{
	"id": "4c953d7d-d0ce-490a-8a6d-4171ad88880d",
	"created_at": "2026-04-06T00:16:17.814947Z",
	"updated_at": "2026-04-10T03:20:30.476292Z",
	"deleted_at": null,
	"sha1_hash": "0167228714b6706ce40c2109d7cbfdb1e4f7c62e",
	"title": "TrueBot Analysis Part IV - Config Extraction",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 287834,
	"plain_text": "TrueBot Analysis Part IV - Config Extraction\r\nBy Robert Giczewski\r\nPublished: 2023-07-13 · Archived: 2026-04-05 19:49:46 UTC\r\nIn the last post of the TrueBot series, I described some of TrueBot’s capabilities in more detail. In this post I will\r\nuse this information to write a config extractor and extract the RC4 key for the C2, the mutex and the C2\r\nIPs/domains.\r\nLike in all config extractors, I need to somehow find the relevant things I want to extract.\r\nUsually, I use YARA to navigate within the binary but this time, I wanted to try something different.\r\nTL;DR - It’s not easier than YARA and does not work in all cases, but only in a specific case.\r\nMy idea was to use SMDA from Daniel Plohmann to identify all RC4-/Base64 and CreateMutex calls based on\r\ntheir structure (amount of basic blocks, incoming/outgoing calls, etc.). This approach works for different sets of\r\nsamples but unfortunately not for all samples, so I found myself implementing a lot of exceptions for certain sets\r\nof samples.\r\nThe code thus became very unreadable and unnecessarily complicated. I therefore decided to use SMDA only for\r\nfinding the CreateMutex call and to find the other things in a more “simple” way. For the second RC4 key, the one\r\nused to decrypt downloaded payloads, I haven’t found an easy solution to extract it reliably for all samples. It is\r\neasy to find in the binary, but not easy to extract programmatically without implementing a lot of edge cases. I\r\nhave therefore decided to not extract the second RC4 key.\r\nCreateMutex() and arguments\r\nTo find the address of the call to CreateMutex , I use SMDA to get all API calls available in the binary and look\r\nfor the string kernel32.dll!CreateMutex . In all observed TrueBot samples, there is only one call to\r\nCreateMutex , so I don’t have to deal with multiple calls.\r\n disassembler = Disassembler()\r\n report = disassembler.disassembleFile(args.file)\r\n functions = report.getFunctions()\r\n \r\n for fn in functions:\r\n for addr, name in fn.apirefs.items():\r\n if 'kernel32.dll!CreateMutex' in name:\r\n # Find the argument for the CreateMutex call\r\n ...\r\nWhen found the address, I use YARA to find the push instruction nearby the call to CreateMutex and just read\r\nthe argument with Malduck.\r\nhttps://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html\r\nPage 1 of 9\n\nBase64 decode calls and strings\r\nAs mentioned before, the usual idea was to find the Base64 decoding calls in the binary via SMDA. However, it\r\nturned out that this did not really work reliably for all samples available to me without implementing a number of\r\nexceptions.\r\nI therefore decided to use a trivial approach, which, however, works surprisingly reliably.