Authored by: Anandeshwar Unnikrishnan
Stage 1: GULoader Shellcode DeploymentÂ
In latest GULoader campaigns, we’re seeing an increase in NSIS-based installers delivered by way of E-mail as malspam that use plugin libraries to execute the GU shellcode on the sufferer system. The NSIS scriptable installer is a extremely environment friendly software program packaging utility. The installer habits is dictated by an NSIS script and customers can prolong the performance of the packager by including customized libraries (dll) often known as NSIS plugins. Since its inception, adversaries have abused the utility to ship malware.Â
NSIS stands for Nullsoft Scriptable Installer. NSIS installer recordsdata are self-contained archives enabling malware authors to incorporate malicious belongings together with junk information. The junk information is used as Anti-AV / AV Evasion method. The picture under reveals the construction of an NSIS GULoader staging executable archive.
Â
The NSIS script, which is a file discovered within the archive, has a file extension â.nsiâ as proven within the picture above. The deployment technique employed by the risk actor might be studied by analyzing the NSIS script instructions offered within the script file. The picture proven under is an oversimplified view of the entire shellcode staging course of.Â
The file that holds the encoded GULoader shellcode is dropped on to suffererâs disc primarily based on the script configuration together with different information. Junk is appended at first of the encoded shellcode. The encoding model varies from pattern to pattern. However in all most all of the instances, itâs a easy XOR encoding. As talked about earlier than, the shellcode is appended to junk information, due to this, an offset is used to retrieve encoded GULoader shellcode. Within the picture, the FileSeek NSIS command is used to do correct offsetting. Some samples have unprotected GULoader shellcode appended to junk information.Â
Â
A plugin utilized by the NSIS installer is nothing however a DLL which will get loaded by the installer program at runtime and invokes features exported by the library. Two DLL recordsdata are dropped in personâs TEMP listing, in all analyzed samples one DLL has a constant title of system.dll and title of the opposite one varies.  Â
The system.dll is chargeable for allocating reminiscence for the shellcode and its execution. The next picture reveals how the NSIS script calls features in plugin libraries.
Â
The system.dll has the following exports as proven the in the picture under. The operate named âNameâ is getting used to deploy the shellcode on suffererâs system.Â
- The Name operate exported by system.dll resolves following features dynamically and execute them to deploy the shellcode.Â
- CreateFile â To learn the shellcode dumped on to disk by the installer. As a part of installer arrange, all of the recordsdata seen within the installer archive earlier are dumped on to disk in new listing created in C: drive.Â
- VirtualAlloc â To carry the shellcode within the RWX reminiscence.Â
- SetFilePointer â To hunt the precise place of the shellcode within the dumped file.Â
- ReadFile â To learn the shellcode. Â
- EnumResourceTypesA â Execution by way of callback mechanism. The second parameter is of the sort ENUMRESTYPEPROCA which is solely a pointer to a callback routine. The handle the place the shellcode is allotted within the reminiscence is handed because the second argument to this API resulting in execution of the shellcode. Callback features parameters are good assets for oblique execution of the code.  Â
Vectored Exception Dealing with in GULoaderÂ
The implementation of the exception dealing with by the Working System supplies a possibility for the adversary to take over execution stream. The Vectored Exception Dealing with on Home windows supplies the person with skill to register customized exception handler, which is solely a code logic that will get executed on the occasion of an exception. The attention-grabbing factor about dealing with exceptions is that the way in which through which the system resumes its regular execution stream of this system after the occasion of exception. Adversaries exploit this mechanism and take possession of the execution stream. Malware can divert the stream to the code which is beneath its management when the exception happens. Usually it’s employed by the malware to realize following targets:Â
- HookingÂ
- Covert code execution and anti-analysisÂ
