{
	"id": "98fb13ae-3911-425b-bd27-d9dae0ba7fc5",
	"created_at": "2026-04-06T00:19:40.444216Z",
	"updated_at": "2026-04-10T03:30:57.305911Z",
	"deleted_at": null,
	"sha1_hash": "65d76a7b512b87f860aece885df15dbca1dbb077",
	"title": "Cardinal RAT Active for Over Two Years",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5673473,
	"plain_text": "Cardinal RAT Active for Over Two Years\r\nBy Josh Grunzweig\r\nPublished: 2017-04-20 · Archived: 2026-04-05 17:26:24 UTC\r\nPalo Alto Networks has discovered a previously unknown remote access Trojan (RAT) that has been active for\r\nover two years. It has a very low volume in this two-year period, totaling roughly 27 total samples. The malware\r\nis delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in\r\nMicrosoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an\r\nexecutable that in turn is run to deploy the Cardinal RAT malware family. These malicious Excel files use a\r\nnumber of different lures, providing evidence of what attackers are using to entice victims into executing them.\r\nThe malware from start to finish exhibits the following high level operations as shown in Figure 1:\r\nFigure 1 Malware execution flow\r\nCarp Downloader\r\nAs previously mentioned, we have observed Cardinal RAT being delivered using a unique technique involving\r\nmalicious Excel macros. We are calling these delivery documents the Carp Downloader, as they make use of a\r\nspecific technique of compiling and executing embedded C# (CshARP) language source code that acts as a simple\r\ndownloader.\r\nWe observed the following example macro in the most recent sample. Note that we have prefixed the function\r\nnames with ‘xx_’ to make it easier for the reader to understand what is going on. Additionally, we have added\r\ncomments to explain what is happening, as well as the un-obfuscated strings that are found within the macro.\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 1 of 18\n\nFigure 2 Portion of malicious macro containing base64-encoded source code\r\nFigure 3 Portion of malicious macro responsible for compiling and executing embedded source code\r\nAs a quick recap of what the malicious macro is doing, it begins by generating two paths—a path to a randomly\r\nnamed executable, and randomly named C# file in the %APPDATA%\\\\Microsoft folder. It then base64-decodes\r\nthe embedded C# source code as shown in Figure 2 and writes it to the C# file path previously generated. Finally,\r\nas shown in Figure 3 it will compile and execute this C# source code using the Microsoft Windows built-in\r\ncsc.exe utility.\r\nThe decoded source code in this example looks like the following as shown in Figure 4.\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 2 of 18\n\nFigure 4 Decoded source code\r\nAs we can see, it simply downloads a file from secure.dropinbox[.]pw using HTTP on port 443 (not HTTPS), and\r\nproceeds to decrypt the file using AES-128 prior to executing it. At this point, Cardinal RAT has been downloaded\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 3 of 18\n\nand executed, and execution is directed to this sample. Of course, the Carp Downloader is not required to\r\ndownload Cardinal RAT, however, based on our visibility, it has exclusively done so.\r\nA total of 11 unique Carp Downloader samples have been observed to date. The following figures show lures that\r\nwe observed in these samples.\r\nFigure 5 Lure with a filename of Top10Binary_Sample_HotLeads_13.9.xls\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 4 of 18\n\nFigure 6 Lure with a filename of AC_Media_Leads_ReportGenerator_5.2.xls\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 5 of 18\n\nFigure 7 Lure with an unknown filename\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 6 of 18\n\nFigure 8 Lure with a filename of Arabic 22.12_Pre qualified.xls\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 7 of 18\n\nFigure 9 Lure with an unknown filename\r\nFigure 10 Lure with a filename of Hot_Leads_Export_09.03_EN.xls\r\nAs we can see from the above examples, the majority of these lures are financial-related, describing various fake\r\ncustomer lists for various organizations. Based on the similarities witnessed in some of these lures, it appears that\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 8 of 18\n\nthe attackers use some sort of template, where they simply swap specific cells with the pertinent images or\r\ninformation.