{
	"id": "fa4be029-1c8f-4253-a878-def48a37fe37",
	"created_at": "2026-04-06T00:16:14.765719Z",
	"updated_at": "2026-04-10T03:37:36.855816Z",
	"deleted_at": null,
	"sha1_hash": "b62dff1ab9fe630d6831b40a7cc226386edc139c",
	"title": "Striking Oil: A Closer Look at Adversary Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 410853,
	"plain_text": "Striking Oil: A Closer Look at Adversary Infrastructure\r\nBy Robert Falcone, Bryan Lee\r\nPublished: 2017-09-26 · Archived: 2026-04-05 12:57:50 UTC\r\nWhile expanding our research into the TwoFace webshell from this past July, we were able to uncover several IP\r\naddresses that logged in and directly interfaced with the shell we discovered and wrote about. Investigating deeper\r\ninto these potential adversary IPs revealed a much larger infrastructure used to execute the attacks. We found the\r\ninfrastructure was segregated into different functions for specific malicious objectives. We found some sites that\r\nwere set up as credential harvesters (likely used in phishing attacks), a compromised system that was used to\r\ninteract with a TwoFace webshell to hide the actor’s location, and finally systems that interact with TwoFace\r\nwebshell-compromised systems to provide command and control direction of those compromised systems.\r\nIn addition to uncovering the attack infrastructure for this adversary, we were able to determine a significant link\r\nbetween the operators of the set of attacks involving TwoFace and another attack campaign we have published on\r\nin detail: OilRig.\r\nSpoofing Sites and Credential Harvesters\r\nWe observed the IP address 137.74.131[.]208 interacting with the TwoFace webshell as described in our previous\r\nblog. Our investigation of the passive DNS entries for this IP revealed a potential link to a credential harvesting\r\ncampaign carried out by the threat group behind the TwoFace webshell attacks. 
Looking into passive DNS entries\r\nfor the IP gave us the following domain resolutions:\r\nowa-insss-org-ill-owa-authen[.]ml\r\nwebmaiil-tau-ac-il[.]ml\r\nmail-macroadvisorypartners[.]ml\r\nwebmail-tidhar-co-il[.]ml\r\nmy-mailcoil[.]ml\r\nlogn-micrsftonine-con[.]ml\r\nso-cc-hujii-ac-il[.]ml\r\nThese domain names, on initial inspection, appear to be emulating legitimate webmail login portals, indicating\r\nthat these are likely to be credential harvesters. We confirmed this as seen below:\r\nhttps://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/\r\nPage 1 of 8\n\nFigure 1a. Example of a credential harvester\r\nFigure 1b. Example of a credential harvester\r\nOur further examination revealed that these credential harvesters were crafted to be exact replicas of the legitimate\r\nsites they were purporting to be. This is a common tactic deployed by adversaries leveraging credential harvesters\r\nto increase the chance that a user will input their credentials and decrease suspicion of nefarious activity.\r\nBreaking down the intended targeting for these credential harvesters reveals interesting target grouping.\r\nowa-insss-org-ill-owa-authen[.]ml is likely intended to mimic the INSSS or the Institute of National\r\nSecurity Studies, a think tank for Israel’s national security agenda.\r\nwebmaiil-tau-ac-il[.]ml is likely intended to mimic Tel Aviv University, the largest university in Israel.\r\nmail-macroadvisorypartners[.]ml is likely intended to mimic Macro Advisory Partners, a prominent\r\nstrategic consulting firm that has published insights into the Israel region.\r\nwebmail-tidhar-co-il[.]ml is likely intended to mimic the Tidhar Group, an Israeli-based real estate and\r\nproperty management company.\r\nmy-mailcoil[.]ml is likely intended to mimic Bezeq International’s webmail application. 
