{
	"id": "f4fb2956-fa0b-4af0-a635-bced7e399e3a",
	"created_at": "2026-04-06T00:18:40.17722Z",
	"updated_at": "2026-04-10T03:32:04.77409Z",
	"deleted_at": null,
	"sha1_hash": "eedc3d3ecfe8c445d2577210f7f0fe83e17d45ba",
	"title": "Updated Blackmoon banking Trojan stays focused on South Korean banking customers | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1466650,
	"plain_text": "Updated Blackmoon banking Trojan stays focused on South\r\nKorean banking customers | Proofpoint US\r\nBy January 19, 2016 Proofpoint Staff\r\nPublished: 2016-01-19 · Archived: 2026-04-05 17:45:42 UTC\r\nFirst analyzed in early 2014 [1] [2], the Blackmoon banking Trojan targets a user’s online banking credentials\r\nusing a type of pharming that involves modifying or replacing the local Hosts file with one that redirects online\r\nbanking domain lookups to an IP address controlled by the attacker. Blackmoon has been observed targeting\r\nprimarily customers of South Korean online banking sites and services, and is usually distributed via drive-by\r\ndownload.\r\nLike other banking Trojans targeting online banking users in other countries, Blackmoon continues to evolve both\r\ntheir distribution and delivery technique. Proofpoint threat researchers recently observed a sample of the\r\nBlackmoon Korean banking Trojan (7e67216628d9a171be0ce18c51fda8ce) retrieving encoded configuration\r\ninformation from the “lofter[.]com” blogging platform.\r\nFigure 1: Encoded configuration block found on the lofter[.]com blogging platform\r\nExecutable Process\r\nhttps://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan\r\nPage 1 of 17\n\nThe malware arrives on the system as an executable. (The original delivery method of this sample is unknown, but\r\nprevious analyses have found it spreading via download from an infected site.)\r\nFigure 2: Information from PEStudio for 7e67216628d9a171be0ce18c51fda8ce\r\nOnce executed, the dropper extracts a DLL from itself and launches the DLL via rundll32.exe, calling the dropper\r\nfilename as a parameter that deletes the original dropper from disk. 
The DLL and the folder it resides in are named\r\nusing 6 random alphabetical characters.\r\nFigure 3: BlackMoon DLL (84E2D574085C77F47E801F5326E83D73) launching via rundll32.exe\r\nFigure 4: Blackmoon strings present in 84E2D574085C77F47E801F5326E83D73\r\nThe malware sets persistence by running the command\r\nFigure 5: Blackmoon DLL persistence setting in registry key\r\nThe malware calls out to a hardcoded website address to retrieve the encoded configuration block. It parses the\r\npage looking for “###” and extracts the data until a subsequent “###”: this is the encoded configuration block\r\n(Fig. 6).\r\nFigure 6: The encoded Blackmoon configuration block.\r\nThe malware makes use of JavaScript to handle the encoding and decoding of strings. The decoding can be\r\ndescribed as case-swapped base64 with a substituted padding character of ‘@’. (A Python script for decoding is\r\nincluded at the end of this post.)\r\nFigure 7: Calling decoding routine in malicious JavaScript\r\nFigure 8: Decoded Configuration Block\r\nThe malware also utilizes this encoding to register the infected host.\r\nFigure 9: Blackmoon infected client check-in\r\nFigure 10: Decoded SID parameter for infected client\r\nThe malware clears the DNS resolver cache by running the command ipconfig.exe /flushdns, and then sets the\r\ninfected client’s DNS server settings to the values found in the [Dns] section of the config block. In this case it is\r\n127.0.0.1 with the Google primary public DNS server of 8.8.8.8 as a backup.\r\nWith the primary DNS set to the loopback address, the malware rewrites the infected client’s Hosts file with\r\nentries for search engine and banking sites so that they resolve to the attacker's server. The list of domains to redirect is\r\nhardcoded in the malware. 
The value in the [Host] field of the configuration block replaces “IP#” when it is\r\nwritten to the Hosts file.\r\nFigure 11: The Modified HOSTS file before (right) and after (left) the IP from the Configuration Block is replaced.\r\nThe malware also searches for a folder “\\NPKI\\” containing .cer or .der files on the infected client. If found, the\r\nmalware extracts a command line RAR executable from itself and saves it to “\\Documents and Settings\\Administrator\\Local Settings\\Temp” as “zip.tmp”. Then the malware archives the NPKI folder with the\r\nfollowing command:\r\nzip.tmp a -hp@#@2016999# \"D:\\NPKI.z\" \"D:\\NPKI\"\r\nThe malware will then send the password-protected archive via HTTP POST to the address given in the [Upload] field of the configuration\r\nblock. It is likely that the contents of the NPKI folder are used to impersonate an end-user in order\r\nto access their online banking information and accounts. 
[3] [4]\r\nFigure 12: The Blackmoon DLL sending NPKI RAR archive\r\nThe configuration block also includes a [Time] value that indicates how often the malware checks for a new\r\nconfiguration block.\r\nOnce the infected client’s Hosts file has been updated with the redirected domains, a user visiting any of the\r\nsearch engine sites with the infected client will often see the following message:\r\nFigure 13: Message displayed when user of infected client visits a domain listed in modified Hosts file\r\nThis message roughly translates to:\r\nFinancial Supervisory Service is conducting an authentication process did you install the security certificate for\r\nthis PC?\r\n※ Certificate must verify the security and privacy of information leakage incidents in the auction using Internet\r\nbanking Guests prevent financial fraud, please see below.\r\n※ You cannot access the Internet Banking more safely receive the security certification process.\r\n※ Please click the bank name that you use to proceed to the secure authentication procedures.\r\nA user who clicks on one of these online banking site names in order to log in would be presented with the\r\nfollowing sequence of pages:\r\nFigure 14: Fake online banking web site using stolen branding\r\nWhile this page appears legitimate, clicking on any element on the page brings up an alert.\r\nFigure 15: Fraudulent security notification to end user\r\nThis roughly translates to:\r\nSafer internet 03.24.2014 (Will) for banking using internet banking, smart Banking, Phone Banking To The use of\r\nall services (private. 
