{
	"id": "cb64369b-e090-4598-804b-15165e66f9df",
	"created_at": "2026-04-06T00:11:09.97283Z",
	"updated_at": "2026-04-10T03:32:21.203705Z",
	"deleted_at": null,
	"sha1_hash": "e5da7bcfbc463031d214d9fb40b16eef7bf5ca2a",
	"title": "Winnti. More than just a game",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 534507,
	"plain_text": "Winnti. More than just a game\r\nBy GReAT\r\nPublished: 2013-04-11 · Archived: 2026-04-02 12:12:37 UTC\r\nKaspersky Lab began this ongoing research in the autumn of 2011. The subject is a series of targeted attacks against private companies around the world.\r\nIn the course of our research we uncovered the activity of a hacking group which has Chinese origins. This group was named “Winnti”.\r\nAccording to our estimations, this group has been active for several years and specializes in cyberattacks against the online video game industry. The group’s main objective is to steal source codes for online game projects as well as the digital certificates of legitimate software vendors. In addition, they are very interested in how network infrastructure (including the production of gaming servers) is set up, and new developments such as conceptual ideas, design and more.\r\nWe weren’t the first to focus on this group and investigate their attacks. In 2010 US-based HBGary investigated an information security incident related to the Winnti group at one of HBGary’s customers – an American video game company.\r\nIn the Beginning Was …\r\nIn the autumn of 2011, a Trojan was detected on a huge number of computers – all of them linked by the fact that they were used by players of a popular online game. It emerged that the piece of malware landed on users’ computers as part of a regular update from the game’s official update server. Some even suspected that the publisher itself was spying on players. However, it later became clear that the malicious program ended up on the users’ computers by mistake: the cybercriminals were in fact targeting the companies that develop and release computer games.\r\nThe computer game publisher whose servers spread the Trojan asked Kaspersky Lab to analyze the malicious program that was found on its update server. It turned out to be a DLL library compiled for a 64-bit Windows environment and even had a properly signed malicious driver.\r\nThe malicious DLL landed on gamers’ computers running under either 32-bit or 64-bit operating systems. It couldn’t start in 32-bit environments, but it could, under certain conditions, launch without the user’s knowledge or consent in 64-bit environments, though no such accidental launches have been detected.\r\nThe DLL contained a backdoor payload, or, to be exact, the functionality of a fully-fledged Remote Administration Tool (RAT), which gave cybercriminals the ability to control the victim computer without the user’s knowledge.\r\nhttps://securelist.com/winnti-more-than-just-a-game/37029/\r\nPage 1 of 11\n\nThe malicious module was the first Trojan application for the 64-bit version of Microsoft Windows with a valid digital signature that we had seen. We had seen similar cases before, but all previous incidents where digital signatures were abused affected only 32-bit applications.\r\nAt an early stage of our research, we identified a fair number of similar backdoors, both 32-bit and 64-bit, in our collection of malware samples that were detected under various verdicts. We grouped them together into a separate family. Symantec appears to be the first to name these malicious programs; we kept Symantec’s name – Winnti – in the name of the malware family we created: Backdoor.Win32(Win64).Winnti. As for the people behind these attacks involving this remote administration tool, we ended up calling them “the Winnti group”.\r\nInterestingly, the digital signature belonged to another video game vendor – a private company known as KOG, based in South Korea. This company’s main business was MMORPG games, exactly the same area as the first victim.\r\nWe contacted KOG, whose certificate was used to sign the malicious software, and notified Verisign, which issued the certificate for KOG. As a result the certificate was revoked.\r\nDigital Certificates\r\nWhen we discovered the first stolen digital certificate we didn’t realize that stealing the certificates and signing malware for future attacks against other targets was the preferred method of this group. Over the next 18 months we discovered more than a dozen similar compromised digital certificates.