{
	"id": "d284fb97-34dc-4d3a-b4d1-f0447542e398",
	"created_at": "2026-04-06T00:21:58.656737Z",
	"updated_at": "2026-04-10T03:36:47.647641Z",
	"deleted_at": null,
	"sha1_hash": "411c6b855812064d2f62aa189667e2ace2bb9151",
	"title": "PennyWise Stealer: YouTube's Evasive Infostealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2348523,
	"plain_text": "PennyWise Stealer: YouTube's Evasive Infostealer\r\nPublished: 2022-06-30 · Archived: 2026-04-05 18:30:13 UTC\r\nCyble analyzes PennyWise, an infostealer that targets over 30 browsers and cold crypto wallets and uses YouTube to spread itself.\r\nDuring a routine threat-hunting exercise, Cyble Research Labs came across a new stealer named “PennyWise”, shared by a researcher. The stealer appears to have been developed recently; although it is new, the Threat Actor(s) (TA) have already released an updated version, 1.3.4.\r\nOur investigation indicates that the stealer is an emerging threat, and we have seen multiple samples of it active in the wild. In its current iteration it targets over 30 browsers and cryptocurrency applications such as cold crypto wallets and crypto browser extensions.\r\nThe stealer is built with an unknown crypter, which makes debugging tedious. It uses multithreading to steal user data, creating over 10 threads for faster execution and collection. The figure below shows the PennyWise stealer’s C\u0026C panel.\r\nhttps://blog.cyble.com/2022/06/30/infostealer/\r\nPage 1 of 17\n\nFigure 1 – Command and Control Server\r\nInitial Infection: Spreading via YouTube\r\nThe TA spreads the PennyWise stealer as free Bitcoin mining software. The TA has created YouTube videos containing a link to download the malware, so users searching for Bitcoin mining software may become victims of PennyWise.\r\nFigure 2 – Hosting Malware Campaign on YouTube\r\nWhen a user follows the link, the TA instructs them to download the malware hosted on a file-hosting service. The malware file is zipped and password protected. 
To appear legitimate, the TA shares a VirusTotal link for a clean file that is unrelated to the file actually offered for download. The TA also tricks users into disabling their antivirus so that the malware can execute, as shown below.\r\nFigure 3 – Manipulating User\r\nThe zip file contains an installer that drops the PennyWise stealer and executes it; the stealer then exfiltrates the victim’s data to the C\u0026C server. The figure below shows the network communication.\r\nFigure 4 – Network Communication\r\nAs per our observations, the TA has created over 80 videos on their YouTube channel for mass infection, and we have observed several download links from the channel that spread the PennyWise stealer. The figure below shows the videos created for spreading the malware via YouTube.\r\nFigure 5 – Over 80 videos created on the TA’s YouTube Channel\r\nTechnical Analysis\r\nThe infection starts with the loader (SHA256: e43b83bf5f7ed17b0f24e3fb7e95f3e7eb644dbda1977e5d2f33e1d8f71f5da0), which injects the PennyWise stealer into a legitimate .NET binary named “AppLaunch.exe” using process hollowing.\r\nFigure 6 – Process Hollowing\r\nThe injected .NET binary (SHA256: 3bbd6cdbc70a5517e5f39ed9dfad0897d5b200feecd73d666299876e35fa4c90) is the actual PennyWise stealer payload. The stealer contains encoded strings that are decoded early in execution; the figure below shows the function “Class84.method_0”, which is responsible for decoding them.\r\nFigure 7 – Function for Decoding Strings\r\nUpon execution, the stealer initializes the variables that support its stealing functionality. 
The values are decoded and assigned to these variables at run time, as shown in Table 1.\r\nTable 1 – Variables initialized at run time\r\nName | Value | Description\r\nstring_0 | 1.3.4 | Stealer version\r\nstring_1 | 0 | Flag\r\nstring_2 | CRYPTED:ygBdfUqyTjr827lyAL47dg== | Encrypted TA name\r\nstring_3 | 9D16FBEF0D8A8F87529DE06A1C43C737 | Mutex name\r\nstring_4 | 0 | Flag\r\nstring_5 | 1 | Flag\r\nstring_6 | 7 | Integer value\r\nstring_7 | 1 | Flag\r\nstring_8 | 0 | Flag\r\nstring_9 | 1 | Flag\r\nstring_10 | 0 | Flag\r\nstring_11 | — CreateChannel — | String\r\nstring_12 | 1 | Flag\r\nstring_13 | CRYPTED:vuw8jLF2e/Ljzrqrw2oAEBJLqFB8KtttiM5T7ns2bs4Dsnmons6Ixd82gskRZISF | Encrypted C2 URL\r\ndictionary_0 | Document: RTF, Doc, Docx, txt, json | File types the stealer will collect\r\nThe stealer then creates a mutex named “9D16FBEF0D8A8F87529DE06A1C43C737” to ensure that only one instance of the malware runs on the victim’s machine at any given time; it terminates if the mutex already exists.\r\nFigure 8 – Running a Single Instance\r\nThe malware then obtains the paths of the targeted browsers for stealing user data. It targets the following browsers:\r\n30+ Chromium-based browsers\r\n5+ Mozilla-based browsers\r\nOpera\r\nMicrosoft Edge\r\nFigure 9 – Targeted browsers\r\nOnce the browser paths are obtained, the malware collects the username, machine name, system language and time zone from the victim’s system. It converts the current date-time to Russian Standard Time (RST), as shown below.\r\nFigure 10 – Converting date-time to Russian Standard Time\r\nThe malware then retrieves the system language code using the CultureInfo class and gets the graphics driver and processor names of the victim’s machine using a WMI query. It then builds a string in the format below and computes its MD5 hash.
\r\n“mutex_name-Username-Machine_Name-Language_code-Processor_name-Graphics_Driver_Name”\r\nThe hash value is used as the name of a folder, created with the hidden attribute in the AppData\\Local directory, in which the stolen data is saved.\r\nFigure 11 – Creating a folder with hidden attributes\r\nThe malware tries to identify the victim’s country using the CultureInfo class and terminates its execution if the victim is based in one of the following locations:\r\nRussia\r\nUkraine\r\nBelarus\r\nKazakhstan\r\nThis could indicate that the TA is trying to avoid scrutiny by law enforcement agencies in these particular countries. Note that this is a locale check rather than a geolocation check: a sandbox whose culture is set to one of these locales will also stop the sample.\r\nFigure 12 – Preventing Execution in certain countries\r\nThe malware performs several anti-analysis and anti-detection checks to avoid running in a controlled environment. It queries the WMI Win32_ComputerSystem class to detect a virtual machine.\r\nIt then checks for the following loaded Dynamic-Link Libraries (DLLs) to identify antivirus products and sandbox environments:\r\nSbieDll: Sandboxie\r\nSxIn: 360 Total Security\r\nSf2: Avast Antivirus\r\nSnxhk: Avast Antivirus\r\ncmdvrt32: COMODO\r\nIt also enumerates the running processes on the victim’s machine and terminates if any of the following analysis tools is running:\r\nprocesshacker\r\nnetstat\r\nnetmon\r\ntcpview\r\nwireshark\r\nfilemon\r\nregmon\r\ncain\r\nhttpanalyzerstdv7\r\nfiddler\r\nfiddler everywhere\r\nhttpdebuggersvc\r\nAfter these checks, the malware decrypts string_2 and string_13 from Table 1, which are encrypted with the Rijndael (AES) algorithm. Consistent with their descriptions in Table 1, these strings hold the TA’s username and the Command \u0026 Control (C\u0026C) URL. 
\r\nFigure 13 – Decrypted Strings\r\nThe malware then creates a sub-folder under the folder created earlier in the AppData\\Local directory, named in the following format:\r\n“UserName@MachineName_Language_code_Year_Month_Date_Hour_Minute_Second@StealerVersion”\r\nThe malware uses multithreading to steal data from the victim’s system. Each thread is responsible for a different operation, such as stealing the victim’s files, harvesting Chromium/Mozilla browser data, stealing browser cryptocurrency-extension data, taking screenshots, and stealing chat-application sessions. The malware creates over 10 threads and starts them with the Thread.Start() method.\r\nFigure 14 – Use of multithreading by the TA\r\nThe file grabber only steals files smaller than 20 KB with .rtf, .doc, .docx, .txt or .json extensions, and saves them in a folder named “grabber”.\r\nUsing the Directory.Exists() method, the malware checks whether each targeted browser is present on the victim’s machine and steals data from those it finds. It harvests Chromium- and Mozilla-based browsers as follows:\r\nSensitive user data, such as login credentials and cookies, is stored by Chromium-based browsers in encrypted form. The malware enumerates the files in the “Browser-name\\User Data\\” folder and looks for the “Local State” file, which stores the encrypted key. The CryptUnprotectData() function (DPAPI) decrypts this key, which is then used to decrypt the Login Data file containing the user’s saved credentials. Because DPAPI decryption only succeeds under the victim’s own user context, the stealer has to perform this step on the infected host rather than after exfiltration.\r\nIn Mozilla-based browsers, the malware targets SQLite files such as “cookies.sqlite” and “key4.db”, which store cookies and the encryption keys (protected by the master password, if one is set) for logins.json. The logins.json file, containing the user’s credentials, is decrypted using these keys. 
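As an added worked example (not code from the Cyble report or from the PennyWise sample), the Python script below reproduces the two naming schemes described above so that a responder can hunt for the stealer’s staging folder on a mounted image or a copy of a user’s AppData\\Local tree: the MD5 of the host fingerprint from the previous section names the hidden top-level folder, the per-victim session folder name from this section sits inside it, and would_be_grabbed() applies the 20 KB / five-extension grabber filter. The UTF-8 encoding of the fingerprint, the lowercase hex output and the zero-padded date-time fields are assumptions, and the directory tree it scans is constructed for the example rather than captured from an infection.

```python
import hashlib
import os
import re
import tempfile

# Constants taken from the report. Encoding of the fingerprint (UTF-8), lowercase hex
# output, and the date-time zero-padding in the session folder name are assumptions.
MUTEX_NAME = '9D16FBEF0D8A8F87529DE06A1C43C737'
GRABBER_EXTENSIONS = {'.rtf', '.doc', '.docx', '.txt', '.json'}
GRABBER_MAX_BYTES = 20 * 1024
KNOWN_ARTIFACTS = ('grabber', 'Processes.txt', 'Screenshot.jpg',
                   'Information.txt', 'Software.txt')
HEX32_RE = re.compile(r'^[0-9a-f]{32}$', re.IGNORECASE)
# UserName@MachineName_Language_code_Year_Month_Date_Hour_Minute_Second@StealerVersion
SESSION_RE = re.compile(r'^[^@]+@.+_[A-Za-z-]+(_[0-9]{1,4}){6}@[0-9]+([.][0-9]+)*$')


def expected_staging_dir_name(user, machine, lang, cpu, gpu, mutex=MUTEX_NAME):
    '''Reproduce the MD5 the stealer derives from host details to name its hidden
    staging folder under AppData/Local (field order as given in the report).'''
    fingerprint = '-'.join([mutex, user, machine, lang, cpu, gpu])
    return hashlib.md5(fingerprint.encode('utf-8')).hexdigest()


def would_be_grabbed(filename, size_bytes):
    '''File-grabber filter from the report: under 20 KB and one of five extensions.'''
    ext = os.path.splitext(filename)[1].lower()
    return size_bytes < GRABBER_MAX_BYTES and ext in GRABBER_EXTENSIONS


def find_staging_dirs(local_appdata):
    '''Walk an AppData/Local tree (mounted image or live host) and return each
    32-hex-character folder that holds a PennyWise-style session folder, together
    with the report-listed artifacts present inside that session folder.'''
    hits = []
    for name in sorted(os.listdir(local_appdata)):
        top = os.path.join(local_appdata, name)
        if not (os.path.isdir(top) and HEX32_RE.match(name)):
            continue
        for sub in sorted(os.listdir(top)):
            session = os.path.join(top, sub)
            if not (os.path.isdir(session) and SESSION_RE.match(sub)):
                continue
            found = [a for a in KNOWN_ARTIFACTS
                     if os.path.exists(os.path.join(session, a))]
            found += [f for f in sorted(os.listdir(session)) if f.endswith('_Cookies.txt')]
            hits.append({'staging': name, 'session': sub, 'artifacts': found})
    return hits


def build_sample_tree(root):
    '''Constructed sample layout (not captured from a real infection): one folder
    that matches the report, plus two decoys that must not be flagged.'''
    staging = expected_staging_dir_name('victim', 'DESKTOP-1', 'ru-RU',
                                        'Intel(R) Core(TM) i5', 'Intel(R) UHD Graphics')
    session = os.path.join(root, staging, 'victim@DESKTOP-1_ru-RU_2022_06_28_10_15_42@1.3.4')
    os.makedirs(os.path.join(session, 'grabber'))
    for artifact in ('Processes.txt', 'Information.txt', '[Chrome_Default]_Cookies.txt'):
        open(os.path.join(session, artifact), 'w').close()
    os.makedirs(os.path.join(root, 'Microsoft', 'Windows'))   # ordinary vendor folder
    os.makedirs(os.path.join(root, '0' * 32, 'Cache'))        # 32-hex name, no session folder
    return staging


def hunt_sample():
    '''Build the constructed tree in a temp dir and run the hunt over it.'''
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_staging_dirs(root)


if __name__ == '__main__':
    for hit in hunt_sample():
        print(hit['staging'], hit['session'], hit['artifacts'])
```

On a live Windows host the same walk can be pointed at %LOCALAPPDATA%; the script does not check the hidden attribute the stealer sets, so pair it with attrib or Get-ChildItem -Hidden there. Since the stealer deletes the staging folder once exfiltration completes, a miss does not rule out infection.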
The cookies stolen from browsers are saved to a file named “[browser name_Default]_Cookies.txt”.\r\nFigure 15 – Checking whether a targeted browser exists on the victim system\r\nTo steal Discord tokens, the malware targets the following directories:\r\nDiscord\\Local Storage\\leveldb\r\nDiscord PTB\\Local Storage\\leveldb\r\nDiscord Canary\\leveldb\r\nThe malware steals Telegram sessions by copying files from the “Telegram Desktop\\tdata” folder.\r\nIt also fetches the list of running processes using the Process.GetProcesses() method and writes the process name, PID and executable path of each to a “Processes.txt” file.\r\nFigure 16 – Fetching all running processes data\r\nThe malware takes a screenshot of the victim’s desktop and stores it as “Screenshot.jpg”. It creates a file named “Information.txt” holding the victim’s location, system and hardware details, antivirus product, the stealer version, the victim’s unique ID, and the date.\r\nThe malware queries the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall to enumerate installed applications and writes them to a file named “Software.txt” in the following format:\r\nApplication\r\nVersion\r\nLocation\r\nThe stealer queries the registry to locate the data directories of cryptocurrency clients such as Litecoin, Dash and Bitcoin, as shown in the figure below. It reads the path from the “strDataDir” value under the HKEY_CURRENT_USER\\Software\\Blockchain_name\\Blockchain_name-Qt registry key.\r\nFigure 17 – Querying Registry\r\nIt targets cold crypto wallets such as Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic Wallet, Guarda and Coinomi. 
To steal data from these wallets, the malware looks for wallet files in the directories shown in the figure below and copies them for exfiltration.\r\nFigure 18 – Stealing data from cold crypto-wallets\r\nThe malware also targets cryptocurrency extensions of Chromium-based browsers. The figure below lists the targeted extensions with their IDs. The malware enumerates the files in the Browser_name\\User Data folder and looks for the “Local Extension Settings” folder, where extension data is stored; within it, each crypto extension’s data is located by its extension ID.\r\nFigure 19 – Stealing data from crypto browser extensions\r\nThe malware then tallies the harvested data, as shown in Figure 16. It compresses the folder in which the stolen data was saved and exfiltrates the archive to “http[:]//185[.]246.116.237[:]5001/getfile”. The folder is then deleted to remove traces, so on a host where exfiltration completed the staging folder will be gone and evidence has to come from network telemetry or file-system journaling artifacts.\r\nFigure 20 – Exfiltration of data\r\nConclusion\r\nPennyWise is an emerging stealer that is already making a name for itself. We have seen multiple samples of PennyWise in the wild, indicating that threat actors may already be deploying it. Although there is not much information on its adoption by cybercriminals at the moment, we may see new variants of this stealer and further samples in the wild in the future.\r\nOur Recommendations\r\nAvoid downloading pirated software from unverified sites.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nRotate passwords at regular intervals.\r\nUse a reputable antivirus and internet security software package on your connected devices, including PCs, laptops and mobile devices.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.
\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez sites.\r\nMonitor beaconing at the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) solutions on employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion\r\nDefense Evasion | T1055.012 | Process Injection: Process Hollowing\r\nCredential Access | T1555 | Credentials from Password Stores\r\nCredential Access | T1539 | Steal Web Session Cookies\r\nCredential Access | T1552 | Unsecured Credentials\r\nCredential Access | T1528 | Steal Application Access Token\r\nCollection | T1113 | Screen Capture\r\nDiscovery | T1518 | Software Discovery\r\nDiscovery | T1124 | System Time Discovery\r\nDiscovery | T1007 | System Service Discovery\r\nCommand and Control | T1071 | Application Layer Protocol\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nIndicators of Compromise (IOCs)\r\nIndicator | Indicator type | Description\r\nhttp[:]//185[.]246.116.237[:]5001/getfile | URL | C2 URL\r\nLoader\r\nMD5: eef01a6152c5a7ecd4e952e8086abdb3\r\nSHA-1: fd3c1844af6af1552ff08e88c1553cc6565fe455\r\nSHA-256: e43b83bf5f7ed17b0f24e3fb7e95f3e7eb644dbda1977e5d2f33e1d8f71f5da0\r\nStealer Payload\r\nMD5: 66502250f78c6f61e7725a3daa0f4220\r\nSHA-1: 8cfc5d40a8008e91464fd89a1d6cb3a7b3b7a282\r\nSHA-256: 05854ea1958ef0969a2c717ce6cb0c67cd3bcd327badac6aa7925d95a0b11232\r\nStealer Payload\r\nMD5: a1249d31ea72e00055286c94592bc0e3\r\nSHA-1: 8644ac0cc1a805f1682a0b0f65052a1835e599b1\r\nSHA-256: 01c83c32ab5c2f0fda5c04aee7b02dc30d59c91c1db70e168a6cc1215cc53ab7\r\nStealer Payload\r\nMD5: e062fedb25bbf55894711100c35130c1\r\nSHA-1: b28568c19eaafd0e8212b81ea7b87340554e1340\r\nSHA-256: c5e9d0aa26ca6255559708bcf957d79e3adb4d2b08146cd765182f7b834227f4\r\nStealer Payload\r\nMD5: f71d077c9889d005c8c71f3a2fe20fd0\r\nSHA-1: 2ba8275af7b7708a7f79bb442c980ec3d3c04b91\r\nSHA-256: dcd2c2073c227e5b496ca0cb13e31d18b45899dca0de1633f2eeb25d264258de\r\nStealer Payload\r\nMD5: a6064cd1760ea08973b20bdc0e7ea699\r\nSHA-1: c5f3342e9fcc159eef81a459d54eb7b6ce80feb1\r\nSHA-256: bc709e3aea5732c3d07c7f59ea22f8a5c026e45558d0e2aa3fb35ac78f39d9f4\r\nStealer Payload\r\nMD5: c9ac6deb0ef78785d469033117411e3d\r\nSHA-1: 15622e8ec3ec4c29f09b3871678199599d285e43\r\nSHA-256: 0eb43cef2e674aa72b24cccd36b349ce0e4eb347c0fbf373bc53c97713e8e94f\r\nStealer Payload\r\nMD5: da9f8ec6d3337315435fa9d9d7868980\r\nSHA-1: ebf6edd68e97bd13d4ed3e878c7bd11dfb5a628c\r\nSHA-256: 117d5155fe3659a816f10faf859ff68c6094457eb1902d6699df74fac309befd\r\nStealer Payload\r\nMD5: d72619b4ededa0f8cfe9554557bf2c7f\r\nSHA-1: ee456a4b32eff2eddf14c6ae5385d977081308b4\r\nSHA-256: 4da90f77a26a16eee48cb73ca920e681974554be0d87a225e7ad9416adbf34c6\r\nStealer Payload\r\nMD5: 215c203f7f3e3f63c5ae9e35d8625463\r\nSHA-1: b6bfbbd9c49cc94e4fcab413f62a12bb23485cdf\r\nSHA-256: bc51e019e91bbb8e704ee4b7027dab4f7168b3b4e947e83d43bf4c488aa2b612\r\nStealer Payload\r\nMD5: ece1ffba058735ab9521ee1ed5cf969c\r\nSHA-1: 35a06ba7f2cffaf5c2f97c7fe02d235c6317ebf2\r\nSHA-256: 6dbeb13c7efbd62561bf2fea3b1e3d36021e701b80a993e28498182d0884ce6f\r\nStealer Payload\r\nMD5: f0807f8ec6349d726b19713ece98c57b\r\nSHA-1: e341cd9abfca8e02bef0d0af94343949a23ce6c4\r\nSHA-256: bf46b901e1899533629b751f28bd4adab3f11f0ddf8b509c9f90af25a1a73b5b\r\nStealer Payload\r\nMD5: 88facb451a849d37a272ab9a7a83a47c\r\nSHA-1: 27c66fa23f8af20be0234f95b35e64ccea7d73ae\r\nSHA-256: 5b11938d67a8a0c629bf4ec1f8b77c6ba0910546984d4d983f43a25d4e7b72ac\r\nSource: https://blog.cyble.com/2022/06/30/infostealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/06/30/infostealer/"
	],
	"report_names": [
		"infostealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434918,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/411c6b855812064d2f62aa189667e2ace2bb9151.pdf",
		"text": "https://archive.orkl.eu/411c6b855812064d2f62aa189667e2ace2bb9151.txt",
		"img": "https://archive.orkl.eu/411c6b855812064d2f62aa189667e2ace2bb9151.jpg"
	}
}