Company) can then use additional authentication.\r\nClicking the OK button brings up a brief loading message:\r\nFigure 16: Loading message displayed when user accepts warning\r\nThis is then followed by a two-stage credential theft phish.\r\nFigure 17: First page of credential theft phishing, with stolen branding\r\nFigure 18: Second page of credential theft phishing, with stolen branding\r\nThe phishing pages include user input validation capabilities that surpass those typically found in phishing pages,\r\nsuch as validating that the user has entered their name using the proper character set, as well as numerous checks\r\nto ensure that a valid “Social Security number” (officially called a Resident Registration Number in South Korea)\r\nhas been entered.\r\nFigure 19: Phishing page form input validation for character set\r\nFigure 20: Phishing page form input validation for South Korean equivalent of Social Security Number\r\nThis infection chain is consistent with examples documented in early 2014, with two noteworthy updates to\r\ndistribution and delivery technique:\r\nDistribution via the lofter[.]com blogging platform, with frequent changes to the backend web servers.\r\nAddition of encoding for C2 information in payload download.\r\nThese changes are consistent with updates Proofpoint researchers have recently observed in other malware, from\r\nhighly targeted malware such as the Operation Arid Viper payload [5] to broad-based campaigns such as those\r\ndistributing Dridex [6]. 
Organizations can expect to see continued variation in obfuscation techniques and\r\ndistribution as attackers attempt to stay ahead of evolving defenses.\r\nReferences\r\n[1] http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-\r\n_BlackMoon_Ver_1.0_External_ENG.pdf\r\n[2] https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/\r\n[3] http://www.hikorea.go.kr/pt/PublicCertificate_en.pt\r\n[4] http://grrrltraveler.com/countries/asia/korea/expat-life/online-banking-korea/\r\n[5] http://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View\r\n[6] http://www.proofpoint.com/us/threat-insight/post/Not-Yet-Dead\r\nEmerging Threats Coverage\r\n2815665 - ETPRO TROJAN W32.Blackmoon Checkin 1\r\n2815676 - ETPRO TROJAN W32.Blackmoon Checkin 2\r\n2815733 - ETPRO TROJAN W32.Blackmoon Bank Phishing Page - Compromised Host M1\r\n2815734 - ETPRO TROJAN W32.Blackmoon Bank Phishing Page - Compromised Host M2\r\n2815735 - ETPRO TROJAN W32.Blackmoon Bank Phishing Page - Compromised Host M3\r\n2815736 - ETPRO TROJAN W32.Blackmoon Bank Phishing Page - Compromised Host M4\r\n2815737 - ETPRO TROJAN W32.Blackmoon Bank Phishing Page - Compromised Host M5\r\n2815738 - ETPRO TROJAN W32.Blackmoon Bank Phishing Page - Compromised Host M6\r\n2815769 - ETPRO TROJAN W32.Blackmoon Uploading Stolen Certificates\r\nYara Rule\r\nrule BLACKMOON_BANKER {\r\n    meta:\r\n        author = \"Proofpoint Staff\"\r\n        info = \"blackmoon update\"\r\n        strings:\r\n                $s1 = \"BlackMoon RunTime Error:\" nocase wide ascii\r\n                $s2 = \"\\\\system32\\\\rundll32.exe\" wide ascii\r\n                $s3 = \"cmd.exe /c ipconfig /flushdns\" wide ascii\r\n                $s4 = \"\\\\system32\\\\drivers\\\\etc\\\\hosts.ics\" wide ascii\r\n        condition:\r\n                all of them\r\n}\r\nPython Script to Decode\r\n#!/usr/bin/env python2\r\nfrom base64 import b64decode\r\nfrom binascii import unhexlify\r\nimport sys\r\ndef main():\r\n    if len(sys.argv) \u003c 2:\r\n        print 'Usage: ' + sys.argv[0] + ' [data_to_decode]'\r\n        exit(-1)\r\n    data = sys.argv[1].strip('#')\r\n    data = data.replace('@','=')\r\n    data = data.swapcase()\r\n    data = b64decode(data)\r\n    try:\r\n        int(data, 16)\r\n        print \"\\n\" + unhexlify(data)\r\n    except ValueError:\r\n        print \"\\n\" + data + \"\\n\"\r\nif __name__ == '__main__':\r\n    main()\r\nSource: https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan"
	],
	"report_names": [
		"Updated-Blackmoon-Banking-Trojan"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434720,
	"ts_updated_at": 1775791924,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eedc3d3ecfe8c445d2577210f7f0fe83e17d45ba.pdf",
		"text": "https://archive.orkl.eu/eedc3d3ecfe8c445d2577210f7f0fe83e17d45ba.txt",
		"img": "https://archive.orkl.eu/eedc3d3ecfe8c445d2577210f7f0fe83e17d45ba.jpg"
	}
}