{
	"id": "a7599485-b8dc-4c99-b2da-50196f2ea367",
	"created_at": "2026-04-06T00:18:58.395544Z",
	"updated_at": "2026-04-10T13:12:22.019017Z",
	"deleted_at": null,
	"sha1_hash": "6de1511ac7653e977c07a46a4078b850d70628c6",
	"title": "CrashOverride Malware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 128495,
	"plain_text": "CrashOverride Malware | CISA\r\nPublished: 2021-07-20 · Archived: 2026-04-05 22:57:04 UTC\r\nSystems Affected\r\nIndustrial Control Systems\r\nUpdated July 20, 2021: The U.S. Government attributes this activity to Russian nation-state cyber actors and\r\nassess that Russian nation-state cyber actors deployed CrashOverRide malware to conduct a cyberattack against\r\nUkrainian critical infrastructure. For more information on Russian malicious cyber activity, refer to us-cert.cisa.gov/Russia.\r\nOverview\r\nThe National Cybersecurity and Communications Integration Center (NCCIC) is aware of public reports from\r\nESET and Dragos outlining a new, highly capable Industrial Controls Systems (ICS) attack platform that was\r\nreportedly used in 2016 against critical infrastructure in Ukraine. As reported by ESET and Dragos , the\r\nCrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors.\r\nNCCIC is working with its partners to validate the ESET and Dragos analysis, and develop a better understanding\r\nof the risk this new malware poses to U.S. critical infrastructure.\r\nAlthough this activity is still under investigation, NCCIC is sharing this report to provide organizations with\r\ndetection and mitigation recommendations to help prevent future compromises within their critical infrastructure\r\nnetworks. 
NCCIC continues to work with interagency and international partners on this activity and will provide\r\nupdates as information becomes available.\r\nFor a downloadable copy of indicators of compromise (IOCs), see:\r\nIOCs (.csv)\r\nIOCs (.stix)\r\nTo report activity related to this Alert, please contact CISA Central at SayCISA@cisa.dhs.gov or 1-844-Say-CISA.\r\nRisk Evaluation\r\nNCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level (Color)\r\nYellow (Medium)\r\nA medium priority incident may affect public health or safety, national security, economic security, foreign\r\nrelations, civil liberties, or public confidence.\r\nhttps://us-cert.cisa.gov/ncas/alerts/TA17-163A\r\nPage 1 of 10\n\nDetails\r\nThere is no evidence to suggest this malware has affected U.S. critical infrastructure. However, the tactics,\r\ntechniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target\r\nU.S. critical information networks and systems.\r\nTechnical Analysis\r\nCrashOverride malware represents a scalable, capable platform. The modules and capabilities publicly reported\r\nappear to focus on organizations using ICS protocols IEC101, IEC104, and IEC61850, which are more commonly\r\nused outside the United States in electric power control systems. The platform fundamentally abuses the\r\nfunctionality of a targeted ICS system’s legitimate control system to achieve its intended effect. While the known\r\ncapabilities do not appear to be U.S.-focused, it is important to recognize that the general TTPs used in\r\nCrashOverride could be leveraged with modified technical implementations to affect U.S.-based critical\r\ninfrastructure. With further modification, CrashOverride or similar malware could have implications beyond\r\nelectric power, so all critical infrastructure organizations should evaluate their systems for susceptibility to\r\nthe TTPs outlined. The malware has several reported capabilities:\r\n1. 
Issues valid commands directly to remote terminal units (RTUs) over ICS protocols. As reported by\r\nDragos, one such command sequence toggles circuit breakers in a rapid open-close-open-close pattern.\r\nThis could create conditions where individual utilities may island from infected parties, potentially\r\nresulting in a degradation of grid reliability.\r\n2. Denies service to local serial COM ports on Windows devices, therefore preventing legitimate\r\ncommunications with field equipment over serial from the affected device.\r\n3. Scans and maps ICS environment using a variety of protocols, including Open Platform Communications\r\n(OPC). This significantly improves the payload’s probability of success.\r\n4. Could exploit Siemens relay denial-of-service (DoS) vulnerability, leading to a shutdown of the relay. In\r\nthis instance, the relay would need to be manually reset to restore functionality.\r\n5. Includes a wiper module in the platform that renders Windows systems inert, requiring a rebuild or backup\r\nrestoration.\r\nDetection\r\nAs CrashOverride is a second stage malware capability and has the ability to operate independent of initial C2,\r\ntraditional methods of detection may not be sufficient to detect infections prior to the malware executing. As a\r\nresult, organizations are encouraged to implement behavioral analysis techniques to attempt to identify precursor\r\nactivity to CrashOverride. As additional information becomes available on stage one infection vectors and TTPs,\r\nthis alert will be updated.\r\nNCCIC is providing a compilation of IOCs (see links above) from a variety of sources to aid in the detection of\r\nthis malware. The sources provided do not constitute an exhaustive list and the U.S. Government does not endorse\r\nor support any particular product or vendor’s information referenced in this report. 
