{
	"id": "9a099fec-ddb6-4098-afe9-a426403b73a4",
	"created_at": "2026-04-06T00:22:02.413792Z",
	"updated_at": "2026-04-10T03:35:53.036302Z",
	"deleted_at": null,
	"sha1_hash": "1a9c90ddca563e2f3e6e745018b29c30b8faf27b",
	"title": "FIN8 is Back in Business, Targeting the Hospitality Industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1562505,
	"plain_text": "FIN8 is Back in Business, Targeting the Hospitality Industry\r\nBy Michael Gorelik\r\nArchived: 2026-04-05 19:49:20 UTC\r\nDuring the period of March to May 2019, Morphisec Labs observed a new, highly sophisticated variant of the\r\nShellTea / PunchBuggy backdoor malware that attempted to infiltrate a number of machines within the network of\r\na customer in the hotel-entertainment industry. It is believed that the fileless malware was deployed as a result of\r\nseveral phishing attempts.\r\nThe last documented version of ShellTea was in 2017, in a POS malware attack. Given the nature of the industry\r\ntargeted in the attack uncovered by Morphisec, we assume that this was also an attempted POS attack. As the\r\nattack was prevented by the Morphisec solution, the POS malware could not be downloaded to the machines.\r\nThis is the first cyberattack observed during 2019 that can be attributed to FIN8 with high probability, although\r\nthere are a few indicators that overlap with known FIN7 attacks, including URLs and infrastructure.\r\nIn this report, we investigate this latest variant of ShellTea, together with the artifacts it downloaded after the\r\nMorphisec Labs team detonated a sample in a safe environment.\r\nFIN8 – Technical Details\r\nWe begin by examining the different stages of the fileless dropper in detail.\r\nFileless execution\r\nFollowing successful infiltration, the malware persists through the registry:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nThe command line execution leads to PowerShell code executed from a different registry value:\r\nHKEY_CURRENT_USER\\Software\\ [random name]. The attacker abuses the PowerShell wildcard mechanism\r\nwith the assumption that there are no additional keys in the registry under HKCU that match the S???ware string\r\nother than Software. 
This may reduce the effectiveness of certain detection or introspection tools when looking\r\nfor the next stage execution.\r\nhttp://blog.morphisec.com/security-alert-fin8-is-back\r\nPage 1 of 15\n\nThe code from the [random name] key executes an additional PowerShell command that decodes a base64 assembly\r\nand invokes it in memory, passing it an additional [random name] registry value as a parameter: the\r\nShellTea shellcode:\r\n“Xshuzugewogazi”=”$null=\r\n[System.Reflection.Assembly]::Load([System.Convert]::FromBase64String(“TVq….”));\r\n[LExR.J9fL]::YHvszr((Get-ItemProperty -Path HKCU:Software\\Fpkakesude -Name Glyavonubafi).Glyavonubafi,\r\n0);”\r\nExecuting .NET assembly for shellcode execution\r\nThe base64 encoded assembly that we saw in the previous stage is a .NET stager that self-injects a shellcode (the\r\nparameter from the previous stage) by creating a new thread with the shellcode as its entry point. The thread also needs a\r\nparameter (the same shellcode) for proper execution.\r\nShellcode\r\nCustom function resolution\r\nTo operate and evade standard analysis tools, most of the functions are resolved by hash. The hashing algorithm has a high\r\ndegree of similarity to the previous ShellTea version, with a slight modification of the seeds and constants. 
In this\r\nversion, the attacker also utilizes functions from ole32 for stream processing.\r\nInject into Explorer\r\nAs in the previous version, ShellTea continues the operation after persisting through the explorer.exe process.\r\nWhile it includes multiple ways to find Explorer, the preferred method is to get the process id from the current\r\ndesktop window.\r\nAfter finding the process id, the shellcode uses standard functions to allocate and write memory within Explorer\r\nand then uses the low-level API RtlCreateUserThread for thread injection.\r\nVirtual Environment and Sandbox Bypass\r\nShellTea utilizes a number of techniques to identify if it is running within a virtual environment or is being\r\nmonitored.\r\nVirtual environment by firmware\r\nShellTea extracts the firmware string information using NtQuerySystemInformation with the\r\nSystemFirmwareTableInformation flag. Then it searches for a set of known strings as described in this article by\r\nCheck Point (additional strings have been added in this case, e.g. Visual Studio).\r\nLooking for monitoring processes\r\nAs part of the anti-debugging or anti-monitoring techniques, ShellTea iterates over all the running processes,\r\napplies CRC32 to each process name (after converting the string to capital letters), and then compares the value\r\nagainst a predefined set of CRCs. Note that a bug in the previous version has been fixed and more CRCs were\r\nadded.\r\nWe wrote a Python script based on a set of known process names and identified the list of the processes that\r\nare being searched for. 
