www.trendmicro.com
Open in
urlscan Pro
184.29.136.154
Public Scan
URL:
https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates-to-vcenters-and-esxi-via-custom-pow.html
Submission: On June 06 via api from IT — Scanned from IT
Submission: On June 06 via api from IT — Scanned from IT
Form analysis 1 forms found in the DOM
<form class="main-menu-search" aria-label="Search Trend Micro" data-equally-id="equally_ai___PDMeE">
<div class="main-menu-search__field-wrapper" id="cludo-search-form">
<table class="gsc-search-box">
<tbody>
<tr>
<td class="gsc-input">
<input type="text" class="gsc-input-field" name="search" title="search" placeholder="Search" autocomplete="off" aria-label="search">
</td>
</tr>
</tbody>
</table>
</div>
</form>Text Content
Business
search close
* Solutions
* By Challenge
* By Challenge
* By Challenge
Learn more
* Understand, Prioritize & Mitigate Risks
* Understand, Prioritize & Mitigate Risks
Improve your risk posture with attack surface management
Learn more
* Protect Cloud-Native Apps
* Protect Cloud-Native Apps
Security that enables business outcomes
Learn more
* Protect Your Hybrid World
* Protect Your Hybrid, Multi-Cloud World
Gain visibility and meet business needs with security
Learn more
* Securing Your Borderless Workforce
* Securing Your Borderless Workforce
Connect with confidence from anywhere, on any device
Learn more
* Eliminate Network Blind Spots
* Eliminate Network Blind Spots
Secure users and key operations throughout your environment
Learn more
* See More. Respond Faster.
* See More. Respond Faster.
Move faster than your adversaries with powerful purpose-built XDR,
attack surface risk management, and zero trust capabilities
Learn more
* Extend Your Team
* Extend Your Team. Respond to Threats Agilely
Maximize effectiveness with proactive risk reduction and managed
services
Learn more
* Operationalizing Zero Trust
* Operationalizing Zero Trust
Understand your attack surface, assess your risk in real time, and
adjust policies across network, workloads, and devices from a single
console
Learn more
* By Role
* By Role
* By Role
Learn more
* CISO
* CISO
Drive business value with measurable cybersecurity outcomes
Learn more
* SOC Manager
* SOC Manager
See more, act faster
Learn more
* Infrastructure Manager
* Infrastructure Manager
Evolve your security to mitigate threats quickly and effectively
Learn more
* Cloud Builder and Developer
* Cloud Builder and Developer
Ensure code runs only as intended
Learn more
* Cloud Security Ops
* Cloud Security Ops
Gain visibility and control with security designed for cloud
environments
Learn more
* By Industry
* By Industry
* By Industry
Learn more
* Healthcare
* Healthcare
Protect patient data, devices, and networks while meeting regulations
Learn more
* Manufacturing
* Manufacturing
Protecting your factory environments – from traditional devices to
state-of-the-art infrastructures
Learn more
* Oil & Gas
* Oil & Gas
ICS/OT Security for the oil and gas utility industry
Learn more
* Electric Utility
* Electric Utility
ICS/OT Security for the electric utility
Learn more
* Federal
* Federal
Learn more
* Automotive
* Automotive
Learn more
* 5G Networks
* 5G Networks
Learn more
* Small & Midsized Business Security
* Small & Midsized Business Security
Stop threats with comprehensive, set-it-and-forget-it protection
Learn more
* Platform
* Vision One Platform
* Vision One Platform
* Trend Vision One
Our Unified Platform
Bridge threat protection and cyber risk management
Learn more
* AI Companion
* Trend Vision One Companion
Your generative AI cybersecurity assistant
Learn more
* Attack Surface Management
* Attack Surface Management
Stop breaches before they happen
Learn more
* XDR (Extended Detection & Response)
* XDR (Extended Detection & Response)
Stop adversaries faster with a broader perspective and better context to
hunt, detect, investigate, and respond to threats from a single platform
Learn more
* Cloud Security
* Cloud Security
* Trend Vision One™
Cloud Security Overview
The most trusted cloud security platform for developers, security
teams, and businesses
Learn more
* Attack Surface Risk Management for Cloud
