{ "id": "0bd5a82a-c87e-4469-a474-2b8a38c1a3bb", "created_at": "2026-04-06T00:14:09.598469Z", "updated_at": "2026-04-10T13:12:58.408127Z", "deleted_at": null, "sha1_hash": "59cb3be7a9fdda01c3fb206368c54dadc2de0748", "title": "Karakurt Data Extortion Group | CISA", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 111195, "plain_text": "Karakurt Data Extortion Group | CISA\r\nPublished: 2023-12-12 · Archived: 2026-04-05 15:33:22 UTC\r\n1. Prioritize patching known exploited vulnerabilities.\r\n2. Train users to recognize and report phishing attempts.\r\n3. Enforce multifactor authentication.\r\nSUMMARY\r\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the\r\nDepartment of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing\r\nthis joint Cybersecurity Advisory (CSA) to provide information on the Karakurt data extortion group, also known\r\nas the Karakurt Team and Karakurt Lair. Karakurt actors have employed a variety of tactics, techniques, and\r\nprocedures (TTPs), creating significant challenges for defense and mitigation. Karakurt victims have not reported\r\nencryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to\r\nauction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom\r\ndemands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire\r\nwithin a week of first contact with the victim.\r\nKarakurt actors have typically provided screenshots or copies of stolen file directories as proof of stolen data.\r\nKarakurt actors have contacted victims’ employees, business partners, and clients [T1591.002 ] with harassing\r\nemails and phone calls to pressure the victims to cooperate. The emails have contained examples of stolen data,\r\nsuch as social security numbers, payment accounts, private company emails, and sensitive business data belonging\r\nto employees or clients. Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion\r\nof files and, occasionally, a brief statement explaining how the initial intrusion occurred.\r\nPrior to January 5, 2022, Karakurt operated a leaks and auction website found at https://karakurt[.]group. The\r\ndomain and IP address originally hosting the website went offline in the spring 2022. The website is no longer\r\naccessible on the open internet, but has been reported to be located elsewhere in the deep web and on the dark\r\nweb. As of May 2022, the website contained several terabytes of data purported to belong to victims across North\r\nAmerica and Europe, along with several “press releases” naming victims who had not paid or cooperated, and\r\ninstructions for participating in victim data “auctions.”\r\nDownload the PDF version of this report:\r\nClick here for STIX. \r\nTECHNICAL DETAILS\r\nInitial Intrusion\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-152a\r\nPage 1 of 9\n\nKarakurt does not appear to target any specific sectors, industries, or types of victims. During reconnaissance\r\n[TA0043 ], Karakurt actors appear to obtain access to victim devices primarily:\r\nBy purchasing stolen login credentials [T1589.001 ],[T1589.002 ];\r\nVia cooperating partners in the cybercrime community, who provide Karakurt access to already\r\ncompromised victims; or\r\nThrough buying access to already compromised victims via third-party intrusion broker networks\r\n[T1589.001 ].\r\nNote: Intrusion brokers, or intrusion broker networks, are malicious individual cyber actors or\r\ngroups of actors who use a variety of tools and skills to obtain initial access to—and often create\r\nmarketable persistence within—protected computer systems. Intrusion brokers then sell access to\r\nthese compromised computer systems to other cybercriminal actors, such as those engaged in\r\nransomware, business email compromise, corporate and government espionage, etc.\r\nSome Karakurt victims have reported that initial intrusion may have occurred via compromised Cisco\r\nAnyConnect VPN user accounts. Many of these victims reported multi-factor authentication was not enforced for\r\ntheir Cisco AnyConnect VPN platforms.