The GuLoader employs the VEH primarily for obfuscating the execution stream and to decelerate the evaluation. This part will cowl the internals of Vectored exception dealing with on Home windows and investigates how GUloader is abusing the VEH mechanism to thwart any evaluation efforts. Â
- The Vectored Exception Dealing with (VEH) is an extension of Structured Exception Dealing with (SEH) with which we will add a vectored exception handler which can be referred to as regardless of of our place in a name body, merely put VEH just isn’t frame-based.Â
- VEH is abused by malware, both to govern the management stream or covertly execute person features.Â
- Home windows supplies AddVectoredExceptionHandler Win32 API so as to add customized exception handlers. The operate signature is proven under.Â
The Handler routine is of the kind PVECTORED_EXCEPTION_HANDLER. Additional checking the documentation, we will see the handler operate takes a pointer to _EXCEPTION_POINTERS kind as its enter as proven within the picture under.Â
Â
The _EXCEPTION_POINTERS kind holds two vital buildings; PEXCEPTION_RECORD and PCONTEXT. PEXCEPTION_RECORD incorporates all the data associated to exception raised by the system like exception code and so forth. and PCONTEXT construction maintains CPU register (like RIP/EIP, debug registers and so forth.) values or state of the thread captured when exception occurred.Â
Â
- This implies the exception handler can entry each ExceptionRecord and ContextRecord. Right here from inside the handler one can tamper with the info saved within the ContextRecord, thus manipulating EIP/RIP to manage the execution stream when person software resumes from exception dealing with.  Â
- There may be one attention-grabbing factor about exception dealing with, the execution to the applying is given again by way of NtContinue native routine. Exception dispatch routines name the handler and when handler returns to dispatcher, it passes the ContextRecord to the NtContinue and execution is resumed from the EIP/RIP within the document. On a aspect notice, that is an oversimplified clarification of the entire exception dealing with course of.Â
Vectored Handler in GULoaderÂ
- GULoader registers a vectored exception handler by way of RtlAddVectoredExceptionHandler native routine. The under picture reveals the management stream of the handler code. Apparently a lot of the code blocks current listed here are junk added to thwart the evaluation efforts. Â
Â
- The GULoaderâs handler implementation is as follows (disregarding the junk code).Â
- Reads ExceptionInfo handed to the handler by the system.Â
- Reads the ExceptionCode from ExceptionRecord construction.Â
- Checks the worth of ExceptionCode subject towards the computed exception codes for STATUS_ACCESS_VIOLATION, STATUS_BREAKPOINT and STATUS_SINGLESTEP.Â
- Based mostly on the exception code, malware takes a department and executes code that modifies the EIP.Â
Â
Â
The GULoader units the entice flag to set off single stepping deliberately to detect evaluation. The handler code will get executed as mentioned earlier than, a block of code is executed primarily based on the exception code. If the exception is single stepping, standing code is 0x80000004, following actions happen:
- The GULoader reads the ContextRecord and retrieves EIP worth of the thread.Â
- Â Increments the present EIP by 2 and reads the one byte from there.Â
- Performs an XOR on the one-byte information fetched from step earlier than and a static worth. The static worth modifications with samples. In our pattern worth is 0x1A.Â
- The XORâed worth is then added to the EIP fetched from the ContextRecord.Â
- Lastly, the modified EIP worth from prior step is saved within the ContextRecord and returns the management again to the system(dispatcher).Â
- The malware has the identical logic for the entry violation exception.Â
Â
- When the shellcode is executed with out debugger, INT3 instruction invokes the vectored exception handler routine, with an exception of EXCEPTION_BREAKPOINT, handler computes EIP by incrementing the EIP by 1 and fetching the info from incremented location. Later XORing the fetched information with a continuing in our case 0x1A. The result’s added to present EIP worth. The logic carried out for dealing with INT3 exceptions additionally scan this system code for 0xCC directions put by the researchers. If 0xCC are discovered which are positioned by researchers then EIP just isn’t calculated correctly.Â
Â
EIP Calculation Logic AbstractÂ
Set off by way of interrupt instruction (INT3)Â | eip=((ReadByte(eip+1)^0x1A)+eip)Â |
Set off by way of Single Stepping(PUSHFD/POPFD)Â | eip=((ReadByte(eip+2)^0x1A)+eip)Â |
*The worth 0x1A modifications with samplesÂ
Detecting Irregular Execution Movement by way of VEHÂ
