{
	"id": "29c764cf-e514-4faa-b0c6-0d05d0a78ef6",
	"created_at": "2026-04-06T00:18:29.788892Z",
	"updated_at": "2026-04-10T03:23:52.061058Z",
	"deleted_at": null,
	"sha1_hash": "11da23ef92f3edbfbe71bb07e09a31dcb5b2431e",
	"title": "Dancing With Shellcodes: Cracking the latest version of Guloader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8696089,
	"plain_text": "Dancing With Shellcodes: Cracking the latest version of Guloader\r\nBy Eli Salem\r\nPublished: 2021-04-19 · Archived: 2026-04-05 13:31:11 UTC\r\nGuloader is a downloader that has been active since 2019. It is known to deliver various malware, most notably Agent-Tesla, Netwire, FormBook, Nanocore, and Parallax RAT.\r\nThe malware architecture consists of a VB wrapper and a shellcode that performs all of Guloader’s malicious activity. Although many malware families use crypters that carry shellcode in their initial droppers, the Guloader shellcode is notorious for its anti-analysis capabilities, which makes unpacking Guloader much more challenging.\r\nMost of Guloader’s anti-analysis functionality has already been published by several security researchers. However, for researchers who are not fully familiar with the Guloader shellcode, it can be hard to predict where these features are located, which may lead to a failed analysis.\r\nIn this article, I will present a step-by-step dynamic analysis of Guloader, covering the malware’s anti-analysis functions and how to overcome them. I will also demonstrate the malware’s main objectives.\r\nNote: Guloader makes heavy use of time checks and other traditional anti-analysis techniques. Therefore, to save time, I will use the ScyllaHide plugin throughout this analysis.\r\nhttps://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4\r\nPage 1 of 25\n\nAlso, several of Guloader’s anti-analysis techniques are impossible to evade without manual intervention, so I will mainly (but not only) focus on those.\r\nFile metadata\r\nHash: d55259bcf47af7e645ab7b003aa2cd4071cb36c6\r\nSample metadata in Pestudio\r\nGetting into the shellcode\r\nIn its initial state, Guloader is wrapped in a VB (Visual Basic) layer. 
To overcome it, we first reach the entry point and then set a breakpoint on VirtualAlloc. Next, we click Run 12 times (the VB wrapper calls VirtualAlloc several times, but we only care about the 12th call). When we return to user code from the 12th VirtualAlloc, we see the following:\r\n12th VirtualAlloc\r\nNow, Guloader writes the shellcode into this newly allocated memory. The process consists of several JMP instructions. Scroll down until you see a CALL to the register EDI (which points to the place where the shellcode is eventually stored). Taking this CALL leads us into the shellcode itself.\r\nCall the shellcode\r\nImmediately after taking the CALL to EDI, we see a jump to another location. Take this jump as well.\r\nTake the jump\r\nNote that the addresses quoted from here on (602766, 600144, and so on) are specific to this debugging session: the shellcode runs from memory returned by VirtualAlloc, so the values will differ on another machine, although the structure and order of the functions stay the same.\r\nThe shellcode\r\nAfter taking the initial jump, we see three different functions. For our unpacking purposes, we can skip them and go straight to the JMP 602766 located at the end.\r\nTake the jump\r\nAfter taking the jump, we see an immediate CALL to 600144; step into it.\r\nStep into\r\nNow, we see several functions and a JMP at the end. 
Also, we see that the first function is 6031A9.\r\nAnti VM function\r\nAnti-Analysis 1: Anti-VM\r\nTo our surprise, when we try to step over the CALL to function 6031A9 we encounter the following message box.\r\nGotcha\r\nWhy did it happen?\r\nUnnoticed at first, the shellcode had pushed eight pre-computed hashes onto the stack, in the following order:\r\npush 0xB314751D\r\npush 0xA7C53F01\r\npush 0x7F21185B\r\npush 0x3E17ADE6\r\npush 0xF21FD920\r\npush 0x27AA3188\r\npush 0xDFCB8F12\r\npush 0x2D9CC76C\r\nThese hashes are used by the function 6031A9 in the following manner:\r\n1) The function uses the API ZwQueryVirtualMemory (the native, ntdll-exported counterpart of VirtualQuery) to scan the process’s memory.\r\n2) The pre-computed hashes were produced with the djb2 algorithm. 
Each one of them represents a string related to a virtual machine product (for example, 0xB314751D represents “vmtoolsdControlWndClass”, a window class registered by VMware Tools). Hashing strings found in memory and comparing the results against these constants means the VM-related strings never appear in the shellcode itself.\r\n3) If one of these strings is found through ZwQueryVirtualMemory, the process shows the message box mentioned above.\r\nHow do we overcome this anti-VM technique?\r\nThere are three different approaches we can take:\r\n1) Change the pre-computed hashes on the stack before the call to 6031A9.\r\n2) Fill the CALL line with no-operation (NOP) instructions.\r\n3) Change the control flow by setting the EIP register to the address of the next instruction (after the CALL to 6031A9).\r\nFor this example, I took the first approach and changed the suffix of each hash to 22.\r\nChanging the hashes on the stack\r\nAs we continue to step over the next functions, we encounter the function 601F28, which is two functions below 6031A9 (the anti-VM function).\r\nAnti-Analysis 2: Time checks \u0026 CPUID\r\nIf we try to step over this function, we get stuck and cannot move forward.\r\nAnti-Analysis function\r\nWhy did it happen?\r\nInside the function 601F28 there is another routine that combines two anti-analysis mechanisms. 
Time checks using RDTSC (Read Time-Stamp Counter), and anti-VM using CPUID. The RDTSC check measures how many cycles elapse between two reads of the counter; single-stepping or breaking inside the routine inflates that delta far beyond what native execution produces, which is how it detects a debugger. The CPUID check queries the processor for hypervisor indicators.\r\nAnti-Analysis function\r\nHow do we overcome this anti-analysis?\r\nSimilar to the first anti-VM, we can change the control flow with the EIP register, or fill the line of the CALL to 601F28 with NOPs.\r\nAfter choosing our preferred method, we can go to the next JMP instruction.\r\nNOP the function\r\nAfter taking the jump, we immediately find ourselves in another CALL, to the function 6001C2; step into it.\r\nStep Into\r\nNext, we see a function named 602F54 that plays a big role in the main functionality of the shellcode. This function walks the process environment block (PEB) to find the loaded modules and returns the address of an API to the caller; the shellcode has no import table of its own.\r\nWe also see a direct call to the register EAX, something that is always interesting to inspect when dealing with shellcode.\r\nResolving API Calls\r\nWhen we step over 602F54, we see that it returns the API call TerminateProcess.\r\n
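The hash comparison behind Anti-Analysis 1, together with the by-hash API lookup that 602F54 performs while walking the PEB (the article only says it returns an API; that it also resolves by hash is an assumption consistent with the write-ups it references), as an added worked example in Python that is not part of the article. It implements the classic djb2 the article names, labels the eight stack constants against a constructed list of VM-related strings, and, because GuLoader builds are known to change the hash seed, solves for the seed algebraically from the one pairing the article gives (0xB314751D for “vmtoolsdControlWndClass”) rather than brute-forcing it. The candidate strings and the default seed and multiplier are assumptions; nothing from a live process is needed.

```python
# Added example, not code from the article: checking GuLoader-style djb2
# hashes against candidate strings, and recovering a non-default seed.
#
# Assumptions (not stated on the page): classic djb2 parameters (seed 5381,
# multiplier 33, result kept to 32 bits like the shellcode's registers) and a
# constructed list of VM-related strings. GuLoader builds are known to vary
# the seed, so a missing match means "different parameters", not "no VM check".

# The eight constants pushed before the CALL to 6031A9 (taken from the article).
STACK_HASHES = [
    0xB314751D, 0xA7C53F01, 0x7F21185B, 0x3E17ADE6,
    0xF21FD920, 0x27AA3188, 0xDFCB8F12, 0x2D9CC76C,
]

# Constructed candidates: window classes and process names of common VM tooling.
# The first one is the string the article says 0xB314751D stands for.
VM_CANDIDATES = [
    b"vmtoolsdControlWndClass", b"VBoxTrayToolWndClass", b"VBoxTrayToolWnd",
    b"vmtoolsd.exe", b"VBoxService.exe", b"qemu-ga.exe",
]


def djb2(data: bytes, seed: int = 5381, mult: int = 33) -> int:
    """djb2: h = h*mult + byte for each byte, truncated to 32 bits."""
    h = seed
    for b in data:
        h = (h * mult + b) & 0xFFFFFFFF
    return h


def resolve(hashes, candidates, seed: int = 5381, mult: int = 33) -> dict:
    """Map each hash to the candidate that produces it under (seed, mult), else None.
    Works for the anti-VM string list as well as for an export-name list when
    labelling API hashes (the lookup a PEB-walking resolver performs)."""
    table = {djb2(c, seed, mult): c for c in candidates}
    return {h: table.get(h) for h in hashes}


def recover_seed(known: bytes, target: int, mult: int = 33) -> int:
    """Solve for the seed from one known (string, hash) pair instead of brute force.
    djb2 is affine in the seed: h = seed*mult^n + tail (mod 2^32), where tail is
    the hash of the string computed from seed 0 and n = len(string). mult is odd,
    so mult^n is invertible modulo 2^32 and the seed is unique."""
    mod = 1 << 32
    tail = djb2(known, 0, mult)
    inv = pow(pow(mult, len(known), mod), -1, mod)
    return ((target - tail) * inv) % mod


def label_stack_hashes(seed: int = 5381) -> dict:
    """Label the article's stack constants with the constructed candidate list."""
    return resolve(STACK_HASHES, VM_CANDIDATES, seed)


if __name__ == "__main__":
    # 1. Try the classic parameters first.
    for h, name in label_stack_hashes().items():
        print(f"{h:08X} -> {name!r}")
    # 2. If nothing matched, take the one pairing the article gives and solve for
    #    the seed this build would use, then label again with it. If the other
    #    constants still match nothing, the hash is not multiply-by-33 djb2 at all.
    seed = recover_seed(b"vmtoolsdControlWndClass", 0xB314751D)
    print(f"seed implied by the article's pairing: {seed:#x}")
    for h, name in label_stack_hashes(seed).items():
        print(f"{h:08X} -> {name!r}")
```

The seed solve works for any multiply-and-add hash with an odd multiplier; for hashes that rotate or XOR (ROR13-style API hashing) it does not apply and a candidate-list brute force over the few hundred exports of kernel32 and ntdll is the practical route.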
Then, we take a jump to 6027A0.\r\nTake the jump\r\nAfter taking the jump, we find ourselves in a call to the function 6001ED.\r\nStep Into\r\nAfter stepping into this function, we see that we are at a location that calls the register EAX directly. This time the register holds the API EnumWindows (which enumerates all top-level windows on the screen).\r\nEnumWindows\r\nAnti-Analysis 3: Anti-VM\\Anti-Sandbox\r\nAfter we step over the call to EnumWindows, we see the line cmp eax,c. With this comparison the shellcode checks that there are at least 12 (C in hexadecimal) top-level windows on the machine, a count that a freshly booted sandbox often does not reach. If not, the process is terminated using the previously resolved API, TerminateProcess.\r\nCheck for at least 12 windows\r\nHow do we overcome this anti-sandbox check?\r\nSwitch the flag on the JGE jump if necessary; however, I did not have any issues with it.\r\nAs we continue with the normal execution of the shellcode, we see more instances of the function 602F54; one of them resolves ZwProtectVirtualMemory (the native counterpart of VirtualProtect).\r\nRight after, we see multiple push 0 instructions and a CALL to the function 6034F4.\r\nGetting into the Anti-breakpoint function\r\nAnti-Analysis 4: Anti breakpoints\r\nWhen we step into this function, we observe an interesting anti-debugging technique. 
In its first lines, the shellcode resolves the function DbgBreakPoint and stores its address at [esp+18].\r\nGetting DbgBreakPoint\r\nThen, it resolves the function DbgUiRemoteBreakin and stores its address at [esp+1C].\r\nGetting DbgUiRemoteBreakin\r\nNext, the shellcode loads the address of DbgBreakPoint ([esp+18]) into the EAX register and writes the byte 90 to it.\r\nAs we remember, 90 is the opcode for NOP. DbgBreakPoint normally begins with an INT 3 (opcode CC), the instruction that hands control to an attached debugger; overwriting it with NOP means that breakpoint simply never fires.\r\nPatching DbgBreakPoint\r\nThen, the shellcode does the same with DbgUiRemoteBreakin. However, it patches its beginning with the bytes 6A 00 B8 (push 0; mov eax, imm32) followed by the address of ExitProcess. DbgUiRemoteBreakin is the routine a debugger executes inside the target when it attaches to a running process, so with this patch every attach attempt ends with the process terminating itself.\r\nFunny enough, this anti-breakpoint mechanism is itself wrapped in another anti-analysis mechanism based on RDTSC time checks.\r\nPatching DbgUiRemoteBreakin\r\nIn the end, from the disassembler’s point of view, the changes look like this:\r\nBefore and after patch\r\nHow do we overcome this anti-breakpoint?\r\nThe best way is to bypass the function responsible for this anti-analysis mechanism, which is 6034F4. Either the NOP or the control-flow solution is fine here.\r\nNOP Anti-Analysis function\r\nAnti-Analysis 5: Anti-VM\r\nNext, we see the function 602038; if we step over it we see the string “C:\\Program Files\\qqa\\qqa.exe”. This is because 602038 checks whether the QEMU guest agent is installed on the machine. 
This is another anti-VM feature of Guloader.\r\nQemu guest agent\r\nIn the next two calls, we see a call to 602F54 which resolves NtSetInformationThread. This API address is stored in the EAX register and is executed several instructions later. However, in this case, we need to pay attention to the arguments NtSetInformationThread receives.\r\nAnti-Analysis 6: NtSetInformationThread\r\nThe second argument is ThreadHideFromDebugger (0x11). Once set, the thread no longer reports debug events to an attached debugger, so any breakpoint hit on it becomes an unhandled exception and the process crashes when it is running under a debugger.\r\nNtSetInformationThread Anti-Analysis\r\nHow do we overcome this anti-debugger technique?\r\nScyllaHide covers this technique; alternatively, we can just change the control flow or insert NOPs.\r\nAfter bypassing NtSetInformationThread, we keep stepping over until we reach a JMP at the end of this large routine. In my case, it is 602773.\r\nTake the jump\r\nRight after we take the jump, we see a call to another function; step into it.\r\nStep into\r\nAfter stepping into the function, we find ourselves in a unique location. 
Using other pre-computed hashes, the shellcode searches the installed products with the APIs MsiEnumProductsA and MsiGetProductInfo (again using the djb2 algorithm, so the product names it looks for are never stored in clear).\r\nI will not focus on this technique, but it is explained in detail in the referenced write-ups.\r\nMsiEnumProductsA and MsiGetProductInfo\r\nAfter the execution of MsiEnumProductsA, we see the instruction JNE 6004C8. By default we would not take this jump, but to bypass this anti-analysis check we change the ZF (zero flag) from 1 to 0 and take it.\r\nChange the flag\r\nShellcode main function\r\nOnce we take the jump, we reach one of the most important functions in the shellcode. It mainly relies on two important functions.\r\nThe first one is the already mentioned 602F54, which resolves API calls. The second one is 603B93, which is responsible for executing them (with a few exceptions). This is the main execution function, where the most important API calls are executed.\r\nThese two functions are used multiple times during the final stages of the shellcode. 
Set a breakpoint on 603B93 and step into it.\r\nTwo important functions\r\nBecause this function is responsible for executing the majority of the API calls, we want to set breakpoints at strategic locations so we have the option to hit Run and speed things up.\r\nMy preferred locations are the call to EAX, which is where the API call is executed, and JMP ECX, which is where the function returns to the core parent function.\r\nHowever, before we reach these important locations we need to bypass multiple anti-analysis checks that happen right before them.\r\nExecution function architecture\r\nAnti-analysis 7: Hardware breakpoints\r\nThe debug registers are read from a thread CONTEXT structure; the offsets below are exactly the x86 CONTEXT layout that NtGetContextThread/GetThreadContext fills in (ContextFlags at offset 0, followed by the debug registers), with EAX pointing at that structure:\r\n[eax+4] = Dr0\r\n[eax+8] = Dr1\r\n[eax+C] = Dr2\r\n[eax+10] = Dr3\r\n[eax+14] = Dr6\r\n[eax+18] = Dr7\r\nThe shellcode compares each of these fields to 0; if any of them is non-zero, a hardware breakpoint is set (Dr0 to Dr3 hold the breakpoint addresses, Dr7 the enable bits, and Dr6 the status of the last debug exception). 
In this case, the shellcode jumps via JNE 603C97 and the process is terminated.\r\nIf we want to observe how this anti-analysis mechanism works, we can click “follow in dump” on one of these DR locations (for example eax+4) and see that it holds the address at which we set the hardware breakpoint (Dr0 for the first breakpoint, Dr1 for the second, and so on).\r\nHardware breakpoint example\r\nHow do we overcome this technique?\r\nIf you set a hardware breakpoint, you can change the flag so the JNE jump is not taken. The easiest solution is to use the ScyllaHide plugin, which hides the debug registers from the CONTEXT the process reads.\r\nAnti-analysis 8: Software breakpoints\r\nIn this technique, the shellcode takes the address of the API about to be executed from the EAX register, loads the first byte of that function into BL (the low byte of EBX), and checks whether a software breakpoint has been placed on it. A software breakpoint works by overwriting the first byte of an instruction with a breakpoint opcode (for example 0xCC, INT 3), so finding that opcode at the API’s entry point reveals the breakpoint. Note that the check only inspects the entry point of the API itself, which is exactly where an analyst would naively break.\r\nSoftware breakpoint example\r\nAs expected, if a software breakpoint is present, the shellcode jumps to the location that terminates the process.\r\nSoftware breakpoint example\r\nHow do we overcome this technique?\r\nChange the ZF to 0, or replace the instruction with NOP. As mentioned before, the easiest solution is the ScyllaHide plugin.\r\nFinally, we have bypassed all of the anti-analysis mechanisms and can focus on Guloader’s main goal. 
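Before going on to the main goal, the three breakpoint-related checks just described (the DbgBreakPoint/DbgUiRemoteBreakin patch of Anti-Analysis 4, the CONTEXT debug-register comparison of Anti-Analysis 7, and the first-byte INT 3 test of Anti-Analysis 8), as an added Python example that is not part of the article. It reproduces each check on constructed buffers, recognises the patched ntdll stubs the way a memory-scanning detection would, and shows the debugger-side evasion of handing the process a CONTEXT with the debug-register fields cleared, which is the idea behind the ScyllaHide option used above. The sample CONTEXT prefix, the code bytes and the 0x12345678 target address are constructed; that DbgBreakPoint is an INT 3 followed by RET, and that a call eax follows the patched mov, are assumptions the page does not state.

```python
# Added example, not code from the article: the three breakpoint-related checks
# (Anti-Analysis 4, 7 and 8) reproduced on constructed buffers. Nothing here
# touches a live process; the CONTEXT prefix and code bytes are built inline.
import struct

# x86 CONTEXT prefix: ContextFlags, Dr0, Dr1, Dr2, Dr3, Dr6, Dr7 (offsets 0..0x18).
# These are exactly the [eax+4]..[eax+18] fields the shellcode compares with 0.
CONTEXT_DEBUG_REGISTERS = 0x00010010
DR_OFFSETS = {"Dr0": 0x04, "Dr1": 0x08, "Dr2": 0x0C, "Dr3": 0x10, "Dr6": 0x14, "Dr7": 0x18}


def build_context(dr0=0, dr1=0, dr2=0, dr3=0, dr6=0, dr7=0) -> bytes:
    """Constructed CONTEXT prefix (only the fields the checks read)."""
    return struct.pack("<7I", CONTEXT_DEBUG_REGISTERS, dr0, dr1, dr2, dr3, dr6, dr7)


def hardware_breakpoints(ctx: bytes) -> dict:
    """Anti-Analysis 7: return every non-zero debug-register field."""
    if len(ctx) < 0x1C:
        raise ValueError("CONTEXT prefix too short")
    found = {}
    for name, off in DR_OFFSETS.items():
        (val,) = struct.unpack_from("<I", ctx, off)
        if val:
            found[name] = val
    return found


def dr7_active_slots(dr7: int) -> list:
    """Which of Dr0..Dr3 are armed: local enable is bit 2n, global enable bit 2n+1."""
    return [n for n in range(4) if dr7 & (0b11 << (2 * n))]


def hide_hardware_breakpoints(ctx: bytes) -> bytes:
    """Debugger-side evasion: hand the process a CONTEXT whose debug-register
    fields read as zero (what a plugin does when it hides hardware breakpoints)."""
    out = bytearray(ctx)
    for off in DR_OFFSETS.values():
        struct.pack_into("<I", out, off, 0)
    return bytes(out)


def has_software_breakpoint(entry: bytes) -> bool:
    """Anti-Analysis 8: the shellcode loads the first byte of the API into BL and
    compares it with INT 3 (0xCC), the opcode a software breakpoint leaves behind."""
    return len(entry) > 0 and entry[0] == 0xCC


def classify_dbg_stub(code: bytes) -> tuple:
    """Anti-Analysis 4 seen from the detection side: recognise the patches the
    shellcode writes into ntdll.
      ('nop', None)     first byte 0x90: DbgBreakPoint with its INT 3 replaced
      ('exit', imm32)   6A 00 B8 imm32: push 0; mov eax, imm32 written into
                        DbgUiRemoteBreakin (imm32 is ExitProcess per the article;
                        whatever follows the mov is not inspected)
      ('int3', None)    unpatched INT 3 stub (assumed DbgBreakPoint body: INT 3; RET)
      ('unknown', None) anything else"""
    if code[:1] == b"\x90":
        return ("nop", None)
    if code[:3] == b"\x6a\x00\xb8" and len(code) >= 7:
        (target,) = struct.unpack_from("<I", code, 3)
        return ("exit", target)
    if code[:1] == b"\xcc":
        return ("int3", None)
    return ("unknown", None)


def demo() -> dict:
    """Run the checks on constructed data; all addresses are placeholders."""
    ctx = build_context(dr0=0x00603B93, dr7=0x1)           # hw bp on the execution function
    api_entry = b"\xcc\xff\x55\x8b\xec"                    # INT 3 over 'mov edi,edi; push ebp; mov ebp,esp'
    clean_entry = b"\x8b\xff\x55\x8b\xec"
    patched_dbgui = b"\x6a\x00\xb8\x78\x56\x34\x12\xff\xd0"  # push 0; mov eax,0x12345678; call eax (assumed)
    return {
        "hw": hardware_breakpoints(ctx),
        "hw_slots": dr7_active_slots(0x1),
        "hw_hidden": hardware_breakpoints(hide_hardware_breakpoints(ctx)),
        "sw_api": has_software_breakpoint(api_entry),
        "sw_clean": has_software_breakpoint(clean_entry),
        "dbgbreakpoint": classify_dbg_stub(b"\x90\xc3"),
        "dbguiremotebreakin": classify_dbg_stub(patched_dbgui),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it directly to print the results of demo(); to check what the shellcode will see in your own session, feed hardware_breakpoints() the bytes the debugger shows at the address in EAX just before the JNE 603C97, and has_software_breakpoint() the first bytes of the API whose address sits in EAX at the call.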
Because we already set breakpoints on the call to EAX and on JMP ECX, we can click Run and observe the functions being executed.\r\nThe first API call of interest is CreateProcessInternalW (the internal kernel32 routine that CreateProcessA and CreateProcessW both end up calling). In this case, the process to be created is RegAsm.exe, a .NET Framework utility, which is also a hint that the malware to be downloaded will probably be written in .NET (in this case, it is Agent-Tesla).\r\nCreating process\r\nThe RegAsm process is spawned in a suspended state, which indicates process hollowing. This variation of process hollowing is a bit unusual, but because we only care about unpacking the final payload I will not cover it here; the referenced write-ups have more details.\r\nRegAsm in suspended state\r\nAs we continue to observe the API calls being executed, we see NtMapViewOfSection. When we encounter this function, step over JMP ECX to return to the parent function. Then, continue to step over instructions manually until you see an instruction that calls a function stored at [ebp+30]. This line executes the API call NtWriteVirtualMemory (the native counterpart of WriteProcessMemory).\r\nThis instruction writes a second shellcode into the RegAsm process.\r\nWrite the second shellcode\r\nNow, we can go to the third argument of NtWriteVirtualMemory (the source buffer) and click “follow in dump” to observe the new shellcode that will be written.\r\nObserving the second shellcode\r\nNext, we can copy and dump the entire buffer that contains the second shellcode. 
In this way, we can debug it without any dependency on RegAsm.\r\nWrapping up the first shellcode\r\nAfter the first shellcode creates the RegAsm process and injects the second shellcode into it, it executes the API call NtResumeThread to activate the second shellcode within RegAsm’s memory.\r\nNow, we basically have two options: we can open a new debugger and attach it to RegAsm, or we can debug the dumped second shellcode as a stand-alone shellcode using a tool such as BlobRunner.\r\nMy preferred option is to debug it using the BlobRunner tool because I don’t want to depend on RegAsm. Also, I want the option to debug it over and over again as quickly as possible.\r\nFor those of you who are not familiar with the BlobRunner tool, please look at the following video.\r\nDebugging the second shellcode\r\nWhen we start to debug the second shellcode, we notice to our surprise that it starts the same way as the first one; in fact, it is almost the same shellcode. This resemblance gives us the advantage of already knowing how to bypass all the anti-analysis mechanisms we saw in the first shellcode.\r\nDifferences from the first shellcode\r\nAfter we reach the main function we saw in the first shellcode, we set the same breakpoints. 
Then, as we click Run and step over functions, we start to see indications of additional capabilities that we did not see in the first shellcode.\r\nFirst, we see a call to a location on the stack (in this case, [ebp+D8]) that executes the function InternetOpenUrlA; we also see the C2 URL it will use.\r\nObserving the C2\r\nThen, in the function that executes API calls, we see other WinINet API calls being executed.\r\nObserving the C2\r\nAt this point I decided to finalize my analysis, because we have achieved the two goals of this article:\r\n1) We learned how to crack the two shellcode stages of the Guloader malware.\r\n2) We observed how to find the C2 that is responsible for downloading the additional malware.\r\nRecap\r\nWhen we sum up the entire architecture of Guloader, we observe several stages and key features:\r\n1) The malware initially comes wrapped in a VB layer.\r\n2) After the VB part ends, the entire malware activity is executed by a shellcode.\r\n3) The shellcode contains multiple anti-analysis mechanisms, some of which are inescapable without manual intervention.\r\n4) The shellcode creates the process RegAsm and injects a second shellcode into it with a unique variation of the process hollowing injection.\r\n5) The second shellcode downloads further malware.\r\nThe Guloader mechanism is depicted in the following diagram:\r\nGuloader architecture\r\nConclusion\r\nIn this article, I covered the entire process of the Guloader malware and presented several anti-analysis mechanisms from this shellcode-based downloader.\r\nDuring this step-by-step observation, we saw how this malware’s unique characteristics challenge security researchers, and also how unconventional Guloader is in the current cybercrime landscape.\r\nReferences:\r\nhttps://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/\r\nhttps://www.crowdstrike.com/blog/guloader-malware-analysis/\r\nhttps://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/\r\nhttps://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html\r\nhttps://labs.k7computing.com/?p=21725\r\nhttps://github.com/OALabs/BlobRunner\r\nSource: https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4"
	],
	"report_names": [
		"dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434709,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11da23ef92f3edbfbe71bb07e09a31dcb5b2431e.pdf",
		"text": "https://archive.orkl.eu/11da23ef92f3edbfbe71bb07e09a31dcb5b2431e.txt",
		"img": "https://archive.orkl.eu/11da23ef92f3edbfbe71bb07e09a31dcb5b2431e.jpg"
	}
}