* Attack Surface Risk Management for Cloud
Cloud asset discovery, vulnerability prioritization, Cloud Security
Posture Management, and Attack Surface Management all in one
Learn more
* XDR for Cloud
* XDR for Cloud
Extend visibility to the cloud and streamline SOC investigations
Learn more
* Workload Security
* Workload Security
Secure your data center, cloud, and containers without compromising
performance by leveraging a cloud security platform with CNAPP
capabilities
Learn more
* Container Security
* Container Security
Simplify security for your cloud-native applications with advanced
container image scanning, policy-based admission control, and container
runtime protection
Learn more
* File Security
* File Security
Protect application workflow and cloud storage against advanced threats
Learn more
* Endpoint Security
* Endpoint Security
* Endpoint Security Overview
Defend the endpoint through every stage of an attack
Learn more
* XDR for Endpoint
* XDR for Endpoint
Stop adversaries faster with a broader perspective and better context
to hunt, detect, investigate, and respond to threats from a single
platform
Learn more
* Workload Security
* Workload Security
Optimized prevention, detection, and response for endpoints, servers,
and cloud workloads
Learn more
* Industrial Endpoint Security
* Industrial Endpoint Security
Learn more
* Mobile Security
* Mobile Security
On-premises and cloud protection against malware, malicious
applications, and other mobile threats
Learn more
* Network Security
* Network Security
* Network Security Overview
Expand the power of XDR with network detection and response
Learn more
* XDR for Network
* XDR for Network
Stop adversaries faster with a broader perspective and better context
to hunt, detect, investigate, and respond to threats from a single
platform
Learn more
* Network Intrusion Prevention (IPS)
* Network Intrusion Prevention (IPS)
Protect against known, unknown, and undisclosed vulnerabilities in your
network
Learn more
* Breach Detection System (BDS)
* Breach Detection System (BDS)
Detect and respond to targeted attacks moving inbound, outbound, and
laterally
Learn more
* Secure Service Edge (SSE)
* Secure Service Edge (SSE)
Redefine trust and secure digital transformation with continuous risk
assessments
Learn more
* Industrial Network Security
* Industrial Network Security
Learn more
* 5G Network Security
* 5G Network Security
Learn more
* Email Security
* Email Security
* Email Security
Stop phishing, malware, ransomware, fraud, and targeted attacks from
infiltrating your enterprise
Learn more
* Email and Collaboration Security
* Trend Vision One™
Email and Collaboration Security
Stop phishing, ransomware, and targeted attacks on any email service
including Microsoft 365 and Google Workspace
Learn more
* OT Security
* OT Security
* OT Security
Learn about solutions for ICS / OT security.
Learn more
* XDR for OT
* XDR for OT
Stop adversaries faster with a broader perspective and better context
to hunt, detect, investigate, and respond to threats from a single
platform
Learn more
* Industrial Network Security
* Industrial Network Security
Industrial Network Security
* Industrial Endpoint Security
* Industrial Endpoint Security
Learn more
* Threat Intelligence
* Threat Intelligence
Keep ahead of the latest threats and protect your critical data with
ongoing threat prevention and analysis
Learn more
* Identity Security
* Identity Security
End-to-end identity security from identity posture management to
detection and response
Learn more
* On-Premises Data Sovereignty
* On-Premises Data Sovereignty
Prevent, detect, respond and protect without compromising data
sovereignty
Learn more
* All Products, Services, and Trials
* All Products, Services, and Trials
Learn more
* Research
* Research
* Research
* Research
Learn more
* Research, News, and Perspectives
* Research, News, and Perspectives
Learn more
* Research and Analysis
* Research and Analysis
Learn more
* Security News
* Security News
Learn more
* Zero Day Initiatives (ZDI)
* Zero Day Initiatives (ZDI)
Learn more
* Services
* Our Services
* Our Services
* Our Services
Learn more
* Service Packages
* Service Packages
