{
	"id": "611b5ab3-d9f8-41b3-ab98-82d8aea7fc88",
	"created_at": "2026-04-06T00:17:37.156523Z",
	"updated_at": "2026-04-10T13:12:40.737778Z",
	"deleted_at": null,
	"sha1_hash": "66e3d8ac5d5bd39e335f7248e045e2dd925e2503",
	"title": "Warzone: Behind the enemy lines - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 146306,
	"plain_text": "Warzone: Behind the enemy lines - Check Point Research\r\nBy etal\r\nPublished: 2020-02-03 · Archived: 2026-04-05 14:54:32 UTC\r\nResearched by: Yaroslav Harakhavik\r\nSelling malware as a service (MaaS) is a reliable way for criminals to make money. Recently, various Remote Access Tools\r\n(RAT) have become increasingly popular. Though these RATs are marketed as malicious tools, their vendors like pretending\r\nthat they simply sell legitimate software for system administrators, and offer different subscription plans and customer\r\nsupport. Some of them even include a license agreement and terms of use. The developers of such tools are constantly\r\nimproving them and adding new features, resulting in increasingly sophisticated RATs.\r\nIn our report, we describe Warzone RAT, whose developers provide a wide range of different features.\r\nOSINT\r\nhttps://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/\r\nPage 1 of 24\n\nThe first Warzone RAT advertisement publicly emerged during autumn 2018 on warzone[.]io (not accessible as of the\r\nwriting of this article). 
Currently, the selling service is hosted on warzone[.]pw.\r\nMalware actors also operate a dynamic DNS service at warzonedns[.]com.\r\nAccording to the description from the website, the malware boasts the following capabilities and features:\r\nDoes not require .NET.\r\nRemote desktop available via VNC.\r\nHidden Remote desktop available via RDPWrap.\r\nPrivilege escalation (even for the latest Win10 updates)\r\nRemote WebCam control.\r\nPassword grabber (Chrome, Firefox, IE, Edge, Outlook,\r\nThunderbird, Foxmail)\r\nDownload \u0026 Execute any files.\r\nLive Keylogger with Offline Keylogger.\r\nRemote Shell.\r\nFile manager.\r\nProcess Manager.\r\nReverse Proxy\r\nFigure 1 – The advertisement on warzone[.]io.\r\nFigure 2 – The most recent advertisement on warzone[.]pw.\r\nThe web-site also offers different ways to contact the malware actor:\r\nsolmyr[@]xmpp[.]jp via XMPP.\r\nsolmyr[@]warzone[.]pw via email.\r\nlive:solmyr_12 and live:ebase03_1 via Skype.\r\nsolmyr#4699 and EBASE#6769 via Discord.\r\nBuyers can choose one of three subscription plans:\r\nStarter: 1 month, with RAT only functionality.\r\nProfessional: 3 months, with premium DDNS and customer support.\r\nWARZONE RAT – POISON: 6 months, with premium DDNS, premium customer support and Rootkit which hides\r\nprocesses, files and startup.\r\nFigure 3 – Subscription plan selection on warzone[.]pw.\r\nIn addition, the creators offer two more options:\r\nExploit builder – Allows embedding malware to a DOC file.\r\nCrypter – Packs malware to hide it from AV scanners.\r\nFigure 4 – Exploit and Crypter subscription plans\r\nThere is also a publicly available knowledge base, which contains guidelines for using the WarzoneRAT builder. 
The\r\nconfiguration guides include “Building a Client”, “HDRP lost password and username”, “Keylogger”, etc.\r\nFigure 5 – Knowledge Base of warzone[.]pw.\r\nIt is possible to find Warzone bundles on VirusTotal. Probably they were leaked by the customers themselves.\r\nFigure 6 – Leaked Warzone Bundles search\r\nTechnical Details\r\nWarzone is a RAT which is written in C++ and compatible with all Windows releases.\r\nThe malware developers have a dynamic DNS service at warzonedns[.]com, which means buyers aren’t affected by IP\r\naddress changes.\r\nWarzone bypasses UAC (User Account Control) to disarm Windows Defender and puts itself into the list of startup\r\nprograms. Finally, it runs a routine to handle C\u0026C commands. In our report, we focus on each of these actions.\r\nThere are several different versions of Warzone and the malware is constantly being improved. 
