{ "id": "a6b8e3dc-f588-46ae-a350-9e0fa812ecfd", "created_at": "2026-04-06T00:08:52.999433Z", "updated_at": "2026-04-10T03:38:19.180792Z", "deleted_at": null, "sha1_hash": "aaf45c7eb732fb8209ed0e2a6c652eb3464d32ea", "title": "BLINDINGCAN - Malware Used by Lazarus - - JPCERT/CC Eyes", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 655776, "plain_text": "BLINDINGCAN - Malware Used by Lazarus - - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2020-09-28 · Archived: 2026-04-05 12:39:38 UTC\r\nLazarus\r\nIn the previous article, we introduced one type of malware that Lazarus (also known as Hidden Cobra) uses after\r\nnetwork intrusion. It is confirmed that this attack group uses multiple types of malware including\r\nBLINDINGCAN, which CISA recently introduced in its report [1].\r\nThis article summarises the result of our analysis on BLINDINGCAN.\r\nBLINDINGCAN overview\r\nThe malware runs when a loader loads a DLL file. Figure 1 shows the flow of events until BLINDINGCAN runs.\r\nJPCERT/CC has confirmed that the DLL file is encoded in some samples (which requires decoding by the loader\r\nbefore execution).\r\nFigure 1: BLINDINGCAN behaviour\r\nBLINDINGCAN shares some features with the aforementioned malware including its function and\r\ncommunication encoding algorithm. The following sections will explain its configuration and communication\r\nprotocol.\r\nConfiguration\r\nThe configuration of BLINDINGCAN(size: 0xA84) is stored in one of the following locations:\r\nhttps://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html\r\nPage 1 of 11\n\nHardcoded in the malware itself\r\nStored in a registry entry\r\nSaved as a file\r\nIn case it is saved as a file, it is stored in the same folder where BLINDINGCAN is located. We have confirmed\r\nthat the following directory is used if the configuration is stored in a registry entry.\r\nKey: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\r\nValue: \"SM_Dev16[numeric string]\"\r\nThe configuration is encrypted using either XOR encoding, AES or RC4. The encryption key is either fixed or\r\ngenerated based on the environment of the infected device. JPCERT/CC has confirmed the following patterns of\r\nencryption keys:\r\n[File name][Export function name][Service name]\r\n[CPUID][Computer name][Processor name][Physical memory size]\r\nFigure 2 shows an example of decoded configuration. This includes proxy information as well as C\u0026C server\r\ninformation. (Please see Appendix A for details.)\r\nhttps://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html\r\nPage 2 of 11\n\nFigure 2: Configuration example\r\nObfuscation\r\nSome part of code in BLINDINGCAN is obfuscated using RC4. Figure 3 is an example of obfuscated code. The\r\nRC4 encryption key is hardcoded in the sample itself.\r\nhttps://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html\r\nPage 3 of 11\n\nFigure 3: Obfuscation\r\nCommunication with C\u0026C server\r\nBelow is an example HTTP POST request data that BLINDINGCAN sends in the beginning.\r\nPOST /[PATH] HTTP/1.1\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36\r\nHost: [Server]\r\nContent-Length: [Length]\r\nid=d3Ztd3lod2t0Tqf42ux9uv3FGH+Y3oAc2w==\u0026bbs=HA==\u0026tbl=hzE4dlKcRq3gokgAGeMQug== \u0026bbs_form=4GQAAA==\r\nThe format of the data is as follows. (All the values except for the RC4 key is RC4-encrypted and Base64-\r\nencoded.) The param2 in the first HTTP POST request is the encoded value of a string \"T1B7D95256A2001E\".