\r\nCommon intrusion vulnerabilities exploited for initial access [TA001 ] in Karakurt events include the following:\r\nOutdated SonicWall SSL VPN appliances [T1133 ] are vulnerable to multiple recent CVEs,\r\nLog4j “Log4Shell” Apache Logging Services vulnerability (CVE-2021-44228) [T1190] ,\r\nPhishing and spearphishing [T1566 ],\r\nMalicious macros within email attachments [T1566.001 ],\r\nStolen virtual private network (VPN) or Remote Desktop Protocol (RDP) credentials [T1078 ],\r\nOutdated Fortinet FortiGate SSL VPN appliances [T1133 ]/firewall appliances [T1190 ] are vulnerable\r\nto multiple recent CVEs,\r\nOutdated and/or unserviceable Microsoft Windows Server instances,\r\nOutdated and/or unpatched Cisco AnyConnect software and hardware appliances.\r\nNetwork Reconnaissance, Enumeration, Persistence, and Exfiltration\r\nUpon developing or obtaining access to a compromised system, Karakurt actors deploy Cobalt Strike beacons\r\nto enumerate a network [T1083 ], install Mimikatz to pull plain-text credentials [T1078 ], use AnyDesk to\r\nobtain persistent remote control [T1219 ], and utilize additional situation-dependent tools to elevate privileges\r\nand move laterally within a network.\r\nKarakurt actors then compress (typically with 7zip) and exfiltrate large sums of data—and, in many cases, entire\r\nnetwork-connected shared drives in volumes exceeding 1 terabyte (TB)—using open source applications and File\r\nTransfer Protocol (FTP) services [T1048 ] such as Filezilla and cloud storage services including rclone and\r\nMega.nz [T1567.002 ].\r\nExtortion\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-152a\r\nPage 2 of 9\n\nFollowing the exfiltration of data, Karakurt actors present the victim with ransom notes by way of “readme.txt”\r\nfiles, via emails sent to victim employees over the compromised email networks, and emails sent to victim\r\nemployees from external email accounts. The ransom notes reveal the victim has been hacked by the “Karakurt\r\nTeam” and threaten public release or auction of the stolen data. The instructions include a link to a TOR URL with\r\nan access code. Visiting the URL and inputting the access code open a chat application over which victims can\r\nnegotiate with Karakurt actors to have their data deleted.\r\nKarakurt victims have reported extensive harassment campaigns by Karakurt actors in which employees, business\r\npartners, and clients receive numerous emails and phone calls warning the recipients to encourage the victims to\r\nnegotiate with the actors to prevent the dissemination of victim data. These communications often included\r\nsamples of stolen data—primarily personally identifiable information (PII), such as employment records, health\r\nrecords, and financial business records.\r\nVictims who negotiate with Karakurt actors receive “proof of life,” such as screenshots showing file trees of\r\nallegedly stolen data or, in some cases, actual copies of stolen files. Upon reaching an agreement on the price of\r\nthe stolen data with the victims, Karakurt actors provided a Bitcoin address—usually a new, previously unused\r\naddress—to which ransom payments could be made.\r\nUpon receiving the ransom, Karakurt actors provide some form of alleged proof of deletion of the stolen files,\r\nsuch as a screen recording of the files being deleted, a deletion log, or credentials for a victim to log into a storage\r\nserver and delete the files themselves.\r\nAlthough Karakurt’s primary extortion leverage is a promise to delete stolen data and keep the incident\r\nconfidential, some victims reported Karakurt actors did not maintain the confidentiality of victim information after\r\na ransom was paid. Note: The U.S. government strongly discourage the payment of any ransom to Karakurt threat\r\nactors, or any cyber criminals promising to delete stolen files in exchange for payments.\r\nIn some cases, Karakurt actors have conducted extortion against victims previously attacked by other ransomware\r\nvariants. In such cases, Karakurt actors likely purchased or otherwise obtained previously stolen data. Karakurt\r\nactors have also targeted victims at the same time these victims were under attack by other ransomware actors. In\r\nsuch cases, victims received ransom notes from multiple ransomware variants simultaneously, suggesting\r\nKarakurt actors purchased access to a compromised system that was also sold to another ransomware actor.