Augment security teams with 24/7/365 managed detection, response, and
support
Learn more
* Managed XDR
* Managed XDR
Augment threat detection with expertly managed detection and response
(MDR) for email, endpoints, servers, cloud workloads, and networks
Learn more
* Incident Response
* Incident Response
* Incident Response
Our trusted experts are on call whether you're experiencing a breach
or looking to proactively improve your IR plans
Learn more
* Insurance Carriers and Law Firms
* Insurance Carriers and Law Firms
Stop breaches with the best response and detection technology on the
market and reduce clients’ downtime and claim costs
Learn more
* Support Services
* Support Services
Learn more
* Partners
* Partner Program
* Partner Program
* Partner Program Overview
Grow your business and protect your customers with the best-in-class
complete, multilayered security
Learn more
* Managed Security Service Provider
* Managed Security Service Provider
Deliver modern security operations services with our industry-leading
XDR
Learn more
* Managed Service Provider
* Managed Service Provider
Partner with a leading expert in cybersecurity, leverage proven
solutions designed for MSPs
Learn more
* Cloud Service Provider
* Cloud Service Provider
Add market-leading security to your cloud service offerings – no matter
which platform you use
Learn more
* Professional Services
* Professional Services
Increase revenue with industry-leading security
Learn more
* Resellers
* Resellers
Discover the possibilities
Learn more
* Marketplace
* Marketplace
Learn more
* System Integrators
* System Integrators
Learn more
* Alliance Partners
* Alliance Partners
* Alliance Overview
We work with the best to help you optimize performance and value
Learn more
* Technology Alliance Partners
* Technology Alliance Partners
Learn more
* Our Alliance Partners
* Our Alliance Partners
Learn more
* Partner Tools
* Partner Tools
* Partner Tools
Learn more
* Partner Login
* Partner Login
Login
* Education and Certification
* Education and Certification
Learn more
* Partner Successes
* Partner Successes
Learn more
* Distributors
* Distributors
Learn more
* Find a Partner
* Find a Partner
Learn more
* Company
* Why Trend Micro
* Why Trend Micro
* Why Trend Micro
Learn more
* Customer Success Stories
* Customer Success Stories
Learn more
* The Human Connection
* The Human Connection
Learn more
* Industry Accolades
* Industry Accolades
Learn more
* Strategic Alliances
* Strategic Alliances
Learn more
* Compare Trend Micro
* Compare Trend Micro
* Compare Trend Micro
See how Trend outperforms the competition
Let's go
* vs. Crowdstrike
* Trend Micro vs. Crowdstrike
Crowdstrike provides effective cybersecurity through its cloud-native
platform, but its pricing may stretch budgets, especially for
organizations seeking cost-effective scalability through a true single
platform
Let's go
* vs. Microsoft
* Trend Micro vs. Microsoft
Microsoft offers a foundational layer of protection, yet it often
requires supplemental solutions to fully address customers' security
problems
Let's go
* vs. Palo Alto Networks
* Trend Micro vs. Palo Alto Networks
Palo Alto Networks delivers advanced cybersecurity solutions, but
navigating its comprehensive suite can be complex and unlocking all
capabilities requires significant investment
Let's go
* About Us
* About Us
* About Us
Learn more
* Trust Center
* Trust Center
Learn more
* History
* History
Learn more
* Diversity, Equity and Inclusion
* Diversity, Equity and Inclusion
Learn more
* Corporate Social Responsibility
* Corporate Social Responsibility
Learn more
* Leadership
* Leadership
Learn more
* Security Experts
* Security Experts
Learn more
* Internet Safety and Cybersecurity Education
* Internet Safety and Cybersecurity Education
Learn more
* Legal
* Legal
Learn more
* Investors
* Investors
Learn more
* Formula E Racing
* Formula E Racing
Learn more
* Connect With Us
* Connect With Us
* Connect With Us
Learn more
* Newsroom
* Newsroom
Learn more
* Events
* Events
Learn more
* Careers
* Careers
Learn more
* Webinars
* Webinars
Learn more
Back
Back
Back
Back
* Free Trials
* Contact Us
Looking for home solutions?
Under Attack?
