{ "id": "e508750c-1feb-4276-9476-2fcc74251ffe", "created_at": "2026-04-06T00:06:12.091714Z", "updated_at": "2026-04-10T03:37:23.8702Z", "deleted_at": null, "sha1_hash": "a87f9e12af0ebf8e795b45da6ef6a16f15549bbf", "title": "SVCReady: A New Loader Gets Ready | HP Wolf Security", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 845089, "plain_text": "SVCReady: A New Loader Gets Ready | HP Wolf Security\r\nBy Patrick Schläpfer\r\nPublished: 2022-06-06 · Archived: 2026-04-05 13:23:54 UTC\r\nSince the end of April 2022, we have observed new malicious spam campaigns spreading a previously unknown\r\nmalware family called SVCReady. The malware is notable for the unusual way it is delivered to target PCs – using\r\nshellcode hidden in the properties of Microsoft Office documents – and because it is likely in an early stage of\r\ndevelopment, given that its authors updated the malware several times in May. In this report, we share a closer\r\nlook at the infection chain of the new SVCReady campaigns, the malware’s features, its changes over time, and\r\npossible links with TA551.\r\nFigure 1 – SVCReady sample isolated by HP Wolf Security in April 2022.\r\nInfection Chain\r\nBased on HP Wolf Security telemetry, the first sighting of this new campaign was on 22 April 2022. The attackers\r\nsent Microsoft Word document (.doc) attachments to targets via email. As in many other malware campaigns, the\r\ndocuments contain Visual Basic for Applications (VBA) AutoOpen macros that are used to execute malicious\r\ncode. But unlike other Office malware, the document does not use PowerShell or MSHTA to download further\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 1 of 15\n\npayloads from the web. Instead, the VBA macro runs shellcode stored in the properties of the document, which\r\nthen drops and runs SVCReady malware.\r\nFigure 2 – Document properties containing shellcode, namely a series of nop instructions as represented by 0x90\r\nvalues.\r\nVBA Macro and Shellcode\r\nFirst, two Windows API functions are defined in the VBA code: SetTimer and VirtualProtect.\r\nFigure 3 – Windows API function definitions.\r\nNext the shellcode, which is located in the document properties, is loaded into a variable. Different shellcode is\r\nloaded depending on if the architecture of the system is 32 bit or 64 bit.\r\nFigure 4 – Loading shellcode into a variable.\r\nThe shellcode, now in a variable, is then stored in memory so that it can be assigned executable access rights by\r\ncalling VirtualProtect. After giving executable access rights to the shellcode, SetTimer is called. The SetTimer API\r\ncan be passed a callback function as an argument, which is simply a pointer in memory. In this case, the attackers\r\npass the address of the shellcode, thus executing it.\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 2 of 15\n\nFigure 5 – Change of shellcode protection and execution.\r\nAt this point, the execution of the VBA macros ends, and the shellcode takes over the next steps of the infection.\r\nFirst, a dynamic link library (DLL) is dropped into the %TEMP% directory. Next, the shellcode copies\r\nrundll32.exe from the Window system directory into the %TEMP% directory. At this point, rundll32.exe is\r\nrenamed, presumably to evade detection. A detection opportunity here is to alert on the execution of Windows\r\nowned binaries outside their standard directories.\r\nOnce both files are in the %TEMP% directory, the renamed copy of rundll32.exe is run with the DLL and a\r\nfunction name as arguments. This execution launches SVCReady.\r\nFigure 6 – Rundll32.exe executing the malware.\r\nThis infection chain relies on shellcode stored in an Office document, a technique not often seen in malware\r\ncampaigns. However, we have seen one other campaign that used this technique in mid-April to distribute Ursnif.\r\nThe Downloader\r\nThe DLL started via rundll32.exe acts as a downloader, with additional functionalities for collecting information\r\nabout the infected system and communicating with a command and control (C2) server. As soon as the\r\ndownloader runs, it reports to the C2 server and immediately starts gathering information.