- The shellcode is structured in such a manner that the malware can detect irregular execution stream by the order through which exception occurred at runtime. The pushfd/popfd directions are adopted by the code that when executed throws STATUS_ACCESS_VIOLATION. When program is executed usually, the execution won’t attain the code that follows the pushfd/popfd instruction block, thus elevating solely STATUS_SINGLESTEP. When accidently stepped over the pushfd/popfd block in debugger, the STATUS_SINGLESTEP just isn’t thrown on the debugger because it suppreses this as a result of the debugger is already single stepping by means of the code, that is detected by the handler logic once we encounter code that follows the pushfd/popfd instruction block wich throws a STATUS_ACCESS_VIOLATION. Now it runs right into a nested exception state of affairs (the entry violation adopted by suppressed single stepping exception by way of entice). Due to this, at any time when an entry violation happens, the handler routine checks for nested exception info in _EXCEPTION_POINTERS construction as mentioned at first.Â
Beneath picture reveals this the rigorously laid out code to detect evaluation.Â
Â
The Egg searching: VEH Assisted Runtime PaddingÂ
One attention-grabbing characteristic seen in GULoader shellcode within the wild is runtime padding. Runtime padding is an evasive habits to beat automated scanners and different safety checks employed at runtime. It delays the malicious actions carried out by the malware on the goal system. Â
- The egg worth within the analyzed pattern is 0xAE74B61. Â
- It initiates a seek for this worth in its personal information phase of the shellcode.Â
- Donât neglect the truth that that is carried out by way of VEH handler. This search itself provides 0.3 million of VEH iteration on high of normal VEH management manipulation employed within the code.Â
- The loader ends this search when it retrieves the handle location of the egg worth. To ensure the worth just isn’t being manipulated by any means by the researcher, it performs two further checks to validate the egg location.Â
- If the verify fails, the search continues. The method of retrieving the situation of the egg is proven within the picture under. Â
- As talked about above, the validity of the egg location is checked by retrieving byte values from two offsets: one is 4 bytes away from the egg location and the worth is 0xB8. The opposite is at 9 bytes from the egg location and the worth is 0xC3. This verify must be handed for the loader to proceed to the subsequent stage of an infection. Core malware actions are carried out after this runtime padding loop.Â
 The next photographs present the egg location validity checks carried out by GULoader. The values 0xB8 and 0xC3 are checked through the use of correct offsets from the egg location.Â
Â
Stage 2: Atmosphere Verify and Code Injection Â
Within the second stage of the an infection chain, the GULoader performs anti-analysis and code injection. Main anti-analysis vectors are listed under. After ensuring that shellcode just isn’t working in a sandbox, it proceeds to conduct code injection right into a newly spawned course of the place stage 3 is initiated to obtain and deploy precise payload. This payload might be both commodity stealer or RAT. Â
Anti-analysis Strategies Â
- Employs runtime padding as mentioned earlier than.Â
- Scans complete course of reminiscence for evaluation device particular stringsÂ
- Makes use of DJB2 hashing for string checks and dynamic API handle decision.Â
- Strings are decoded at runtimeÂ
- Checks if qemu is put in on the system by checking the set up path:Â
- C:Program Informationqqaqqa.exeÂ
- Patches the next APIs:Â
- DbgUIRemoteBreakInÂ
- The operateâs prologue is patched with ExitProcess nameÂ
- LdrLoadDllÂ
- The preliminary bytes are patched with instruction âmov edi ediâÂ
- DbgBreakPointÂ
- Patches with instruction nopÂ
- Clears hooks positioned in ntdll.dll by safety merchandise or researcher for the evaluation.Â
- Window Enumeration by way of EnumWindowsÂ
- Hides the shellcode thread from the debugger by way of ZwSetInformationThread by passing 0x11 (ThreadHideFromDebugger)Â
- Gadget driver enumeration by way of EnumDeviceDrivers andGetDeviceDriverBaseNameAÂ
- Put in software program enumeration by way of MsiEnumProductsA and MsiGetProductInfoAÂ
- System service enumeration by way of OpenSCManagerA and EnumServiceStatusAÂ
- Checks use of debugging ports by passing ProcessDebugPort (0x7) class to NtQueryInformationProcessÂ
- Use of CPUID and RDTSC directions to detect digital environments and instrumentation.Â