Some of the described\r\nfeatures can differ according to version.\r\nBypassing UAC\r\nIf Warzone RAT runs with elevated privileges, it adds the whole C:\\ path to the Windows Defender exclusions, utilizing the\r\nfollowing PowerShell command:\r\npowershell Add-MpPreference -ExclusionPath C:\\\r\nOtherwise, the malware bypasses UAC and escalates privileges with two different approaches – one for Windows 10 and the\r\nother for older versions:\r\nFor the versions below Windows 10, it uses a UAC bypass module which is stored in its resources.\r\nFor Windows 10, it abuses the auto-elevation feature of sdclt.exe which is used in the context of Windows backup\r\nand restore mechanisms.\r\nFigure 7 – Beginning of Warzone workflow.\r\nFigure 8 – UAC bypass strategies.\r\nWindows 10 UAC bypass\r\nWhen sdclt.exe is called from a medium integrity process (i.e. the process with standard user rights), the following\r\nevents occur:\r\n1. It runs another process, sdclt.exe, with high privilege.\r\n2. The high privilege sdclt process calls C:\\Windows\\System32\\control.exe.\r\n3. The control.exe process runs with high privilege and tries to open the\r\nHKCU\\Software\\Classes\\Folder\\shell\\open\\command registry value, which is not found.\r\nThe malware performs COM hijacking by writing its own path to the\r\nHKCU\\Software\\Classes\\Folder\\shell\\open\\command key with a DelegateExecute parameter.\r\nBasically, these actions can be substituted with the following commands:\r\nreg add \"HKCU\\Software\\Classes\\Folder\\shell\\open\\command\" /d \"\u003cPATH_TO_MALWARE\u003e\" /f\r\nreg add HKCU\\Software\\Classes\\Folder\\shell\\open\\command /v \"DelegateExecute\" /f\r\nFinally, the malware terminates itself. 
It will be run with elevated privileges by sdclt.exe.\r\nFigure 9 – Windows 10 UAC bypass.\r\nUAC bypass in OS versions prior to Windows 10\r\nFor Windows versions below Windows 10, the malware performs an IFileOperation exploit by Leo Davidson.\r\nFirst, it creates a registry hive _rptls in HKCU\\SOFTWARE. This includes a value Install with the path to itself.\r\nFigure 10 – HKCU\\SOFTWARE\\Install.\r\nThen, the malware loads an executable file from WM_DSP resource and runs a shellcode that contains approximately 1500\r\nbytes (after decrypting it with XOR 0x45).\r\nThe shellcode resolves some functions, runs an instance of cmd.exe in a suspended state and performs a process replacement\r\n(ZwUnmapViewOfSection – VirtualAllocEx – GetThreadContext – WriteProcessMemory – SetThreadContext).\r\nFigure 11 – Resolving functions in the shellcode\r\nThe code which is responsible for UAC bypass is taken from AVE_MARIA malware.\r\nThe following snippets show how the privilege escalation is performed in the context of cmd.exe.\r\nFigure 12 – New entry point of cmd.exe after process replacement\r\nThe malware extracts dismcore.dll from its WM_DISM resource and drops it to %TEMP% directory along with the xml\r\nfile ellocnak.xml.\r\nFigure 13 – Dropping ellocnak.xml with a configuration.\r\nThen it masquerades PEB (Process Environment Block) to invoke IFileOperation at a high integrity level.\r\nFigure 14 – Masquerading PEB.\r\nIn the next step, it uses pkgmgr.exe to load a dismcore.dll with elevated privileges.\r\nFigure 15 – Privilege elevation.\r\nThe loaded DLL retrieves the path to the Warzone malicious file from HKCU\\SOFTWARE\\_rptls\\Install, iterates through\r\nrunning processes and kills the Warzone 
process if it already exists. Then it runs the Warzone executable again, this time\r\nwith Admin privileges.\r\nPersistence\r\nThe malware copies itself to C:\\Users\\User\\AppData\\Roaming\\\u003cINSTALL_NAME\u003e.exe and adds this path to\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. By default the \u003cINSTALL_NAME\u003e is images.exe, but\r\nWarzone’s builder allows specifying any name for this executable file.\r\nIt also creates a registry hive HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UIF2IS2OVK and puts a pseudo-randomly generated sequence of 256 bytes under the inst value there.\r\nIf the malware was run without Admin privilege and it hasn’t been already terminated by its elevated instance, it copies itself\r\nto C:\\ProgramData\\\u003cPREDEFINED_NAME\u003e and simply runs itself again from the new location.\r\nNetwork Communication\r\nThe malware communicates with its C\u0026C server via TCP over port 5200. 