\r\nCardinal RAT\r\nThe name Cardinal RAT comes from internal names used by the author within the observed Microsoft .NET\r\nFramework executables. To date, 27 unique samples of Cardinal RAT have been observed, dating back to\r\nDecember 2015. It is likely that the low volume of samples seen in the wild is partly responsible for the fact that\r\nthis malware family has remained under the radar for so long.\r\nAn unobfuscated copy of Cardinal RAT was identified, which allowed us to view the decompiled class and\r\nfunction names. A subset of these may be seen below in Figure 11. This allowed us to not only easily identify the\r\nfull functionality of the RAT, but also made it easier to identify and reverse-engineer various aspects of the\r\nmalware itself.\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 9 of 18\n\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 10 of 18\n\nFigure 11 Decompiled Cardinal RAT classes\r\nWhen initially executed, the malware will check its current working directory. Should it not match the expected\r\npath, Cardinal will enter its installation routine. Cardinal RAT will copy itself to a randomly named executable in\r\nthe specified directory. It will then compile and execute embedded source code that contains watchdog\r\nfunctionality. Specifically, this newly spawned executable will ensure that the following registry key is set:\r\nHKCU\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\r\nThis specific key is set to point towards the path of the previously copied Cardinal RAT executable path. The\r\nexecutable will periodically query this registry key to ensure it is set appropriately. If the executable finds the\r\nregistry key has been deleted, it will re-set it. The Load registry key acts as a persistence mechanism, ensuring that\r\nthis Cardinal RAT executes every time a user logs on. More information about the Load registry key may be found\r\nhere.\r\nThis watchdog process also ensures that the Cardinal RAT process is always running, as well as ensures that the\r\nexecutable is located in the correct path. Should either of these conditions not be met, the watchdog process will\r\nspawn a new instance of Cardinal RAT, or write Cardinal RAT to the correct location, respectively.\r\nAfter the installation routine, Cardinal RAT will inject itself into a newly spawned process. It will attempt to use\r\none of the following installed executables for the newly spawned process:\r\nRegAsm.exe\r\nRegSvcs.exe\r\nvbc.exe\r\ncsc.exe\r\nAppLaunch.exe\r\ncvtres.exe\r\nCardinal RAT will continue to parse an embedded configuration. This configuration, named internally as\r\n‘GreyCardinalConfig’, is a binary blob that contains a mixture of base64-encoded data, DWORDs, and Boolean\r\nvalues. Using a custom written Python script, we parsed the configuration of an example sample:\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n$ python decode_parse_config.py GreyCardinalConfig\r\nMutex: cpS3H2NSA65T67mUqB3a\r\nGUID: 952407f889285547985aa2fcf35c5383\r\nCampaign: 04/04/2016 Public\r\nNumber of C2 Servers: 1\r\nC2 Server: secure[.]affiliatetoday[.]xyz\r\nPort: 4425\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 11 of 18\n\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\nCommunication Key: H7sVBirLvGwVfLSLSeI2\r\nConnection Delay: 3500\r\nBuffer Size: 20480\r\nMax Buffer Size: 40960000\r\nUnknown Integer: 70000\r\nPrevent System Sleeping: 0\r\nHide File: 0\r\nDie on Sandbox Detection: 0\r\nKeylogging: 1\r\nInstall Name: None\r\nAs we can see, this particular sample is configured with a single command and control (C2) server, however, we\r\nhave seen other samples with multiple host and port combinations. We can also identify a communication key in\r\nit, which is crucial when discussing network communications.\r\nAfter the configuration is parsed, Cardinal RAT will proceed with making attempts at connecting with the C2.\r\nUsing an example request and response from a C2 server, we can see how this traffic is configured.