Anti-dump SafetyÂ
Every time GULoader invokes a Win32 api, the decision is sandwiched between two XOR loops as proven within the picture under. The loop previous to the decision encoded the lively shellcode area the place the decision is going down to stop the reminiscence from getting dumped by the safety merchandise primarily based on occasion monitoring or api calls. Following the decision, the shellcode area is decoded once more again to regular and resumes execution. The XOR key used is a phrase current within the shellcode itself.Â
Â
String Decoding Â
This part covers the method undertaken by the GUloader to decode the strings on the runtime.Â
- The NtAllocateVirtualMemory is known as to allocate a buffer to carry the encoded bytes.Â
- The encoded bytes are computed by performing numerous arithmetic and logical operations on static values embedded as operands of meeting directions. Beneath picture reveals the restoration of encoded bytes by way of numerous mathematical and logical operations. The EAX factors to reminiscence buffer, the place computed encoded values get saved.Â
Â
The primary byte/phrase is reserved to carry the dimensions of the encoded bytes. Beneath reveals a 12 byte lengthy encoded information being written to reminiscence.Â
Later, the primary phrase will get changed by the primary phrase of the particular encoded information. Beneath picture reveals the buffer after changing the primary phrase.Â
The encoded information is totally recovered now, and malware proceeds to decode it. For decoding the easy XOR is employed, and secret’s current within the shellcode. The meeting routine that does the decoding is proven in the picture under. Every byte within the buffer is XORed with the important thing.Â
Â
The results of the XOR operation is written to similar reminiscence buffer that holds the encoded information. A remaining view of the reminiscence buffer with decoded information is proven under.Â
The picture reveals the decoding the string âpsapi.dllâ, later this string is utilized in fetching the handlees of numerous features to make use of anti-evaluation. Â
Â
The stage 2 culminates in code injection, to be particular GULoader employs a variation of the method hollowing method, the place a benign course of is spawned in a suspended state by the malware stager course of and proceeds to overwrite the unique content material current within the suspended course of with malicious content material, later the state of the thread within the suspended course of is modified by modifying processor register values like EIP and eventually the method resumes its execution. By controlling EIP, malware can now direct the management stream within the spawned course of to a desired code location. After a profitable hollowing, the malware code can be working beneath the duvet of a legit software. Â
The variation of hollowing method employed by the GULoader doesnât change the file contents, however as a substitute injects the identical shellcode and maps the reminiscence within the suspended course of. Apparently, GULoader employs a further method if the hollowing try fails. Extra particulars are coated within the following part. Â
Listed under Win32 native APIs are dynamically resolved at runtime to carry out the code injection.Â
- NtCreateSectionÂ
- ZwMapViewOfSectionÂ
- NtWriteVirtualMemoryÂ
- ZwGetContetThreadÂ
- NtSetContextThreadÂ
- NtResumeThread  Â
Overview of Code InjectionÂ
- Initially picture â%windirpercentMicrosoft.NETFrameworkversion on 32-bit programs<model>CasPol.exeâ is spawned in suspended mode by way of CreateProcessInternalW native API.Â
- The Gu loader retrieves a deal with to the file âC:WindowsSysWOW64iertutil.dllâ which is utilized in part creation. The part object created by way of NtCreateSection can be backed by iertutil.dll. Â
- This habits is especially to keep away from suspicion, a piece object which isn’t backed by any file could draw undesirable consideration from safety programs. Â
- The following section within the code injection is the mapping of the view created on the part backed by the iertutil.dll into the spawned CasPol.exe course of. As soon as the view is efficiently mapped to the method, malware can inject the shellcode within the mapped reminiscence and resume the method thus initiating stage 3. The native api ZwMapViewOfSection is used to carry out this process. Following the execution of the above API, the malware checks the results of the operate name towards the under listed error statuses.Â
- C0000018 (STATUS_CONFLICTING_ADDRESS)Â
- C0000220 (STATUS_MAPPED_ALIGNMENT)Â
- 40000003 (STATUS_IMAGE_NOT_AT_BASE).Â