The packets’ payload is encrypted with RC4\r\nusing the password “warzone160\\x00” (the final null terminator is used as a part of the encryption key).\r\nThe layout of an unencrypted packet:\r\nFigure 16 – Unencrypted packet structure.\r\nExample: unencrypted response packet:\r\nFigure 17 – A response from the Warzone server.\r\nTable 1 – Response packet fields\r\nOffset Size Info\r\n0x00 4 bytes Magic number\r\n0x04 4 bytes Payload size\r\n0x08 4 bytes Packet ID\r\n0x0C [Payload size] Payload data\r\nEven though Warzone is supposed to encrypt its TCP packets, some versions use non-encrypted communication.\r\nFigure 18 – Encrypted and Non-encrypted Warzone TCP streams.\r\nThe strings in packet payload are stored in the following format:\r\nFigure 19 – BSTR structure layout.\r\nThe malware decrypts the C\u0026C server domain and tries to connect to it. After the server accepts the connection, it sends a\r\npacket with the message ID = 0 and an empty payload to the client. In return, the malware collects information about the\r\ninfiltrated computer and sends it back to the server in a response packet. This packet contains the following data:\r\nSHA-1 of MachineGUID\r\nCampaign ID.\r\nOS version.\r\nAdmin status.\r\nIs WOW64 process.\r\nPC name.\r\nMalware storage path.\r\nMurmurHash3 of the malicious file.\r\nRAM size.\r\nCPU information.\r\nVideo controller information.\r\nThe bot ID is a SHA-1 hash of MachineGUID registry value in HKLM\\Software\\Microsoft\\Cryptography.\r\nThe bot then waits for further commands from the server. Server message IDs are even numbers from 0x00 to 0x3C. The\r\nbot’s packets are represented by odd IDs from 0x01 to 0x3B. 
Some commands (such as a command to terminate the bot) are\r\nnot supposed to have an answer in the response or else contain an empty payload.\r\nBasically, the bot provides the attacker with an ability to control an infected PC using a remote shell, RDP or VNC console.\r\nIt provides remote task and file managers, streams the desktop to the attacker, allows using a web camera, and more.\r\nNetwork communication messages:\r\nThe following table contains the majority of message codes that a client and a server exchange with each other. The codes\r\ncan be slightly different across Warzone versions.\r\nID Source Info\r\n0x00 C\u0026C Machine Info Request\r\n0x01 BOT Machine Info Response\r\n0x02 C\u0026C Enumerate Processes Request\r\n0x03 BOT Enumerate Processes Response\r\n0x04 C\u0026C Enumerate Disks Request\r\n0x05 BOT Enumerate Disks Response\r\n0x06 C\u0026C List Directory\r\n0x07 BOT List Directory\r\n0x08 C\u0026C Read File\r\n0x09 BOT Read File\r\n0x0A C\u0026C Delete File Request\r\n0x0B BOT Delete File Response\r\n0x0C C\u0026C Kill Process\r\n0x0E C\u0026C Remote Shell Request\r\n0x0F BOT Remote Shell Response\r\n0x11 BOT Get Connected Cameras Response\r\n0x12 C\u0026C Get Connected Cameras Request\r\n0x13 C\u0026C Camera BMP Frame Transmission\r\n0x14 C\u0026C Start Camera\r\n0x15 BOT Heartbeat (per 20 sec)\r\n0x16 C\u0026C Stop Camera\r\n0x17 BOT VNC port setup Response\r\n0x18 C\u0026C Heartbeat (per 20 sec)\r\n0x19 BOT Browsers’ Passwords Recovery Response\r\n0x1A C\u0026C Uninstall Bot\r\n0x1C C\u0026C Upload File\r\n0x1D BOT RDP Response\r\n0x1E C\u0026C Send Executable File to a Client\r\n0x20 C\u0026C Browsers’ Passwords Recovery\r\n0x22 C\u0026C Download \u0026 Execute Request\r\n0x24 C\u0026C Keylogger (Online)\r\n0x25 BOT Download \u0026 Execute Response\r\n0x26 