However, NCCIC has included\r\nthis data to ensure wide distribution of the most comprehensive information available and will provide updates as\r\nwarranted.\r\nSignatures\r\nimport \"pe\"\r\nimport \"hash\"\r\nrule dragos_crashoverride_exporting_dlls\r\n{\r\nmeta:\r\ndescription = \"CRASHOVERRIDE v1 Suspicious Export\"\r\nauthor = \"Dragos Inc\"\r\ncondition:\r\npe.exports(\"Crash\") \u0026 pe.characteristics\r\n}\r\nrule dragos_crashoverride_suspcious\r\n{\r\nmeta:\r\ndescription = \"CRASHOVERRIDE v1 Wiper\"\r\nauthor = \"Dragos Inc\"\r\nstrings:\r\n$s0 = \"SYS_BASCON.COM\" fullword nocase wide\r\n$s1 = \".pcmp\" fullword nocase wide\r\n$s2 = \".pcmi\" fullword nocase wide\r\n$s3 = \".pcmt\" fullword nocase wide\r\n$s4 = \".cin\" fullword nocase wide\r\ncondition:\r\npe.exports(\"Crash\") and any of ($s*)\r\n}\r\nrule dragos_crashoverride_name_search {\r\nmeta:\r\ndescription = \"CRASHOVERRIDE v1 Suspicious Strings and Export\"\r\nauthor = \"Dragos Inc\"\r\nstrings:\r\n$s0 = \"101.dll\" fullword nocase wide\r\n$s1 = \"Crash101.dll\" fullword nocase wide\r\n$s2 = \"104.dll\" fullword nocase wide\r\n$s3 = \"Crash104.dll\" fullword nocase wide\r\n$s4 = \"61850.dll\" fullword nocase wide\r\n$s5 = \"Crash61850.dll\" fullword nocase wide\r\n$s6 = \"OPCClientDemo.dll\" fullword nocase wide\r\n$s7 = \"OPC\" fullword nocase wide\r\n$s8 = \"CrashOPCClientDemo.dll\" fullword nocase wide\r\n$s9 = \"D2MultiCommService.exe\" fullword nocase wide\r\n$s10 = \"CrashD2MultiCommService.exe\" fullword nocase wide\r\n$s11 = \"61850.exe\" fullword nocase wide\r\n$s12 = \"OPC.exe\" fullword nocase wide\r\n$s13 = \"haslo.exe\" fullword nocase wide\r\n$s14 = \"haslo.dat\" fullword nocase wide\r\ncondition:\r\nany of ($s*) and pe.exports(\"Crash\")\r\n}\r\nrule dragos_crashoverride_hashes {\r\nmeta:\r\ndescription = \"CRASHOVERRIDE Malware Hashes\"\r\nauthor = \"Dragos Inc\"\r\ncondition:\r\nfilesize \u003c 1MB 
and\r\nhash.sha1(0, filesize) == \"f6c21f8189ced6ae150f9ef2e82a3a57843b587d\" or\r\nhash.sha1(0, filesize) == \"cccce62996d578b984984426a024d9b250237533\" or\r\nhash.sha1(0, filesize) == \"8e39eca1e48240c01ee570631ae8f0c9a9637187\" or\r\nhash.sha1(0, filesize) == \"2cb8230281b86fa944d3043ae906016c8b5984d9\" or\r\nhash.sha1(0, filesize) == \"79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a\" or\r\nhash.sha1(0, filesize) == \"94488f214b165512d2fc0438a581f5c9e3bd4d4c\" or\r\nhash.sha1(0, filesize) == \"5a5fafbc3fec8d36fd57b075ebf34119ba3bff04\" or\r\nhash.sha1(0, filesize) == \"b92149f046f00bb69de329b8457d32c24726ee00\" or\r\nhash.sha1(0, filesize) == \"b335163e6eb854df5e08e85026b2c3518891eda8\"\r\n}\r\nrule dragos_crashoverride_moduleStrings {\r\nmeta:\r\ndescription = \"IEC-104 Interaction Module Program Strings\"\r\nauthor = \"Dragos Inc\"\r\nstrings:\r\n$s1 = \"IEC-104 client: ip=%s; port=%s; ASDU=%u\" nocase wide ascii\r\n$s2 = \" MSTR -\u003e\u003e SLV\" nocase wide ascii\r\n$s3 = \" MSTR \u003c\u003c- SLV\" nocase wide ascii\r\n$s4 = \"Unknown APDU format !!!\" nocase wide ascii\r\n$s5 = \"iec104.log\" nocase wide ascii\r\ncondition:\r\nany of ($s*)\r\n}\r\nrule dragos_crashoverride_configReader\r\n{\r\nmeta:\r\ndescription = \"CRASHOVERRIDE v1 Config File Parsing\"\r\nauthor = \"Dragos Inc\"\r\nstrings:\r\n$s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }\r\n$s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }\r\n$s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }\r\n$s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? 