These are:\r\nWINDBG.EXE, WIRESHARK.EXE, PROCEXP.EXE, PROCMON.EXE, TCPVIEW.EXE, OLLYDBG.EXE,\r\nIDAG.EXE, IDAG64.EXE, DUMPCAP.EXE, FILEMON.EXE, IDAQ64.EXE, IDAQ.EXE,\r\nIMMUNITYDEBUGGER.EXE, PETOOLS.EXE, REGMON.EXE, SYSER.EXE, TCPDUMP.EXE,\r\nWINDUMP.EXE, APIMONITOR.EXE, APISPY32.EXE, IRIS.EXE, NETSNIFFER.EXE,\r\nWINAPIOVERRIDE32.EXE, WINSPY.EXE\r\nValidate Hard Disk Volume\r\nThe hard disk volume name is hashed with SHA1 and compared to a preconfigured SHA1.\r\nFIN8 Persistency\r\nAfter successfully bypassing the sandbox checks, the shellcode executes a persistency module. If persistence has not yet been\r\nestablished (it validates this beforehand), it decrypts the PowerShell base64 command, then decrypts the CMD command\r\nfor persistency and writes both into the registry as described in the first step. Note that every string is decrypted\r\nwith a different XOR parameter, which may defeat some automatic analyzers.\r\nC2 protocol\r\nCommands\r\nThe ShellTea backdoor communicates on top of HTTPS and supports a number of commands based on what is\r\nreturned from the C2 server.\r\nIt may write data/shellcode it received from the C2 into the registry\r\nIt may reflectively load the delivered executable into the process (and then execute it)\r\nIt may create a file and execute it as a process, then mark it for deletion (after restart)\r\nIt may execute the shellcode as is by creating an additional thread\r\nIt may execute any PowerShell command using the downloaded native Empire ReflectivePicker (described\r\nlater).\r\nCommunication\r\nShellTea is proxy-aware malware: if direct communication fails, it falls back to the proxy-aware API. Most\r\nof the APIs are standard and are resolved from wininet. 
Following decryption of the embedded domains we get\r\nthe following list:\r\ntelemerty-cdn-cloud[.]host, reservecdn[.]pro, wsuswin10[.]us, telemetry[.]host\r\nAt the time of the investigation, telemerty-cdn-cloud[.]host was used and mapped to 104.193.252[.]162.\r\nNote that cdn substrings are also used in recent FIN7 attacks; it is a convenient method to bypass some\r\nnetwork filters and DLP solutions.\r\nShellTea also uses ole32 Stream object functions (e.g. CMemStm::Write) to manipulate the downloaded memory\r\nstream (downloaded by InternetReadFile directly into the stream).\r\nThe C2 identifies the POST request by the optional data that is sent immediately after the request headers\r\nusing HttpSendRequestA.\r\nFor example, in the case of the ReflectivePicker download, the optional data consists of an embedded cookie and the\r\nbyte ‘b’ as a command.\r\nWhen a buffer needs to be sent back (e.g. recon data collected on the endpoint), a magic header cookie is\r\nattached to the data and it is sent as is (encrypted, of course) through the optional buffer.\r\nRecon stage\r\nOne of the first artifacts the shellcode downloads is a PowerShell script together with a native .NET ReflectivePicker.\r\nBecause the PowerShell code is executed outside of the PowerShell host (from within the Explorer process), it bypasses many of\r\nthe blacklisting defenses.\r\nPowerShell download\r\nThe PowerShell script collects all possible information on the user and the network, including snapshots,\r\ncomputer and user names, emails from the registry, tasks in the task scheduler, system information, AVs registered in the\r\nsystem, privileges, domain and workgroup information.\r\nThe results are Gzipped and saved under a random file name in the temp folder. 
Following successful collection of\r\ninformation, the data is sent back to the C2 and the file is deleted.\r\nEmpire ReflectivePicker\r\nAs mentioned previously, the PowerShell is executed using the reflectively loaded ReflectivePicker from the Empire\r\nproject; it loads the CLR using CorBindToRuntime, which is resolved dynamically within the shellcode.\r\nConclusion\r\nThe hospitality industry, and particularly its POS networks, continues to be one of the industries most targeted\r\nby cybercrime groups. In addition to this attack by FIN8, we’ve seen multiple attacks by FIN6, FIN7, and others.\r\nMany POS networks are running on the POS version of Windows 7, making them more susceptible to\r\nvulnerabilities. What’s more, attackers know that many POS systems run with only rudimentary security, as\r\ntraditional antivirus is too heavy and requires constant updating that can interfere with system availability.\r\nAs we see here, attack syndicates are constantly innovating and learning from their mistakes; the numerous\r\nimprovements and bug fixes since the previous version of ShellTea are evident. 