\r\nTo find all Base64 strings, I just search for all strings in the binary and try to Base64 decode them. If this succeeds\r\nwithout an exception, I have found a base64 string and can use it later on.\r\n def extract_ascii_strings(data, min_len=16):\r\n chars = b\" !\\\"#\\$%\u0026\\'\\(\\)\\*\\+,-\\./0123456789:;\u003c=\u003e\\?@ABCDEFGHIJKLMNO\" \\\r\n b\"PQRSTUVWXYZ\\[\\]\\^_`abcdefghijklmnopqrstuvwxyz\\{\\|\\}\\\\\\~\\t\"\r\n \r\n string_list = []\r\n regexp = b'[%s]{%d,}' % (chars, min_len)\r\n pattern = re.compile(regexp)\r\n for s in pattern.finditer(data):\r\n string_list.append(s.group().decode())\r\n return string_list\r\n \r\n ...\r\n \r\nhttps://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html\r\nPage 2 of 9\n\nlazy_b64_pattern = re.compile('^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]'\r\n '[AQgw]==|[A-Za-z0-9+/]{2}[AEIMQUYcgkosw048]=)?$')\r\n \r\n b64_strings = []\r\n extracted_strings = extract_ascii_strings(data, min_len=16)\r\n \r\n for s in extracted_strings:\r\n for a in lazy_b64_pattern.finditer(s):\r\n tmp = a.group()\r\n try:\r\n decoded = base64.b64decode(tmp).decode(\"utf-8\")\r\n logger.info(f'Found {tmp} string.')\r\n b64_strings.append(decoded)\r\n except:\r\n # ignore all non base64 strings\r\n pass\r\nDecrypt the C2\r\nSimilar to the Base64 decode calls, finding the RC4 Calls with SMDA and then navigating to the key via YARA is\r\na pain because the structure is different in a lot of samples and it just does not work reliably. Since I already found\r\nthe Base64 strings before, I just need to b64decode them and then URL decode the result. Then I can bruteforce\r\nthe result with all strings I collected before. Since I know, how the decrypted string will look like (e.g. must be a\r\nvalid domain, always includes .php ), it’s quite easy to find the domain and the page.\r\n c2 = ''\r\n rc4_key = ''\r\n for item in extracted_strings:\r\n item = item.encode('utf-8')\r\n for decoded_b64_string in b64_strings:\r\n decoded = urllib.parse.unquote_to_bytes(decoded_b64_string)\r\n try:\r\n decrypted = malduck.rc4(item, decoded)\r\n if decrypted:\r\n decrypted = decrypted.decode('ascii')\r\n if c2:\r\n if '.php' in decrypted:\r\n c2 += decrypted\r\n break\r\n elif '.' in decrypted: # lazy check\r\n logger.debug(f'Successfully decrypted with key {item}: {decrypted}')\r\n c2 += decrypted\r\n rc4_key = item\r\nhttps://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html\r\nPage 3 of 9\n\nexcept:\r\n pass\r\nTesting\r\nI tested my code against the following hashes. Please note that the code is kinda slow because of SMDA. If you\r\ndon’t need the mutex, just comment it out and it will run much faster.\r\n05c72e77d14cee079ac94706759dfe77c27fe51731a1eca22b03352190087e9e\r\n80b9c5ec798e7bbd71bbdfffab11653f36a7a30e51de3a72c5213eafe65965d9\r\n0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3\r\n894a7d13d4bd0925e4ec64a401b818ab11ddccac96111d54e10ec32b221d198a\r\n1415f335a0c29fecc3309c8370c8bebefab590de35f206aa9d83861e38d0b74b\r\n97bae3587f1d2fd35f24eb214b9dd6eed95744bed62468d998c7ef55ff8726d4\r\n20af4f3b3d38c770a6539ea716d505fe17962d26a7ad7fa9d5e15dae0838618d\r\n97d0844ce9928e32b11706e06bf2c4426204d998cb39964dd3c3de6c5223