{
	"id": "39453558-3f3b-4dfe-b9ef-d2b99435c35d",
	"created_at": "2026-04-06T00:08:37.943159Z",
	"updated_at": "2026-04-10T03:36:48.106035Z",
	"deleted_at": null,
	"sha1_hash": "f36c9432be4129eeb2b193b5d70c6c847ef1a98d",
	"title": "Hexalocker-v2-being-proliferated-by-Skuld-Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1070645,
	"plain_text": "Hexalocker-v2-being-proliferated-by-Skuld-Stealer\r\nPublished: 2025-01-09 · Archived: 2026-04-05 18:58:08 UTC\r\nCRIL analyzes the return of HexaLocker ransomware in a new version that leverages the Skuld Stealer and other advanced capabilities.\r\nKey Takeaways\r\nHexaLocker was first discovered in mid-2024, with version 2 introducing significant updates and enhanced functionalities.\r\nHexaLocker V2 includes a persistence mechanism that modifies registry keys to ensure continued execution after the affected system reboots.\r\nThe updated version downloads Skuld Stealer, which extracts sensitive information from the victim’s system before encryption.\r\nUnlike its predecessor, HexaLocker V2 exfiltrates victim files before encrypting them, following the double extortion method of data theft and file encryption.\r\nHexaLocker V2 utilizes a combination of advanced encryption algorithms, including AES-GCM for string encryption, Argon2 for key derivation, and ChaCha20 for file encryption.\r\nHexaLocker V2 replaces the TOXID communication method with a unique hash, enabling victims to communicate with the Threat Actors’ (TA’s) site.\r\nExecutive Summary\r\nOn August 9th, the HexaLocker ransomware group announced a new Windows-based ransomware on their Telegram channel. The post highlighted that the ransomware was developed in the Go programming language and claimed that their team included members from notable groups like LAPSUS$ and others. 
Following this announcement, researchers from Synacktiv analyzed this ransomware variant and published their findings shortly after.\r\nOn October 21st, cybersecurity researcher PJ04857920 shared a post on X, revealing that the admin behind HexaLocker had decided to shut down the operation and put the ransomware’s source code and web panel up for sale, based on information from the HexaLocker group’s Telegram channel.\r\nLater, on December 12th, they provided another update on X, stating that the HexaLocker ransomware had been revived, with signs of ongoing development and activity. The Telegram post also mentioned that the upgraded version of HexaLocker would feature enhanced encryption algorithms, stronger encryption passwords, and new persistence mechanisms.\r\nhttps://cyble.com/blog/hexalocker-v2-being-proliferated-by-skuld-stealer/\r\nPage 1 of 12\n\nCyble Research and Intelligence Labs (CRIL) came across a new version of the HexaLocker ransomware. Upon execution, it copies itself to the %appdata% directory, creates a Run entry for persistence, encrypts files, and appends the “HexaLockerV2” extension to them.\r\nPrior to encryption, the ransomware also steals the victim’s files and exfiltrates them to a remote server. Notably, in this new version, the ransomware downloads an open-source stealer named Skuld to collect sensitive information from the victim’s machine before encryption. 