}\r\ncondition:\r\nall of them\r\n}\r\nrule dragos_crashoverride_weirdMutex\r\n{\r\nmeta:\r\ndescription = \"Blank mutex creation associated with CRASHOVERRIDE\"\r\nauthor = \"Dragos Inc\"\r\nstrings:\r\n$s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }\r\n$s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00}\r\ncondition:\r\nall of them\r\n}\r\nrule dragos_crashoverride_serviceStomper\r\n{\r\nmeta:\r\ndescription = \"Identify service hollowing and persistence setting\"\r\nauthor = \"Dragos Inc\"\r\nstrings:\r\n$s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }\r\n$s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }\r\ncondition:\r\nall of them\r\n}\r\nrule dragos_crashoverride_wiperModuleRegistry\r\n{\r\nmeta:\r\ndescription = \"Registry Wiper functionality associated with CRASHOVERRIDE\"\r\nauthor = \"Dragos Inc\"\r\nstrings:\r\n$s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }\r\n$s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }\r\n$s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }\r\ncondition:\r\nall of them\r\n}\r\nrule dragos_crashoverride_wiperFileManipulation\r\n{\r\nmeta:\r\ndescription = \"File manipulation actions associated with CRASHOVERRIDE wiper\"\r\nauthor = \"Dragos Inc\"\r\nstrings:\r\n$s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }\r\n$s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }\r\ncondition:\r\nall of them\r\n}\r\nImpact\r\nA successful network intrusion can have severe impacts, particularly if the compromise becomes public and\r\nsensitive information is exposed. 
Possible impacts include:\r\ntemporary or permanent loss of sensitive or proprietary information,\r\ndisruption to regular operations,\r\nfinancial losses incurred to restore systems and files, and\r\npotential harm to an organization’s reputation.\r\nSolution\r\nProperly implemented defensive techniques and common cyber hygiene practices increase the complexity of\r\nbarriers that adversaries must overcome to gain unauthorized access to critical information networks and systems.\r\nIn addition, detection and prevention mechanisms can expose malicious network activity, enabling organizations\r\nto contain and respond to intrusions more rapidly. There is no set of defensive techniques or programs that will\r\ncompletely avert all attacks; however, layered cybersecurity defenses will aid in reducing an organization’s attack\r\nsurface and will increase the likelihood of detection. This layered mitigation approach is known as defense-in-depth.\r\nNCCIC has based its mitigations and recommendations on its analysis of the public reporting of this malware and\r\nwill provide updates as more information becomes available.\r\nCritical infrastructure companies should ensure that they are following best practices, which are outlined in the\r\nSeven Steps to Effectively Defend Industrial Control Systems document produced jointly by DHS, NSA, and FBI.\r\nApplication Whitelisting\r\nApplication whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by adversaries.\r\nApplication whitelisting hardens operating systems and prevents the execution of unauthorized software. The\r\nstatic nature of some systems, such as database servers and human-machine interface (HMI) computers, makes\r\nthese ideal candidates to run AWL. 
