336   59 6D 6C 73 61 58 52 70  5A 58 4D 75 65 47 31 73   YmlsaXRpZXMueG1s\r\n00000352   65 6D 55 74 4E 44 68 66  59 57 78 30 5A 6D 39 79   emUtNDhfYWx0Zm9y\r\n00000368   62 53 31 31 62 6E 42 73  59 58 52 6C 5A 43 35 77   bS11bnBsYXRlZC5w\r\n00000384   62 6D 63 3D 62 53 31 31  62 6E 42 73 59 58 52 6C   bmc=bS11bnBsYXRl\r\n00000400   5A 43 35 77 62 6D 63 3D  00 00 00 00 00 00 00 00   ZC5wbmc=       \r\nTable 3. Child process mapped file\r\nThe 1st byte (02) instructs the master process to process the data below. 
The data is base64 encoded in three parts\r\nand decodes to the following:\r\nPart 1:\r\nUnknown value\r\nPart 2:\r\ntpcps.dllresx.dll.mui4__8wekyb3d8bbwe8ad1a740-4a7f-4a1a-9911-\r\n421d422834ed\\Assets\\Resources\\RequiredPrintCapabilities.xmlze-48_altform-unplated.png\r\nPart 3:\r\nm-unplated.png\r\nExample of initial variant of LockerGoga running on a host:\r\nFigure  2. Initial LockerGoga running\r\nInitial LockerGoga Ransom Note:\r\nGreetings!\r\nThere was a significant flaw in the security system of your company.\r\nYou should be thankful that the flaw was exploited by serious people and not some rookies.\r\nThey would have damaged all of your data by mistake or for fun.\r\nYour files are encrypted with the strongest military algorithms RSA4096 and AES-256.\r\nWithout our special decoder it is impossible to restore the data.\r\nAttempts to restore your data with third party software as Photorec, RannohDecryptor etc.\r\nwill lead to irreversible destruction of your data.\r\nTo confirm our honest intentions.\r\nSend us 2-3 different random files and you will get them decrypted.\r\nIt can be from different computers on your network to be sure that our decoder decrypts everything.\r\nSample files we unlock for free (files should not be related to any kind of backups).\r\nWe exclusively have decryption software for your situation\r\nDO NOT RESET OR SHUTDOWN - files may be damaged.\r\nDO NOT RENAME the encrypted files.\r\nDO NOT MOVE the encrypted files.\r\nThis may lead to the impossibility of recovery of the certain files.\r\nTo get information on the price of the decoder contact us at:\r\nCottleAkela@protonmail.com;QyavauZehyco1994@o2.pl\r\nThe payment has to be made in Bitcoins.\r\nThe final price depends on how fast you contact us.\r\nAs soon as we receive the payment you will get the decryption tool and\r\ninstructions on how to improve your systems security\r\nFigure 
3. Initial LockerGoga ransom note\r\nLatest LockerGoga Ransom Note:\r\nGreetings!\r\nThere was a significant flaw in the security system of your company.\r\nYou should be thankful that the flaw was exploited by serious people and not some rookies.\r\nThey would have damaged all of your data by mistake or for fun.\r\nYour files are encrypted with the strongest military algorithms RSA4096 and AES-256.\r\nWithout our special decoder it is impossible to restore the data.\r\nAttempts to restore your data with third party software as Photorec, RannohDecryptor etc.\r\nwill lead to irreversible destruction of your data.\r\nTo confirm our honest intentions.\r\nSend us 2-3 different random files and you will get them decrypted.\r\nIt can be from different computers on your network to be sure that our decoder decrypts everything.\r\nSample files we unlock for free (files should not be related to any kind of backups).\r\nWe exclusively have decryption software for your situation\r\nDO NOT RESET OR SHUTDOWN - files may be damaged.\r\nDO NOT RENAME the encrypted files.\r\nDO NOT MOVE the encrypted files.\r\nThis may lead to the impossibility of recovery of the certain files.\r\nThe payment has to be made in Bitcoins.\r\nThe final price depends on how fast you contact us.\r\nAs soon as we receive the payment you will get the decryption tool and\r\ninstructions on how to improve your systems security\r\nTo get information on the price of the decoder contact us at:\r\nMayarChenot@protonmail.com\r\nQicifomuEjijika@o2.pl\r\nFigure 4. Latest LockerGoga ransom note\r\nSource: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/"
	],
	"report_names": [
		"born-this-way-origins-of-lockergoga"
	],
	"threat_actors": [],
	"ts_created_at": 1775434289,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4220c66f8024651f9b88256da7afaf00f627d5c.pdf",
		"text": "https://archive.orkl.eu/e4220c66f8024651f9b88256da7afaf00f627d5c.txt",
		"img": "https://archive.orkl.eu/e4220c66f8024651f9b88256da7afaf00f627d5c.jpg"
	}
}