\r\nKarakurt actors have also exaggerated the degree to which a victim had been compromised and the value of data\r\nstolen. For example, in some instances, Karakurt actors claimed to steal volumes of data far beyond the storage\r\ncapacity of compromised systems or claimed to steal data that did not belong to the victim.\r\nIndicators of Compromise\r\nEmail\r\nmark.hubert1986@gmail.com; karakurtlair@gmail.com; personal.information.reveal@gmail.com;\r\nripidelfun1986@protonmail.com; gapreappballye1979@protonmail.com;\r\nconfedicial.datas.download@protonmail.com; armada.mitchell94@protonmail.com\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-152a\r\nPage 3 of 9\n\nEmail\r\nProtonmail email accounts in the following formats: victimname_treasure@protonmail.com,\r\nvictimname_jewels@protonmail.com, victimname_files@protonmail.com\r\nTools  \r\nTools  \r\nOnion site https://omx5iqrdbsoitf3q4xexrqw5r5tfw7vp3vl3li3lfo7saabxazshnead.onion\r\nTools Rclone.exe;; AnyDesk.exe; Mimikatz\r\nNgrok\r\nSSH tunnel application SHA256 -\r\n3e625e20d7f00b6d5121bb0a71cfa61f92d658bcd61af2cf5397e0ae28f4ba56\r\nDLLs\r\nmasquerading as\r\nlegitimate Microsoft\r\nbinaries to System32\r\nMscxxx.dll: SHA1 - c33129a680e907e5f49bcbab4227c0b02e191770 Msuxxx.dll:\r\nSHA1 - 030394b7a2642fe962a7705dcc832d2c08d006f5\r\nMsxsl.exe\r\nLegitimate Microsoft Command Line XSL Transformation Utility SHA1 -\r\n8B516E7BE14172E49085C4234C9A53C6EB490A45\r\ndllhosts.exe Rclone SHA1 - fdb92fac37232790839163a3cae5f37372db7235\r\nrclone.conf Rclone configuration file\r\nfilter.txt Rclone file extension filter file\r\nc.bat UNKNOWN\r\n3.bat UNKNOWN\r\nPotential malicious\r\ndocument\r\nSHA1 - 0E50B289C99A35F4AD884B6A3FFB76DE4B6EBC14\r\nPotential malicious\r\ndocument\r\nSHA1 - 7E654C02E75EC78E8307DBDF95E15529AAAB5DFF\r\nMalicious text\r\nfile\r\nSHA1 - 4D7F4BB3A23EAB33A3A28473292D44C5965DDC95\r\nMalicious text\r\nSHA1 - 10326C2B20D278080AA0CA563FC3E454A85BB32F \r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-152a\r\nPage 4 of 9\n\nTools  \r\nTools  \r\nfile\r\nCobalt Strike Hashes\r\nSHA256 - 563BC09180FD4BB601380659E922C3F7198306E0CAEBE99CD1D88CD2C3FD5C1B\r\nSHA256 - 5E2B2EBF3D57EE58CADA875B8FBCE536EDCBBF59ACC439081635C88789C67ACA\r\nSHA256 - 712733C12EA3B6B7A1BCC032CC02FD7EC9160F5129D9034BF9248B27EC057BD2\r\nSHA256 - 563BC09180FD4BB601380659E922C3F7198306E0CAEBE99CD1D88CD2C3FD5C1B\r\nSHA256 - 5E2B2EBF3D57EE58CADA875B8FBCE536EDCBBF59ACC439081635C88789C67ACA\r\nSHA256 - 712733C12EA3B6B7A1BCC032CC02FD7EC9160F5129D9034BF9248B27EC057BD2\r\nSHA1 - 86366bb7646dcd1a02700ed4be4272cbff5887af\r\nRansom note\r\ntext sample:\r\n \r\nRansom note\r\ntext sample:\r\n \r\n1.\r\nHere's the deal\r\nWe breached your internal network and took control over all of your systems.\r\n2.\r\nWe analyzed and located each piece of more-or-less important files while spending\r\nweeks inside.\r\n3.\r\nWe exfiltrated anything we wanted (xxx GB (including Private \u0026 Confidential\r\ninformation, Intellectual Property, Customer Information and most important Your\r\nTRADE SECRETS)\r\nFAQ:\r\nWho the hell are you?\r\nThe Karakurt Team. Pretty skilled hackers I guess.\r\nPayment Wallets:\r\nbc1qfp3ym02dx7m94td4rdaxy08cwyhdamefwqk9hp\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-152a\r\nPage 5 of 9\n\nPayment Wallets:\r\nbc1qw77uss7stz7y7kkzz7qz9gt7xk7tfet8k30xax\r\nbc1q8ff3lrudpdkuvm3ehq6e27nczm393q9f4ydlgt\r\nbc1qenjstexazw07gugftfz76gh9r4zkhhvc9eeh47\r\nbc1qxfqe0l04cy4qgjx55j4qkkm937yh8sutwhlp4c\r\nbc1qw77uss7stz7y7kkzz7qz9gt7xk7tfet8k30xax\r\nbc1qrtq27tn34pvxaxje4j33g3qzgte0hkwshtq7sq\r\nbc1q25km8usscsra6w2falmtt7wxyga8tnwd5s870g\r\nbc1qta70dm5clfcxp4deqycxjf8l3h4uymzg7g6hn5\r\nbc1qrkcjtdjccpy8t4hcna0v9asyktwyg2fgdmc9al\r\nbc1q3xgr4z53cdaeyn03luhen24xu556y5spvyspt8\r\nbc1q6s0k4l8q9wf3p9wrywf92czrxaf9uvscyqp0fu\r\nbc1qj7aksdmgrnvf4hwjcm5336wg8pcmpegvhzfmhw\r\nbc1qq427hlxpl7agmvffteflrnasxpu7wznjsu02nc\r\nbc1qz9a0nyrqstqdlr64qu8jat03jx5smxfultwpm0\r\nbc1qq9ryhutrprmehapvksmefcr97z2sk3kdycpqtr\r\nbc1qa5v6amyey48dely2zq0g5c6se2keffvnjqm8ms\r\nbc1qx9eu6k3yhtve9n6jtnagza8l2509y7uudwe9f6\r\nbc1qtm6gs5p4nr0y5vugc93wr0vqf2a0q3sjyxw03w\r\nbc1qta70dm5clfcxp4deqycxjf8l3h4uymzg7g6hn5\r\nbc1qx9eu6k3yhtve9n6jtnagza8l2509y7uudwe9f6\r\nbc1qqp73up3xff6jz267n7vm22kd4p952y0mhcd9c8\r\nbc1q3xgr4z53cdaeyn03luhen24xu556y5spvyspt8\r\nMITRE ATT\u0026CK TACTICS AND TECHNIQUES\r\nSee table 1 for all referenced threat actor tactics and techniques in this advisory, as well as corresponding\r\ndetection and/or mitigation recommendations. For additional mitigations, see the Mitigations section.