Bezeq\r\nInternational is an Israeli-based telecommunications company providing consumer and enterprise services.\r\nso-cc-hujii-ac-il[.]ml is likely intended to mimic the Hebrew University of Jerusalem, which is the\r\nsecond-oldest university in Israel.\r\nEach of these organizations appears to be either Israeli-based or to have strong Israeli connections and interests.\r\nCredential harvesters in general are not uncommon, but it is significant to have a grouping of region- and\r\ncompany-specific harvesters. This grouping leads us to believe that this adversary is likely to have had a specific\r\nmission to accomplish, which involved breaching specific organizations. This is in contrast to more generic credential\r\nharvesting by targeting common applications such as Gmail or Facebook.\r\nThe relationship between the credential harvesters hosted on 137.74.131[.]208 and the interaction with TwoFace is\r\nstill unclear at this time. We do know the operator of TwoFace had access to both TwoFace and these spoofing\r\nsites, and it is highly unlikely that it is a coincidence that these specifically designed spoofing sites were on the\r\nsame infrastructure as TwoFace when both target the same geopolitical region.\r\nAdditional Webshells\r\nBy analyzing additional TwoFace samples, as well as the traffic seen associated with TwoFace, we were able to\r\nfind additional webshells used by this threat group. The additional webshells show that this threat group does not\r\nsolely rely on TwoFace when deploying a webshell on a compromised web server.\r\nRunningBee\r\nA second IP of high interest seen interacting with the TwoFace webshell was 192.155.x.x, which is owned by\r\nSoftLayer. This IP resolves to a domain owned by the Ministry of Oil of a nation-state in the Middle East. 
The use\r\nof this IP is interesting as there are only two possibilities as to why this specific IP would be directly interfacing\r\nwith the TwoFace shell: either it is the adversary themselves, or it has been compromised and is being used as part\r\nof the adversary infrastructure.\r\nBased upon additional telemetry found in AutoFocus, we believe it is highly likely that this IP was indeed\r\ncompromised and added to the adversary infrastructure. The telemetry revealed that this IP was not only used to\r\ninteract directly with the TwoFace shell discussed in our previous blog, but also used to upload post-exploitation\r\ntools to another shell hosted on a Middle Eastern educational institution. We have named this second webshell\r\n“RunningBee”.\r\nRunningBee is a webshell that requires an actor to enter a password before running commands or uploading files\r\nto the webserver, much like TwoFace. However, the shell itself is different from a UI and code perspective. The\r\nsamples of RunningBee that we identified require the password “NeshaNesha12” for interaction. This is notable\r\nbecause this same password was mentioned in Cylance’s Operation Cleaver report as a password for webshells\r\nused by one of the members of that operation.\r\nFigure 2 RunningBee webshell\r\nInvestigating RunningBee activity revealed that the 192.155.x.x IP uploaded at least four additional tools to that\r\ncompromised system with RunningBee on it, as seen in Table 1. Please reference the 'Post-exploitation Tools\r\nSHA256' section at the end of this blog for full hashes of the tools mentioned throughout this blog.\r\nDate Uploaded | SHA256 | Filenames | Tool\r\n10/06/2016, 02/19/2017 | 3b08535b4add194... | PsExec.exe, kb-11.exe | PsExec\r\n02/19/2017 | 28a0db561ff5a52... | kb.exe | Mimikatz\r\n02/19/2017 | 450ebd66ba67bb4... | 
Local.exe | Local.Exe of Microsoft Windows NT Resource Kit\r\n02/19/2017 | 5b7eb534a852c18... | kbs.exe | Mimikatz\r\nTable 1 Post-exploitation tools found on RunningBee\r\nThe uploaded files were common examples of tools often found during the post-exploitation phase.\r\nPsExec – a lightweight application, part of the Sysinternals package, designed to execute processes on other\r\nsystems and allow for interactive console access\r\nMimikatz – an open-source tool designed to extract and use credential information from Windows systems\r\nlocal.exe – a command-line tool, part of the NT Resource Kit, to view members of local groups on remote\r\nservers or domains\r\nOur analysis showed the specific hashes of these tools were placed on multiple other sites also containing\r\nTwoFace-related webshells, leading us to believe that they are related to one specific adversary.\r\nBased on the post-exploitation tools uploaded to RunningBee and common IP addresses interacting with the\r\nshells, we found four other related webshells hosted on webservers belonging to organizations in the Middle East.\r\nThe tools listed in Table 2 include the same tools that were uploaded to RunningBee, such as PsExec, Mimikatz\r\nand Local.exe. In addition to these tools, we also discovered the existence of the remote connection tool known as\r\nPuTTY Link (plink) and a custom Microsoft IIS (Internet Information Services) web server backdoor that we\r\ntrack as RGDoor. We believe the threat actors may have used plink to connect to additional systems on the\r\ncompromised network after obtaining legitimate credentials using a tool such as Mimikatz. RGDoor is an HTTP\r\nmodule that the threat actors are likely loading into the IIS web server to maintain an additional, backup access\r\npoint should the compromised organization detect and remediate the installed webshell (e.g. 