\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 3 of 15\n\nFigure 7 – C2 traffic of downloader, showing a status update (“Starting: success”).\r\nInformation Gathering\r\nThe malware collects system information including the username, computer name, time zone and whether the\r\ncomputer is joined to a domain. It is also queries the Registry, specifically the\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System key, for the details about the computer’s\r\nmanufacturer, BIOS and firmware. Additionally, it collects lists of running processes and installed software. The\r\nmalware gathers this information through Windows API calls rather than Windows Management Instrumentation\r\n(WMI) queries. All the information is formatted as JSON and sent to the C2 server through an HTTP POST\r\nrequest.\r\nFigure 8 – Sending system information to the C2 server.\r\nCommand and Control\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 4 of 15\n\nCommunication with the C2 server occurs via HTTP, but the data itself is encrypted using the RC4 cipher.\r\nInterestingly, RC4 encryption was not implemented in the first malware samples we analyzed at the end of April\r\n2022. This suggests that the C2 encryption was only added during May and that the malware is being actively\r\ndeveloped. After unpacking the sample, the RC4 key can be extracted from memory. The attackers change the\r\nRC4 key for each campaign.\r\nFigure 9 – The RC4 key used to encrypt the malware’s network communication, shown in memory.\r\nThe RC4 key in Figure 9 corresponds to the campaign from 30 May:\r\nRC4 key – 0v89u6y089ut934uc0t8934uct08934uc0t89u54y895689vuh489cu389ct45\r\nSVCReady DLL – 16851d915aaddf29fa2069b79d50fe3a81ecaafd28cde5b77cb531fe5a4e6742\r\nPersistence\r\nAfter exfiltrating information about the infected PC, the malware tries to achieve persistence on the system. The\r\nmalware’s authors probably intended to copy the malware DLL to the Roaming directory, giving it a unique name\r\nbased on a freshly generated UUID. But it seems they failed to implement this correctly because rundll32.exe is\r\ncopied to the Roaming directory instead of the SVCReady DLL. The malware creates a scheduled task called\r\nRecoveryExTask that runs the file copied to Roaming with rundll32.exe and a function name when the system\r\nstarts.\r\nFigure 10 – Definition of the scheduled task.\r\nBut because of the error, rundll32.exe is executed with rundll32.exe, meaning the malware does not start after the\r\nsystem is rebooted.\r\nAt this point, the malware creates a new registry key that may be useful for building a signature to detect the\r\nmalware: HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 5 of 15\n\nFigure 11 – Registry key created by the malware.\r\nAfter completing a task, the malware sends a status message to the C2 server. These status messages are always in\r\nJSON format. For example, the status message after creating the scheduled task looks like this:\r\nFigure 12 – JSON status.\r\nMore Information Gathering\r\nOnce the persistence phase is completed, another information gathering phase follows. This time, the SVCReady\r\ntakes a screenshot and sends it to the C2 server.\r\nFigure 13 – Sending screenshot to C2.\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 6 of 15\n\nThe malware then runs the systeminfo.exe process. The malware extracts the osinfo section from it and sends it to\r\nthe C2 server. The information collected is identical to that gathered in the earlier information gathering phase. It\r\nis possible that the malware makes this redundant query in case the first queries via Windows API and registry key\r\nfail or perhaps the developer was experimenting with different methods of gathering information.\r\nAn example output looks like this:\r\nFigure 14 –\r\nosinfo output.\r\nVirtual Machine Detection\r\nFinally, the malware makes two WMI queries that are used to determine whether its runtime environment is\r\nvirtualized or not:\r\nSelect AccessState from Win32_USBControllerDevice\r\nselect * from CIM_ComputerSystem\r\nThis stage is called checkvm.