\r\nid=[RC4 key][param1:param2:param3]\u0026[param1]=[Random value (between 1000 and 10000)]\u0026[param2]=[\"T1B7D9\r\nThe parameters in the POST data (param1, param2, param3) are randomly selected from the below:\r\nhttps://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html\r\nPage 4 of 11\n\nboardid,bbsNo,strBoardID,userid,bbs,filename,code,pid,seqNo,ReportID,v,PageNumber,num,view,read,actio\r\nThe RC4 encryption used here is different from the regular one. It has a process to shift the key stream for C00h\r\ntimes. The following is the RC4 encryption process written in Python. It does not apply to param3, which uses the\r\nregular RC4.\r\ndef custom_rc4(data, key):\r\n x = 0\r\n box = list(range(256))\r\n for i in range(256):\r\n x = (x + int(box[i]) + int(key[i % len(key)])) % 256\r\n box[i], box[x] = box[x], box[i]\r\n x = 0\r\n for i in range(0xC00):\r\n i = i + 1\r\n x = (x + int(box[i % 256])) % 256\r\n wow_x = x\r\n box[i % 256], box[x] = box[x], box[i % 256]\r\n wow_y = i % 256\r\n x = wow_y\r\n y = wow_x\r\n out = []\r\n for char in data:\r\n x = (x + 1) % 256\r\n y = (y + box[x]) % 256\r\n box[x], box[y] = box[y], box[x]\r\n out.append(chr(char ^ box[(box[x] + box[y]) % 256]))\r\n return ''.join(out)\r\nFigure 4 is the flow of communication from the beginning of its communication with a C\u0026C server until receiving\r\ncommands.\r\nhttps://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html\r\nPage 5 of 11\n\nFigure 4: BLINDINGCAN communication flow\r\nIf a Base64-encoded value of param3 ([Random binary data] in Figure 4) is received from the server as a response\r\nto the first request, the malware sends another request.\r\nThe next data is sent with empty param2 and a command request (Command request (0x2040) in Figure 4) in\r\nparam3. (Please see Appendix B for the details of param3 format.) The data in param3 is XOR-encoded, RC4-\r\nencrypted and then Base64-encoded.\r\nAfter that BLINDINGCAN receives a command from a C\u0026C server. (The format of the response data is the same\r\nas param3. Please see Appendix B). The response data is also XOR-encoded, RC4-encrypted and Base64-\r\nencoded. The only difference is that the \"+\" sign is replaced by a space.\r\nCommands\r\nBLINDINGCAN performs multiple functions including the following. (Please see Appendix C for details.)\r\nOperation on files (create a list, delete, move, modify timestamp, copy)\r\nOperation on processes (create a list, execute, kill)\r\nUpload/download files\r\nObtain disk information\r\nObtain a list of services\r\nExecute arbitrary shell command\r\nIn closing\r\nWe have introduced two kinds of malware used by Lazarus so far. However, they are known to use other types of\r\nmalware as well. We will provide an update if we observe any new kind of malware.\r\nThe C\u0026C server information of the samples mentioned in the article are listed in Appendix D. Please make sure\r\nthat none of your device is communicating with these hosts.\r\nhttps://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html\r\nPage 6 of 11\n\nShusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nReference\r\n[1] CISA: Malware Analysis Report (AR20-232A)\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nAppendix A: Configuration\r\nTable A: List of configurations\r\nOffset Description Remarks\r\n0x000 Number of C\u0026C servers Up to 5\r\n0x004 C\u0026C server 1\r\n0x108 C\u0026C server 2\r\n0x20C C\u0026C server 3\r\n0x310 C\u0026C server 4\r\n0x414 C\u0026C server 5\r\n0x518 Flag for proxy\r\n0x51C Proxy IP address\r\n0x520 Proxy port number\r\n0x522 Flag for C\u0026C reply\r\n0x526 Flag for drive information\r\n0x52A Flag for session information\r\n0x52E Save configuration\r\n0x532 Communication interval\r\n0x534 Start time\r\n0x53C seed Used when generating random data to send\r\n0x59C File name File obtained by the command \"0x2039\"\r\n0x5FC Unknown\r\n0x65C Unknown\r\nhttps://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html\r\nPage 