\r\nTable 1: Karakurt Actors ATT\u0026CK Techniques for Enterprise\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-152a\r\nPage 6 of 9\n\nReconnaissance    \r\nTechnique Title ID Use\r\nInitial Access    \r\nTechnique Title ID Use\r\nPrivilege Escalation    \r\nTechnique Title ID Use\r\nDiscovery    \r\nTechnique Title ID Use\r\nCommand and Control    \r\nTechnique Title ID Use\r\nExfiltration    \r\nTechnique Title ID Use\r\nGather Victim Identify\r\nInformation: Credentials\r\nT1589.001\r\nKarakurt actors have purchased stolen login credentials.\r\nGather Victim Identity\r\nInformation: Email\r\nAddresses\r\nT1589.002 Karakurt actors have purchased stolen login credentials\r\nincluding email addresses.\r\nGather Victim Org\r\nInformation: Business\r\nRelationships\r\nT1591.002 Karakurt actors have leveraged victims' relationships with\r\nbusiness partners.\r\nExploit Public-Facing\r\nApplications\r\nT1190\r\nKarakurt actors have exploited the Log4j \"Log4Shell\" Apache\r\nLogging Service vulnerability and vulnerabilities in outdated\r\nfirewall appliances for gaining access to victims' networks.\r\nExternal Remote Services T1133\r\nKarakurt actors have exploited vulnerabilities in outdated\r\nVPN appliances for gaining access to victims' networks.\r\nPhishing T1566\r\nKarakurt actors have used phishing and spearphishing to\r\nobtain access to victims' networks.\r\nPhishing – Spearphishing\r\nAttachment\r\nT1566.001 Karakurt actors have sent malicious macros as email\r\nattachments to gain initial access.\r\nValid Accounts T1078 Karakurt actors have purchased stolen credentials, including\r\nVPN and RDP credentials, to gain access to victims'\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-152a\r\nPage 7 of 9\n\nnetworks.\r\nValid Accounts T1078\r\nKarakurt actors have installed Mimikatz to pull plain-text\r\ncredentials.\r\nFile and Directory Discovery T1083\r\nKarakurt actors have deployed Cobalt Strike beacons to\r\nenumerate a network.\r\nRemote Access Software T1219\r\nKarakurt actors have used AnyDesk to obtain persistent\r\nremote control of victims' systems.\r\nExfiltration Over Alternative\r\nProtocol\r\nT1048\r\nKarakurt actors have used FTP services, including Filezilla, to\r\nexfiltrate data from victims' networks.\r\nExfiltration Over Web\r\nService: Exfiltration to\r\nCloud Storage\r\nT1567.002 Karakurt actors have used rclone and Mega.nz to exfiltrate\r\ndata stolen from victims' networks.\r\nMITIGATIONS\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and\r\nservers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).\r\nImplement network segmentation and maintain offline backups of data to ensure limited interruption to the\r\norganization.\r\nRegularly back up data and password protect backup copies offline. Ensure copies of critical data are not\r\naccessible for modification or deletion from the system where the data resides.\r\nInstall and regularly update antivirus software on all hosts and enable real time detection.\r\nInstall updates/patch operating systems, software, and firmware as soon as updates/patches are released.\r\nReview domain controllers, servers, workstations, and active directories for new or unrecognized accounts.\r\nAudit user accounts with administrative privileges and configure access controls with least privilege in\r\nmind. Do not give all users administrative privileges.\r\nDisable unused ports.\r\nConsider adding an email banner to emails received from outside your organization.\r\nDisable hyperlinks in received emails.\r\nEnforce multi-factor authentication.\r\nUse the National Institute for Standards and Technology’s (NIST’s) standards for developing and managing\r\npassword policies.\r\nUse longer passwords consisting of at least 8 characters and no more than 64 characters in length;\r\nStore passwords in hashed format using industry-recognized password managers;\r\nAdd password user “salts” to shared login credentials;\r\nAvoid reusing passwords;\r\nImplement multiple failed login attempt account lockouts;\r\nDisable password “hints”;\r\nRefrain from requiring password changes more frequently than once per year.