The figure below shows the HexaLocker ransomware site used for victim communication.\r\nFigure 1 – Ransomware login page\r\nTechnical Details\r\nPersistence\r\nUpon execution, the HexaLocker ransomware creates a self-copy named “myapp.exe” in the “%appdata%\\MyApp” directory and establishes persistence by adding an AutoRun entry at “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” with the value “MyAppAutostart”, ensuring the ransomware binary executes upon system reboot.\r\nFigure 2 – AutoRun entry\r\nObfuscation\r\nAll string references, including the stealer URL, file paths, folder names, environment variable names, WMIC commands, and ransom notes, are generated at runtime through multiple layers of AES-GCM decryption. This approach effectively obfuscates the strings, making them harder for security solutions to detect. In contrast, all strings in the previous version were statically visible.\r\nFigure 3 – String Decryption\r\nStealer\r\nPrior to initiating the encryption process, the ransomware downloads a stealer binary, a Go-compiled program, from the URL hxxps[:]//hexalocker.xyz/SGDYSRE67T43TVD6E5RD[.]exe and executes it from the current directory. This stealer functionality was absent in the previous version of HexaLocker.\r\nThe downloaded stealer, identified as Skuld, is an open-source tool designed to target Windows systems and steal user data from various applications such as Discord, browsers, crypto wallets, and more.\r\nFigure 4 – Skuld Stealer’s features\r\nIn this case, the TA has utilized only the browser module from the many available in the open-source Skuld Stealer. The image below shows function names corresponding only to the browser module from the Skuld 
project.\r\nFigure 5 – Browser modules\r\nThe stealer collects various sensitive data stored by Chromium- and Gecko-based browsers, such as cookies, saved credit card information, downloads, browsing history, and login credentials. Skuld Stealer targets the following web browsers in this campaign.\r\nGecko-based browsers: Firefox, SeaMonkey, Waterfox, K-Meleon, Thunderbird, IceDragon, Cyberfox, BlackHaw, Pale Moon, mercury\r\nChromium browsers: Chrome SxS, ChromePlus, 7Star, Chrome, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, Uran, Fenrir Inc, Citrio, Coowon, liebao, QIP Surf, Orbitum, Dragon, 360Browser, Maxthon3, K-Melon, CocCoc, BraveSoftware, Amigo, Torch, Sputnik, Edge, DCBrowser, YandexBrowser, UR Browser, Slimjet, Opera\r\nThe stolen data is compressed into a ZIP archive named ‘BrowsersData-*.zip’ and stored in the AppData\\Local\\Temp directory before being exfiltrated to the remote server “hxxps://hexalocker[.]xyz/upload.php”. The image below shows the console output of the stealer upon completing each stage.\r\nFigure 6 – Stealer Console Output\r\nExfiltration\r\nAfter the stealer payload has run, the ransomware exfiltrates the victim’s files by scanning all folders starting from “C:\\” to find files with extensions matching those listed in the table below. 
The identified files are compiled into a single ZIP archive named “data_*.zip”, stored in the “%localappdata%\\DataHexaLocker” directory, and subsequently transmitted to the attacker’s remote server via “hxxps[:]//hexalocker.xyz/receive.php”.\r\nCategory | File Types\r\nDocuments | .pdf, .doc, .docx, .rtf, .txt, .wps, .xls, .xlsx, .csv, .ppt, .pot, .xps, .xsd, .xml\r\nImages | .jpg, .jpeg, .png, .bmp, .gif, .tif, .tiff, .ico, .jpe, .dib, .raw, .psd, .exr, .bay\r\nAudio | .mp3, .wav, .wma, .m4a, .m4p, .flac, .aac, .amr, .ogg, .adp\r\nVideo | .mp4, .mkv, .avi, .mov, .wmv, .flv, .3gp, .m4v, .amv, .swf\r\nCompressed Files | .zip, .rar, .7z, .tar, .gz, .bz2, .cab, .iso, .lzh, .ace, .arj\r\nCode \u0026 Scripts | .php, .asp, .htm, .html, .js, .jsp, .css, .py, .java, .c, .cpp, .asm, .vbs, .cmd, .bat\r\nExecutable Files | .exe, .msi, .dll, .apk, .lnk\r\nDatabase Files | .db, .dbf, .mdb, .sql, .odc, .odm, .pst, .mdf, .myi, .tab\r\n3D/Design Files | .3ds, .dae, .stl, .max, .dwg, .dxf, .obj, .r3d, .kmz, .opt\r\nWeb/Markup Files | .html, .htm, .xml, .xsl, .rss, .cfm, .xsf\r\nSystem/Backup Files | .bak, .cer, .crt, .pfx, .p12, .p7b, .log, .cfg, .ini, .lnk\r\nOthers | .sum, .sln, .dif, .dmg, .p7c, .opt, .sie, .key, .vob\r\nEncryption\r\nThe ransomware generates the key and the salt needed for encryption and sends them to a remote server at “hxxps[:]//hexalocker.xyz/index[.]php”, along with host-specific details such as the IP address, computer name, and ID. This information is used to identify victims and to facilitate recovery of the encrypted files.\r\nFigure 7 – Victim’s Details\r\nOnce the gathered information is transmitted to the attacker, HexaLocker proceeds to scan the “C:\\Users\\\u003cusername\u003e” directory on the victim’s machine. 