\r\nFigure 12 Parsed network traffic communication\r\nData is transmitted in two pieces—a DWORD specifying the data length, as well as the data itself. The data is\r\nencrypted using a series of XOR and addition operations, followed by decompression using the ZLIB library.\r\nRepresented in Python, this may be implemented as follows:\r\ndef decrypt(md5_key, data):\r\n  key = data[-1]\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 12 of 18\n\nremaining = data[0:-1]\r\n  c = 0\r\n  out = \"\"\r\n  for x in remaining:\r\n    b = md5_key[c%len(md5_key)]\r\n    out += chr(ord(x) ^ ord(b) + ord(key) \u0026 255)\r\n    c+=1\r\n  if len(out) \u003e 15:\r\n    if ord(out[0]) == 1:\r\n      out = zlib.decompress(out[1:], -15)\r\n  return out\r\nThe ‘md5_key’ argument in the function above is the MD5 hash of the previously defined\r\n‘H7sVBirLvGwVfLSLSeI2’ string that was contained within Cardinal RAT’s embedded configuration. Now that\r\nwe know how to decrypt the data, we can look at the previously shown PCAP data and determine what is being\r\nsent. The first message decrypts to the following:\r\n$ python decrypt_cardinal_pcap.py\r\nData Length: 3\r\n00000000: 00 00\r\nFollowed by the Cardinal RAT’s response:\r\n$ python decrypt_cardinal_pcap.py\r\nData Length: 148\r\n00000000: 00 95 24 07 F8 89 28 55  47 98 5A A2 FC F3 5C 53  ..$...(UG.Z...\\S\r\n00000010: 83 4A 00 61 00 73 00 6F  00 6E 00 20 00 42 00 6F  .J.a.s.o.n. .B.o\r\n00000020: 00 72 00 6E 00 00 00 4A  00 41 00 53 00 4F 00 4E  .r.n...J.A.S.O.N\r\n00000030: 00 42 00 4F 00 52 00 4E  00 2D 00 50 00 43 00 00  .B.O.R.N.-.P.C..\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 13 of 18\n\n00000040: 00 30 00 34 00 2F 00 30  00 34 00 2F 00 32 00 30  .0.4./.0.4./.2.0\r\n00000050: 00 31 00 36 00 20 00 50  00 75 00 62 00 6C 00 69  .1.6. .P.u.b.l.i\r\n00000060: 00 63 00 00 00 57 00 69  00 6E 00 64 00 6F 00 77  .c...W.i.n.d.o.w\r\n00000070: 00 73 00 20 00 37 00 20  00 55 00 6C 00 74 00 69  .s. .7. .U.l.t.i\r\n00000080: 00 6D 00 61 00 74 00 65  00 20 00 00 00 00 00 00  .m.a.t.e. ......\r\n00000090: 00 00 31 00 2E 00 34 00  00 00 30 00 37 00 38 00  ..1...4...0.7.8.\r\n000000A0: 42 00 46 00 42 00 46 00  44 00 30 00 30 00 30 00  B.F.B.F.D.0.0.0.\r\n000000B0: 33 00 30 00 36 00 44 00  32 00 00 00              3.0.6.D.2...\r\nThis communication represents the C2 server asking the Cardinal RAT to retrieve and upload victim information\r\n(‘\\x00\\x00’), to which the malware responds accordingly. As we can see in the above decrypted stream, the\r\nmalware returns a wealth of information, including the following:\r\nUsername\r\nHostname\r\nCampaign Identifier\r\nMicrosoft Windows version\r\nVictim unique identifier\r\nProcesser architecture\r\nMalware version (1.4)\r\nThe malware itself is equipped with a number of features, including the following:\r\nCollect victim information\r\nUpdate settings\r\nAct as a reverse proxy\r\nExecute command\r\nUninstall itself\r\nRecover passwords\r\nDownload and Execute new files\r\nKeylogging\r\nCapture screenshots\r\nUpdate Cardinal RAT\r\nClean cookies from browsers\r\nConclusion\r\nCardinal RAT is deployed using an interesting technique of compiling and executing a downloader via a malicious\r\nmacro embedded within a Microsoft Excel file. The Excel files themselves contain lures that have financial\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 14 of 18\n\nthemes. This threat has had a low volume of samples in the past two years, with 11 instances of Carp Downloader\r\nand 27 instances of Cardinal RAT observed. Palo Alto Networks customers are protected by these threats in the\r\nfollowing ways:\r\nAll samples discussed are classified as malicious by the WildFire sandbox platform\r\nAll identified domains have been classified as malicious\r\nAutoFocus users can track the malware described in this report using the CarpDownloader and\r\nCardinalRAT\r\nAppendix\r\nCarp Downloader SHA256 