\r\nMoreover, we found that those digital certificates seemed to have been used in attacks organized by other hacking groups, presumably coming from China.\r\nFor example, in an attack against South Korean social networks Cyworld and Nate in 2011 the attackers used a Trojan that was digitally signed using a certificate from the gaming company YNK Japan Inc.\r\nA digital certificate of the same company was used recently (March 2013) in Trojans deployed against Tibetan and Uyghur activists. In fact, this story dates back to 2011. We highly recommend this Norman blogpost (http://blogs.norman.com/2011/security-research/invisible-ynk-a-code-signing-conundrum) about a similar incident.\r\nAt the same time, in March 2013, Uyghur activists were targeted by other malware, which was digitally signed with the certificate of another gaming company called MGAME Corp.\r\nWe believe that the source of all these stolen certificates could be the same Winnti group. Either this group has close contacts with other Chinese hacker gangs, or it sells the certificates on the black market in China.\r\nBelow is the list of known compromised companies and digital certificates used by the Winnti group in different campaigns:\r\nCompany | Serial number | Country\r\nESTsoft Corp | 30 d3 fe 26 59 1d 8e ac 8c 30 66 7a c4 99 9b d7 | South Korea\r\nKog Co., Ltd. | 66 e3 f0 b4 45 9f 15 ac 7f 2a 2b 44 99 0d d7 09 | South Korea\r\nLivePlex Corp | 1c aa 0d 0d ad f3 2a 24 04 a7 51 95 ae 47 82 0a | South Korea/Philippines\r\nMGAME Corp | 4e eb 08 05 55 f1 ab f7 09 bb a9 ca e3 2f 13 cd | South Korea\r\nRosso Index KK | 01 00 00 00 00 01 29 7d ba 69 dd | Japan\r\nSesisoft | 61 3e 2f a1 4e 32 3c 69 ee 3e 72 0c 27 af e4 ce | South Korea\r\nWemade | 61 00 39 d6 34 9e e5 31 e4 ca a3 a6 5d 10 0c 7d | Japan/South Korea/US\r\nYNK Japan | 67 24 34 0d db c7 25 2f 7f b7 14 b8 12 a5 c0 4d | Japan\r\nGuangzhou YuanLuo | 0b 72 79 06 8b eb 15 ff e8 06 0d 2c 56 15 3c 35 | China\r\nFantasy Technology Corp | 75 82 f3 34 85 aa 26 4d e0 3b 2b df 74 e0 bf 32 | China\r\nNeowiz | 5c 2f 97 a3 1a bc 32 b0 8c ac 01 00 59 8f 32 f6 | South Korea\r\nVictims\r\nIt’s tempting to assume that Advanced Persistent Threats (APTs) primarily target high-level institutions: government agencies, ministries, the military, political organizations, power stations, chemical plants, critical infrastructure networks and so on. In this context it seems unlikely that a commercial company would be at risk unless it was operating on the scale of Google, Adobe or The New York Times, which was recently targeted by a cyberattack, and this perception is reinforced by the publicity that attacks on corporations and government organizations usually receive. However, any company with data that can be effectively monetized is at risk from APTs. This is exactly what we encountered here: it was not a governmental, political, military, or industrial organization but gaming companies that were targeted.\r\nIt’s difficult to name all the victims of the Winnti team. Judging by the information that we have at our disposal – namely the tags within malicious programs, the names of the C\u0026C domains, the companies whose digital certificates were stolen to sign malware, and the countries where detection notifications came from – we can say that at least 35 companies have been infected by Winnti malware at some time.\r\nCountries where the affected companies are located:\r\nAsia: Vietnam, India, Indonesia, China, Taiwan, Thailand, Philippines, S. Korea, Japan\r\nEurope: Belarus, Germany, Russia\r\nSouth America: Brazil, Peru\r\nNorth America: USA\r\nThis data demonstrates that the Winnti team is targeting gaming companies located in various parts of the world, albeit with a strong focus on SE Asia.\r\nCountries where gaming companies have been affected\r\nSuch geographic diversity is hardly surprising. Often, gaming companies (both publishers and developers) are international, having representatives and offices worldwide. Also, it is common practice for gaming companies from various regions to cooperate. The developers of a game may be located in a different country from its publisher. When a game later reaches markets in regions away from its initial ‘home’, it is often localized and published by other publishers. In the course of this cooperation, the partner companies often grant each other access to network resources to exchange data associated with the gaming content, including distribution kits, gaming resources, resource assembly kits, etc. If one company in the network gets infected, it’s easy for the cybercriminals to spread the infection throughout the partnership chain.\r\nWinnti C\u0026Cs Structure\r\nDuring the investigation, we identified over a hundred malicious programs, every single one compiled to attack a particular company. Typically, separate C\u0026C domains were assigned to each targeted company. Virtually all the C\u0026C domains were arranged as follows: a second-level domain was created without a DNS A-record, i.e., there was no IP address assigned to it.\r\nWhere there was an A-record, the assigned IP address was typically 127.0.0.1. It is also noteworthy that some of the second-level domains that the cybercriminals created for their C\u0026C had very similar names to the domain hosting the site of a certain real gaming company, and the attackers’ domain resolved to the same IP address that the real gaming company’s site used. In any case, the third-level domains resolved to IP addresses assigned to the attackers’ actual C\u0026C servers.\r\nC\u0026C domain naming and resolution\r\nSometimes the Winnti team registered their C\u0026C units with public hosts. Judging by the samples identified, these C\u0026C centers were subdomains of such domains as 6600.org, 8866.org, 9966.org or ddns.net.\r\nFrom the names of the C\u0026C domains or subdomains, the attack targets or countries of residence could be guessed, as in:\r\nru.gcgame.info\r\nkr.zzsoft.info\r\njp.xxoo.co\r\nus.nhntech.com\r\nfs.nhntech.com\r\nas.cjinternet.us\r\nThe subdomains “ru”, “kr”, “jp” and “us” most probably mean that these C\u0026C servers manage bots hosted on the computers of companies located in Russia, South Korea, Japan and the US respectively, while “fs” and “as” are acronyms for the names of the companies being attacked.\r\nSometimes Winnti’s malicious programs had a local IP address, such as 192.168.1.136, specified in their settings for the C\u0026C. This could mean that at some point in time there was an infected computer that did not have a connection to the Internet, but the cybercriminals needed control over it (it may have been infected while malware was spread via a corporate network). In this case, the cybercriminals deployed a dedicated local C\u0026C server on another compromised computer within the same local network which did have an Internet connection; via that C\u0026C, the first victim computer could be controlled. System administrators often try to isolate critical computers from the outside world. This decreases the probability of haphazard infection, but, apparently, does not always help in a targeted attack.\r\nIn the Winnti samples that were detected and analyzed, we found 36 unique C\u0026C domains. Most probably, this is only a small portion of all existing Winnti C\u0026C domains, as we only managed to obtain some of the samples from this malware family. This is hardly surprising since these malicious programs are used to execute targeted attacks, so no information is available about many instances of infection; for this reason, we have no way of obtaining samples of the malware used in these undisclosed attacks.\r\nDomain names used in the attacks we discovered:\r\nnewpic.dyndns.tv lp.zzsoft.info ru.gcgame.info\r\nupdate.ddns.net lp.gasoft.us kr.jcrsoft.com\r\nnd.jcrsoft.com eya.jcrsoft.com wm.ibm-support.net\r\ncc.nexoncorp.us ftpd.9966.org fs.nhntech.com\r\nkr.zzsoft.info kr.xxoo.co docs.nhnclass.com\r\nas.cjinternet.us wi.gcgame.info rh.jcrsoft.com\r\nca.zzsoft.info tcp.nhntech.com wm.nhntech.com\r\nsn.jcrsoft.com ka.jcrsoft.com wm.myxxoo.com\r\nlp.apanku.com my.zzsoft.info ka.zzsoft.info\r\nsshd.8866.org jp.jcrsoft.com ad.jcrsoft.com\r\nftpd.6600.org su.cjinternet.us my.gasoft.us\r\ntcpiah.googleclick.net vn.gcgame.info\r\nrss.6600.org ap.nhntech.com\r\nKnowing the 2nd level domains used by Winnti, we brute forced through all 3rd level subdomains up to 4 characters long, and identified those that have the IP addresses of real servers assigned to them. Having searched through subdomains for a total of 12 2nd level domains, we identified 227 “live” 3rd level domains. Many of them are C\u0026C servers for Winnti-class malware that have hitherto remained unidentified.\r\nAnalyzing the WHOIS data for the 12 2nd level domains, we found the following list of email addresses used for registration:\r\nevilsex@gmail.com\r\njslee.jcr@gmail.com\r\nwhoismydns@gmail.com\r\ngoogl3@live.com\r\nwzcc@cnkker.com\r\napanku2009@gmail.com\r\nFor some of these domains, registration data proved to be the same as those for the domain google.com:\r\nRegistrant: Google Inc.