fff0\r\n22e3f4602a258e92a0b8deb5a2bd69c67f4ac3ca67362a745178848a9da7a3cc\r\na0dc543073acd80e4cd97aefb057f030d419787647c7d2a3adb3f32efa9c22a6\r\n32ae88cddeeeec255d6d9c827f6bffc7a95e9ea7b83a84a79ff793735a4b4ed7\r\na30e1f87b78d1cd529fbe2afdd679c8241d3baab175b2f083740263911a85304\r\n36d89f0455c95f9b00a8cea843003d0b53c4e33431fe57b5e6ec14a6c2e00e99\r\na67df0a8b32bdc5f9d224db118b3153f66518737e702314873b673c914b2bb5c\r\n3cd5c0ae2e8bb1397a8e89ad3539606f692d2570a50c7a282e47551dd801b3ab\r\naf21e8bbd82c03bf72dffc3ef14fcdce25f3b42aec57cf23812d402332ffeb2e\r\n459016820777fea8602b9a58c5f8d21b8fc4574aa5913390a843fedae2eac3e0\r\nb95a764820e918f42b664f3c9a96141e2d7d7d228da0edf151617fabdd9166cf\r\n47f962063b42de277cd8d22550ae47b1787a39aa6f537c5408a59b5b76ed0464\r\nc042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c\r\n4862618fcf15ba4ad15df35a8dcb0bdb79647b455fea6c6937c7d050815494b0\r\nc0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125\r\n4e04e8b780acaf693f860184db29d3420f6b6d8176b8b3c73e3c813de4550e62\r\nc944a6a872f16a744ec3a83d1bb339ebc31313ad71eecc4784bb49abc97e0ba4\r\n51fa720e8789821ef57e31381ebae5b70999402320efe7f50b952ace6968f4a2\r\nc9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d\r\n54f33d06e2898f0968cb7ba552bc71e4459832637f154e21a4825d22eb9336eb\r\nd408df352b4b9e27c217b8fecdf1136174e15c5164267eddf88e35094093bb36\r\n594ade1fb42e93e64afc96f13824b3dbd942a2cdbc877a7006c248a38425bbc1\r\ndfde0f94a69d0f68a8846e400748bb89bc8900059a64b1dd05e6a3226db2ca92\r\n5cc8c9f2c9cee543ebac306951e30e63eff3ee103c62dadcd2ce43ef68bc7487\r\ne0178ab0893a4f25c68ded11e74ad90403443e413413501d138e0b08a910471e\r\n6a565088c66a78dd0362af9766b8ddf424afcbee20e167c0aa1131f8a518baa7\r\ned38c454575879c2546e5fccace0b16a701c403dfe3c3833730d23b32e41f2fe\r\n6b646641c823414c2ee30ae8b91be3421e4f13fa98e2d99272956e61eecfc5a1\r\nf9f649cb5de27f720d58aa44aec6d0419e3e89f453730e155067506ad3ece638\r\n717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb\r\nff3c79e793f5b803554542435d164867aa0d3672897e131832c3c3ba15bbe9ae\r\nhttps://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html\r\nPage 4 of 9\n\n7c607eca4005ba6415e09135ef38033bb0b0e0ff3e46d60253fc420af7519347\r\nff8c8c8bfba5f2ba2f8003255949678df209dbff95e16f2f3c338cfa0fd1b885\r\n7c79ec3f5c1a280ffdf19d0000b4bfe458a3b9380c152c1e130a89de3fe04b63\r\nResults:\r\nsha256:05c72e77d14cee079ac94706759dfe77c27fe51731a1eca22b03352190087e9e\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nsha256:0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3\r\nc2:qweastradoc.com/gate.php\r\nrc4_key_c2:duwureLycirifysy\r\nmutex:IFjwi312fu321321rfewfew\r\nsha256:1415f335a0c29fecc3309c8370c8bebefab590de35f206aa9d83861e38d0b74b\r\nc2:midnigthwaall.com/gate.php\r\nrc4_key_c2:NevucyNyUaXyraIy\r\nmutex:FuckingShitonAllEarth#666\r\nsha256:20af4f3b3d38c770a6539ea716d505fe17962d26a7ad7fa9d5e15dae0838618d\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:GLOIUTWISPFKr2tfsg432\r\nsha256:22e3f4602a258e92a0b8deb5a2bd69c67f4ac3ca67362a745178848a9da7a3cc\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nsha256:32ae88cddeeeec255d6d9c827f6bffc7a95e9ea7b83a84a79ff793735a4b4ed7\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nsha256:36d89f0455c95f9b00a8cea843003d0b53c4e33431fe57b5e6ec14a6c2e00e99\r\nc2:ronoliffuion.com/dns.php\r\nrc4_key_c2:TiCacyTumoQifixu\r\nmutex:LjdDlkfdslkfj328ewfujsifj32oirew\r\nsha256:3cd5c0ae2e8bb1397a8e89ad3539606f692d2570a50c7a282e47551dd801b3ab\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nhttps://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html\r\nPage 