www.trendmicro.com
URL:
https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
Submission: On April 02 via api from TR — Scanned from DE
APT & Targeted Attacks

EARTH FREYBUG USES UNAPIMON FOR UNHOOKING CRITICAL APIS

This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed UNAPIMON.

By: Christopher So
April 02, 2024
Read time: 6 min (1633 words)

--------------------------------------------------------------------------------

In the past month, we investigated a cyberespionage attack that we have attributed to Earth Freybug (also known as a subset of APT41). Earth Freybug is a cyberthreat group that has been active since at least 2012 and focuses on espionage and financially motivated activities. It has been observed to target organizations from various sectors across different countries. Earth Freybug actors use a diverse range of tools and techniques, including LOLBins and custom malware.

BACKGROUND OF THE ATTACK FLOW

The tactics, techniques, and procedures (TTPs) used in this campaign are similar to the ones from a campaign described in an article published by Cybereason. In this incident, we observed a vmtoolsd.exe process that creates a remote scheduled task using schtasks.exe.
Once executed, this launches a pre-deployed cc.bat in the remote machine.

Figure 1. Earth Freybug attack chain

vmtoolsd.exe is a component of VMware Tools called VMware user process, which is installed and run inside a guest virtual machine to facilitate communication with the host machine. Meanwhile, schtasks.exe is a component of Windows called Task Scheduler Configuration Tool, which is used to manage tasks on a local or remote machine. Based on the behavior we observed from our telemetry, code of unknown origin was injected into vmtoolsd.exe, and that injected code started schtasks.exe. It’s important to note that both vmtoolsd.exe and schtasks.exe are legitimate files. Although the origin of the malicious code in vmtoolsd.exe in this incident is unknown, there have been documented infections wherein vulnerabilities in legitimate applications were exploited via vulnerable external-facing servers.

Figure 2. Command line for executing the Task Scheduler Configuration Tool.

First cc.bat for reconnaissance

Once the scheduled task is triggered, a previously deployed batch file, %System%\cc.bat, is executed in the remote machine. Based on our telemetry, this batch file launches commands to gather system information. Among the commands executed are:

* powershell.exe -command "Get-NetAdapter |select InterfaceGuid"
* arp -a
* ipconfig /all
* fsutil fsinfo drives
* query user
* net localgroup administrators
* systeminfo
* whoami
* netstat -anb -p tcp
* net start
* tasklist /v
* net session
* net share
* net accounts
* net use
* net user
* net view
* net view /domain
* net time \\127.0.0.1
* net localgroup administrators /domain
* wmic nic get "guid"

The system information gathered via these commands is collected into a text file called %System%\res.txt. Once this is done, another scheduled task is set up to execute %Windows%\Installer\cc.bat in the target machine, which launches a backdoor.
Second cc.bat hijacking for DLL side-loading

The second cc.bat is notable for leveraging a service that loads a nonexistent library to side-load a malicious DLL. In this case, the service is SessionEnv. A detailed technical description of how this technique works can be found here.

In this technique, the second cc.bat first copies a previously dropped %Windows%\Installer\hdr.bin to %System%\TSMSISrv.DLL. It then stops the SessionEnv service, waits for a few seconds, then restarts the service. This makes the service load and execute the file %System%\TSMSISrv.DLL.

Two actions of interest done by TSMSISrv.DLL are dropping and loading a file named %Windows%\_{5 to 9 random alphabetic characters}.dll and starting a cmd.exe process into which the same dropped DLL is also injected. Based on telemetry data, we noticed that this instance of cmd.exe is used to execute commands coming from another machine, thus turning it into a backdoor. We dubbed the dropped DLL loaded in both the service and cmd.exe UNAPIMON.

Introducing UNAPIMON for defense evasion

An interesting thing that we observed in this attack is the use of a peculiar malware that we named UNAPIMON. In essence, UNAPIMON employs defense evasion techniques to prevent child processes from being monitored, which we detail in the succeeding sections.

Malware analysis

UNAPIMON itself is straightforward: it is a DLL malware written in C++ and is neither packed nor obfuscated; it is not encrypted save for a single string.

At the DllMain function, it first checks whether it is being loaded or unloaded. When the DLL is being loaded, it creates an event object for synchronization and starts the hooking thread.

As shown in Figure 3, the hooking thread first obtains the address of the function CreateProcessW from kernel32.dll, which it saves for later use. CreateProcessW is one of the Windows API functions that can be used to create a process.
It then installs a hook on it using Microsoft Detours, an open-source software package developed by Microsoft for monitoring and instrumenting API calls on Windows.

Figure 3. Hooking thread disassembly

This mechanism redirects any calls made to CreateProcessW from a process where this DLL is loaded to the hook. The hook function calls the original CreateProcessW using the previously saved address to create the actual process, but with the value CREATE_SUSPENDED (4) in the creation flags parameter. This creates the process with its main thread suspended.

Figure 4. Calling “CreateProcessW” with “CREATE_SUSPENDED”

It then walks through a list of hardcoded DLL names as shown in Figure 5.

Figure 5. List of DLL names

For each DLL in the list that is loaded in the child process, it creates a copy of the DLL file to %User Temp%\_{5 to 9 random alphabetic characters}.dll (hereafter referred to as the local copy), which it then loads using the API function LoadLibraryEx with the parameter DONT_RESOLVE_DLL_REFERENCES (1). It does this to prevent a loading error as described in this article.

Figure 6. Copy and load DLL

After the local copy of the DLL has been loaded, it then proceeds to create a local memory copy of the loaded DLL image with the same name in the child process. To ensure that the two DLLs are the same, it compares both the values of the checksum field in the headers and the number of name pointers in the export table. Once verified to be identical, it walks through all exported addresses in the export table. For each exported address, it checks that the address points to code in an executable memory page and that the starting code has been modified. Specifically, it checks if the memory page protection has the values PAGE_EXECUTE (0x10), PAGE_EXECUTE_READ (0x20), or PAGE_EXECUTE_READWRITE (0x40).
Modifications are detected if the first byte at the exported address is either 0xE8 (CALL) or 0xE9 (JMP), or if its first two bytes are not equal to the corresponding first two bytes in the loaded local copy. Additionally, it also verifies that the name of the exported address is not RtlNtdllName, which contains data instead of executable code.

Figure 7. Exported address checking

If an exported address passes these tests, it is added to a list for unpatching. Once all the DLL names in the list have been processed, it walks through each of the addresses in the unpatching list. For each address, it copies 8 bytes from the loaded local copy (the original) to the remote address, which had previously been modified. This effectively removes any code patches applied to an exported address.

Figure 8. Unpatching loop

Finally, it unloads and deletes the randomly named local copy of the DLL and resumes the main thread. When the malware is unloaded, it removes the hook from CreateProcessW.

Impact

Looking at the behavior of UNAPIMON and how it was used in the attack, we can infer that its primary purpose is to unhook critical API functions in any child process. For environments that implement API monitoring through hooking, such as sandboxing systems, UNAPIMON will prevent child processes from being monitored. Thus, this malware can allow any malicious child process to be executed with its behavior undetected.

A unique and notable feature of this malware is its simplicity and originality. Its use of existing technologies, such as Microsoft Detours, shows that any simple, off-the-shelf library can be used maliciously if used creatively. This also displays the coding prowess and creativity of the malware writer. In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case.
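The export-address test described above (executable page, not RtlNtdllName, prologue starting with CALL/JMP or differing from the clean copy) and the 8-byte restore can be modelled over plain byte strings. The block below is an added example, not code from the article or from the malware: it applies those rules to constructed export records and then runs the inverse check a monitoring agent or sandbox can use to notice that its own hooks have been restored to the clean on-disk bytes. The export names other than RtlNtdllName, the page protections and the byte patterns are constructed for the example; a real tool would read them from the PE export table and from the child process.

```python
"""Model of UNAPIMON's export-address check and of the inverse hook-integrity
check a monitoring agent can run. Added example; the Export records, page
protections and byte patterns are constructed, not taken from the sample."""
from dataclasses import dataclass

PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}
PAGE_READONLY = 0x02   # data pages in the constructed sample below
PATCH_LEN = 8          # bytes copied back per export, as described in the article


@dataclass
class Export:
    name: str
    protect: int    # page protection at the export address in the child process
    remote: bytes   # bytes currently at that address in the child
    clean: bytes    # the same bytes in the freshly loaded local (disk) copy


def needs_unpatching(exp):
    """The article's three tests: executable page, not RtlNtdllName, and a
    prologue that starts with CALL/JMP or differs from the clean copy."""
    if exp.name == "RtlNtdllName" or exp.protect not in EXECUTABLE:
        return False
    return exp.remote[0] in (0xE8, 0xE9) or exp.remote[:2] != exp.clean[:2]


def unpatch(exp):
    """Return the export as it looks after the first PATCH_LEN bytes are restored."""
    restored = exp.clean[:PATCH_LEN] + exp.remote[PATCH_LEN:]
    return Export(exp.name, exp.protect, restored, exp.clean)


def hooks_removed(exports, hooked_names):
    """Inverse check for the monitoring side: a function the agent hooked whose
    prologue now equals the clean copy has been unhooked behind its back."""
    return [e.name for e in exports
            if e.name in hooked_names and e.remote[:PATCH_LEN] == e.clean[:PATCH_LEN]]


# Constructed sample bytes: an x64 ntdll-style stub 'mov r10, rcx; mov eax, N'
# as the clean prologue, and an E9 (JMP rel32) trampoline plus padding as the
# hook a monitor installed over it.
CLEAN = bytes.fromhex("4c8bd1b855000000") + bytes.fromhex("f604250803fe7f01")
HOOKED = bytes.fromhex("e978563412") + bytes.fromhex("909090") + CLEAN[8:]
DATA = b"n\x00t\x00d\x00l\x00"

SAMPLE = [
    Export("NtCreateFile", PAGE_EXECUTE_READ, HOOKED, CLEAN),   # hooked by the monitor
    Export("NtWriteFile", PAGE_EXECUTE_READ, CLEAN, CLEAN),     # untouched
    Export("RtlNtdllName", PAGE_READONLY, DATA, DATA),          # excluded by name
    # Constructed data export: bytes differ, but the page is not executable.
    Export("ConstructedDataExport", PAGE_READONLY, b"\xe9\x00" + CLEAN[2:], CLEAN),
]


def simulate(exports, hooked_names):
    """Run the malware's selection and restore over the child, and report what the
    monitor's integrity check sees before and after."""
    before = hooks_removed(exports, hooked_names)
    targets = [e.name for e in exports if needs_unpatching(e)]
    after_exports = [unpatch(e) if needs_unpatching(e) else e for e in exports]
    after = hooks_removed(after_exports, hooked_names)
    return targets, before, after


if __name__ == "__main__":
    targets, before, after = simulate(SAMPLE, {"NtCreateFile"})
    print("unpatched by UNAPIMON:", targets)
    print("hooks missing before:", before, "after:", after)
```

Only NtCreateFile is selected: NtWriteFile matches its clean copy, RtlNtdllName is skipped by name, and the data export is on a non-executable page even though its bytes differ. After the restore, the integrity check reports the NtCreateFile hook as gone, which is the signal a hooking-based monitor should treat as tampering rather than as a quiet process.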
SECURITY RECOMMENDATIONS

In this specific Earth Freybug attack, the threat actor used administrator accounts, which means that the threat actors knew the admin credentials, rendering group policies useless. The only way to prevent this from happening in an environment is good housekeeping, which involves frequent password rotation, limiting access to admin accounts to actual admins, and activity logging.

In this incident, data exfiltration was done using a third-party collaborative software platform over which we do not have control. Even if the write permissions were revoked for affected folders that could be accessed through the collaborative software, the threat actor could simply override it, since the threat actor is the admin from the system’s point of view.

Users should restrict admin privileges and follow the principle of least privilege. The fewer people with admin privileges, the fewer loopholes in the system malicious actors can take advantage of.

Conclusion

Earth Freybug has been around for quite some time, and their methods have been seen to evolve through time. This was evident from what we observed from this attack: we concluded that they are still actively finding ways to improve their techniques to successfully achieve their goals.

This attack also demonstrates that even simple techniques can be used effectively when applied correctly. Implementing these techniques in an existing attack pattern makes the attack more difficult to discover. Security researchers and SOCs must keep a watchful eye not only on malicious actors’ advanced techniques, but also on the simple ones that are easily overlooked.
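The activity logging recommended above is only useful with rules that turn the attack flow into alerts. The block below is an added example, not code from Trend Micro or from the article: it runs three detections over constructed process, file and service events, matching the chain described earlier (schtasks.exe launched by vmtoolsd.exe, a burst of the reconnaissance commands from the first cc.bat, and a SessionEnv restart shortly after TSMSISrv.DLL appears in System32). The "ts|host|type|key=value;..." event format, the field names, the host names and the sample log lines are constructed for the example; map them onto your own telemetry before use.

```python
"""Detections for the Earth Freybug attack chain. Added example; the event
format, field names and sample log lines are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance commands listed in the article for the first cc.bat.
RECON_COMMANDS = {
    'powershell.exe -command "Get-NetAdapter |select InterfaceGuid"',
    "arp -a", "ipconfig /all", "fsutil fsinfo drives", "query user",
    "net localgroup administrators", "systeminfo", "whoami",
    "netstat -anb -p tcp", "net start", "tasklist /v", "net session",
    "net share", "net accounts", "net use", "net user", "net view",
    "net view /domain", "net time \\\\127.0.0.1",
    "net localgroup administrators /domain", 'wmic nic get "guid"',
}
RECON_THRESHOLD = 5                      # distinct recon commands per host ...
RECON_WINDOW = timedelta(seconds=120)    # ... inside this sliding window
SIDELOAD_WINDOW = timedelta(seconds=60)  # DLL written -> SessionEnv started


def parse(line):
    """Parse one constructed 'ts|host|type|k=v;k=v' line into a dict."""
    ts, host, kind, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";"))
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": kind, **fields}


def detect(events):
    """Return (host, reason) alerts for the three behaviours, in time order."""
    alerts, fired = [], set()
    recon = defaultdict(list)   # host -> [(ts, command)]
    dll_written = {}            # host -> ts when TSMSISrv.DLL appeared in System32
    for e in sorted(events, key=lambda e: e["ts"]):
        host = e["host"]
        if e["type"] == "process":
            image, parent = e["image"].lower(), e["parent"].lower()
            # Rule 1: the VMware Tools user process has no reason to launch schtasks.exe.
            if image.endswith("\\schtasks.exe") and parent.endswith("\\vmtoolsd.exe"):
                alerts.append((host, "schtasks.exe spawned by vmtoolsd.exe"))
            # Rule 2: a burst of distinct reconnaissance commands on one host.
            cmd = e["cmdline"].strip()
            if cmd in RECON_COMMANDS:
                recon[host].append((e["ts"], cmd))
                recent = {c for t, c in recon[host] if e["ts"] - t <= RECON_WINDOW}
                if len(recent) >= RECON_THRESHOLD and (host, "recon") not in fired:
                    fired.add((host, "recon"))
                    alerts.append((host, f"{len(recent)} distinct recon commands within {RECON_WINDOW.seconds}s"))
        elif e["type"] == "file" and e["path"].lower().endswith("\\system32\\tsmsisrv.dll"):
            dll_written[host] = e["ts"]
        elif e["type"] == "service" and e["name"].lower() == "sessionenv" and e["action"] == "start":
            # Rule 3: SessionEnv restarted shortly after the side-loadable DLL name appeared on disk.
            t = dll_written.get(host)
            if t is not None and e["ts"] - t <= SIDELOAD_WINDOW:
                alerts.append((host, "SessionEnv restarted after TSMSISrv.DLL was written to System32"))
    return alerts


# Constructed sample events: host-a is the pivot, host-b the target, host-c benign noise.
SAMPLE_LOG = r"""
2024-04-02T10:00:05|host-a|process|image=C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;parent=C:\Windows\System32\services.exe;cmdline=vmtoolsd.exe -n vmusr
2024-04-02T10:00:09|host-a|process|image=C:\Windows\System32\schtasks.exe;parent=C:\Program Files\VMware\VMware Tools\vmtoolsd.exe;cmdline=schtasks.exe /s host-b /create /tn cc
2024-04-02T10:01:00|host-b|process|image=C:\Windows\System32\cmd.exe;parent=C:\Windows\System32\svchost.exe;cmdline=cmd.exe /c C:\Windows\System32\cc.bat
2024-04-02T10:01:01|host-b|process|image=C:\Windows\System32\ARP.EXE;parent=C:\Windows\System32\cmd.exe;cmdline=arp -a
2024-04-02T10:01:02|host-b|process|image=C:\Windows\System32\ipconfig.exe;parent=C:\Windows\System32\cmd.exe;cmdline=ipconfig /all
2024-04-02T10:01:03|host-b|process|image=C:\Windows\System32\systeminfo.exe;parent=C:\Windows\System32\cmd.exe;cmdline=systeminfo
2024-04-02T10:01:04|host-b|process|image=C:\Windows\System32\whoami.exe;parent=C:\Windows\System32\cmd.exe;cmdline=whoami
2024-04-02T10:01:05|host-b|process|image=C:\Windows\System32\net.exe;parent=C:\Windows\System32\cmd.exe;cmdline=net user
2024-04-02T10:01:06|host-b|process|image=C:\Windows\System32\net.exe;parent=C:\Windows\System32\cmd.exe;cmdline=net view
2024-04-02T10:05:00|host-b|file|path=C:\Windows\System32\TSMSISrv.DLL;process=cmd.exe
2024-04-02T10:05:01|host-b|service|name=SessionEnv;action=stop
2024-04-02T10:05:06|host-b|service|name=SessionEnv;action=start
2024-04-02T11:00:00|host-c|process|image=C:\Windows\System32\whoami.exe;parent=C:\Windows\System32\cmd.exe;cmdline=whoami
2024-04-02T11:00:30|host-c|process|image=C:\Windows\System32\ipconfig.exe;parent=C:\Windows\System32\cmd.exe;cmdline=ipconfig /all
"""


def run_sample():
    return detect(parse(line) for line in SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for host, reason in run_sample():
        print(f"[{host}] {reason}")
```

The recon rule fires once per host when the fifth distinct command lands inside the window, so a single admin running whoami and ipconfig (host-c) stays quiet while the scripted burst from cc.bat does not. Rule 3 keys on the file name the article documents; a broader version would compare the DLL's signature and path against the legitimate library the service expects.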
INDICATOR OF COMPROMISE

Hash: 62ad0407a9cce34afb428dee972292d2aa23c78cbc1a44627cb2e8b945195bc2
Detection name: Trojan.Win64.UNAPIMON.ZTLB

Tags: APT & Targeted Attacks | Endpoints | Research | Articles, News, Reports

AUTHORS

* Christopher So, Threat Researcher

RELATED ARTICLES

* Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script
* APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign
* Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections

Copyright ©2024 Trend Micro Incorporated.