- If the mapping is unsuccessful and standing code returned by ZwMapViewOfSection matches with any of the code talked about above, it has a backup plan.Â
- The GuLoader calls NtAllocateVirtualMemory by instantly calling the system name stub which is often present in ntdll.dll library to bypass EDR/AV hooks. The reminiscence is allotted within the distant CasPol.exe course of with an RWX reminiscence safety. Following picture reveals the direct use of NtAllocateVirtualMemory system name.Â
After reminiscence allocation, it writes itself into distant course of by way of NtWriteVirtualMemory as mentioned above. GULoader shellcodes taken from the subject are greater in dimension, samples taken for this evaluation are all higher than 20 mb. In samples analyzed, the buffer dimension allotted to carry the shellcode is 2950000 bytes. The under picture reveals the GuLoader shellcode within the reminiscence.Â
Â
Deceptive Entry level Â
- The GULoader is extremely evasive in nature, if irregular execution stream is detected with assist of employed anti-analysis vectors, the EIP and EBX fields of thread context construction (of CasPol.exe course of) can be overwritten with a decoy handle, which is required for the stage 3 of malware execution. The placement ebp+4 is used to carry the entry level regardless of of the actual fact whether or not program is being debugged or not.Â
- The Gu loader makes use of ZwGetContextThread and NtSetContextThread routines to perform modification of the thread state. The CONTEXT construction is retrieved by way of ZwGetContextThread, the worth [ebp+14C] is used because the entry level handle. The present EIP worth held within the EIP subject within the context construction of the thread can be modified to a recalculated handle primarily based on worth at ebp+4. Beneath picture reveals the RVA calculation. The bottom handle of the executing shellcode (stage 2) is subtracted from the digital handle [ebp+4] to acquire RVA. Â
Â
The RVA is added to the base handle of the newly allotted reminiscence within the CasPol.exe course of to acquire new VA which can be utilized within the distant course of. The brand new VA is written into EIP and EBX subject within the thread context construction of the CasPol.exe course of retrieved by way of ZwGetContextThread. Beneath picture reveals the modified context construction and worth of EIP. Â
Â
Lastly, by calling ZwSetContextThread, the changes made to the CONTEXT construction is dedicated within the goal thread of CasPol.exe course of. The thread is resumed by calling NtResumeThread. The CasPol.exe resumes execution and performs stage 3 of the an infection chain.Â
Stage 3: Payload Deployment Â
The GULoader shellcode resumes execution from inside a brand new host course of, on this report, analyzed samples inject the shellcode both into the identical course of spawned as a baby course of or caspol.exe. Stage3 performs all of the anti-analysis as soon as once more to ensure this stage just isn’t being analyzed. In spite of everything checks, GUloader proceeds to carry out stage3 actions by decoding the encoded C2 string within the reminiscence as proven within the picture under. The decoding technique is similar as mentioned earlier than.Â
Later the addresses of following features are resolved dynamically by loading wininet.dll:Â
- InternetSetOptionAÂ
- InternetOpenUrlAÂ
- InternetReadFileÂ
- InternetCloseHandle.Â
The under picture reveals the response from the content material supply community (cdn) server the place the ultimate payload is saved. On this evaluation, a payload of dimension 0x2E640 bytes is distributed to the loader. Apparently, the primary 40 bytes are ignored by the loader. The precise payload begins from the offset 40 which is highlighted within the picture.Â
Â
The cdn server is properly protected, it solely serves to purchasers with correct headers and cookies. If these are usually not current within the HTTP request, the next message is proven to the person.Â
Ultimate PayloadÂ
Quasi Key EraÂ
Step one in decoding the the downloaded remaining payload by the GUloader is producing a quasi key which can be later utilized in decoding the precise key embeded within the GULoader shellcode. The encoded embeded key dimension is 371 bytes in analysed pattern. The method of quasi key technology is as follows:Â
- The 40th and 41st bytes (phrase) are retrived from the obtain buffer within the reminiscence.Â
- The above phrase is XORed with the primary phrase of the encoded embeded key alongside and a counter worth.Â
- The method is repeated untill the the phrase taken from the downloaded information totally decodes and have a worth of 0x4D5A âMZâ.Â