\r\nNote: NIST guidance suggests favoring longer passwords instead of requiring regular and\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-152a\r\nPage 8 of 9\n\nfrequent password resets. Frequent password resets are more likely to result in users\r\ndeveloping password “patterns” cyber criminals can easily decipher.\r\nRequire administrator credentials to install software.\r\nOnly use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.\r\nFocus on cyber security awareness and training. Regularly provide users with training on information\r\nsecurity principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e.,\r\nransomware and phishing scams).\r\nRESOURCES\r\nFor additional resources related to the prevention and mitigation of ransomware, visit Stopransomware.gov\r\nas well as the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware\r\nGuide and NIST’s Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events.\r\nStopransomware.gov is the U.S. government’s one-stop location for resources to tackle ransomware more\r\neffectively.\r\nCISA’s Ransomware Readiness Assessment is a no-cost self-assessment based on a tiered set of practices\r\nto help organizations better assess how well they are equipped to defend and recover from a ransomware\r\nincident.\r\nCISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess,\r\nidentify, and reduce their exposure to threats, including ransomware.\r\nFinancial Institutions must also ensure compliance with any applicable Bank Secrecy Act requirements,\r\nincluding suspicious activity reporting obligations. Indicators of Compromise, such as suspicious email\r\naddresses, file names, hashes, domains, and IP addresses, can be provided under Item 44 of the Suspicious\r\nActivity Report (SAR) form. For more information on mandatory and voluntary reporting of cyber events\r\nvia suspicious activity reports (SARs), see FinCEN Advisory FIN-2016-A005, Advisory to Financial\r\nInstitutions on Cyber-Events and Cyber-Enabled Crime, October 25, 2016, and FinCEN Advisory FIN-2021-A004, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments,\r\nNovember 8, 2021, which updates FinCEN Advisory FIN-2020-A006.\r\nThe U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for\r\nreports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website\r\nfor more information and how to report information securely.\r\nVERSION HISTORY\r\nJune 01, 2022: Initial version.\r\nJune 02, 2022: Added STIX file.\r\nDecember 12, 2023: Added language about Cisco VPNs being a possible initial access vector.\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa22-152a\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-152a\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "origins": [ "web" ], "references": [ "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a" ], "report_names": [ "aa22-152a" ], "threat_actors": [ { "id": "6ad410c7-e291-4327-a54b-281c23f0d4fa", "created_at": "2022-10-25T16:07:24.501468Z", "updated_at": "2026-04-10T02:00:05.013427Z", "deleted_at": null, "main_name": "Karakurt", "aliases": [ "Mushy Scorpius" ], "source_name": "ETDA:Karakurt", "tools": [ "7-Zip", "Agentemis", "AnyDesk", "Cobalt Strike", "CobaltStrike", "FileZilla", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "WinZip", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24", "created_at": "2022-10-25T16:47:55.853415Z", "updated_at": "2026-04-10T02:00:03.856263Z", "deleted_at": null, "main_name": "GOLD TOMAHAWK", "aliases": [ "Karakurt", "Karakurt Lair", "Karakurt Team" ], "source_name": "Secureworks:GOLD TOMAHAWK", "tools": [ "7-Zip", "AnyDesk", "Mega", "QuickPacket", "Rclone", "SendGB" ], "source_id": "Secureworks", "reports": null }, { "id": "079e3d6e-24ef-42b0-b555-75c288f9efd8", "created_at": "2023-03-04T02:01:54.105946Z", "updated_at": "2026-04-10T02:00:03.359009Z", "deleted_at": null, "main_name": "Karakurt", "aliases": [ "Karakurt Lair" ], "source_name": "MISPGALAXY:Karakurt", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434449, "ts_updated_at": 1775826778, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/59cb3be7a9fdda01c3fb206368c54dadc2de0748.pdf", "text": "https://archive.orkl.eu/59cb3be7a9fdda01c3fb206368c54dadc2de0748.txt", "img": "https://archive.orkl.eu/59cb3be7a9fdda01c3fb206368c54dadc2de0748.jpg" } }