\r\n1600 Amphitheatre Parkwa\r\nMountain Vie, California 94043\r\nUnited States\r\n+1.6503300100\r\nJudging by the domain registration data, the Winnti team started their criminal activities in 2007 at the latest. Their early domains were involved in spreading rogue antiviruses (FakeAV). From 2009 onwards, domains began to emerge hosting C\u0026C servers for bots used to infect gaming companies. Apparently, the cybercriminals graduated to relatively large-scale penetrations into the corporate networks of gaming companies starting from 2010.\r\nKnown Malware\r\nThe attackers’ favorite tool is the malicious program we called “Winnti”. It has evolved since its first use, but all variants can be divided into two generations: 1.x and 2.x. Our publication describes both variants of this tool.\r\nIn our report we publish an analysis of the first generation of Winnti.\r\nThe second generation (2.x) was used in one of the attacks which we investigated during its active stage, helping the victim to interrupt data transfer and isolate infections in the corporate network. This incident and our investigation are described in detail here.\r\nIn addition to that, we have observed the use of a popular backdoor known as PlugX, which is believed to have Chinese origins. Previously, this had only been used in attacks against Tibetan activists.\r\nThe Commercial Interest\r\nAs has been stated above, APTs can target any commercial company if cybercriminals find a way to make a profit from the attack.\r\nSo which methods do cybercriminals use to generate illicit earnings from attacks on gaming companies?\r\nBased on the available information, we have singled out three main monetization schemes that could be used by the Winnti team.\r\n1. The unfair accumulation of in-game currency/“gold” in online games and the conversion of virtual funds into real money.\r\n2. Theft of source code from the online games server to search for vulnerabilities in games – often linked to point 1.\r\n3. Theft of source code from the server part of popular online games to further deploy pirate servers.\r\nLet’s look at an example. During our investigation of an infection at a computer game company, we found that malware had been created for a particular service on the company’s server. The malicious program was looking for a specific process running on the server, injected code into it, and then sought out two places in the process code where it could conceal call commands for its function interceptors. Using these function interceptors, the malicious program modified process data which was processed in those two places, and returned control back. Thus, the attackers changed the normal execution of the server processes. Unfortunately, the company was not able to share its targeted application with us, and we cannot say exactly how this malicious interference affected gaming processes. The company concerned told us that the attackers’ aim was to acquire gaming “gold” illegally.\r\nMalicious activity like this has an adverse impact on the game itself, tilting the balance in favor of cheats. But any changes the Winnti team introduces into the game experience are unlikely to be very noticeable. After all, maintaining a skillful balance is the main attribute of online games! Users will simply stop playing if they feel that other players are using non-standard methods to create an advantage beyond normal gameplay or if the game loses its intrinsic competitiveness due to resources or artifacts appearing in the game without the developers’ knowledge. At the same time the attackers are keen for the game to remain popular; otherwise, they would be unable to effectively turn all the time and effort of infecting a gaming company into financial gain.\r\nMembers of the Winnti team are patient and cautious. Cybercriminals have affected the processes of the online games from the infected companies and stolen money from them for years, but they have found ways of doing this without attracting attention to themselves.\r\nSource of Attacks\r\nSo, who is behind Winnti? While analyzing the malicious files that we detected during our investigation we found some details which may cast some light on the source of the attacks.\r\nAs part of our investigation, we monitored exactly what the cybercriminals did on an infected PC. In particular, they downloaded an auxiliary program ff._exe to the Config.Msi folder on the infected machine. This code searches for HTML, MS Excel, MS Word, Adobe, PowerPoint and MS Works documents and text files (.txt) on the hard drive.