Analysis Overview
SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
Threat Level: Known bad
The file yOMHr.exe was found to be: Known bad.
Malicious Activity Summary
Ryuk
Adds Run key to start application
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-07-31 12:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-31 12:37
Reported
2023-07-31 12:40
Platform
win10-20230703-en
Max time kernel
71s
Max time network
146s
Command Line
Signatures
Ryuk
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yOMHr.exe" | C:\Windows\system32\reg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\classfile_constants.h | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\CompressRegister.gif | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\jni.h | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_it.properties | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\dt.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\README.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.sfx | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msador28.tlb | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\CIEXYZ.pf | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgePackages.h | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\localedata.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\el-GR\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\sl-SI\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\LINEAR_RGB.pf | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\RyukReadMe.txt | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\splash.gif | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\blacklisted.certs | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\images\bing.ico | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\jconsole.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\dblook.bat | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.jar | c:\windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF | c:\windows\system32\sihost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\yOMHr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
c:\windows\system32\sihost.exe
sihost.exe
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
C:\Users\Admin\AppData\Local\Temp\yOMHr.exe
"C:\Users\Admin\AppData\Local\Temp\yOMHr.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yOMHr.exe" /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yOMHr.exe" /f
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4064 -s 960
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\RyukReadMe.txt
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff839b29758,0x7ff839b29768,0x7ff839b29778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2384 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2376 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1824 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4416 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4744 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5212 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5696 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3256 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5716 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3024 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5260 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=2504,i,17803168445526759469,1899138605924690302,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 171.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| US | 8.8.8.8:53 | 206.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| NL | 142.251.36.46:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 46.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.blockchain.com | udp |
| US | 104.16.156.132:443 | www.blockchain.com | tcp |
| US | 104.16.156.132:443 | www.blockchain.com | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| NL | 172.217.168.202:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 132.156.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rsms.me | udp |
| US | 104.21.234.234:443 | rsms.me | tcp |
| US | 8.8.8.8:53 | cdn.polyfill.io | udp |
| US | 151.101.1.26:443 | cdn.polyfill.io | tcp |
| US | 8.8.8.8:53 | 234.234.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 104.21.234.234:443 | rsms.me | udp |
| US | 8.8.8.8:53 | 200.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.blockchain.info | udp |
| US | 104.16.13.151:443 | api.blockchain.info | tcp |
| US | 104.16.13.151:443 | api.blockchain.info | tcp |
| US | 104.16.13.151:443 | api.blockchain.info | tcp |
| US | 104.16.13.151:443 | api.blockchain.info | tcp |
| US | 104.16.13.151:443 | api.blockchain.info | tcp |
| US | 104.16.13.151:443 | api.blockchain.info | tcp |