TwoFace,\r\nRunningBee) from the server.\r\nSHA256 | Filename | Tool | Shells | IP addresses uploading\r\n744e0ce108598aa... | S64.exe | | 1 | 138.201.209.162\r\nbb9b4e088eb9910... | z64.exe | | 1 | 89.163.206.0\r\n28a0db561ff5a52... | mom64.exe | Mimikatz | 2 | 137.74.131.208\r\n6e623311768f1c4... | s64.exe | | 3, 4 | 51.254.50.153, 212.16.80.102, 37.59.229.231, 91.121.237.227\r\n3b08535b4add194... | ps.exe | PsExec | 3, 4 | 51.254.50.153\r\n6ae32cd3b5a8a1d... | pl.exe | PuTTY Link | 3, 4 | 51.254.50.153, 91.121.237.227, 37.59.229.231, 176.9.164.252\r\n450ebd66ba67bb4... | Local.exe | Local.Exe of Microsoft Windows NT Resource Kit | 3 | 91.121.237.227\r\nd3b03c0da854102... | O6.exe | Mimikatz | 1 | 92.222.209.48, 94.23.172.49\r\n5ead94f12c30743... | O64.exe | Mimikatz | 1 | 92.222.209.51\r\ncaf5f9791ab3049... | i64.exe | | 1 | 138.201.209.182, 5.39.59.97, 91.121.237.224\r\n497e6965120a7ca... | HTTPParser.dll | RGDoor | 1 | 5.39.59.97\r\nTable 2 Post-exploitation tools and associated IPs\r\nFigure 3 Visualization of relationships of webshell and tools\r\nLittleFace\r\nAs we reported in our TwoFace blog, the TwoFace shell was unique in that it was actually two webshells, where\r\nafter initial authentication to a loader webshell, a secondary webshell with additional functionality was unpacked\r\nand made accessible to the operator. After gathering additional TwoFace loader shells, we noticed that some of\r\nthese TwoFace loaders contained an embedded shell that differed from the TwoFace payload we originally found\r\nand published in our previous blog. This different shell, which we call LittleFace, contains much less functionality\r\nand is relatively simple compared to its TwoFace payload counterpart. 
LittleFace also differs from the previous\r\nTwoFace payloads in that once it is saved to the system, it no longer requires authentication.\r\nThe LittleFace shell does not display a web-based user interface like most webshells. Instead, it is a webshell that\r\nallows the threat actor to pass commands to the Windows command prompt by issuing HTTP POST requests with the\r\ndesired command within the “c” field of the posted data, as seen in the following code block, which is the command\r\nhandler on the webshell. The webshell will receive the commands embedded in the HTTP POST requests and\r\nhand them off to another function (the “r” function in the following code block) for processing.\r\nvoid Page_Load(object sender, EventArgs e)\r\n{\r\n    try\r\n    {\r\n        // Command string taken from the \"c\" field of the POST body; no authentication is checked\r\n        string cmd = Request[\"c\"];\r\n        // Hand the command to r(), which runs it and writes the output into the HTTP response\r\n        r(cmd);\r\n    }\r\n    catch (Exception)\r\n    {\r\n        // Errors are silently swallowed, so a failed command produces no output\r\n    }\r\n}\r\nThe LittleFace shell will execute the command (the ‘r’ function seen in the code block above) by creating a “cmd.exe”\r\nprocess and writing the desired command to the process’ standard input. The result of the command is provided\r\nback to the actor directly within the HTTP response to the POST request.\r\nOilRig Link\r\nWhile examining each of the tools that were found on the compromised sites, one specific sample of Mimikatz\r\nshowed evidence of a potential relationship with the OilRig campaign.\r\nAs detailed in our April 2017 blog \"OilRig Actors Provide a Glimpse into Development and Testing Efforts\", we\r\nwere able to track an entity that appeared to be testing and iterating through different variations and versions of\r\ntools associated with the OilRig campaign. This same entity was found submitting a specific sample of Mimikatz\r\na day after testing multiple Helminth samples. 