It searches for files that match a specific set of extensions, as listed in the table below.\r\nCategory | Extensions\r\nText Documents | .txt, .doc, .odt, .rtf, .wps, .dot\r\nDatabases | .sql, .mdb, .dbf, .pdb, .mdf, .mdw, .myi\r\nSpreadsheets | .xls, .ods, .csv, .xla, .xlw, .xlm, .xlt, .slk\r\nPresentations | .ppt, .odp, .pps, .pot\r\nProgramming Files | .cpp, .css, .php, .asp, .ini, .inc, .obj, .bat, .cmd, .vbs, .jsp, .asm, .cfm\r\nArchives | .zip, .rar, .tar, .iso, .bz2, .cab, .lzh, .ace, .arj\r\nImages | .jpg, .png, .bmp, .gif, .tif, .ico, .psd, .raw, .svg, .jpe, .dib, .iff, .dcm, .bay, .dcr, .nef, .orf, .r3d\r\nAudio | .mp3, .mka, .m4a, .wav, .wma, .flv, .pls, .adp\r\nVideo | .mp4, .mkv, .avi, .mov, .wmv, .3gp, .m4v, .amv, .m4p, .vob, .mpv, .3g2, .f4v, .m1v\r\nWeb Files | .htm, .html, .xml, .css, .js, .jsp, .rss\r\nExecutables | .exe, .jar, .msi, .dll\r\nScripts | .php, .asp, .vbs, .cmd, .bat\r\nBackup/Logs | .bak, .log\r\n3D/CAD | .3ds, .dae, .dwg, .max, .geo\r\nCompressed | .zip, .rar, .tar, .bz2, .gz\r\nConfiguration | .ini, .cfg, .xml\r\nEmails | .msg, .oft, .pst, .dbx\r\nFonts | .ttf, .otf, .woff\r\nCertificates | .crt, .cer, .pfx, .p12, .p7b, .p7c\r\nOthers | .lnk, .dat, .sum, .opt, .dic, .tbi, .xps, .key, .tab, .stm, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .opt\r\nThe ransomware reads the content of the original file and encrypts it with the ChaCha20 algorithm. Once encryption is complete, it creates a new file with the “.HexaLockerV2” extension and writes the encrypted content to this newly created file. The ransomware then deletes the original file using Go’s os.Remove function, leaving only the encrypted file behind. 
The figure below shows the ChaCha20 encryption routine used by the ransomware binary.\r\nFigure 8 – ChaCha20 Algorithm\r\nThe figure below illustrates the files encrypted by the HexaLocker ransomware, which carry the “.HexaLockerV2” extension.\r\nFigure 9 – User files after encryption\r\nFinally, the ransomware displays a ransom note to the victim, instructing them to contact the TA through their communication channels, such as Signal, Telegram, and Web Chat, as shown below.\r\nFigure 10 – Ransom note\r\nThe ransom note contains a unique personal hash, which the victim uses to communicate with the TA through a chat window provided by the attacker, as shown below.\r\nFigure 11 – Web Chat Window\r\nConclusion\r\nThe new version of HexaLocker ransomware represents a significant upgrade, incorporating enhanced encryption logic and a customized stealer component. Developed in Go, this ransomware benefits from Go’s efficiency, making it harder for endpoint security tools to detect.\r\nBefore initiating the encryption process, the ransomware employs the Skuld stealer to collect sensitive information from the victim’s machine. This strategic combination of the Skuld stealer and the ransomware highlights the continuous evolution and sophistication of the HexaLocker group, posing an ongoing threat to targeted systems.\r\nThe Yara rule to detect HexaLocker Version 2 is available for download from the linked Github repository.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. 