| NL | 172.217.168.202:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | 151.13.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.ads-twitter.com | udp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| NL | 199.232.148.157:443 | static.ads-twitter.com | tcp |
| NL | 157.240.201.15:443 | connect.facebook.net | tcp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| NL | 142.250.102.156:443 | stats.g.doubleclick.net | tcp |
| NL | 142.250.102.156:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 194.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.148.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.co | udp |
| US | 104.244.42.69:443 | t.co | tcp |
| NL | 157.240.201.15:443 | connect.facebook.net | udp |
| US | 8.8.8.8:53 | 156.102.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| US | 104.16.156.132:443 | www.blockchain.com | tcp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ssl.google-analytics.com | udp |
| NL | 142.250.179.136:443 | ssl.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 136.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | request-global.czilladx.com | udp |
| DE | 142.93.100.104:443 | request-global.czilladx.com | tcp |
| US | 8.8.8.8:53 | 104.100.93.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.coinzilla.io | udp |
| US | 188.114.97.0:443 | cdn.coinzilla.io | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ws.blockchain.info | udp |
| US | 104.16.14.151:443 | ws.blockchain.info | tcp |
| US | 8.8.8.8:53 | 151.14.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.111.78.13.in-addr.arpa | udp |
Files
memory/2384-123-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/3496-131-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
F:\RyukReadMe.txt
| MD5 | cd99cba6153cbc0b14b7a849e4d0180f |
| SHA1 | 375961866404a705916cbc6cd4915de7d9778923 |
| SHA256 | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2 |
| SHA512 | 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda |
memory/2384-145-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-144-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-147-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-155-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-156-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-161-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-159-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-165-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-164-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-169-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-172-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-173-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-181-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-177-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-183-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-187-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-189-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-192-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-195-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-198-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-201-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-202-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-204-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-210-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-207-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-199-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-211-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-214-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-216-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-219-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-220-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-222-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-228-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-226-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
memory/2384-225-0x00007FF776370000-0x00007FF7766FE000-memory.dmp
C:\RyukReadMe.txt
| MD5 | cd99cba6153cbc0b14b7a849e4d0180f |
| SHA1 | 375961866404a705916cbc6cd4915de7d9778923 |
| SHA256 | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2 |
| SHA512 | 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda |
\??\pipe\crashpad_3080_MZVWIZBOEEWCFVBB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 6e070fdcc8ea075d014ef24d2d8f5f09 |
| SHA1 | 3acebf15e7b77838ed25053dc5ad15a155dac2a4 |
| SHA256 | a65bc6faba0142d6ae1b370ef404c606e156b511160a794b2cd91fee02627c88 |
| SHA512 | 8555624af95c4814c92df3f70303166928ea4bfe5c0f2be3d2ec15f9c9011b5f5909ee442ae8992517b5654b584ab0f88fd4892ae2b69937c23280f7b325d182 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ae3f57ed846101118b5b28552a0b3672 |
| SHA1 | 84537ce42cbda6a3cdebe21171d1de0b3de3fe3c |
| SHA256 | 6b9300ef48f080978921294b93361f777da588093acb6294c088ff2e8ff3b9e0 |
| SHA512 | e0598225a600baac978d321b745c45be8c0268f84dddee98b612629fe6edc10c6e8a56c15a60acd9f77acb44ca967f04cda9c24daa36b9ecfe7156e6bd4fe430 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 2348a872c571314760d300439ac54144 |
| SHA1 | 004728f059eb518726a10121ce6866ad14760841 |
| SHA256 | 95ade341361b5c4ad2b4d09cbb4931656bbb1b950f1c7a7b8fcd0ea77e40c6be |
| SHA512 | dc82ad1d5cc7bb0b53432b9571941b4e6323c7144f5786f9c19ec44740571912b38d92cd4fc6f34bc2bc5c9f8a5e5671e15509b34f5d0412b890be6a83b74a3f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | da07b61ebeb3329d21696f259384ca70 |
| SHA1 | 740ebb0035c265217d898e6a7afc385fec08a166 |
| SHA256 | 14513d4c8b2c8b6df6731619f4975b2a44105aaa90c9c4c5b7ca6afdccd2d1bb |
| SHA512 | e9776cd42b7e58314725064446bdec11c43ba6c8f4da734c3b4f3ff4c1705fd169c9516c2a4e7cae445d7b4b1fd7229f9e3e0662becde733655029004d065424 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | fb312dc56b88c655e1ff2332af0d49b1 |
| SHA1 | 266138b8b4ff8edf697981d5c91aa4466acc386e |
| SHA256 | abe15fdd116632cc00e14b225d916e112934219cbf8d96259041928189ab1f10 |
| SHA512 | 8ef7ae513e24bff6f68acfa56c8a3bc88e0facc4e96044b4837a0560c77c04b096f605deb123b4b7d4a3d999feb8dd60650202c7456667e35dbd336fbf449271 |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | f3db0ba5dda88a664c85360265c0ffd6 |
| SHA1 | 72e2e5410bedfe0f841e192b4d58e30db70e1020 |
| SHA256 | 04e744c66ad48ea9be9913cf2573fb48f8bfb4bcb777638b446394507924bb9a |
| SHA512 | c5fc70588fc8024e5940be082ef526c2f7317e7e590cf1902ea07ba9b6e2d0bf3a644f7643d4ccd787d73168a14bda199ecdc3f540a6a3782e30bc8dc3bde03e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 5bc1e603f027036ed4d968604c6e6472 |
| SHA1 | aae53d491749db0f85872ff3c685ac084939bd7f |
| SHA256 | f31041aea77b80b25277cc8849a73f0b5df61121ac6ece43578d1e9a4771fb70 |
| SHA512 | 16007683aa8fd9c5d1b9ea52db0e1b0ed52fcd45ad811ae41d93318b5d09a2d5ac573159b4ca03623710853a56fe37152aa3af7b1e285fd7f9299a02a4e1a1eb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | b3c7a8087a5388cf30e569cc1900e228 |
| SHA1 | 80ece602ae099e115363227648e238216c7b0468 |
| SHA256 | 762ed03ab14fcfd1350523c5c379e6609103dddb20a1742a7ed68386d6ca8f13 |
| SHA512 | 9f5ddf784850eae70fbb069e5ff87f8558916cd56850bb7d0efe5ee7f9beff0d3a439209ef2b0e4bf337ad791b8837ec0de30fff020dd4f115ffeaf02a3d7192 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 25fbf708901af6798b2c896d93540619 |
| SHA1 | 0c07743a76a0a3a4a4c1b66ad1454ccef3206bee |
| SHA256 | 21409ed7347572234ae5a428adfaa9342f2db359ce9f34544ce6c56634873964 |
| SHA512 | 3fdcc8675154f1327c07720cfa2cbcdd045aa80346772f3d094108977b598c320b11d06d14a2a033c11d60ab54efcdbaf46c016890a5baebbc5c598a13defbe0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d83708351a1ad7b3499cc1500bcb923f |
| SHA1 | ca235c92cb7b1ff2f16975a7c8af3af03f0a9f03 |
| SHA256 | 09e05cbe3a375bdb2a4210f535d94bacb5a5da1ee72584f3a7ccfc0471e5a245 |
| SHA512 | dee9dd2c63479967bdeff6330b40315ea3b1a7f493671909ad26b864c57761707932a4ebeed0680c763e88c4263d103a115ed777e88be0162e1e143f6793a5e4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 14460e37f8af20e8e0de11e00515a578 |
| SHA1 | 684f3dc907c74f32cbdfaed7b1d943d3a3af195a |
| SHA256 | cb421e48e344c46d3c600d57a559d5e28d8ced6b2d625d1239c1614fdd6608ca |
| SHA512 | 2f601156d2a750eaac72b728b65c6a2054670786ab0804dcfd9ce2aacb9032b160b486c9ca90c262bccd2ee9a26280534611195745403fcef6774beaedf3b849 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | e0ded7013da949486d130e515084c36a |
| SHA1 | a31d47854c60b86e0e8d22881f55a7b775fbe0b2 |
| SHA256 | b66ab473aa02d99bb588c521d3cad1d2c4c25fcacf258e650a0c0f456687966a |
| SHA512 | 7f952c969a82c68f922d13c826b48dfba103f06ee3a3b0d2a570823fa154dc4e9397ed49ddf200e2dfdae84b80423b9c4f4c0076925fbe6f8c1e4993aa9b8384 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
| MD5 | 500ecdda9ad3e919a1f41c1588266a1b |
| SHA1 | d5ddf92dc08284a48701a4d3555590bda05f77e0 |
| SHA256 | caad3feace9086d27e006d538d2daf4dd50e2b33307232a7db6d5f8c48f73b37 |
| SHA512 | 5e47a0d0721ec0f9adb5a439ffc98c1b4da780e74270332313f8350f228bdb919d32c4812c6ede84ebae3ead1342c2eaf4c73f4dfca5a87e8887e1b5913c0d9f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 0f7ab306482e168df8ae4db0da366a23 |
| SHA1 | 7cd96f1892eed08892bcad19b6dfd9f8e24b42d1 |
| SHA256 | c2114f65f31ec1d737b02b0bf0545a5fd61799881b7bc80f3666beffe2cccf7d |
| SHA512 | a3fbe4a812ab9af1652e3624afd99c5e666edb055658d558857b0baa5a829355e01e4ded7f3ee0c60049ed6f1321aefd55b1517aceb53476ce7c63bf3ee74b8d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2a3924f10550b34cb768e1312043bcdc |
| SHA1 | f6fa158c1185d4c7f11ce779008e6d1e1aba757f |
| SHA256 | ae7927f2be212cdd19ca854ef363d2ac4b207c439c5e7dda837a8bccfd101295 |
| SHA512 | baf385ce29304d74e89a2321e5e2a9488c8ba413d78813eb62a0e131d6e106a8726c08d1d353ac445d87545b5150b970b90af41198ea14b9a0b99a79f64f4b22 |