We observed actors uploading this specific sample of Mimikatz to\r\nthe TwoFace webshell hosted at the Saudi educational institution mentioned earlier in this blog, leading us to\r\nbelieve that there is a likely relationship between the OilRig campaign and the TwoFace campaign. The extent of\r\nthis relationship is unknown at this time. While we cannot be absolutely certain that this is the same adversary in\r\nboth attacks, we are able to ascertain that this specific entity does have access to OilRig tools and also has access\r\nto a very specific sample of Mimikatz only found in this attack infrastructure.\r\nExpanding on the possible relationship between TwoFace and OilRig, examining the tactical overlap of both\r\nattacks may also provide additional data points to link them. Specifically, significant targeting overlap exists with\r\nboth attacks, with multiple organizations in multiple nation-states throughout the Middle East region being\r\ntargeted either as a final target or added as part of the attack infrastructure. One possible scenario of how TwoFace\r\nand OilRig are used in conjunction could be where the adversary uses the ClaySlide documents to deliver\r\nHelminth, which is then used as an initial landing point or beachhead into the target’s network. From there, the\r\nadversary may use the initial ingress point and its corresponding permissions to install the TwoFace webshell on\r\naccessible systems. Additional post-exploitation tools such as the ones we discovered may then have been\r\nuploaded to the now-compromised systems via the TwoFace file upload function.\r\nConclusion\r\nAs we have continued our research into operations in the Middle East, we are beginning to uncover more and\r\nmore overlaps between the various adversary groups and campaigns outlined by us and others in the public\r\ndomain. 
In this incident, we were able to follow a trail starting from a single webshell to a bevy of compromised\r\nsites, credential harvesters, post-exploitation tools, and even an operational overlap with what we originally\r\nthought was an unrelated attack campaign. The Middle East region has proven to be a hotbed of threat activity in\r\nrecent times, with continued acceleration of pacing as well as development in the tactics and techniques used.\r\nThere is no indication that this type of threat activity will cease, but with continued discovery of the adversary’s\r\nplaybooks, implementation of strong security policies, and effective deployment of technology, we can make it far\r\nless worthwhile for the adversary to execute their attacks.\r\nSource: 
https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/"
	],
	"report_names": [
		"unit42-striking-oil-closer-look-adversary-infrastructure"
	],
	"threat_actors": [
		{
			"id": "49f1ada0-181f-4e89-a449-e6bc13c8c6b1",
			"created_at": "2022-10-25T15:50:23.561511Z",
			"updated_at": "2026-04-10T02:00:05.382592Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"Threat Group 2889",
				"TG-2889"
			],
			"source_name": "MITRE:Cleaver",
			"tools": [
				"Net Crawler",
				"PsExec",
				"TinyZBot",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "217c588a-5896-4335-b9ec-a516ae2f9a7e",
			"created_at": "2022-10-25T16:07:23.513775Z",
			"updated_at": "2026-04-10T02:00:04.635263Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"Cutting Kitten",
				"G0003",
				"Operation Cleaver",
				"TG-2889"
			],
			"source_name": "ETDA:Cutting Kitten",
			"tools": [
				"CsExt",
				"DistTrack",
				"IvizTech",
				"Jasus",
				"KAgent",
				"Logger Module",
				"MANGOPUNCH",
				"MPK",
				"MPKBot",
				"Net Crawler",
				"NetC",
				"PVZ-In",
				"PVZ-Out",
				"Pupy",
				"PupyRAT",
				"PvzOut",
				"Shamoon",
				"SynFlooder",
				"SysKit",
				"TinyZBot",
				"WndTest",
				"pupy",
				"zhCat",
				"zhMimikatz"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434574,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b62dff1ab9fe630d6831b40a7cc226386edc139c.pdf",
		"text": "https://archive.orkl.eu/b62dff1ab9fe630d6831b40a7cc226386edc139c.txt",
		"img": "https://archive.orkl.eu/b62dff1ab9fe630d6831b40a7cc226386edc139c.jpg"
	}
}