7 of 11\n\n0x660 Not assigned\r\n0x674 Execute process name Contains \"c:¥windows¥system32¥cmd.exe\"\r\n0x87C Temp folder Command execution result is stored\r\nAppendix B: Contents of data exchanged\r\nTable B: Data format of param3 and response data\r\nOffset Length Contents\r\n0x00 2 Not assigned\r\n0x02 2 Command\r\n0x04 4 Not assigned\r\n0x08 4 Parameter length\r\n0x0C - Parameter (Base64 + RC4)\r\nAppendix C: Commands\r\nTable C: List of commands\r\nValue Contents\r\n0x2009 Get system information\r\n0x2010 Get drive information\r\n0x2011 Get directory list\r\n0x2012 Execute command (Regular output)\r\n0x2013 Upload file (compressed in zlib)\r\n0x2014 Download file\r\n0x2015 Execute process\r\n0x2016 Execute process (CreateProcessAsUser)\r\n0x2019 Get process list\r\n0x2020 Kill process\r\n0x2021 Delete file (sdelete)\r\n0x2022 Check connection\r\nhttps://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html\r\nPage 8 of 11\n\n0x2023 Change current directory\r\n0x2027 Modify file creation time\r\n0x2028 Change communication interval with C\u0026C server\r\n0x2029 End session with C\u0026C server\r\n0x2030 Uninstall\r\n0x2031 Get configuration\r\n0x2032 Overwrite configuration\r\n0x2033 Get directory information\r\n0x2034 Get drive available space\r\n0x2037 -\r\n0x2038 Sleep\r\n0x2039 Get file name\r\n0x2046 Write file\r\n0x2048 Copy file\r\n0x2049 Move file\r\n0x2050 Delete file\r\nAppendix D: C\u0026C server\r\nhttps://www.automercado.co.cr/empleo/css/main.jsp\r\nhttps://www.curiofirenze.com/include/inc-site.asp\r\nhttps://www.ne-ba.org/files/news/thumbs/thumbs.asp\r\nhttps://www.sanlorenzoyacht.com/newsl/include/inc-map.asp\r\nAppendix E: Sample hash value\r\n8db272ea1100996a8a0ed0da304610964dc8ca576aa114391d1be9d4c5dab02e\r\n58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\r\nhttps://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html\r\nPage 9 of 11\n\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially\r\ninvolved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security\r\nmonitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV,\r\nBlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.\r\nRelated articles\r\nUpdate on Attacks by Threat Group APT-C-60\r\nCrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks\r\nhttps://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html\r\nPage 10 of 11\n\nMalware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities\r\nDslogdRAT Malware Installed in Ivanti Connect Secure\r\nTempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup\r\nSource: https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html\r\nhttps://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "references": [ "https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html" ], "report_names": [ "BLINDINGCAN.html" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805", "created_at": "2023-07-20T02:00:08.724751Z", "updated_at": "2026-04-10T02:00:03.341845Z", "deleted_at": null, "main_name": "APT-C-60", "aliases": [ "APT-Q-12" ], "source_name": "MISPGALAXY:APT-C-60", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854", "created_at": "2024-12-28T02:01:54.668462Z", "updated_at": "2026-04-10T02:00:04.564201Z", "deleted_at": null, "main_name": "APT-C-60", "aliases": [ "APT-Q-12" ], "source_name": "ETDA:APT-C-60", "tools": [ "SpyGlace" ], "source_id": "ETDA", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434132, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/aaf45c7eb732fb8209ed0e2a6c652eb3464d32ea.pdf", "text": "https://archive.orkl.eu/aaf45c7eb732fb8209ed0e2a6c652eb3464d32ea.txt", "img": "https://archive.orkl.eu/aaf45c7eb732fb8209ed0e2a6c652eb3464d32ea.jpg" } }