Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01/10/2024, 00:42
Behavioral task
behavioral1
Sample
03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
-
Size
298KB
-
MD5
03ca8f4558571b27bef876d0005663bd
-
SHA1
08e6dbadc0e38517565127514f66a6d5794bb88d
-
SHA256
3716b919a585fa4902c432b81235b850d36d2d07079498b958927804ff947c22
-
SHA512
4391181cc2ca0acf4c94d076d614f1c2a770706c710ede7e355bcdd7e07bfc41ad8ae47eb909a2d5ce21bb3698f4bc728413eb3650f79abee7bb25fae4c29716
-
SSDEEP
6144:CzSY0RcrnbIFMzEOjh64JDZs6z7/WKtuujadWphpVsznR1bYhmbM:uKcrnbIA7dTYKsujaqpkRChmbM
Malware Config
Signatures
-
resource yara_rule behavioral2/files/0x000700000002342d-34.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\pp111.exe 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\pp111.exe 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\Pnkx.exe 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe File created C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Version Vector 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe -
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.1188.com/?JaffaCakes118" 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe -
Modifies registry class 24 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ShellFolder 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\open 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.1188.com/?JaffaCakes118" 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\ÊôÐÔ(&R) 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\ÊôÐÔ(&R)\Command 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506} 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\DefaultIcon 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R) 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\open\command 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\lnkfile 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ = "Internet Explorer" 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\command 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)\ = "ÊôÐÔ(&R)" 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shellex 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32\InprocServer32 = "Apartment" 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\ = "´ò¿ªÖ÷Ò³(&H)" 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ShellFolder\Attributes = "0" 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 45 IoCs
description pid Process procid_target PID 220 wrote to memory of 2664 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 86 PID 220 wrote to memory of 2664 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 86 PID 220 wrote to memory of 2664 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 86 PID 220 wrote to memory of 700 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 88 PID 220 wrote to memory of 700 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 88 PID 220 wrote to memory of 700 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 88 PID 220 wrote to memory of 4028 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 89 PID 220 wrote to memory of 4028 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 89 PID 220 wrote to memory of 4028 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 89 PID 220 wrote to memory of 2424 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 92 PID 220 wrote to memory of 2424 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 92 PID 220 wrote to memory of 2424 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 92 PID 220 wrote to memory of 2580 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 93 PID 220 wrote to memory of 2580 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 93 PID 220 wrote to memory of 2580 220 03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe 93 PID 2664 wrote to memory of 3232 2664 cmd.exe 94 PID 2664 wrote to memory of 3232 2664 cmd.exe 94 PID 2664 wrote to memory of 3232 2664 cmd.exe 94 PID 2664 wrote to memory of 4468 2664 cmd.exe 95 PID 2664 wrote to memory of 4468 2664 cmd.exe 95 PID 2664 wrote to memory of 4468 2664 cmd.exe 95 PID 4028 wrote to memory of 2288 4028 cmd.exe 98 PID 4028 wrote to memory of 2288 4028 cmd.exe 98 PID 4028 wrote to memory of 2288 4028 cmd.exe 98 PID 4028 wrote to memory of 2920 4028 cmd.exe 99 PID 4028 wrote to memory of 2920 4028 cmd.exe 99 PID 4028 wrote to memory of 2920 4028 cmd.exe 99 PID 700 wrote to memory of 908 700 cmd.exe 100 PID 700 wrote to memory of 908 700 cmd.exe 100 