\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 7 of 15\n\nFigure 15 – Checking USB controllers to see if it is running inside a virtual machine (VM).\r\nThe result of this evaluation is then communicated back to the C2, ending the initial phase of the malware. For\r\nexample, if a VM is detected:\r\n{“method”:”log”,params”:{“logs”:[“USB Status 2 VM DETECTED “],”stage”:”usbstatus-ban”}}\r\nThe malware then enters a sleep stage for 30 minutes.\r\nFigure 16 – Malware going to sleep.\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 8 of 15\n\nBeaconing activity\r\nSVCReady beacons to its C2 server every five minutes. The beacon only contains the status of the malware. Once\r\nthe six consecutive sleep instructions have elapsed, the malware validates the last domains received via an HTTP\r\nrequest and then asks for new tasks. The API nodes of the malware gate are structured as follows:\r\nPurpose API Node\r\nValidate domain /xl/gate/check\r\nShare information /xl/gate\r\nRequest tasks /xl/gate/task\r\nFigure 17 – C2 response to task request.\r\nThe response can include a list of domains and a command for the malware, for example:\r\n{“domains”:[“galmerts[.]art”,”kikipi[.]art”,”kokoroklo[.]su”],”command”:”nop”}\r\nOther functionalities of the malware are:\r\nDownload a file to the infected client\r\nTake a screenshot\r\nRun a shell command\r\nCheck if it is running in a virtual machine\r\nCollect system information (a short and a “normal” version)\r\nCheck the USB status, i.e. the number of devices plugged-in\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 9 of 15\n\nEstablish persistence through a scheduled task\r\nRun a file\r\nRun a file using RunPeNative in memory\r\nFollow-up Malware\r\nIn the campaign on 26 April, RedLine Stealer was delivered as a follow-up payload after the initial infection with\r\nSVCReady. At that time the C2 communication format was not encrypted. It may be that this campaign was a test\r\nby SVCReady’s operators. At the time of writing, we have not yet received any further malware payloads since\r\nthen. Below are the indicators of compromise (IOCs) for the malware campaign on 26 April:\r\nWord documents:\r\nfa5747e42c4574f854cd0083b05064466e75d243da93008b9f0dcac5cf31f208\r\ne09c98b677264fc0de36a9fd99a2711455fe79699ca958938dd12b5bd2c66bad\r\nc0795d7a7f2c5fdb7615ee5826e8453bef832f36282d6229ec07caf49842f4bc\r\nDLL:\r\nd3e69a33913507c80742a2d7a59c889efe7aa8f52beef8d172764e049e03ead5\r\nC2 domain:\r\nmuelgadr[.]top\r\nDownload URL:\r\nhxxp://wikidreamers[.]com/exe/install.exe\r\nPayload:\r\nRedLine Stealer – 6e1137447376815e733c74ab67f202be0d7c769837a0aaac044a9b2696a8fa89\r\nFile name and document similarities to TA551\r\nWe identified similarities between the file names of the documents used to deliver SVCReady and those used in\r\nTA551 campaigns (Figure 18). TA551 activity was last seen at the end of January 2022.\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 10 of 15\n\nFigure 18 – List of past TA551 threats.\r\nWe also found similarities between the lure images used in SVCReady and TA551 campaigns.\r\nFigure 19 – Malicious document containing a social engineering image, April 2022 campaign.\r\nWe maintain a database of about 20,000 images extracted from malicious documents, which we use to find\r\nvisually similar images using perceptual hash algorithms. Figure 20 shows the image extracted from a document\r\nthat drops SVCReady.\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 11 of 15\n\nFigure 20 – Extracted image from SVCReady document.\r\nSearching our database revealed three documents used to deliver Ursnif that contained the same image, all from\r\nMay 2021:\r\n2021-05-10: e6afaabd1e4a2c7adeedca6ee0ed095271a53a293162e3cf7ed52d570279258e\r\n2021-05-12: 02e62eeb73ac0c0fa55cc203fbee23420a848cf991106eca3f75e8863a0cb4e5\r\n2021-05-21: f21289980710dcbb525d70a2be6aa1dc3118150386c0b2196cc5f23e637b87f5\r\nA closer analysis of these documents found that information was also stored in the document properties that was\r\nsubsequently used by malicious macros. However, the VBA code is significantly different and used MSHTA to\r\ndownload and run the follow-up malware from the web. The malware was downloaded from the following URLs:\r\nhxxp://192.186.183[.]130/ts/909t5HXsDn4QMY6OB0I8tfpOT0N4FPGKuw~~/40PRbE-lUJTVQYhwM4WoZD6MyfeLT3GeSA~~/\r\nhxxp://144.168.197[.]36/ts/KS8qyPL1yA-fh8c8BXwFfnOGiWotKKIvqQ~~/t6q4Lknm9T-M1FiPi5sCy2xtzZ27J7KabQ~~/\r\nUrsnif payload hashes:\r\n2848bfc05bcfaa5704ff4c44ab86b23c69aa386a39ad4bb393f3287bd884f8cc\r\n18d7206e9fa38d5844d3b0ec46576ace8a36091e77477f86a9a43724aa6a2309\r\nFurther, our search found two more images that weren’t identical, but still very similar.