We recommend that our readers follow the best practices given below:\r\nSafety Measures to Prevent Ransomware Attacks\r\nRegularly back up important files to offline or cloud storage, ensuring they are stored securely and not connected to the main network.\r\nEnable automatic updates for your operating system, applications, and security software to ensure you receive the latest patches and security fixes.\r\nImplement endpoint protection with reputable anti-virus and anti-malware software to detect and block potential ransomware threats.\r\nEducate employees or users about phishing attacks and suspicious email links, which are common ransomware delivery methods.\r\nRestrict user privileges and avoid running unnecessary services to minimize the attack surface, ensuring users only have access to the resources they need.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Procedure\r\nExecution (TA0002) | User Execution (T1204.002) | User executes the ransomware file.\r\nPersistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) | Adds a Run key entry for execution on reboot.\r\nDefense Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | Ransomware decrypts strings using the AES algorithm.\r\nDiscovery (TA0007) | File and Directory Discovery (T1083) | Ransomware enumerates folders for file encryption and file deletion.\r\nImpact (TA0040) | Data Encrypted for Impact (T1486) | Ransomware encrypts files for extortion.
\r\nCredential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Retrieves passwords from Login Data.\r\nCredential Access (TA0006) | Steal Web Session Cookie (T1539) | Steals browser cookies.\r\nCollection (TA0009) | Archive via Utility (T1560.001) | Zip utility is used to compress the data before exfiltration.\r\nExfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Exfiltration Over C2 Channel.\r\nIndicators of Compromise (IOCs)\r\nIndicator | Indicator Type | Description\r\n8b347bb90c9135c185040ef5fdb87eb5cca821060f716755471a637c350988d8 | SHA-256 | Stealer\r\n0347aa0b42253ed46fdb4b95e7ffafa40ba5e249dfb5c8c09119f327a1b4795a | SHA-256 | HexaLockerV2\r\n28c1ec286b178fe06448b25790ae4a0f60ea1647a4bb53fb2ee7de506333b960 | SHA-256 | HexaLockerV2\r\nd0d8df16331b16f9437c0b488d5a89a4c2f09a84dec4da4bc13eab15aded2e05 | SHA-256 | HexaLockerV2\r\nhxxps[:]//hexalocker.xyz/SGDYSRE67T43TVD6E5RD[.]exe | URL | Stealer download URL\r\nhxxps[:]//hexalocker[.]xyz/upload[.]php | URL | NA\r\nhxxps[:]//hexalocker[.]xyz/receive[.]php | URL | NA\r\nReferences\r\nhttps://www.trellix.com/en-in/blogs/research/skuld-the-infostealer-that-speaks-golang\r\nhttps://www.synacktiv.com/publications/lapsus-is-dead-long-live-hexalocker.html\r\nSource: https://cyble.com/blog/hexalocker-v2-being-proliferated-by-skuld-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/hexalocker-v2-being-proliferated-by-skuld-stealer/"
	],
	"report_names": [
		"hexalocker-v2-being-proliferated-by-skuld-stealer"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434117,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f36c9432be4129eeb2b193b5d70c6c847ef1a98d.pdf",
		"text": "https://archive.orkl.eu/f36c9432be4129eeb2b193b5d70c6c847ef1a98d.txt",
		"img": "https://archive.orkl.eu/f36c9432be4129eeb2b193b5d70c6c847ef1a98d.jpg"
	}
}