NCCIC encourages operators to work with their vendors to baseline and\r\ncalibrate AWL deployments.\r\nOperators may choose to implement directory whitelisting rather than trying to list every possible permutation of\r\napplications in an environment. Operators may implement application or application directory whitelisting\r\nthrough Microsoft Software Restriction Policy (SRP), AppLocker, or similar application whitelisting software.\r\nSafe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), SYSTEM32, and any\r\nICS software folders. All other locations should be disallowed unless an exception is granted.\r\nManage Authentication and Authorization\r\nThis malware exploits the lack of authentication and authorization in common ICS protocols to issue unauthorized\r\ncommands to field devices. Asset owners/operators should implement authentication and authorization protocols\r\nto ensure field devices verify the authenticity of commands before they are actioned. In some instances, legacy\r\nhardware may not be capable of implementing these protections. In these cases, asset owners can either leverage\r\nICS firewalls to do stateful inspection and authentication of commands, or upgrade their control field devices.\r\nAdversaries are increasingly focused on gaining control of legitimate credentials, especially those associated with\r\nhighly privileged accounts. Compromising these credentials allows adversaries to masquerade as legitimate users,\r\nleaving less evidence of compromise than more traditional attack options (i.e., exploiting vulnerabilities or\r\nuploading malware). For this reason, operators should implement multi-factor authentication where possible and\r\nreduce privileges to only those needed for a user’s duties. If passwords are necessary, operators should implement\r\nsecure password policies, stressing length over complexity. 
For all accounts, including system and non-interactive\r\naccounts, operators should ensure credentials are unique, and changed, at a minimum, every 90 days.\r\nNCCIC also recommends that operators require separate credentials for corporate and control network zones and\r\nstore them in separate trust stores. Operators should never share Active Directory, RSA ACE servers, or other trust\r\nstores between corporate and control networks. Specifically, operators should:\r\nDecrease a threat actor’s ability to access key network resources by implementing the principle of least\r\nprivilege;\r\nLimit the ability of a local administrator account to login from a local interactive session (e.g., “Deny\r\naccess to this computer from the network”) and prevent access via a remote desktop protocol session;\r\nRemove unnecessary accounts, groups, and restrict root access;\r\nControl and limit local administration; and\r\nMake use of the Protected Users Active Directory group in Windows Domains to further secure privileged\r\nuser accounts against pass-the-hash attacks.\r\nHandling Destructive Malware\r\nDestructive malware continues to be a threat to both critical infrastructure and business systems. NCCIC\r\nencourages organizations to review the ICS-CERT destructive malware white paper for detailed mitigation\r\nguidance. It is important for organizations to maintain backups of key data, systems, and configurations such as:\r\nServer gold images,\r\nICS Workstation gold configurations,\r\nEngineering workstation images,\r\nPLC/RTU configurations,\r\nPasswords and configuration information, and\r\nOffline copies of install media for operating systems and control applications.\r\nEnsure Proper Configuration/Patch Management\r\nAdversaries often target unpatched systems. 
A configuration/patch management program centered on the safe\r\nimportation and implementation of trusted patches will help render control systems more secure.\r\nSuch a program will start with an accurate baseline and asset inventory to track what patches are needed. The\r\nprogram will prioritize patching and configuration management of “PC-architecture” machines used in HMI,\r\ndatabase server, and engineering workstation roles, as current adversaries have significant cyber capabilities\r\nagainst these systems. Infected laptops are a significant malware vector. Such a program will limit the connection\r\nof external laptops to the control network and ideally supply vendors with known-good company laptops. The\r\nprogram will also encourage initial installation of any updates onto a test system that includes malware detection\r\nfeatures before the updates are installed on operational systems.\r\nNCCIC recommends that operators:\r\nUse best practices when downloading software and patches destined for their control network;\r\nTake measures to avoid watering hole attacks;\r\nUse a web Domain Name System (DNS) reputation system;\r\nObtain and apply updates from authenticated vendor sites;\r\nValidate the authenticity of downloads;\r\nInsist that vendors digitally sign updates, and/or publish hashes via an out-of-band communications path,\r\nand only use this path to authenticate;\r\nNever load updates from unverified sources; and\r\nReduce your attack surface area.\r\nTo the greatest extent possible, NCCIC recommends that operators:\r\nIsolate ICS networks from any untrusted networks, especially the Internet;\r\nLock down all unused ports;\r\nTurn off all unused services; and\r\nOnly allow real-time connectivity to external networks if there is a defined business requirement or control\r\nfunction.\r\nIf one-way communication can accomplish a task, operators should use optical separation 