PID 700 wrote to memory of 908 700 cmd.exe 100 PID 700 wrote to memory of 2564 700 cmd.exe 101 PID 700 wrote to memory of 2564 700 cmd.exe 101 PID 700 wrote to memory of 2564 700 cmd.exe 101 PID 2580 wrote to memory of 2252 2580 cmd.exe 102 PID 2580 wrote to memory of 2252 2580 cmd.exe 102 PID 2580 wrote to memory of 2252 2580 cmd.exe 102 PID 2580 wrote to memory of 8 2580 cmd.exe 103 PID 2580 wrote to memory of 8 2580 cmd.exe 103 PID 2580 wrote to memory of 8 2580 cmd.exe 103 PID 2424 wrote to memory of 4776 2424 cmd.exe 105 PID 2424 wrote to memory of 4776 2424 cmd.exe 105 PID 2424 wrote to memory of 4776 2424 cmd.exe 105 PID 2424 wrote to memory of 4016 2424 cmd.exe 106 PID 2424 wrote to memory of 4016 2424 cmd.exe 106 PID 2424 wrote to memory of 4016 2424 cmd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun12.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:3232
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C3⤵
- System Location Discovery: System Language Discovery
PID:4468
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun61.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:908
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe" /G Everyone:R /C3⤵
- System Location Discovery: System Language Discovery
PID:2564
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun73.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:2288
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C3⤵
- System Location Discovery: System Language Discovery
PID:2920
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun43.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:4776
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C3⤵
- System Location Discovery: System Language Discovery
PID:4016
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun19.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
PID:2252
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorer Σ»└└╞≈.lnk" /G Everyone:R /C3⤵
- System Location Discovery: System Language Discovery
PID:8
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
814KB
MD55e5f63cd0ca3ee94c61a2db20ce33fc9
SHA1c90ea9645c7cc1ad7553675a7ecdf880b1fb4621
SHA256219280ffebd3d771102fc3a7f26529e5e9161366e3a5de2f8943d81dda7756bf
SHA512b36df698f1cbe52df754db9fcfba7e6811b6fc74f44a89378ce29356630f66a10d526402e9d133f8ab608bb614e2214945c0b732b4db3d0cad3d3665e062edcb
-
Filesize
130B
MD5af197ab4ce4325a4d9404424e380d026
SHA1a2d56574a4bc489be1bf25e5030e0a817ffdd2cf
SHA256553c843afa7141da9096178c0b75805e6677d58a08833449fe24f2b7b9b61950
SHA5125547fad3d2866429345e90aa634c5a5fe341b6af24c3e9e76dc42b4fdfee489357708ad9154851ae9e687c9ee08bfcd546d7ae9c60f8403548fec81a150722ba
-
Filesize
191B
MD583a6d9f519941c0c7150da1d3b06f077
SHA1b26fdddaa23010f07853dcc269bc4327160fcf47
SHA25692015fe71ca302fa0a74d7d56b1f84409e2a6a25ac2e40ac6b85309a9be4008e
SHA512b41fa1c48525cf130344dad5137f4f847e52834700c191b10e4f0d738a43fa8d6398cd8c803ee6fad1be2947ae2b48a47bf985b828ba946df98f83bfaed9b019
-
Filesize
130B
MD5cd56ccdaf1d7638c0af8c306696faa2d
SHA10247a2ec40277a4971c3299054467fb51113c8cd
SHA256bc251a0ddd4dfb39f72e1613936530bc06a9466dc451b785e90905ca7d2a20f5
SHA5127b0db034a3ce38d8d780dff9aac1ba40d75d417841851bda1e96acef98f5096d0478ae351a69995839eaa37458dadcd7d13a7bfc9383c10d5a9fe271e004d51b
-
Filesize
142B
MD5e86a459370957b4f3539a3e123e7b3db
SHA1ffc678861a18ff07ca4a7e6470011a51b58e2759
SHA256e955f4eb7a7978d0f4d6cbe29db39503164ca3eac4fa89677311e4e951393747
SHA512d28b933df8723a61663bd4a18d9ef1c3b4fef1502263587a410496f29266762591d06c9846b346849b64bb381062aa3be3950221275361e4fe6d672090eb7bc7
-
Filesize
130B
MD5a64dba561aef05132368b946ef75d1b8
SHA1fc27ba6252030af9547514a92e58a0ea9ebe99d1
SHA25647f97774c7bf781bac836e19deba3f62c83c5b7fa8fc884431730c4a81639e64
SHA512b1da1c7cd754f3f3d2d471f80f76797dec5652e693de8f00a66170cbe7c8c111dca459dea114211afdff807756473fb27562b7fa77e0f83819e4e0a44b7c6023
-
Filesize
1KB
MD5c84397c8fefe5d9b4a480d520b8c75e8
SHA16dd0dc4250400a69d57e543ed4a147c70ac1e7ae
SHA25691e4547b6ca3a6664cf75fb03aea845470f4b00b4863be53d931caaba3cea781
SHA512eb8a2815d8bff51af280c6f23beaa676fdbc0c7707eda90b2e3a66204e1bbe6833348485fc03dbe45863c3d40af6862eb7e7303478eefe7fcf0af2e69372b7f6
-
Filesize
298KB
MD54d7caeaf82ebca37a54a7f9cda40562e
SHA1ab24ef2a3938be8080b57004ac3275299102b5fe
SHA2563783131beaa732f5645933d36c4f47993ced754041bffb40c1c47ae957033eff
SHA5126fe36aef486a5b96cf01ddcc353f6f0f80630bed0959cadb96e992f6b2dd88c9c0f2f2ed9924d826867fa228617cb582d2285abb3364343530a4707d2071d3e0