5 of 9\n\nsha256:459016820777fea8602b9a58c5f8d21b8fc4574aa5913390a843fedae2eac3e0\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nsha256:47f962063b42de277cd8d22550ae47b1787a39aa6f537c5408a59b5b76ed0464\r\nc2:dremmfyttrred.com/dns.php\r\nrc4_key_c2:WoOoHequZeMyNusa\r\nmutex:KisujIIs3fsfsSOFldsfds\r\nsha256:4862618fcf15ba4ad15df35a8dcb0bdb79647b455fea6c6937c7d050815494b0\r\nc2:essadonio.com/538332.php\r\nrc4_key_c2:qaTuMuseBaMuQoNe\r\nmutex:OrionStartWorld#666\r\nsha256:4e04e8b780acaf693f860184db29d3420f6b6d8176b8b3c73e3c813de4550e62\r\nc2:185.55.243.110/gate.php\r\nrc4_key_c2:HirisuTiZoKaMyEe\r\nmutex:GLOIUTWISPFKr2tfsg432\r\nsha256:51fa720e8789821ef57e31381ebae5b70999402320efe7f50b952ace6968f4a2\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nsha256:54f33d06e2898f0968cb7ba552bc71e4459832637f154e21a4825d22eb9336eb\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nsha256:594ade1fb42e93e64afc96f13824b3dbd942a2cdbc877a7006c248a38425bbc1\r\nc2:dremmfyttrred.com/dns.php\r\nrc4_key_c2:WoOoHequZeMyNusa\r\nmutex:KisujIIs3fsfsSOFldsfds\r\nsha256:5cc8c9f2c9cee543ebac306951e30e63eff3ee103c62dadcd2ce43ef68bc7487\r\nc2:jirostrogud.com/gate.php\r\nrc4_key_c2:KuXoZowywoCyKawi\r\nmutex:IFjwi312fu321321rfewfew\r\nsha256:6a565088c66a78dd0362af9766b8ddf424afcbee20e167c0aa1131f8a518baa7\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nsha256:6b646641c823414c2ee30ae8b91be3421e4f13fa98e2d99272956e61eecfc5a1\r\nc2:nomoresense.com/checkinfo.php\r\nhttps://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html\r\nPage 6 of 9\n\nrc4_key_c2:HeSaXuEyfoEaKiTy\r\nmutex:vxzcsdbfhk523wfesfFESRSUDHD\r\nsha256:717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb\r\nc2:essadonio.com/538332.php\r\nrc4_key_c2:qaTuMuseBaMuQoNe\r\nmutex:OrionStartWorld#666\r\nsha256:7c607eca4005ba6415e09135ef38033bb0b0e0ff3e46d60253fc420af7519347\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:GLOIUTWISPFKr2tfsg432\r\nsha256:7c79ec3f5c1a280ffdf19d0000b4bfe458a3b9380c152c1e130a89de3fe04b63\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:GLOIUTWISPFKr2tfsg432\r\nsha256:80b9c5ec798e7bbd71bbdfffab11653f36a7a30e51de3a72c5213eafe65965d9\r\nc2:jirostrogud.com/gate.php\r\nrc4_key_c2:KuXoZowywoCyKawi\r\nmutex:dsdf2tr325r32wgt32\r\nsha256:894a7d13d4bd0925e4ec64a401b818ab11ddccac96111d54e10ec32b221d198a\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nsha256:97bae3587f1d2fd35f24eb214b9dd6eed95744bed62468d998c7ef55ff8726d4\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:kknfexkseiK\r\nsha256:97d0844ce9928e32b11706e06bf2c4426204d998cb39964dd3c3de6c5223fff0\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nsha256:a0dc543073acd80e4cd97aefb057f030d419787647c7d2a3adb3f32efa9c22a6\r\nc2:midnigthwaall.com/gate.php\r\nrc4_key_c2:NevucyNyUaXyraIy\r\nmutex:FuckingShitonAllEarth#666\r\nsha256:a30e1f87b78d1cd529fbe2afdd679c8241d3baab175b2f083740263911a85304\r\nc2:hiperfdhaus.com/gate.php\r\nrc4_key_c2:mufaKanuIuKoQiCy\r\nmutex:LKJFggwithj24ikjofw23\r\nhttps://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html\r\nPage 