C\u0026C Keylogger (Offline)\r\n0x28 C\u0026C RDP\r\n0x2A C\u0026C Reverse Proxy Start\r\n0x2C C\u0026C Reverse Proxy Stop\r\n0x30 C\u0026C VNC port setup Request\r\n0x32 C\u0026C VNC Stop\r\n0x33 C\u0026C Escalate Privileges\r\n0x38 C\u0026C Reverse Sock Port Setup Request\r\n0x3A C\u0026C Run file (cmd /c open \u003cfile_path\u003e)\r\n0x3B BOT Get Log storage path Response\r\n0x3C C\u0026C Get Log storage path Request\r\nSome examples of C\u0026C-to-Bot communication\r\nRequest information about an infected machine\r\nC\u0026C Request ID: 0x00\r\nBOT Response ID: 0x01\r\nRequest Payload Layout: None\r\nResponse Payload Layout\r\nEnumerate Processes\r\nC\u0026C Request ID: 0x02\r\nBOT Response ID: 0x03\r\nRequest Layout: None\r\nResponse Payload Layout:\r\nEnumerate Drives\r\nC\u0026C Request ID: 0x04\r\nBOT Response ID: 0x05\r\nRequest Payload Layout: None\r\nResponse Payload Layout:\r\nRequest example:\r\nResponse example:\r\nList Directory\r\nC\u0026C Request ID: 0x06\r\nBOT Response ID: 0x07\r\nRequest Payload Layout:\r\nResponse Payload Layout:\r\nIf empty: None;\r\nIf not empty:\r\nRequest example:\r\nResponse example:\r\nDelete File\r\nC\u0026C Request ID: 0x0A\r\nBOT Response ID: 0x0B\r\nRequest Payload Layout:\r\nResponse Payload Layout:\r\nRequest example:\r\nResponse example:\r\nBrowsers’ Passwords Recovery\r\nC\u0026C Request ID: 0x20\r\nBOT Response ID: 0x19\r\nRequest Payload Layout: None\r\nResponse Payload Layout:\r\nRequest example:\r\nResponse example:\r\nDownload \u0026 Execute\r\nC\u0026C Request ID: 0x22\r\nBOT Response ID: None\r\nRequest Payload Layout:\r\nResponse Payload Layout: 
None\r\nTerminate Bot\r\nC\u0026C Request ID: 0x1A\r\nBOT Response ID: None\r\nRequest Payload Layout: None\r\nResponse Payload Layout: None\r\nAdministration Panel \u0026 Builder\r\nOne of the leaked Warzone panels/builders represents Warzone version 1.84. It is written in .NET and is obfuscated by a\r\ncustom obfuscator.\r\nFigure 20 – Warzone panel.\r\nThe code is obfuscated by numerous arithmetical calculations and switch constructions that do not influence the control flow\r\nand are supposed to hide the useful instructions.\r\nFor example, the constructor of the class in Figure 21 (below) has 365 lines of code which do only one thing: assign the\r\nconstructor argument to a class member.\r\nFigure 21 – Decompiled panel code.\r\nFrom the context menu of the corresponding bot, the buyer can fully control the infected machine using remote command\r\nline, process/file manager and other features.\r\nFigure 22 – Context menu of a bot record.\r\nThe panel bundle contains the following items:\r\nWarzone RAT*.exe and Warzone RAT*.exe.config .NET assembly and configuration file of the panel.\r\nLegitimate libraries license.dll and PETools.dll.\r\nLicense file license.dat .\r\nClient stub cratclient.bin (cb6d6f17c102a8288704fe38dd9e2cf9) for the builder.\r\nDirectory Clients contains data which is specific for each client: downloaded files, logs, RDP passwords, etc.\r\nDirectory Datas contains mostly legitimate software such as RDPWrap libraries, SQLite library, VNC clients\r\n(TightVNC and TigerVNC clients) and so on. 