\r\nDebugging lines were found in ff._exe that possibly point to the nationality of the cybercriminals. They were not immediately noticeable because they looked like this in the editor:\r\nHowever, during a detailed analysis it emerged that the text is in Chinese Simplified GBK coding. This is what these lines look like in Chinese:\r\nBelow is a machine translation of this text into English:\r\nNot identify the type of file system\r\nBelow is a translation of the text by an interpreter:\r\nOpen the volume failed\r\nFailed to get the file system type\r\nFailed to read volume\r\nVolumes do not open or open failed\r\nNavigate to the root directory of the error\r\nError memory read pointer\r\nMemory is too small\r\nFile does not exist\r\nFailed to get the file mft index sector\r\nAccess to file data fail\r\nVolume and open volumes are not the same\r\nThe same volume and open volume\r\nIn addition, cybercriminals used the AheadLib program to create malicious libraries (for details, see the second part of the article). This is a program with a Chinese interface.\r\nChinese text was also found in one of the components of the malicious program, the CmdPlus.dll plug-in:\r\nTranslation: The process is complete!!\r\nIt would appear that the attackers can at least speak Chinese. However, not everything is so clear cut: because the file transfer plug-in has not been implemented entirely safely, a command which includes the attackers’ local path (where the file comes from and where it is saved to) arrives during the process of downloading/uploading files on the infected system. While monitoring the cybercriminals’ activity on the infected machine, we noticed they uploaded the certificate they found in the infected system, and the network traffic reflected the local path indicating the place where they saved the file on their computer:\r\nThese characters appear to be Korean, meaning “desktop”. This means the attackers were working on a Korean Windows operating system. Therefore, we can presume that the attack is not the exclusive work of Chinese-speaking cybercriminals.\r\nConclusions\r\nOur research revealed a long-term, large-scale cyberespionage campaign by a criminal group with Chinese origins. These attacks are not new; many other security researchers have published details of various cybercriminal groups coming from China. However, the current hacking group has distinguishing features that make it stand out among others:\r\nmassive abuse of digital signatures; the attackers used digital signatures of one victim company to attack other companies and steal more digital certificates;\r\nusage of a kernel-level 64-bit signed rootkit;\r\nabusing a great variety of public Internet resources to store control commands for the malware in an encrypted form;\r\nsharing/selling stolen certificates to other groups that had different objectives (attacks against Uyghur and Tibetan activists);\r\nstealing source codes and other intellectual property of software developers in the online gaming industry.\r\nThe malicious program which we call “Winnti” has evolved significantly since it first emerged; however, we classify all its variants in two main generations: 1.x and 2.x.\r\nWe have published the technical description of the first generation of Winnti in a separate article.\r\nThe second generation (2.x) was used to conduct an attack which we investigated during its active stage. We successfully prevented data transfer to the cybercriminals’ server and isolated the infected systems in the company’s local network. The incidents, as well as results of our investigation, are described in the full report on the Winnti group (PDF).\r\nIn addition, we discovered that the Winnti group uses a popular backdoor known as PlugX which also has Chinese origins. This backdoor had previously been seen almost exclusively in attacks targeting Tibetan activists.\r\nSource: https://securelist.com/winnti-more-than-just-a-game/37029/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/winnti-more-than-just-a-game/37029/"
	],
	"report_names": [
		"37029"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434269,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5da7bcfbc463031d214d9fb40b16eef7bf5ca2a.pdf",
		"text": "https://archive.orkl.eu/e5da7bcfbc463031d214d9fb40b16eef7bf5ca2a.txt",
		"img": "https://archive.orkl.eu/e5da7bcfbc463031d214d9fb40b16eef7bf5ca2a.jpg"
	}
}