\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 12 of 15\n\nFigure 21 – Similar document images from 2019 and 2020.\r\nThe difference with this image is that the text is part of the image, whereas in the other campaign, the text and the\r\nbackground were separate element in the document. Notably, the text is identical, including grammatical errors.\r\nThese two documents were observed in 2019 and 2020 in campaigns that distributed Ursnif and IcedID\r\nrespectively:\r\n2019-02-04: 3dab8a906b30e1371b9aab1895cd5aef75294b747b7291d5c308bb19fbc5db10\r\n2020-03-16: e47945f9cc50bb911242f9a69fc4177ed3dcc8e04dbfec0a1d36ff8699541ab5\r\nBoth campaigns can be traced back to TA551 based on the domains used to host the malware:\r\ngou20lclair[.]band\r\nglquaoy[.]com\r\nComparing the images used in malware documents provides no certainty that the same threat actor is behind them,\r\nsince it is possible that we are seeing the artifacts left by two different attackers who are using the same tools.\r\nHowever, our findings show that similar templates and potentially document builders are being used by the actors\r\nbehind the TA551 and SVCReady campaigns.\r\nNaming the Campaigns\r\nThe malware family analyzed in this report corresponds to IDS rules published by Proofpoint, which names it\r\nSVCReady. To avoid confusion, we are tracking the malware by the same name.\r\nConclusion\r\nSince the end of April 2022, we have been seeing new malicious spam campaigns spreading a previously\r\nunknown malware family, called SVCReady. Notably, the malware is dropped by shellcode that is stored in the\r\nproperties of a Word document. SVCReady is under active development. We have tracked several changes since\r\nthe first campaign in April 2022. The malware also has bugs, notably in its persistence feature and duplication in\r\nthe reconnaissance data it collects. This, as well as the low frequency and volume of the campaigns, suggests that\r\nthe malware is in the early stages of development.\r\nIndicators of Compromise\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 13 of 15\n\nDocuments\r\n501D971E548139153C64037D07B4E3FEA2C1735A37774531C88CFA95BA660EC3\r\n99DF2CC2535C82B84BA23384DF290D7506242532123D8414C1CFC61967072C28\r\nC6C080A63DD038D11CD6E724D2DE31108CABE7B6E38F674FE8189696886582AF\r\nD270E1CA349DAA668E0807BE65ECA75CC739008A39E283F922A8728C22663417\r\n6C9FD23D88239D819E0B494E589B665C4E7921ED9B9DD0BBD1610D71230BCF81\r\nF47514C680135C7D4285F2284D5621245463F55A901C38F171DCE445695AC533\r\n9F7124303F1C957F7E02F275F3501CBAA6E0645A6D78B50617A97761DC611CFF\r\n4C1DD6A893F86A150E003118148C655044D06E8300678CF6BF3CC3107B91B66C\r\nFCB325D21D1100269731553015D6D0F85143DAE2BFA6CBAF49AC6DA29F1F732E\r\n939863285773B17623F0F027FAAE8B994BF5FC1AFB182C63A026431C71CD3885\r\n65A650DD353EA767EF68CF4627436977E6D55102D699B2E8B8DE491DA5C0A5EB\r\n134D0B10BAC1404FA1DA83C96C08E0882500819DAAD5F49E9E83C92F2A624B3E\r\nF2FADD7A8B88DA62228DAB8981638B5C9F5512A57A0441B57C2B3A29B0A96012\r\n0D55564A2BED4FF06BC8B1DAAB98E2032C39536DAA31878E16FED29BC987A4D1\r\nA8EED171FDCB2A872865620FC2234E0B07201D927ABCB65344846F6D4A7B75F5\r\nC24266CC16D65F0B8D72BB7DF80A6B2FFE343429A764AFB9FB0A9C20D53AB9AF\r\n50FBE350CC660361B919F5E464DA6D6170F35EF497327AE5DEFC7805E76D5568\r\nC362D9EEFAFB44D4116B4DFABD5945E974C8A010221705E021490EFBF34BC3A3\r\n68617985E8AB455316C18172723FBD2748DE58008714C4CB3F7C6F19D326F135\r\n65E551F7093299A9A20EAF536197C19ABBDD51B95B9570EDAC4950D7C951AD92\r\nD8AEC5539973927EB07A23BA4DE3780D28C2DD2D6DBBC697562A44B30CD3B03F\r\nCA61DE1E2442C16C280EB7264D6B7F79EC92CDC10D1C202EFB028DA5F242F83A\r\n74652EAE27C9F5A5C397EACC76DAF768B3E601F106E8539C7D855712AB185E