Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25-11-2024 12:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9b6efb0d2e99a7d39f7135c8f498e0e1_JaffaCakes118.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
150 seconds
General
-
Target
9b6efb0d2e99a7d39f7135c8f498e0e1_JaffaCakes118.exe
-
Size
124KB
-
MD5
9b6efb0d2e99a7d39f7135c8f498e0e1
-
SHA1
379099f74e8244615ed0b4be7ac17aeaed1013c1
-
SHA256
88c613d451cdda55e4ad5d5efb564a4a7dda97f80c75eab421d7d20840802600
-
SHA512
41e258eca544a46a4bdf880e9678165488f9919fedeaed02994c827f69783109eef2650a213c15845078abf0ad0ed9f23e288ea0f69cbe3bf72c92275debaa6d
-
SSDEEP
1536:Hxf0u77nqMGGGMZZZyVb1t9e4GNqBvrPzO7/YiMIATcji:Hxf02LqbJ1y4GNq5jz+/YiMa
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 1 IoCs
pid Process 780 WaterMark.exe -
Loads dropped DLL 2 IoCs
pid Process 2388 9b6efb0d2e99a7d39f7135c8f498e0e1_JaffaCakes118.exe 2388 9b6efb0d2e99a7d39f7135c8f498e0e1_JaffaCakes118.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/2388-8-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2388-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2388-6-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/780-27-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/780-26-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2388-3-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2388-2-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2388-1-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2388-0-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/780-70-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/780-590-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClientsideProviders.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpRTP.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadcor.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\attach.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_delay_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\dcpr.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msadomd.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\networkinspection.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationFramework.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\librist_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\liblogger_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotiondetect_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\jsdt.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\jnwppr.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\wab32res.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationTypes.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Design.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libcdda_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\visualization\libglspectrum_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\glass.dll svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\BHOINTL.DLL svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\dt_socket.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\nio.dll svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9b6efb0d2e99a7d39f7135c8f498e0e1_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 780 WaterMark.exe 780 WaterMark.exe 780 WaterMark.exe 780 WaterMark.exe 780 WaterMark.exe 780 WaterMark.exe 780 WaterMark.exe 780 WaterMark.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 780 WaterMark.exe Token: SeDebugPrivilege 2832 svchost.exe Token: SeDebugPrivilege 780 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2388 9b6efb0d2e99a7d39f7135c8f498e0e1_JaffaCakes118.exe 780 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2388 wrote to memory of 780 2388 9b6efb0d2e99a7d39f7135c8f498e0e1_JaffaCakes118.exe 29 PID 2388 wrote to memory of 780 2388 9b6efb0d2e99a7d39f7135c8f498e0e1_JaffaCakes118.exe 29 PID 2388 wrote to memory of 780 2388 9b6efb0d2e99a7d39f7135c8f498e0e1_JaffaCakes118.exe 29 PID 2388 wrote to memory of 780 2388 9b6efb0d2e99a7d39f7135c8f498e0e1_JaffaCakes118.exe 29 PID 780 wrote to memory of 2844 780 WaterMark.exe 30 PID 780 wrote to memory of 2844 780 WaterMark.exe 30 PID 780 wrote to memory of 2844 780 WaterMark.exe 30 PID 780 wrote to memory of 2844 780 WaterMark.exe 30 PID 780 wrote to memory of 2844 780 WaterMark.exe 30 PID 780 wrote to memory of 2844 780 WaterMark.exe 30 PID 780 wrote to memory of 2844 780 WaterMark.exe 30 PID 780 wrote to memory of 2844 780 WaterMark.exe 30 PID 780 wrote to memory of 2844 780 WaterMark.exe 30 PID 780 wrote to memory of 2844 780 WaterMark.exe 30 PID 780 wrote to memory of 2832 780 WaterMark.exe 31 PID 780 wrote to memory of 2832 780 WaterMark.exe 31 PID 780 wrote to memory of 2832 780 WaterMark.exe 31 PID 780 wrote to memory of 2832 780 WaterMark.exe 31 PID 780 wrote to memory of 2832 780 WaterMark.exe 31 PID 780 wrote to memory of 2832 780 WaterMark.exe 31 PID 780 wrote to