3 Alerts
Back
Unread
All
* Ransomware in Q1 2024: Report on Phobos, LockBit, and other critical threats
close
Read report >
* Deepfakes and AI-driven disinformation threaten polls
close
Get the facts >
* Report on the email threat landscape
close
Learn the latest defense strategies >
Folio (0)
Support
* Business Support Portal
* Business Community
* Virus and Threat Help
* Education and Certification
* Contact Support
* Find a Support Partner
Resources
* Trend Micro vs. Competition
* Cyber Risk Index/Assessment
* CISO Resource Center
* DevOps Resource Center
* What Is?
* Threat Encyclopedia
* Cloud Health Assessment
* Cyber Insurance
* Glossary of Terms
* Webinars
Log In
* Vision One
* Support
* Partner Portal
* Cloud One
* Product Activation and Management
* Referral Affiliate
Back
arrow_back
search
close
Content has been added to your Folio
Go to Folio (0) close
Ransomware
AGENDA RANSOMWARE PROPAGATES TO VCENTERS AND ESXI VIA CUSTOM POWERSHELL SCRIPT
This blog entry discusses the Agenda ransomware group's use of its latest Rust
variant to propagate to VMWare vCenter and ESXi servers.
By: Arianne Dela Cruz, Raymart Yambot, Raighen Sanchez, Darrel Tristan Virtusio
March 26, 2024 Read time: 5 min (1406 words)
Save to Folio
Subscribe
--------------------------------------------------------------------------------
Since its discovery in 2022, the Agenda Ransomware group (also known as Qilin)
has been active and in development. Agenda, which Trend Micro tracks as Water
Galura, continues infecting victims globally with the US, Argentina, and
Australia, and Thailand being among its top targets (based on the threat actor’s
leak site data). Meanwhile the Agenda ransomware was used to target several
industries, such as finance and law.
Figure 1. The distribution by country of Agenda’s victims (March 2024)
Figure 2. The distribution by industry of Agenda’s victim organizations (March
2024)
Furthermore, based on Trend threat intelligence data, Agenda ransomware
detections increased beginning December 2023, in contrast to the number of
detections in November, which shows that its operators are either becoming more
active, or are reaching a greater number of targets.
We recently encountered updated versions of the ransomware, specifically for its
Rust variant. Based on what we’ve observed, Agenda ransomware group uses Remote
Monitoring and Management (RMM) tools, as well as Cobalt Strike for deployment
of the ransomware binary. As for the Agenda ransomware executable, it can also
propagate via PsExec and SecureShell, while also making use of different
vulnerable SYS drivers for defense evasion.
Figure 3. Agenda ransomware infection chain based on recent observations
download
EXECUTION
T1059.003 Command and Scripting Interpreter
The most recent version of the Agenda ransomware contains multiple command-line
arguments. The table below shows a comparison of the arguments we encountered
last July 2023 compared to the version we found in February 2024. Commands in
bold text are changes from previous versions.
Agenda Rust 2023 Agenda Rust February 2024 Details -ips --ips Allows for
providing IP addresses -password --password Password to proceed to the landing
page -paths --paths Defines the path that parses directories; if this flag
is used and left empty, all directories will be scanned -propagate --spread
Propagate to remote machines via PsExec -safe --safe Restart in safe mode -debug
--debug Debug mode -timer --timer Time delay before execution -exclude --exclude
Exclude specified directory for encryption -no-proc --no-proc no process
termination -no-services --no-services no service termination -no-domain
--no-domain no domain encryption -no-network --no-network no network
encryption --no-sandbox disable sandbox detection --no-escalate no
escalating privileges --impersonate Impersonate tokens --no-local no local
encryption --no-ef no extension filter --no-ff no file filter --no-df
no directory filter --no-vm no terminating VM machines --kill-cluster
disables VM clusters --no-extension no extension appended --no-wallpaper no
wallpaper modification --no-note no ransom note dropping --no-delete don’t
delete directories --no-destruct no deleting itself --no-zero
--print-image print ransom note --print-delay delay printing for n seconds
--force --spread-vcenter propagate in vCenter and ESXi --dry-run
--escalated escalated privileges --parent-sid specify SID --spread-process
Executed to spread and execute the sample
Table 1. Agenda Rust command-line Arguments
LATERAL MOVEMENT
T1021.004 Remote Services – SSH
When executed with the command-line --spread-vcenter, Agenda will use a custom
PowerShell script embedded in the binary to propagate across VMWare vCenter and
ESXi servers. This can potentially impact the virtual machines and even the
whole virtual infrastructure, leading to data and financial loss, as well as the
disruption of services running on virtual environments.