(“data\r\ndiode”).\r\nIf bidirectional communication is necessary, operators should use a single open port over a\r\nrestricted network path.\r\nBuild a Defendable Environment\r\nBuilding a defendable environment will help limit the impact from network perimeter breaches. NCCIC\r\nrecommends operators segment networks into logical enclaves and restrict host-to-host communications paths.\r\nThis can prevent adversaries from expanding their access, while allowing the normal system communications to\r\ncontinue operating. Enclaving limits possible damage, as threat actors cannot use compromised systems to reach\r\nand contaminate systems in other enclaves. Containment provided by enclaving also makes incident cleanup\r\nsignificantly less costly.\r\nIf one-way data transfer from a secure zone to a less secure zone is required, operators should consider using\r\napproved removable media instead of a network connection. If real-time data transfer is required, operators should\r\nconsider using optical separation technologies. This allows replication of data without placing the control system\r\nat risk.\r\nAdditional details on effective strategies for building a defendable ICS network can be found in the ICS-CERT\r\nDefense-in-Depth Recommended Practice.\r\nImplement Secure Remote Access\r\nSome adversaries are effective at gaining remote access into control systems, finding obscure access vectors, even\r\n“hidden back doors” intentionally created by system operators. 
Operators should remove such accesses wherever\r\npossible, especially modems, as these are fundamentally insecure.\r\nOperators should:\r\nLimit any accesses that remain;\r\nWhere possible, implement “monitoring only” access enforced by data diodes, and not rely on “read only”\r\naccess enforced by software configurations or permissions;\r\nNot allow remote persistent vendor connections into the control network;\r\nRequire any remote access to be operator controlled, time limited, and procedurally similar to “lock out,\r\ntag out”;\r\nUse the same remote access paths for vendor and employee connections; do not allow double standards;\r\nand\r\nUse two-factor authentication if possible, avoiding schemes where both tokens are similar and can be\r\neasily stolen (e.g., password and soft certificate).\r\nMonitor and Respond\r\nDefending a network against modern threats requires actively monitoring for adversarial penetration and quickly\r\nexecuting a prepared response. 
Operators should:\r\nConsider establishing monitoring programs in the following key places: at the Internet boundary; at the\r\nbusiness to Control DMZ boundary; at the Control DMZ to control LAN boundary; and inside the Control\r\nLAN;\r\nWatch IP traffic on ICS boundaries for abnormal or suspicious communications;\r\nMonitor IP traffic within the control network for malicious connections or content;\r\nUse host-based products to detect malicious software and attack attempts;\r\nUse login analysis (e.g., time and place) to detect stolen credential usage or improper access,\r\nverifying all anomalies with quick phone calls;\r\nWatch account and user administration actions to detect access control manipulation;\r\nHave a response plan for when adversarial activity is detected; and\r\nSuch a plan may include disconnecting all Internet connections, running a properly scoped search\r\nfor malware, disabling affected user accounts, isolating suspect systems, and immediately resetting\r\n100 percent of passwords.\r\nSuch a plan may also define escalation triggers and actions, including incident response,\r\ninvestigation, and public affairs activities.\r\nHave a restoration plan, including “gold disks” ready to restore systems to known good states.\r\n \r\nReferences\r\n[1] ESET: WIN32/INDUSTROYER – A New Threat for Industrial Control Systems\r\n[2] Dragos: CRASHOVERRIDE\r\nRevisions\r\nJune 12, 2017: Initial Release|June 13, 2017: Updated IOCs (both STIX and CSV formats)|July 7, 2017: Updated\r\nIOCs (both STIX and CSV formats)|July 21, 2017: Corrected typographical error|July 24, 2017: Corrected links to\r\ndownloadable IOC files\r\nSource: https://us-cert.cisa.gov/ncas/alerts/TA17-163A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/TA17-163A"
	],
	"report_names": [
		"TA17-163A"
	],
	"threat_actors": [],
	"ts_created_at": 1775434738,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6de1511ac7653e977c07a46a4078b850d70628c6.pdf",
		"text": "https://archive.orkl.eu/6de1511ac7653e977c07a46a4078b850d70628c6.txt",
		"img": "https://archive.orkl.eu/6de1511ac7653e977c07a46a4078b850d70628c6.jpg"
	}
}