The techniques implemented can\r\neasily evade standard POS defenses.\r\nMorphisec immediately prevented this attack from ever getting to the point where it could access POS endpoints.\r\nMorphisec is lightweight, with no need for updates, and does not need to be online to provide full protection.\r\nMoreover, it serves as a compensating control for Windows 7 systems, providing a virtual patch that protects against\r\nvulnerabilities.\r\nArtifacts\r\nShellTea backdoor:\r\n6353D7B18EE795969659C2372CD57C3D\r\n4B9EFD882C49EF7525370FFB5197AD86\r\nReflectivePicker:\r\nDC162908E580762F17175BE8CCA25CF3\r\nPowerShell recon script:\r\n4BEB10043D5A1FBD089AA53BC35C58CA\r\nDomains:\r\ntelemerty-cdn-cloud[.]host\r\ncdn-amaznet.club\r\nreservecdn[.]pro\r\nwsuswin10[.]us\r\ntelemetry[.]host\r\nIPs:\r\n104.193.252[.]162:443\r\n37.1.204[.]87:443\r\nAbout the author\r\nMichael Gorelik\r\nChief Technology Officer\r\nMorphisec CTO Michael Gorelik leads the malware research operation and sets technology strategy. He has\r\nextensive experience in the software industry and in leading diverse cybersecurity software development projects.\r\nPrior to Morphisec, Michael was VP of R\u0026D at MotionLogic GmbH, and previously served in senior leadership\r\npositions at Deutsche Telekom Labs. Michael has extensive experience as a red teamer, reverse engineer, and\r\ncontributor to the MITRE CVE database. He has worked extensively with the FBI and US Department of\r\nHomeland Security on countering global cybercrime. Michael is a noted speaker, having presented at multiple\r\nindustry conferences, such as SANS, BSides, and RSA. Michael holds BSc and MSc degrees from the Computer\r\nScience department at Ben-Gurion University, focusing on synchronization in different OS architectures. 
He also\r\njointly holds seven patents in the IT space.\r\nSource: http://blog.morphisec.com/security-alert-fin8-is-back\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"http://blog.morphisec.com/security-alert-fin8-is-back"
	],
	"report_names": [
		"security-alert-fin8-is-back"
	],
	"threat_actors": [
		{
			"id": "3150bf4f-288a-44b8-ab48-0ced9b052a0c",
			"created_at": "2025-08-07T02:03:24.910023Z",
			"updated_at": "2026-04-10T02:00:03.713077Z",
			"deleted_at": null,
			"main_name": "GOLD HUXLEY",
			"aliases": [
				"CTG-6969 ",
				"FIN8 "
			],
			"source_name": "Secureworks:GOLD HUXLEY",
			"tools": [
				"Gozi ISFB",
				"Powersniff"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bdde906-0416-42ee-9100-5ebd95dda77a",
			"created_at": "2023-01-06T13:46:38.601977Z",
			"updated_at": "2026-04-10T02:00:03.035842Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK113",
				"G0061"
			],
			"source_name": "MISPGALAXY:FIN8",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "72d09c17-e33e-4c2f-95db-f204848cc797",
			"created_at": "2022-10-25T15:50:23.832551Z",
			"updated_at": "2026-04-10T02:00:05.336787Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"FIN8",
				"Syssphinx"
			],
			"source_name": "MITRE:FIN8",
			"tools": [
				"BADHATCH",
				"PUNCHBUGGY",
				"Ragnar Locker",
				"PUNCHTRACK",
				"dsquery",
				"Nltest",
				"Sardonic",
				"PsExec",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fc80a724-e567-457c-82bb-70147435e129",
			"created_at": "2022-10-25T16:07:23.624289Z",
			"updated_at": "2026-04-10T02:00:04.691643Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK 113",
				"G0061",
				"Storm-0288",
				"Syssphinx"
			],
			"source_name": "ETDA:FIN8",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BadHatch",
				"BlackCat",
				"Noberus",
				"PSVC",
				"PUNCHTRACK",
				"PoSlurp",
				"Powersniff",
				"PunchBuggy",
				"Ragnar Loader",
				"Ragnar Locker",
				"RagnarLocker",
				"Sardonic",
				"ShellTea"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a9c90ddca563e2f3e6e745018b29c30b8faf27b.pdf",
		"text": "https://archive.orkl.eu/1a9c90ddca563e2f3e6e745018b29c30b8faf27b.txt",
		"img": "https://archive.orkl.eu/1a9c90ddca563e2f3e6e745018b29c30b8faf27b.jpg"
	}
}