- The worth current within the counter when the 4D5A will get decoded is taken because the quasi key. This secret’s proven as âkey-1â within the picture under. Within the analysed pattern the worth of this secret’s â0x5448âÂ
Decoding Precise KeyÂ
The embedded key within the GULoader shellcode is of the dimensions 371 bytes as mentioned earlier than. The quasi secret’s used to decode the embeded key as proven within the picture under.Â
- Every phrase within the embeded secret’s XORed with quasi key key-1.Â
- When the interation counter exceeds the dimensions worth of 371 bytes, it stops and proceeds to decode the downloaded payload with this new key.Â
The decoded 371 bytes of embeded secret’s proven under within the picture under.Â
Decoding FileÂ
A byte degree decoding occurs after embeded secret’s decoded within the reminiscence. Every byte of the downloaded information is XORed with the important thing to acquire the precise information, which is a PE file. The decoded information is overwritten to the identical buffer used to obtain the decoded information.Â
The ultimate decoded PE file residing within the reminiscence is proven within the picture under:Â
Lastly, the loader hundreds the PE file by allocating the reminiscence with RWX permission within the stage3 course of, primarily based on analyzing a number of samples itâs both the identical course of in stage 2 because the baby course of, or casPol.exe. The loading concerned code relocation and IAT correction as anticipated in such a situation. The ultimate payload resumes execution from inside the hollowed stage3 course of. Beneath malware households are normally seen deployed by the GULoader:Â
- Vidar (Stealer)Â
- Raccoon (Stealer)Â
- Remcos RATÂ
Beneath picture reveals the injected reminiscence areas in stage3 course of caspol.exe on this report.Â
Conclusion Â
The function performed by malware loaders popularly often known as âcryptersâ is important within the deployment of Distant Administration Instruments and stealer malwares that concentrate on shopper information. The exfiltrated Private Identifiable Info (PII) extracted from the compromised endpoints are largely collected and funneled to numerous underground information promoting marketplaces. This additionally impacts companies as numerous important info used for authentication functions are getting leaked from the private programs of the person resulting in preliminary entry on the corporate networks. The GuLoader is closely utilized in mass malware campaigns to contaminate the customers with common stealer malware like Raccoon, Vidar, and Redline. Commodity RATs like Remcos are additionally seen delivered in such marketing campaign actions. On the brilliant aspect, it’s not tough to fingerprint malware specimens used within the mass campaigns due to the quantity its quantity and relevance, detection guidelines and programs might be constructed round this actual fact.Â
Â
Following desk summarizes all of the dynamically resolved Win32 APIs Â
Win32 APIÂ |
RtlAddVectoredExceptionHandler |
NtAllocateVirtualMemory |
DbgUIRemoteBreakIn |
LdrLoadDll |
DbgBreakPoint |
EnumWindows |
Nt/ZwSetInformationThread |
EnumDeviceDrivers |
GetDeviceDriverBaseNameAÂ |
MsiEnumProductsAÂ |
MsiGetProductInfoAÂ |
TerminateProcess |
ExitProcess |
NtSetContextThread |
NtWriteVirtualMemory |
NtCreateSection |
NtMapViewOfSection |
NtOpenFile |
NtSetInformationProcess |
NtClose |
NtResumeThread |
NtProtectVirtualMemory |
CreateProcessInternal |
GetLongPathNameWÂ |
Sleep |
NtCreateThreadEx |
WaitForSingleObject |
TerminateThread |
CreateFileWÂ |
WriteFile |
CloseHandle |
GetFileSize |
ReadFile |
ShellExecuteWÂ |
SHCreateDirectoryExWÂ |
RegCreateKeyExAÂ |
RegSetValueExAÂ |
OpenSCManagerAÂ |
EnumServiceStatusAÂ |
CloseServiceHandle |
NtQueryInformationProcess |
InternetOpenAÂ |
InternetSetOptionAÂ |
InternetOpenUrlAÂ |
InternetReadFile |
InternetCloseHandle |
Â
IOCÂ
889fddcb57ed66c63b0b16f2be2dbd7ec0252031cad3b15dfea5411ac245ef56Â
59b71cb2c5a14186a5069d7935ebe28486f49b7961bddac0a818a021373a44a3Â
4d9cdd7526f05343fda35aca3e0e6939abed8a037a0a871ce9ccd0e69a3741f2Â
c8006013fc6a90d635f394c91637eae12706f58897a6489d40e663f46996c664Â
c69e558e5526feeb00ab90efe764fb0b93b3a09692659d1a57c652da81f1d123Â
45156ac4b40b7537f4e003d9f925746b848a939b2362753f6edbcc794ea8b36aÂ
e68ce815ac0211303d2c38ccbb5ccead144909d295230df4b7a419dfdea12782Â
b24b36641fef3acbf3b643967d408b10bf8abfe1fe1f99d704a9a19f1dfc77e8Â
569aa6697083993d9c387426b827414a7ed225a3dd2e1e3eba1b49667573fdcbÂ
60de2308ebfeadadc3e401300172013be27af5b7d816c49696bb3dedc208c54eÂ
23458977440cccb8ac7d0d05c238d087d90f5bf1c42157fb3a161d41b741c39dÂ