Figure 4. PowerShell Script used for propagation
To execute, Agenda requires users to input their credentials in the target
vCenter or ESXi host, and specify the path of the ESXi binary to propagate.
Since this is executed in an interactive shell, this may indicate that the
threat actors are the ones who will input these credentials into the machine
upon deployment.
Figure 5. Console for inputting vCenter or ESXi credentials
The PowerShell script is executed in-memory as a memory stream on a running
PowerShell process, making its execution fileless (since the script will not be
present in the machine).
Figure 6. Writing the PowerShell script in memory
Once loaded, the script first checks if its dependencies are installed:
Figure 7. Commands for checking required modules
Afterwards, it connects to the host names specified by the attacker and changes
the root password for all ESXi hosts. The new password will be the one required
by Agenda for execution. This effectively prevents victims from accessing the
compromised host even after encryption is done.
Figure 8. Changing ESXi host passwords
SSH would then be enabled for file transfer.
Figure 9. Enabling SSH in ESXi
Once SSH is enabled, it would proceed with creating an SSH session that will be
used to upload the ESXi binary:
Figure 10. Creating an SSH session.
After a successful upload, the payload will be executed on the target host,
effectively compromising the system.
Figure 11. Uploading and executing the ESXi binary
T1570 Lateral Tool Transfer
Agenda has also changed its propagation command-line to --spread, making it more
evident. To do this, PsExec is dropped in the following path:
%User Temp%\{random}.exe
Next, it will execute the PsExec file using the following command:
"cmd" /C %User Temp%\{random}.exe -accepteula \\ -c -f -h -d "{Malware File
Path}" --password {Password required}--spread {host name} --spread-process
IMPACT
T1486 Data Encrypted for Impact
Agenda also added a feature to print ransom notes on connected printers. It
copies the ransom note inl %User Temp%\{Generated file name}, and executes the
following commands:
“powershell" -Command "Get-Printer | Format-List Name,DriverName – used to get
printer drivers.
"powershell" -Command " Timeout /T '0' ; Get-Content -Path '%User
Temp%\{Generated file name}' | Out-Printer -Name '{Printer Name}' "
The latter command is used to print the ransom note on a specified printer.
Figure 12. Printing the Ransom Note
DEFENSE EVASION
T1480 Execution Guardrails
The latest version of Agenda can now terminate VMclusters (a group of Virtual
Machines/ESXi hosts configured to share resources). It does so by executing the
following commands:
· PowerShell -Command “Stop-Cluster -Force”
T1211 Exploitation for Defense Evasion
From our recent encounters with Agenda, we observed malicious actors employing
the Bring Your Own Vulnerable Driver (BYOVD) technique to evade detection by
security systems. BYOVD is not new and has been abused by multiple threat groups
such as the Kasseika ransomware (using a signed Martini.sys driver), the Akira
ransomware group, and the AvosLocker ransomware group.
In the Agenda ransomware’s case, we saw that for each infection chain, it
appears to be leveraging different vulnerable drivers to disable different
security tools.
Figure 13. A SYS driver used by the Agenda ransomware
Some drivers we have observed being leveraged by the Agenda ransomware is YDark,
a publicly available tool designed for kernel manipulation, as well as Spyboy’s
Terminator tool used to bypass AVs and EDRs (Endpoint Detection and Response).
Using different vulnerable drivers for defense evasion highlights how ransomware
can adapt, presenting a significant challenge for cybersecurity defenses trying
to stop it.
CONCLUSION AND RECOMMENDATIONS
The Agenda ransomware’s ability to spread to virtual machine infrastructure
shows that its operators are also expanding to new targets and systems,
therefore organizations should be aware of the group’s activities and implement
security measures to protect themselves from these kinds of ransomware, such as:
* Only granting employees administrative rights and access when necessary.
* Performing period scans and ensure that security products are updated
regularly.