40\r\n0224B906741F248D8BCEDAEF423B58FFB1B4577EC06711293F7065B12AE71788\r\nFDABB1F5B7691F03B2D89FEB8B0D4E3FD036F9B4E718269CAD8741C7E4D14072\r\nFD799D99F7E84436F8AF16D94EE7B2F1D08CA3CEE746E1CF9B36E2139D676E4C\r\n4A2E76B57DE10C687716A1D7A295910CC5C0D04F5D10D4F4C53AE1BDE45A251C\r\n9122092980BC0ED9C9B008C5456CC18656C41798585B8819F1D6F2620CAC3CF3\r\n391D134B792FB660426F183755AD00DBD737F521CFF1F9A12D402CD714D34645\r\nB67120F25963D36560CBB86B35E864F608536ABEF7C3377F46997D65BAD13CAA\r\n5170461322CB1A79ABB84FEED75B7F871B6F1594562E7724C45D7BB98F97C86B\r\n4B8627B5896A0656E801A95B16068F84660F1460A247E712651E0945EB4309CB\r\n95E328A549247F900DA5747F7E2057DEF121D2EDA82CFD7E926A6955C797D317\r\nAFA40C3157F2704ABA4838A7308B53A4853176AF86982CE2999AA4DF3AC7BB9C\r\n00FD57B32A3DF737C274D2184663DE4EDC22A4E003419C1B10B262E66995EE23\r\n5B7FBEC223DEB714DC7A4037348936A27D86B061CB2120213D5A69849CC9B588\r\nFA6F5695AC2530B486FDD6FE8096AAAF65081BC092AB874545628C61E1403919\r\nC86A477579188305132DAB40700D06FFF9E26B5CE627233FB9D20DA1DFC74B47\r\n748352146AB86EA1A32DFED0B0D5FAC0EFC52728BCCD79476B74FB73517EFB21\r\nDLLs\r\n08e427c92010a8a282c894cf5a77a874e09c08e283a66f1905c131871cc4d273\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 14 of 15\n\n16851d915aaddf29fa2069b79d50fe3a81ecaafd28cde5b77cb531fe5a4e6742\r\n1d3217d7818e05db29f7c4437d41ea20f75978f67bc2b4419225542b190432fb\r\n235720bec0797367013cbdc1fe9bbdde1c5d325235920a1a3e9499485fb72dba\r\n39c955c9e906075c11948edd79ffc6d6fcc5b5e3ac336231f52c3b03e718371e\r\n5e932751c4dea799d69e1b4f02291dc6b06200dd4562b7ae1b6ac96693165cea\r\nd3e69a33913507c80742a2d7a59c889efe7aa8f52beef8d172764e049e03ead5\r\nf690f484c1883571a8bbf19313025a1264d3e10f570380f7aca3cc92135e1d2e\r\nDomains\r\nmuelgadr[.]top\r\nwikidreamers[.]com\r\ngalmerts[.]art\r\nmarualosa[.]top\r\nkikipi[.]art\r\nkokoroklo[.]su\r\nSource: https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nhttps://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\r\nPage 15 of 15\n\nFile name and We identified similarities document similarities between the file to TA551 names of the documents used to deliver SVCReady and those used in\nTA551 campaigns (Figure 18). TA551 activity was last seen at the end of January 2022.\n Page 10 of 15", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE", "Malpedia" ], "references": [ "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" ], "report_names": [ "svcready-a-new-loader-reveals-itself" ], "threat_actors": [ { "id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f", "created_at": "2022-10-25T15:50:23.579601Z", "updated_at": "2026-04-10T02:00:05.360509Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "TA551", "GOLD CABIN", "Shathak" ], "source_name": "MITRE:TA551", "tools": [ "QakBot", "IcedID", "Valak", "Ursnif" ], "source_id": "MITRE", "reports": null }, { "id": "40b623c7-b621-48db-b55b-dd4f6746fbc6", "created_at": "2024-06-19T02:03:08.017681Z", "updated_at": "2026-04-10T02:00:03.665818Z", "deleted_at": null, "main_name": "GOLD CABIN", "aliases": [ "Shathak", "TA551 " ], "source_name": "Secureworks:GOLD CABIN", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "90f216f2-4897-46fc-bb76-3acae9d112ca", "created_at": "2023-01-06T13:46:39.248936Z", "updated_at": "2026-04-10T02:00:03.260122Z", "deleted_at": null, "main_name": "GOLD CABIN", "aliases": [ "Shakthak", "TA551", "ATK236", "G0127", "Monster Libra" ], "source_name": "MISPGALAXY:GOLD CABIN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68", "created_at": "2022-10-25T16:07:24.578896Z", "updated_at": "2026-04-10T02:00:05.039955Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "G0127", "Gold Cabin", "Monster Libra", "Shathak", "TA551" ], "source_name": "ETDA:TA551", "tools": [ "BokBot", "CRM", "Gozi", "Gozi CRM", "IceID", "IcedID", "Papras", "Snifula", "Ursnif", "Valak", "Valek" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775433972, "ts_updated_at": 1775792243, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a87f9e12af0ebf8e795b45da6ef6a16f15549bbf.pdf", "text": "https://archive.orkl.eu/a87f9e12af0ebf8e795b45da6ef6a16f15549bbf.txt", "img": "https://archive.orkl.eu/a87f9e12af0ebf8e795b45da6ef6a16f15549bbf.jpg" } }