Hashes\r\na52ba498d304906d6c060e8c56ad7db50e1af0a781616c0aa35447c50c28bae9\r\n5025aa0fc6d4ac6daa2d9a6452263dcc20d6906149fc0995d458ed38e7e57b61\r\n1181f97071d8f96f9cdfb0f39b697204413cc0a715aa4935fe8964209289b331\r\n84e705341a48c8c6552a7d3dd97b7cd968d2a9bc281a70c287df70813f5dca52\r\nae1a6c4f917772100e3a5dc1fab7de4a277876a6e626da114baf8179b13b0031\r\ne49e61da52430011f1a22084a601cc08005865fe9a76abf503a4a9d2e11a5450\r\n192b204dbc702d3762c953544975b61db8347a7739c6d8884bb4594bd816bf91\r\n571b58ba655463705f45d2541f0fde049c83389a69552f98e41ece734a59f8d4\r\n10f53502922bf837900935892fb1da28fc712848471bf4afcdd08440d3bd037f\r\n8bea55d2e35a2281ed71a59f1feb4c1cf6af1c053a94781c033a94d8e4c853e5\r\n057965e8b6638f0264d89872e80366b23255f1a0a30fd4efb7884c71b4104235\r\nCardinal RAT SHA256 Hashes\r\ne017651dd9e9419a7f1714f8f2cdc3d8e75aebbe6d3cfbb2de3f042f39aec3bd\r\n778090182a10fde1b4c1571d1e853e123f6ab1682e17dabe2e83468b518c01df\r\n8fababb509ad8230e4d6fa1e6403602a97e60dc8ef517016f86195143cf50f4e\r\n1977cedcfb8726dea5e915b47e1479256674551bc0fe0b55ddd3fa3b15eb82b2\r\n16aab89d74c1eaaf1e94028c8ccceef442eb2cd5b052cba3562d2b1b1a3a4ba6\r\n9c47b2af8b8c5f3c25f237dcc375b41835904f7cd99221c7489fb3563c34c9ab\r\n211b7b7a4c4a07b9c65fae361570dbb94666e26f0cc0fa0b32df4b09fcee6de2\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 15 of 18\n\nfd61a5cd1a83f68b75d47c8b6041f8640e47510925caee8176d5d81afac29134\r\n84f822d9cf575aeea867e9b73f88ad4d9244293e52208644e12ff2cf13b6b537\r\n855cf3a6422b0bf680d505720fd07c396508f67518670b493dba902c3c2e5dfa\r\n4b4c6b36938c3de0623feb92c0e1cb399d2dc338d2095b8ba84e862ef6d11772\r\n5dd162ab66f0c819ee73868c26ecd82408422e2b6366805631eab95ae32516f3\r\n6e2991e02d3cf17d77173d50cdaa766661a89721c3cc4050fba98bea0dbdb1a9\r\n1e8ed6e8d0b6fc47d8176c874ed40fb09644c058042f34d987878fa644f493cc\r\n647e379517fed71682423b0192da453ec1d61a633c154fdd55bab762bcc404f3\r\nebd4f45cbb272bcc4954cf1bd0a5b8802a6e501688f2a1abdb6143ba616aea82\r\nedc49bf7ec508becb088d5082c78d360f1a7cad520f6de6d8b93759b67aac305\r\n7482f8c86b63ce53edcb62fc2ff2dd8e584e2164451ae0c6f2b1f4d6d0cb6d9c\r\n2fbd3d2362acd1c8f0963b48d01f94c7a07aeac52d23415d0498c8c9e23554db\r\n154e3a12404202fd25e29e754ff78703d4edd7da73cb4c283c9910fd526d47db\r\nfc5f7a21d953c394968647df6a37e1f61db04968ad1aca65ad8f261b363fa842\r\na1d5b7d69d85b1be31d9e1cb0686094cc7b1213079b2a66ace01be4bfe3fb7c3\r\n4b0203492a95257707a86992e84b5085ce9e11810a26920dbb085005081e32d3\r\na05805bcec72fb76b997c456e0fd6c4b219fdc51cad70d4a58c16b0b0e2d9ba1\r\n4e953ea82b0406a5b95e31554628ad6821b1d91e9ada0d26179977f227cf01ad\r\n6272ed2a9b69509ac16162158729762d30f9ca06146a1828ae17afedd5c243ef\r\n440504899b7af6f352cfaad6cdef1642c66927ecce0cf2f7e65d563a78be1b29\r\nDomains\r\nns1[.]squidmilk[.]com\r\nns2[.]squidmilk[.]com\r\nz[.]realnigger[.]xyz\r\nns1[.]tconvulsit[.]com\r\nns1[.]fresweepy[.]com\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 16 of 18\n\nns2[.]iexogyrarax[.]com\r\nns1[.]xraisermz[.]com\r\nsecure[.]affiliatetoday[.]xyz\r\nsecure[.]gayporndownload[.]xyz\r\nsecure[.]gameofthrone[.]club\r\nsecure[.]dropinbox[.]pw\r\nsecure[.]mailserver02[.]xyz\r\nwe[.]niggerporn[.]xyz\r\nz[.]noplacelikehome[.]xyz\r\nns1[.]stackreports[.]com\r\nns2[.]stackreports[.]com\r\nns[.]liveupdate1[.]com\r\nns[.]nortonsecurity[.]in\r\nwe[.]letsdosomefun[.]xyz\r\nwe[.]be-smart[.]xyz\r\nz[.]newblood[.]xyz\r\nns2[.]ibandagerk[.]com\r\nns1[.]rmacutecompw[.]com\r\nns1[.]pholothud[.]com\r\nns1[.]athermoforw[.]com\r\nns1[.]lclownerymor[.]com\r\nns2[.]xunderfeatuv[.]com\r\nns3[.]ssaddlegirv[.]com\r\nns1[.]qcytasicspc[.]com\r\nns[.]7ni7[.]com\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 17 of 18\n\nIgnite ’17 Security Conference: Vancouver, BC June 12–15, 2017\r\nIgnite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear\r\nfrom innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find\r\nout how breach prevention is changing the security industry. Visit the Ignite website for more information on\r\ntracks, workshops and marquee sessions.\r\nSource: http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=8550284049\r\n65433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412\r\nPage 18 of 18",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412"
	],
	"report_names": [
		"?adbsc=social71702736\u0026adbid=855028404965433346\u0026adbpl=tw\u0026adbpr=4487645412"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434780,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65d76a7b512b87f860aece885df15dbca1dbb077.pdf",
		"text": "https://archive.orkl.eu/65d76a7b512b87f860aece885df15dbca1dbb077.txt",
		"img": "https://archive.orkl.eu/65d76a7b512b87f860aece885df15dbca1dbb077.jpg"
	}
}