Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
16-05-2024 05:59
Static task
static1
Behavioral task
behavioral1
Sample
49b3ed4c73d8d5a6613b725d40172590_JaffaCakes118.ps1
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
49b3ed4c73d8d5a6613b725d40172590_JaffaCakes118.ps1
Resource
win10v2004-20240508-en
General
-
Target
49b3ed4c73d8d5a6613b725d40172590_JaffaCakes118.ps1
-
Size
902KB
-
MD5
49b3ed4c73d8d5a6613b725d40172590
-
SHA1
07e30496992d7087674cf5542c78856f66ff7737
-
SHA256
1899ff66b76a3f6302fea0afbc26c8452949345d2ea6d987b683c6a0037f22d0
-
SHA512
026c0a58a56747cbb9efab721382924d6da48c65483325ec868c9c894ff601a0461fa3674f4fa01c570635521cc6e7e8c96efe8765fcf68aa7eb713df988e2a3
-
SSDEEP
12288:aeeKC+CqCJCqCwCqC7yH5A7+vEeJaZkeq06aQKLI1XqO/bYyoSWjUUFy55576GYj:J
Malware Config
Extracted
C:\Program Files\Microsoft Office\Office14\F9D1F3-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Renames multiple (7461) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
-
pid Process 2208 powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
description                     pid    Process
Token: SeDebugPrivilege         2208   powershell.exe
Token: SeDebugPrivilege         1208   Explorer.EXE
Token: SeImpersonatePrivilege   1208   Explorer.EXE
Token: SeBackupPrivilege        2088   vssvc.exe
Token: SeRestorePrivilege       2088   vssvc.exe
Token: SeAuditPrivilege         2088   vssvc.exe
Token: SeShutdownPrivilege      1208   Explorer.EXE
Token: SeShutdownPrivilege      1208   Explorer.EXE
-
Suspicious use of WriteProcessMemory 16 IoCs
description                         pid    Process          procid_target
PID 2208 wrote to memory of 2608    2208   powershell.exe   29
PID 2208 wrote to memory of 2608    2208   powershell.exe   29
PID 2208 wrote to memory of 2608    2208   powershell.exe   29
PID 2608 wrote to memory of 2768    2608   csc.exe          30
PID 2608 wrote to memory of 2768    2608   csc.exe          30
PID 2608 wrote to memory of 2768    2608   csc.exe          30
PID 2208 wrote to memory of 2596    2208   powershell.exe   32
PID 2208 wrote to memory of 2596    2208   powershell.exe   32
PID 2208 wrote to memory of 2596    2208   powershell.exe   32
PID 2596 wrote to memory of 2436    2596   csc.exe          33
PID 2596 wrote to memory of 2436    2596   csc.exe          33
PID 2596 wrote to memory of 2436    2596   csc.exe          33
PID 2208 wrote to memory of 1208    2208   powershell.exe   21
PID 1208 wrote to memory of 13180   1208   Explorer.EXE     39
PID 1208 wrote to memory of 13180   1208   Explorer.EXE     39
PID 1208 wrote to memory of 13180   1208   Explorer.EXE     39
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXE (depth 1, PID 1208)
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2208)
    Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\49b3ed4c73d8d5a6613b725d40172590_JaffaCakes118.ps1
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (depth 3, PID 2608)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x26egocd.cmdline"
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (depth 4, PID 2768)
        Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CCC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2CCB.tmp"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (depth 3, PID 2596)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bwcs4-bc.cmdline"
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (depth 4, PID 2436)
        Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F6B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2F6A.tmp"
  C:\Windows\system32\notepad.exe (depth 2, PID 13180)
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\F9D1F3-Readme.txt"
C:\Windows\system32\vssvc.exe (depth 1, PID 2088)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads