Analysis Overview
SHA256
2e103871d889c34072f71de6763075addc8388252d143798db4acd543013ceb9
Threat Level: Known bad
The file 2024-06-03_e663004a81348c99c4dffb352411fdca_mafia was found to be: Known bad.
Malicious Activity Summary
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Detects executables referencing many IR and analysis tools
Drops file in Drivers directory
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Uses Volume Shadow Copy WMI provider
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 22:22
Signatures
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many IR and analysis tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 22:22
Reported
2024-06-03 22:25
Platform
win10v2004-20240426-en
Max time kernel
78s
Max time network
124s
Command Line
Signatures
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many IR and analysis tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Notepad.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1276 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe |
| PID 1276 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe |
| PID 1068 wrote to memory of 4020 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | C:\Windows\System32\Notepad.exe |
| PID 1068 wrote to memory of 4020 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | C:\Windows\System32\Notepad.exe |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe"
C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe
C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe
C:\Windows\System32\Notepad.exe
Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/1276-0-0x0000000000570000-0x0000000000740000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe
| MD5 | ae368c10327fe7a8e5c875360e529b35 |
| SHA1 | d69fad67631f48f2eee9109a368eb176356da531 |
| SHA256 | 797f0917162e74e64f556fd467cc13d10401e826309c3ed889574889a96b88c7 |
| SHA512 | e7e6e4d29dfdc537b21fdffc6c1ac0674b55fdf6c61e5fecfbdde1fa271903db1291c50bac3263bc9f4ee7797689542f29770e0d98b8180453c39bc6058a5c67 |
C:\Users\Admin\Desktop\Rkill.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/1276-12-0x0000000000570000-0x0000000000740000-memory.dmp
C:\Users\Admin\Desktop\Rkill.txt
| MD5 | 5337a59ad686bfad387a31e3271459bd |
| SHA1 | d016ebd9f94066d7af70e6127c351f76adf1ce54 |
| SHA256 | 1b98256c1c65c9d23e5918400d5707c26f6b5e2270c24c59e4d159fcd4efd479 |
| SHA512 | 0666a17cf5514f977dab94f288fe71e84c6894b9b3386828f8a8bbde45439945053ee59d014442ef88910a00d204d95044c7ea27e653c0061c9dc75a48ca59c8 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 22:22
Reported
2024-06-03 22:25
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many IR and analysis tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Application" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\HasLUAShield | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\ = "@shell32.dll,-50944" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\EditFlags = 38070000 | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\comfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\EditFlags = 30000000 | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\comfile\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = 30040000 | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "@%SystemRoot%\\System32\\acppage.dll,-6002" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\print\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-8464" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\comfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\runasuser | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "Windows Batch File" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{1531d583-8375-4d3f-b5fb-d23bbd169f22}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\EditFlags = 00000000 | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\ = "Compatibility" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\EditFlags = "0" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon\ = "%SystemRoot%\\System32\\shell32.dll,2" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-10156" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\ = "Compatibility" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\comfile\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers\ShimLayer Property Page | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\EditFlags = 00000000 | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-68" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "@shell32.dll,-50944" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers\Compatibility | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers\Compatibility | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\edit\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\ = "MS-DOS Application" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\runasuser\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\Extended | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "@shell32.dll,-50944" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers\ShimLayer Property Page | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.bat\PersistentHandler\ | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers\Compatibility | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "Windows Batch File" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "@%SystemRoot%\\System32\\acppage.dll,-6002" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\ = "Compatibility" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\ = "MS-DOS Application" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.exe\PersistentHandler | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Application" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\Extended | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\print\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers\Compatibility | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\EditFlags = 00000000 | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-68" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\runasuser\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.bat | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\EditFlags = 00000000 | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.com\PersistentHandler\ | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\EditFlags = 38070000 | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-10156" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\edit\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\comfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\comfile\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{1531d583-8375-4d3f-b5fb-d23bbd169f22}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\EditFlags = 30000000 | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\comfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\EditFlags = "0" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-8464" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\batfile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Notepad.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe"
C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe
C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia.exe
C:\Windows\System32\Notepad.exe
Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| BE | 2.17.107.81:80 | crl.microsoft.com | tcp |
Files
memory/1232-0-0x0000000000930000-0x0000000000B00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-06-03_e663004a81348c99c4dffb352411fdca_mafia64.exe
| MD5 | ae368c10327fe7a8e5c875360e529b35 |
| SHA1 | d69fad67631f48f2eee9109a368eb176356da531 |
| SHA256 | 797f0917162e74e64f556fd467cc13d10401e826309c3ed889574889a96b88c7 |
| SHA512 | e7e6e4d29dfdc537b21fdffc6c1ac0674b55fdf6c61e5fecfbdde1fa271903db1291c50bac3263bc9f4ee7797689542f29770e0d98b8180453c39bc6058a5c67 |
C:\Users\Admin\Desktop\Rkill.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\Desktop\Rkill.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/1232-25-0x0000000000930000-0x0000000000B00000-memory.dmp
C:\Users\Admin\Desktop\Rkill.txt
| MD5 | 571be6f6313fb4e904401155ac1a7317 |
| SHA1 | 7b4ba7e7306fc3a6b39e0b66998ea8f57cbc531a |
| SHA256 | 5e03ef2493fdf8903d89e2aa54c333b6ec0925f988fe1431eec1ae205f68533b |
| SHA512 | 429c2f61f375147cbbc9bdba583277842294d9057b12c1af7c2af47064dac44d68b0ce6105ecf7660e0653d349a19c1b0e631b44d0d7e6c26efd972ce594a31a |