* Regularly backing up data to ensure as a failsafe measure for data loss.
* Exercising good email and website safety practices; avoid downloading
attachments, clicking on URLs, and downloading applications unless certain of
the source’s legitimacy.
* Conducting regular user education on the dangers of social engineering.
A multilayered approach can help organizations guard possible entry points into
their system (endpoint, email, web, and network). Security solutions can detect
malicious components and suspicious behavior, which can help protect
enterprises.
Trend Vision One™ provides multilayered protection and behavior detection, which
helps block questionable behavior and tools before ransomware can do any
damage.
Trend Cloud One™ – Workload Security protects systems against both known and
unknown threats that exploit vulnerabilities. This protection is made possible
through techniques such as virtual patching and machine learning.
Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and
advanced analysis techniques to effectively block malicious emails, including
phishing emails that can serve as entry points for ransomware.
Trend Micro Apex One™ offers next-level automated threat detection and response
against advanced concerns such as fileless threats and ransomware, ensuring the
protection of endpoints.
With additional analysis from Nathaniel Morales, Maristel Policarpio, CJ Arsley
Mateo, Don Ladores
Vision One hunting query
The following query lists potentially useful queries for threat hunting within
Vision One:
(fullPath:("C:\Users\Public\enc.exe" OR "C:\Users\Public\pwndll.dll") OR
malName:*agenda*) OR (objectFilePath: ("C:\Users\Public\enc.exe" OR
"C:\Users\Public\pwndll.dll"))
INDICATORS OF COMPROMISE
The indicators of compromise for this entry can be found here.
Tags
Endpoints | Ransomware | Research | Articles, News, Reports
AUTHORS
* Arianne Dela Cruz
Threats Analyst
* Raymart Yambot
Threats Analyst
* Raighen Sanchez
Threat Response Engineer
* Darrel Tristan Virtusio
Cybersecurity Threat Engineer
Contact Us
Subscribe
RELATED ARTICLES
* Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers
* TargetCompany’s Linux Variant Targets ESXi Environments
* SANS's 2024 Threat-Hunting Survey Review
See all articles
Try our services free for 30 days
* Start your free trial today
*
*
*
*
*
RESOURCES
* Blog
* Newsroom
* Threat Reports
* DevOps Resource Center
* CISO Resource Center
* Find a Partner
SUPPORT
* Business Support Portal
* Contact Us
* Downloads
* Free Trials
*
*
ABOUT TREND
* About Us
* Careers
* Locations
* Upcoming Events
* Trust Center
*
Country Headquarters
Trend Micro - United States (US)
225 East John Carpenter Freeway
Suite 1500
Irving, Texas 75062
Phone: +1 (817) 569-8900
Select a country / region
United States expand_more
close
THE AMERICAS
* United States
* Brasil
* Canada
* México
MIDDLE EAST & AFRICA
* South Africa
* Middle East and North Africa
EUROPE
* België (Belgium)
* Česká Republika
* Danmark
* Deutschland, Österreich Schweiz
* España
* France
* Ireland
* Italia
* Nederland
* Norge (Norway)
* Polska (Poland)
* Suomi (Finland)
* Sverige (Sweden)
* Türkiye (Turkey)
* United Kingdom
ASIA & PACIFIC
* Australia
* Центральная Азия (Central Asia)
* Hong Kong (English)
* 香港 (中文) (Hong Kong)
* भारत गणराज्य (India)
* Indonesia
* 日本 (Japan)
* 대한민국 (South Korea)
* Malaysia
* Монголия (Mongolia) and рузия (Georgia)
* New Zealand
* Philippines
* Singapore
* 台灣 (Taiwan)
* ประเทศไทย (Thailand)
* Việt Nam
Privacy | Legal | Accessibility | Site map
Copyright ©2024 Trend Micro Incorporated. All rights reserved
sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk
This website uses cookies for website functionality, traffic analytics,
personalization, social media functionality and advertising. Our Cookie Notice
provides more information and explains how to amend your cookie settings.Learn
more
Cookies Settings Accept
✓
Grazie per la condivisione!
AddToAny
Più…
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1Sumo