{
	"id": "9bf7115c-5741-4238-8f60-e57b0c02d1b0",
	"created_at": "2026-04-06T00:22:16.257941Z",
	"updated_at": "2026-04-10T03:36:11.265354Z",
	"deleted_at": null,
	"sha1_hash": "59b600d2309a4e88c632a3a1d1a22df2cd5e87e7",
	"title": "BumbleBee hunting with a Velociraptor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4179276,
	"plain_text": "BumbleBee hunting with a Velociraptor\r\nPublished: 2023-04-11 · Archived: 2026-04-05 17:40:05 UTC\r\n11.04.2023\r\nresearch\r\nBumbleBee, a malware which is mainly abused by threat actors in data exfiltration and ransomware incidents, was recently\r\nanalyzed by Angelo Violetti of SEC Defence - the SEC Consult Digital Forensics and Incident Response team.\r\nDuring his research, he used several tools and techniques to define ways to detect the presence of BumbleBee on a\r\ncompromised infrastructure.\r\nThe various detection opportunities described in the report can be useful for organizations to detect an infection in its first\r\nstages and, therefore, prevent further malicious activity starting from BumbleBee. The detection opportunities rely on open-source tools (e.g., Velociraptor) and rules (e.g., Yara, Sigma) so they can be used by any company or the wider community.\r\nSEC Defence offers Threat Hunting and Incident Response services to support clients in promptly detecting and responding\r\nto cyber threats such as BumbleBee. To request immediate support in case of a potential incident or breach, get in touch with\r\nSEC Defence. \r\nIntroduction\r\nRansomware attacks, combined with data exfiltration, are one of the most relevant cyber threats for companies\r\nworldwide, as reported by the Enisa Threat Landscape 2022. 
According to NIST's Computer Security Incident Handling Guide, the\r\nprevention and detection phases of those types of attacks can be crucial to minimize the potential incident's impacts (e.g.,\r\noperational, legal, etc.).\r\nTo gain initial access into a victim’s infrastructure, ransomware operators mostly abuse the following techniques:\r\nPhishing campaigns, also conducted by initial access brokers [1], that deliver malware which acts as a loader for\r\nsubsequent post-exploitation frameworks like Cobalt Strike or Meterpreter.\r\nhttps://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/\r\nPage 1 of 12\n\nExposed vulnerable services that can be exploited to execute arbitrary commands remotely.\r\nCompromised accounts that allow the threat actor to log in to services like VPN.\r\nOne of the newest malware families delivered by initial access brokers, first documented by Google's Threat Analysis Group in March 2022, is called BumbleBee. It has been used by the well-known Russian group Wizard Spider, which has been\r\nlinked to ransomware like Conti, Quantum, Royal, etc.\r\nIn this article, SEC Defence shows the analysis that has been performed of a BumbleBee sample and provides some threat\r\nhunting methods to detect BumbleBee techniques.\r\nBumbleBee\r\nBumbleBee is commonly distributed via malicious ISO images and relies on thread-hijacking emails (replies injected into existing, stolen email conversations so that the message appears to come from a known contact) to induce the victims to\r\ndownload the ISO file and subsequently open it. 
When executed, BumbleBee performs mainly the following actions:\r\nVerifies if it is running in an analysis or sandboxing environment by performing various checks like enumerating the\r\nregistry keys and drivers related to VMware or VirtualBox.\r\nGathers information about the compromised system through WMI queries.\r\nConnects to the command and control (C2) servers listed in the malware configuration, which is stored RC4 encrypted inside the binary.\r\nFurthermore, BumbleBee can also receive commands from the threat actors to perform further malicious\r\nactions like achieving persistence and downloading other malware (e.g., Cobalt Strike).\r\nMalware Analysis \u0026 Detection\r\nThe BumbleBee sample analyzed is the following ISO file, which is available on Malware Bazaar.\r\nFile name: Required Documents.img\r\nMD5: 016eae588e2e565414259280ba4f6753\r\nSHA1: 6983820a0d115bb78290ce9fbd6543623281d3d1\r\nSHA256: 127b3506b7da4569cbdf23bb500bb95832e1a8d4fcec5e2ce6ec9e0c973ba36b\r\nBumbleBee Execution Process\r\nThe ISO file analyzed contained three files: two hidden files (a BAT script and the BumbleBee DLL) and one visible LNK file.\r\nWhen opened, the LNK file launches cmd.exe to execute the hidden BAT file.\r\nC:\\Windows\\System32\\cmd.exe /c case_studies.bat\r\nThe threat actors slightly obfuscated the BAT file by assigning every letter of the alphabet to an environment variable (padded with junk labels) and spelling the final command out of %variable% references, so that the executed command never appears in clear text in the file.\r\nObfuscated BAT file:\r\n@echo off\r\n:ywthnwxyyek\r\nset ugfmhz=a\r\n:dykxmzumupg\r\nset zjxchb=b\r\n:ibbnmbrapbc\r\nset c=c\r\n:ndtdmdoplmy\r\nset d=d\r\n:gnczycxqkhn\r\nset e=e\r\n:lqupyfuegsj\r\nset f=f\r\n:qslfyhrtbde\r\nset g=g\r\n:vvcvyjohxoa\r\nset h=h\r\n:ofmqjjxjwjp\r\nset i=i\r\n:thdgjluxsul\r\nset j=j\r\n:ykvwjnrlngh\r\nset k=k\r\n:dmmnjqpajrd\r\nset l=l\r\n:wxwivpxbimr\r\nset m=m\r\n:bznyurvpexn\r\nset n=n\r\n:gceoutseaij\r\nset o=o\r\n:leweuwpsvtf\r\nset p=p\r\n:eofagvytuou\r\nset 
q=q\r\n:jrxqgxviqzq\r\nset r=r\r\n:otoggaswmkl\r\nset s=s\r\n:twgwgcplhwh\r\nset t=t\r\n:lgprrbymgqw\r\nset u=u\r\n:rigirdvaccs\r\nset v=v\r\n:wlyyrgspyno\r\nset w=w\r\n:bnporipdtyk\r\nset x=x\r\n:txzjdhyestz\r\nset y=y\r\n:yaqzckvtoeu\r\nset z=z\r\n:zogksw\r\n%c%%m%%d%.%e%%x%%e% /%c% %s%%t%%a%%r%%t% /%b% /%m%%i%%n% %c%%o%%p%%y% /Y C:\\W%i%%n%%d%%o%%w%%s%\\S%y%%s%%t%%e%%m%32\\%r%%u%%\r\nBy de-obfuscating the BAT file, it is possible to see that it copies the rundll32 executable into the ProgramData directory under a random name and\r\nthen uses that copy to launch the BumbleBee DLL (network.dll).\r\nDe-obfuscated BAT file:\r\ncmd.exe /c start /b /min copy /Y C:\\Windows\\System32\\rundll32.exe C:\\ProgramData\\ESMS3uYsyNq2s.exe \u0026\u0026 start /b /min C:\\Pr\r\nDefense Evasion: Mark-of-the-Web Bypass\r\nBumbleBee is delivered inside ISO images to evade a Windows mechanism called Mark-of-the-Web (MoTW). Windows tags files downloaded from the Internet with\r\na hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier, and security features such as SmartScreen and Office Protected View act on that tag. The downloaded ISO itself carries the stream, but the LNK, BAT and DLL inside the mounted image did not, so opening them triggered none of those safeguards.\r\nVelociraptor\r\nThe Velociraptor artifact called Windows.Detection.ISOMount can be used to search for mounted ISO files; this activity is\r\ntracked in the Windows Event Logs with Event ID 22.\r\nThe following image shows the identification of the BumbleBee ISO image mounting.\r\nMasquerading: Rename System Utilities Detection\r\nThe technique used by the BAT file is called Rename System Utilities (MITRE ATT\u0026CK T1036.003) and consists of copying a legitimate system binary into another folder under a\r\ndifferent name, in order to evade detections that key on the executable's name or path.\r\nVelociraptor\r\nVelociraptor natively offers an artifact named Windows.Detection.BinaryRename to hunt for known executables that are\r\ncopied and re-named by threat actors.\r\nSELECT * FROM 
source(artifact=\"Windows.Detection.BinaryRename\") WHERE VersionInformation.OriginalFilename =~ \"rundll32\"\r\nThe following image shows the identification of this technique through Velociraptor.\r\nWindows Event Logs\r\nBy looking at Sysmon [2] Event ID 1, we notice that the OriginalFileName value (taken from the PE version resource) does not match the executable name\r\nspecified in the Image value.\r\nThis pattern can also be hunted with the following Sigma rule (excerpt: the omitted part of the rule excludes processes whose Image still ends with the expected file name, otherwise every legitimate execution of these binaries would match):\r\n[…]\r\ndetection:\r\n selection:\r\n - Description: 'Execute processes remotely'\r\n - Product: 'Sysinternals PsExec'\r\n - Description|startswith:\r\n - 'Windows PowerShell'\r\n - 'pwsh'\r\n - OriginalFileName:\r\n - 'powershell.exe'\r\n - 'pwsh.dll'\r\n - 'powershell_ise.exe'\r\n - 'psexec.exe'\r\n - 'psexec.c' # old versions of psexec (2016 seen)\r\n - 'psexesvc.exe'\r\n - 'cscript.exe'\r\n - 'wscript.exe'\r\n - 'mshta.exe'\r\n - 'regsvr32.exe'\r\n - 'wmic.exe'\r\n - 'certutil.exe'\r\n - 'rundll32.exe'\r\n - 'cmstp.exe'\r\n - 'msiexec.exe'\r\n - 'reg.exe'\r\n[…]\r\nThe full Sigma rule can be found here.\r\nExecution: System Binary Proxy Execution Detection\r\nBumbleBee executes the malicious DLL through rundll32.exe (System Binary Proxy Execution, MITRE ATT\u0026CK T1218.011), so that the malicious code runs inside a signed Microsoft binary and is less likely to be flagged by security applications.\r\nVelociraptor\r\nSEC Defence has created the following Yara rule that can be used to detect running BumbleBee processes through the\r\nVelociraptor artifact Windows.Detection.Yara.Process.\r\nrule BumbleBee_Unpacked{\r\nmeta:\r\nauthor = \"Angelo Violetti (SEC Consult - SEC Defence)\"\r\ndate = \"2023-02-23\"\r\ndescription = \"Rule to detect BumbleBee in memory\"\r\nreference = \"https://sec-consult.com/incident-response/sec-defence/\"\r\nstrings:\r\n/*\r\n$s1\r\nmov rax, [rbx+10h]\r\ncmp qword ptr [rbx+18h], 10h\r\njb short loc_18000738F\r\nmov rbx, [rbx]\r\nmov r8d, eax\r\nmov rdx, rbx\r\nlea rcx, [rsp+148h+array]\r\ncall 
mw_rc4_ksa_wrapper\r\nnop\r\n$s2\r\nmov r8d, 0FFFh\r\nlea rdx, mw_encrypted_config\r\nlea rcx, [rsp+148h+array]\r\ncall mw_rc4_decrypt_wrapper\r\nnop\r\n$s3\r\nlea rcx, [rsp+148h+array]\r\ncall mw_return\r\n*/\r\n$s1 = {?? 83 ?? 18 10 72 03 ?? 8B ?? 44 8B ?? 48 8B ?? 48 8D 4C 24 30 E8 ?? ?? FF FF 90}\r\n$s2 = {48 8D 4C 24 30 E8 ?? ?? FF FF 90}\r\n$s3 = {48 8D 4C 24 30 E8 ?? ?? FF FF}\r\ncondition:\r\nall of ($s*)\r\n}\r\nThe Yara rule is based on the code the malware executes when it decrypts its embedded configuration, which contains\r\nthe command and control servers: the commented disassembly shows the three matched sequences, and the wildcarded bytes in $s1 to $s3 cover the REX/ModRM bytes that depend on register allocation and the relative call displacements, which change between builds. Note that $s2 and $s3 on their own (a lea rcx, [rsp+30h] followed by a backward call and a nop) are generic compiler output, so the rule relies on all three strings matching together.\r\nThe following image shows the identification of BumbleBee processes through the SEC Defence Yara rule and Velociraptor.\r\nWindows Event Logs\r\nSince, at the time of execution, the BumbleBee DLL is located on the mounted ISO file, when rundll32.exe is executed its current\r\ndirectory is set to the external drive, as shown by the following Sysmon Event ID 1.\r\nTo detect this behaviour, SEC Defence has defined the following Sigma rule:\r\ntitle: Suspicious Rundll32 with Current Directory an External Drive\r\nruletype: Sigma\r\nauthor: Angelo Violetti (SEC Consult - SEC Defence)\r\ndate: 2023/03/01\r\ndescription: Detects the execution of rundll32.exe and the current directory is not C\r\nreference: sec-consult.com/incident-response/sec-defence/\r\nid: aaff35da-bcee-11ed-afa1-0242ac120002\r\nstatus: experimental\r\ntags:\r\n - attack.defenseevasion\r\n - attack.T1553.005\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n SELECTION_1:\r\n OriginalFileName: 'rundll32.exe'\r\n SELECTION_2:\r\n CurrentDirectory|startswith: 'C:\\\\'\r\n condition: SELECTION_1 and not SELECTION_2\r\nlevel: medium\r\nThe rule fires on any rundll32.exe whose current directory does not start with C:\\, which also covers UNC paths and additional local volumes, so it may need tuning in environments where users legitimately run tools from data drives.\r\nCommand \u0026 Control: Application Layer Protocol\r\nAfter compromising the victim's workstation, BumbleBee contacts the C2 servers whose addresses are stored RC4 encrypted in the binary. By\r\nanalyzing the memory of the running (and therefore decrypted) process, it is possible to notice various IP addresses, each followed by a destination port; however, only a\r\npart of them are associated with port 443 (HTTPS), and only those are actually used as C2 servers.\r\nVelociraptor\r\nTo automatically extract the C2 server addresses from the malware, SEC Defence created a further Velociraptor artifact that\r\nfirst detects BumbleBee processes and then extracts the IP addresses that have port 443 associated.\r\nname: Custom.Windows.Carving.BumbleBee\r\nauthor: \"Angelo Violetti (SEC Consult - SEC Defence)\"\r\ntype: CLIENT\r\ndescription: |\r\n This artifact will detect running BumbleBee processes and subsequently extract the command and control servers wit\r\nreference: sec-consult.com/incident-response/sec-defence/\r\nparameters:\r\n - name: TargetFileGlob\r\n default:\r\n - name: PidRegex\r\n default: .\r\n - name: ProcessRegex\r\n default: .\r\n - name: DetectionYara\r\n default: |\r\n rule BumbleBee_Unpacked{\r\n meta:\r\n author = \"Angelo Violetti @ SEC Defence\"\r\n date = \"2023-02-23\"\r\n \r\n strings:\r\n $s1 = {?? 83 ?? 18 10 72 03 ?? 8B ?? 44 8B ?? 48 8B ?? 48 8D 4C 24 30 E8 ?? ?? FF FF 90}\r\n $s2 = {48 8D 4C 24 30 E8 ?? ?? FF FF 90}\r\n $s3 = {48 8d 4c 24 30 e8 ?? ?? FF FF}\r\n \r\n condition:\r\n all of ($s*)\r\n }\r\n \r\n - name: ExtractIPsYara\r\n default: |\r\n rule BumbleBee_IPs{\r\n meta:\r\n author = \"Angelo Violetti @ SEC Defence\"\r\n date = \"2023-02-23\"\r\n description = \"Extracts the IP addresses with the destination port equal to 443 from BumbleBee processes\"\r\n strings:\r\n $IP = {?? ?? ?? 2e ?? ?? ?? 2e ?? ?? ?? 2e ?? ?? ?? 00 (?? | ?? ??) 00 00 00 00 00 00 00 0f 00 00 00 00 00 00}\r\n condition:\r\n $IP\r\n }\r\nsources:\r\n - precondition:\r\n SELECT OS From info() where OS = 'windows'\r\n query: |\r\n -- Find velociraptor process\r\n LET me = SELECT Pid\r\n FROM pslist(pid=getpid())\r\n -- Find all processes and add filters\r\n LET processes = SELECT Name AS ProcessName, CommandLine, Pid\r\n FROM pslist()\r\n WHERE Name =~ ProcessRegex\r\n AND format(format=\"%d\", args=Pid) =~ PidRegex\r\n AND NOT Pid in me.Pid\r\n -- Scan processes in scope with our DetectionYara\r\n LET processDetections = SELECT * FROM foreach(row=processes,\r\n query={\r\n SELECT * FROM if(condition=TargetFileGlob=\"\",\r\n then={\r\n SELECT *, ProcessName, CommandLine, Pid, Rule AS YaraRule\r\n FROM proc_yara(pid=Pid, rules=DetectionYara)\r\n })\r\n })\r\n \r\n -- Scan the process for the IP addresses\r\n LET ipaddressDetections = SELECT ProcessName, CommandLine, Pid, Strings.Data AS IPAddresses FROM foreach(row=proce\r\n \r\n -- Extract the command and control servers\r\n LET CommandandControlServers = SELECT * FROM foreach(row=ipaddressDetections, query={SELECT ProcessName, CommandLi\r\n -- Output the command and control servers\r\n SELECT ProcessName, CommandLine, Pid, str(str=g1) AS BumbleBeeC2 FROM CommandandControlServers\r\nThe $IP pattern is tied to the in-memory layout of the decrypted configuration strings (a dotted-quad string followed by its null terminator and the port bytes); the filtering to port 443 is then done in the VQL query.\r\nThe following image shows the output produced by the SEC Defence Velociraptor artifact.\r\nNetwork Traffic Analysis\r\nAnother method to detect connections to C2 servers is to integrate continuously updated Cyber Threat Intelligence\r\nfeeds and detection rules into network security technologies such as IDS/IPS sensors.\r\nIn this specific case, the following Proofpoint Emerging Threats rules were triggered:\r\nET CNC Feodo Tracker Reported CnC Server group 1: 103[.]144[.]139[.]146\r\nET CNC Feodo Tracker Reported CnC Server group 10: 205[.]185[.]113[.]34\r\nET CNC Feodo Tracker Reported CnC Server group 11: 
23[.]106[.]223[.]222\r\nET CNC Feodo Tracker Reported CnC Server group 25: 95[.]168[.]191[.]248\r\nSuggested Remediation / Other Actions\r\nProactively hunt at scale for the subsequent actions that could have been performed by the threat actors after having\r\ncompromised the patient zero (e.g., discovery, credential access, lateral movement, etc.).\r\nIsolate, where possible, the compromised systems to contain the incident and prevent the spread of the infection.\r\nBlock the indicators of compromise (IoCs) identified during the analysis and, where appropriate, also blocklist the\r\nindicators reported on OSINT sources like Malware Bazaar, Feodo Tracker, etc.\r\nIf support in handling the incident is needed, contact the incident response team.\r\nConclusion\r\nBy analyzing the tactics, techniques and procedures adopted by BumbleBee, SEC Defence identified and created\r\nmechanisms to detect the malware in the early stages of the attack, with the objective of minimizing further potential\r\nimpacts such as data exfiltration and/or encryption.\r\nAs stated by other companies (Mandiant, Intrinsec), the threat actors behind BumbleBee have a strong relationship with other\r\nmalware families like Emotet or IcedID and with ransomware groups. 
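As an added worked example, not taken from the original SEC Defence research or its repositories, the following Python script reproduces two of the hunting steps above offline: it recovers the command hidden in the letter-substitution batch file, and it applies the renamed-binary check and the external-drive CurrentDirectory check from the two Sigma rules to Sysmon-style process-creation events. The batch file and the events are constructed samples modelled on the ones in this article; the copy target name x.exe, the powershell event and the drive letters are assumptions.

```python
import re
from typing import Dict, Iterable, List

# --- 1. Recovering the command from a letter-substitution batch file --------
# Constructed sample modelled on case_studies.bat: each letter lives in an
# environment variable (two of them under random names, as decoys), junk
# labels pad the file, and the last line spells the real command out of
# %var% references. The copy target x.exe is a placeholder, not the real name.
SAMPLE_BAT = (
    '''@echo off
:ywthnwxyyek
set ugfmhz=a
:dykxmzumupg
set zjxchb=b
'''
    + ''.join('set %s=%s' % (ch, ch) + chr(10) for ch in 'abcdegilmnoprstuwxy')
    + ':zogksw' + chr(10)
    + '%c%%m%%d%.%e%%x%%e% /%c% %s%%t%%a%%r%%t% /%b% /%m%%i%%n% %c%%o%%p%%y% /Y '
    + 'C:\\W%i%%n%%d%%o%%w%%s%\\S%y%%s%%t%%e%%m%32\\%r%%u%%n%%d%%l%%l%32.%e%%x%%e% '
    + 'C:\\P%r%%o%%g%%r%%a%%m%D%a%%t%%a%\\x.%e%%x%%e%'
)

VAR_REF = re.compile('%([^%]+)%')  # a single %name% reference


def parse_batch_vars(text: str) -> Dict[str, str]:
    '''Collect every plain set NAME=VALUE line; cmd treats names case-insensitively.'''
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line[:4].lower() == 'set ' and '=' in line:
            name, _, value = line[4:].partition('=')
            env[name.strip().lower()] = value
    return env


def deobfuscate_bat(text: str) -> List[str]:
    '''Return the payload lines of a batch file with every %var% expanded.'''
    env = parse_batch_vars(text)
    commands: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '@:' or line[:4].lower() == 'set ':
            continue  # echo off, labels and assignments are not payload
        # Inside a batch file an unset variable expands to nothing, which is
        # also why the two decoy names never surface in the recovered command.
        commands.append(VAR_REF.sub(lambda m: env.get(m.group(1).lower(), ''), line))
    return commands


# --- 2. The two process-creation checks over Sysmon-style events ------------
# Subset of the OriginalFileName list used by the renamed-binary Sigma rule.
WATCHED_ORIGINALS = {
    'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe',
    'certutil.exe', 'msiexec.exe', 'cmstp.exe', 'wmic.exe', 'powershell.exe',
}


def image_basename(image: str) -> str:
    '''File-name part of a Windows Image path, lower-cased.'''
    return image.rsplit('\\', 1)[-1].lower()


def hunt_process_event(ev: Dict[str, str]) -> List[str]:
    '''Names of the checks that match one process-creation event.'''
    hits: List[str] = []
    original = ev.get('OriginalFileName', '').lower()
    # Renamed binary: the PE version resource names a watched LOLBin, but the
    # file on disk was started under a different name.
    if original in WATCHED_ORIGINALS and image_basename(ev['Image']) != original:
        hits.append('renamed_binary')
    # rundll32 whose current directory is outside C: (a mounted ISO appears as
    # D:, E:, ...); UNC paths and extra local volumes match too, by design.
    if original == 'rundll32.exe' and not ev.get('CurrentDirectory', '').upper().startswith('C:\\'):
        hits.append('rundll32_external_drive')
    return hits


def hunt_process_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    '''Apply both checks and keep only the events that triggered at least one.'''
    results: List[Dict[str, object]] = []
    for ev in events:
        hits = hunt_process_event(ev)
        if hits:
            results.append({'Image': ev['Image'],
                            'CurrentDirectory': ev.get('CurrentDirectory', ''),
                            'hits': hits})
    return results


# Constructed Sysmon Event ID 1 field subsets (not real telemetry): a normal
# rundll32, the renamed copy started from the mounted ISO, and a normal shell.
SAMPLE_EVENTS = [
    {'Image': 'C:\\Windows\\System32\\rundll32.exe', 'OriginalFileName': 'RUNDLL32.EXE',
     'CurrentDirectory': 'C:\\Windows\\system32\\'},
    {'Image': 'C:\\ProgramData\\ESMS3uYsyNq2s.exe', 'OriginalFileName': 'RUNDLL32.EXE',
     'CurrentDirectory': 'D:\\'},
    {'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'OriginalFileName': 'PowerShell.EXE', 'CurrentDirectory': 'C:\\Users\\analyst\\'},
]

if __name__ == '__main__':
    for command in deobfuscate_bat(SAMPLE_BAT):
        print(command)
    for result in hunt_process_events(SAMPLE_EVENTS):
        print(result)
```

Run the script directly to print the recovered command and the flagged event. The expansion follows batch semantics: variable names are matched case-insensitively and an unset variable expands to nothing, so the two decoy assignments leave no trace in the output. The external-drive check is intentionally as broad as the Sigma rule: anything that is not under C: matches, including UNC paths and secondary local volumes, so expect to tune it where users legitimately run tools from data drives.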
Therefore, proactively hunting for BumbleBee activities or\r\napplying the right remediation actions in time can prevent the execution of other malicious executables that could cause\r\nservice unavailability or impact the confidentiality and integrity of data.\r\n[1] Initial access brokers are cyber-criminals who sell access to compromised infrastructures to other groups for financial gain.\r\n[2] Sysmon (System Monitor) is a Windows service that logs a wide range of activities performed on a system, such\r\nas process creation, network connections or file changes.\r\nRepositories:\r\nSigma: https://github.com/angelovioletti/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_ext_drive\r\nVelociraptor: https://github.com/Velocidex/velociraptor-docs/blob/d891bf8671230437b2b4497649c28b9a6045252b/content/exchange/artifacts/BumbleBee.yaml\r\nYara: https://github.com/sec-consult/SD-BumbleBee-Hunting-Rules/blob/main/BumbleBee_Unpacked.yara\r\nThis research has been conducted by Angelo Violetti and published on behalf of SEC Defence.\r\nSource: https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/"
	],
	"report_names": [
		"bumblebee-hunting-with-a-velociraptor"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434936,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59b600d2309a4e88c632a3a1d1a22df2cd5e87e7.pdf",
		"text": "https://archive.orkl.eu/59b600d2309a4e88c632a3a1d1a22df2cd5e87e7.txt",
		"img": "https://archive.orkl.eu/59b600d2309a4e88c632a3a1d1a22df2cd5e87e7.jpg"
	}
}