These files are transferred to a client when the corresponding feature is\r\ntriggered.\r\nFigure 23 – Content of the panel bundle.\r\nConclusion\r\nThough Warzone is represented as a legitimate tool, similar to other popular RATs, it is practically an ordinary Trojan with\r\nfunctionality similar to other RATs. It can be distributed by other malicious software or via spam mail.\r\nOn the other hand, unlike many other popular RATs (e.g. NanoCore, Remcos, etc.) which are developed using .NET,\r\nWarzone was written with object-oriented C++ code. Warzone also has its own network protocol over TCP instead of using\r\nHTTP communication. In addition to a custom network protocol and a nice network infrastructure, Warzone includes 2\r\ndifferent UAC bypass approaches which are quite reliable for Windows 10 and prior versions.\r\nIn general, the malware-as-a-service approach is currently very popular.  More and more frequently, many ordinary Trojans\r\nare sold with an existing infrastructure and constant support from their developers. 
Such a centralized architecture makes it\r\neasier and more convenient for threat actors to reinforce new malicious campaigns.\r\nCheck Point protections keep our customers secure from attacks by Warzone and other remote access tools.\r\nIOCs\r\nSample examples\r\nSHA256\r\n531d967b9204291e70e3aab161a5b7f1001339311ece4f2eed8e52e91559c755\r\na03764da06bbf52678d65500fa266609d45b972709b3213a8f83f52347524cf2\r\n263433966d28f1e6e5f6ae389ca3694495dd8fcc08758ea113dddc45fe6b3741\r\nStrings\r\nString Type\r\nwarzone160 ASCII\r\nAVE_MARIA ASCII\r\nWM_DSP ASCII\r\nWM_DISP ASCII\r\nProcesses\r\nCommand Line\r\npowershell Add-MpPreference -ExclusionPath C:\\\r\nRegistry Detection\r\nRegistry Path Registry Key Values\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet\r\nSettings\r\nMaxConnectionsPer1_0Server 10\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet\r\nSettings\r\nMaxConnectionsPerServer 10\r\nHKCU\\Software\\_rptls Install \u003cPATH_TO_MALWARE\u003e\r\nFile System Detection\r\nFile Name Comments\r\n%LOCALAPPDATA%\\Microsoft Vision\\ Directory\r\n%LOCALAPPDATA%\\Microsoft Vision\\([0-2][0-9]|(3)[0-1])(-)(((0)[0-9])|((1)\r\n[0-2]))(-)\\d{4}_(?:[01]\\d|2[0123])\\.(?:[012345]\\d)\\.(?:[012345]\\d)\r\nRegex for datetime in format: DD-MM-YYYY_HH.mm.SS\r\nC\u0026C servers\r\nDomains Communication Type\r\n*.warzonedns[.]com TCP over 5200\r\nCheck Point Signatures\r\nProduct Detect Name\r\nAnti-Bot Trojan.Win32.Warzone.E\r\nSource: https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/"
	],
	"report_names": [
		"warzone-behind-the-enemy-lines"
	],
	"threat_actors": [],
	"ts_created_at": 1775434657,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/66e3d8ac5d5bd39e335f7248e045e2dd925e2503.pdf",
		"text": "https://archive.orkl.eu/66e3d8ac5d5bd39e335f7248e045e2dd925e2503.txt",
		"img": "https://archive.orkl.eu/66e3d8ac5d5bd39e335f7248e045e2dd925e2503.jpg"
	}
}