7 of 9\n\nsha256:a67df0a8b32bdc5f9d224db118b3153f66518737e702314873b673c914b2bb5c\r\nc2:dremmfyttrred.com/dns.php\r\nrc4_key_c2:WoOoHequZeMyNusa\r\nmutex:LjdDlkfdslkfj328ewfujsifj32oirew\r\nsha256:af21e8bbd82c03bf72dffc3ef14fcdce25f3b42aec57cf23812d402332ffeb2e\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nsha256:b95a764820e918f42b664f3c9a96141e2d7d7d228da0edf151617fabdd9166cf\r\nc2:hiperfdhaus.com/gate.php\r\nrc4_key_c2:mufaKanuIuKoQiCy\r\nmutex:LKJFggwithj24ikjofw23\r\nsha256:c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c\r\nc2:qweastradoc.com/gate.php\r\nrc4_key_c2:duwureLycirifysy\r\nmutex:IFjwi312fu321321rfewfew\r\nsha256:c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125\r\nc2:ber6vjyb.com/dns.php\r\nrc4_key_c2:QimuKexufeUeDoti\r\nmutex:ASPODIKAFLKJoieLUFESJFuiewr\r\nsha256:c944a6a872f16a744ec3a83d1bb339ebc31313ad71eecc4784bb49abc97e0ba4\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nsha256:c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d\r\nc2:qweastradoc.com/gate.php\r\nrc4_key_c2:duwureLycirifysy\r\nmutex:IFjwi312fu321321rfewfew\r\nsha256:d408df352b4b9e27c217b8fecdf1136174e15c5164267eddf88e35094093bb36\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:kknfexkseiK\r\nsha256:dfde0f94a69d0f68a8846e400748bb89bc8900059a64b1dd05e6a3226db2ca92\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nsha256:e0178ab0893a4f25c68ded11e74ad90403443e413413501d138e0b08a910471e\r\nhttps://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html\r\nPage 8 of 9\n\nc2:dragonetzone.com/gate_info.php\r\nrc4_key_c2:NacuMydaguxoleba\r\nmutex:FuckingShitonAllEarth#666\r\nsha256:ed38c454575879c2546e5fccace0b16a701c403dfe3c3833730d23b32e41f2fe\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:kknfexkseiK\r\nsha256:f9f649cb5de27f720d58aa44aec6d0419e3e89f453730e155067506ad3ece638\r\nc2:nomoresense.com/checkinfo.php\r\nrc4_key_c2:HeSaXuEyfoEaKiTy\r\nmutex:vxzcsdbfhk523wfesfFESRSUDHD\r\nsha256:ff3c79e793f5b803554542435d164867aa0d3672897e131832c3c3ba15bbe9ae\r\nc2:nefosferta.com/gate.php\r\nrc4_key_c2:OumaOyIuRymuZyOi\r\nmutex:xUjfUjUtazdabr325\r\nsha256:ff8c8c8bfba5f2ba2f8003255949678df209dbff95e16f2f3c338cfa0fd1b885\r\nc2:qweastradoc.com/gate.php\r\nrc4_key_c2:duwureLycirifysy\r\nmutex:(u3qkfewi3ujrk32lqpti32ofwq\r\nCode can be found here.\r\nIf you find bugs or other samples, you know the drill ;-).\r\nSource: https://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html\r\nhttps://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html"
	],
	"report_names": [
		"truebot-config-extractor.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434577,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0167228714b6706ce40c2109d7cbfdb1e4f7c62e.pdf",
		"text": "https://archive.orkl.eu/0167228714b6706ce40c2109d7cbfdb1e4f7c62e.txt",
		"img": "https://archive.orkl.eu/0167228714b6706ce40c2109d7cbfdb1e4f7c62e.jpg"
	}
}