memory of 2832 780 WaterMark.exe 31 PID 780 wrote to memory of 2832 780 WaterMark.exe 31 PID 780 wrote to memory of 2832 780 WaterMark.exe 31 PID 780 wrote to memory of 2832 780 WaterMark.exe 31 PID 2832 wrote to memory of 256 2832 svchost.exe 1 PID 2832 wrote to memory of 256 2832 svchost.exe 1 PID 2832 wrote to memory of 256 2832 svchost.exe 1 PID 2832 wrote to memory of 256 2832 svchost.exe 1 PID 2832 wrote to memory of 256 2832 svchost.exe 1 PID 2832 wrote to memory of 336 2832 svchost.exe 2 PID 2832 wrote to memory of 336 2832 svchost.exe 2 PID 2832 wrote to memory of 336 2832 svchost.exe 2 PID 2832 wrote to memory of 336 2832 svchost.exe 2 PID 2832 wrote to memory of 336 2832 svchost.exe 2 PID 2832 wrote to memory of 372 2832 svchost.exe 3 PID 2832 wrote to memory of 372 2832 svchost.exe 3 PID 2832 wrote to memory of 372 2832 svchost.exe 3 PID 2832 wrote to memory of 372 2832 svchost.exe 3 PID 2832 wrote to memory of 372 2832 svchost.exe 3 PID 2832 wrote to memory of 384 2832 svchost.exe 4 PID 2832 wrote to memory of 384 2832 svchost.exe 4 PID 2832 wrote to memory of 384 2832 svchost.exe 4 PID 2832 wrote to memory of 384 2832 svchost.exe 4 PID 2832 wrote to memory of 384 2832 svchost.exe 4 PID 2832 wrote to memory of 420 2832 svchost.exe 5 PID 2832 wrote to memory of 420 2832 svchost.exe 5 PID 2832 wrote to memory of 420 2832 svchost.exe 5 PID 2832 wrote to memory of 420 2832 svchost.exe 5 PID 2832 wrote to memory of 420 2832 svchost.exe 5 PID 2832 wrote to memory of 464 2832 svchost.exe 6 PID 2832 wrote to memory of 464 2832 svchost.exe 6 PID 2832 wrote to memory of 464 2832 svchost.exe 6 PID 2832 wrote to memory of 464 2832 svchost.exe 6 PID 2832 wrote to memory of 464 2832 svchost.exe 6 PID 2832 wrote to memory of 480 2832 svchost.exe 7 PID 2832 wrote to memory of 480 2832 svchost.exe 7 PID 2832 wrote to memory of 480 2832 svchost.exe 7 PID 2832 wrote to memory of 480 2832 svchost.exe 7 PID 2832 wrote to memory of 480 2832 svchost.exe 7 PID 2832 wrote to memory of 488 2832 svchost.exe 8 PID 2832 wrote to memory of 488 2832 svchost.exe 8 PID 2832 wrote to memory of 488 2832 svchost.exe 8 PID 2832 wrote to memory of 488 2832 svchost.exe 8 PID 2832 wrote to memory of 488 2832 svchost.exe 8
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:336
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:372
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:464
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:604
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:928
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1852
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:684
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:744
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:816
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1320
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:856
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:992
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:300
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:272
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1032
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1232
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:1120
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:1928
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:1924
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:480
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:488
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:384
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:420
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1360
-
C:\Users\Admin\AppData\Local\Temp\9b6efb0d2e99a7d39f7135c8f498e0e1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9b6efb0d2e99a7d39f7135c8f498e0e1_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2844
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
124KB
MD59b6efb0d2e99a7d39f7135c8f498e0e1
SHA1379099f74e8244615ed0b4be7ac17aeaed1013c1
SHA25688c613d451cdda55e4ad5d5efb564a4a7dda97f80c75eab421d7d20840802600
SHA51241e258eca544a46a4bdf880e9678165488f9919fedeaed02994c827f69783109eef2650a213c15845078abf0ad0ed9f23e288ea0f69cbe3bf72c92275debaa6d
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize261KB
MD52114e6016f00dc83948cdb6ca3875361
SHA125a18082abaa7799509cc8496eb971a49f6e36a4
SHA25657e59e1b01e3e5b8c87f12d4d438de3101fc9c65a28ed6162088710d9358e559
SHA512cf983297d23c76a58b4c20299bfa9b1a6498a1a75822e732181e83ad459150d1a5a565d87dc42f5032206a4447e7dee3a03808ebcde50de15ba6134b2421da43
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize257KB
MD5b13e39ead378f9281d7cf2f597e583e5
SHA179fad4961a317dc4a5b87682b0c0c9cc2f643d86
SHA2565d68e7b40877de0093699d47c31840404cc80961f9ea6057a9eb88747719bf24
SHA5127a8a9be68631064fd3cadc602431dfd511ababbc24ef8d961fe853f557a0c5dbdd96b4c94a35263fc0f9964f11ab904b1f2c5445b8caf2002e6c40a29d7aaa3f