Analysis
-
max time kernel
33s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02-03-2024 20:22
Static task
static1
Behavioral task
behavioral1
Sample
Chernobyl.exe
Resource
win7-20240221-en
General
-
Target
Chernobyl.exe
-
Size
342KB
-
MD5
a7232fbaf3f64cd41a7328eee2d14a43
-
SHA1
f176725ce1fca25c405f00668a3230facbec9215
-
SHA256
4576346568c222356606fe5a5c9e7e2a7141fbedcd0b93c3d7825f00a7622d33
-
SHA512
dbe94db8639a3337f756d240af3fe52852e8a64863d8711dd102c9f911dbbdb97e8235dec5ab70e4146464b0d1db2a41fc41b157dec352c36b12279ecc3ce918
-
SSDEEP
6144:sRbao0222222222222222222222222222222222222222222222222222222222C:8kwOZzv4TatsNqaJg
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" Chernobyl.exe -
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Chernobyl.exe -
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 14 IoCs
Processes:
takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exepid process 1732 takeown.exe 1660 takeown.exe 1996 takeown.exe 528 takeown.exe 1428 takeown.exe 1028 takeown.exe 1144 takeown.exe 1884 takeown.exe 1540 icacls.exe 2136 takeown.exe 2752 icacls.exe 1972 takeown.exe 1652 takeown.exe 2768 icacls.exe -
Modifies file permissions 1 TTPs 14 IoCs
Processes:
takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exepid process 1144 takeown.exe 1884 takeown.exe 1428 takeown.exe 1732 takeown.exe 1972 takeown.exe 1652 takeown.exe 1996 takeown.exe 1540 icacls.exe 1660 takeown.exe 528 takeown.exe 2768 icacls.exe 2136 takeown.exe 2752 icacls.exe 1028 takeown.exe -
Processes:
Chernobyl.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" Chernobyl.exe -
Drops file in System32 directory 1 IoCs
Processes:
Chernobyl.exedescription ioc process File opened for modification C:\Windows\SysWOW64\kill.ico Chernobyl.exe -
Drops file in Windows directory 2 IoCs
Processes:
Chernobyl.exedescription ioc process File opened for modification C:\Windows\cluttscape.exe Chernobyl.exe File created C:\Windows\cluttscape.exe Chernobyl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" Chernobyl.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
Chernobyl.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exedescription pid process Token: SeDebugPrivilege 2488 Chernobyl.exe Token: SeDebugPrivilege 2488 Chernobyl.exe Token: SeTakeOwnershipPrivilege 528 takeown.exe Token: SeTakeOwnershipPrivilege 1996 takeown.exe Token: SeTakeOwnershipPrivilege 1884 takeown.exe Token: SeTakeOwnershipPrivilege 1144 takeown.exe Token: SeTakeOwnershipPrivilege 1428 takeown.exe Token: SeTakeOwnershipPrivilege 1732 takeown.exe Token: SeTakeOwnershipPrivilege 1028 takeown.exe Token: SeTakeOwnershipPrivilege 1972 takeown.exe Token: SeTakeOwnershipPrivilege 2136 takeown.exe Token: SeTakeOwnershipPrivilege 1652 takeown.exe Token: SeTakeOwnershipPrivilege 1660 takeown.exe Token: SeShutdownPrivilege 2488 Chernobyl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Chernobyl.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 2488 wrote to memory of 892 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 892 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 892 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 892 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 1608 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 1608 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 1608 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 1608 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 1300 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 1300 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 1300 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 1300 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 2160 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 2160 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 2160 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 2160 2488 Chernobyl.exe cmd.exe PID 892 wrote to memory of 1572 892 cmd.exe rundll32.exe PID 892 wrote to memory of 1572 892 cmd.exe rundll32.exe PID 892 wrote to memory of 1572 892 cmd.exe rundll32.exe PID 892 wrote to memory of 1572 892 cmd.exe rundll32.exe PID 892 wrote to memory of 1572 892 cmd.exe rundll32.exe PID 892 wrote to memory of 1572 892 cmd.exe rundll32.exe PID 892 wrote to memory of 1572 892 cmd.exe rundll32.exe PID 2488 wrote to memory of 2476 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 2476 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 2476 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 2476 2488 Chernobyl.exe cmd.exe PID 1300 wrote to memory of 2112 1300 cmd.exe rundll32.exe PID 1300 wrote to memory of 2112 1300 cmd.exe rundll32.exe PID 1300 wrote to memory of 2112 1300 cmd.exe rundll32.exe PID 1300 wrote to memory of 2112 1300 cmd.exe rundll32.exe PID 1300 wrote to memory of 2112 1300 cmd.exe rundll32.exe PID 1300 wrote to memory of 2112 1300 cmd.exe rundll32.exe PID 1300 wrote to memory of 2112 1300 cmd.exe rundll32.exe PID 1608 wrote to memory of 2176 1608 cmd.exe rundll32.exe PID 1608 wrote to memory of 2176 1608 cmd.exe rundll32.exe PID 1608 wrote to memory of 2176 1608 cmd.exe rundll32.exe PID 1608 wrote to memory of 2176 1608 cmd.exe rundll32.exe PID 1608 wrote to memory of 2176 1608 cmd.exe rundll32.exe PID 1608 wrote to memory of 2176 1608 cmd.exe rundll32.exe PID 1608 wrote to memory of 2176 1608 cmd.exe rundll32.exe PID 2488 wrote to memory of 1968 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 1968 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 1968 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 1968 2488 Chernobyl.exe cmd.exe PID 2160 wrote to memory of 1744 2160 cmd.exe rundll32.exe PID 2160 wrote to memory of 1744 2160 cmd.exe rundll32.exe PID 2160 wrote to memory of 1744 2160 cmd.exe rundll32.exe PID 2160 wrote to memory of 1744 2160 cmd.exe rundll32.exe PID 2160 wrote to memory of 1744 2160 cmd.exe rundll32.exe PID 2160 wrote to memory of 1744 2160 cmd.exe rundll32.exe PID 2160 wrote to memory of 1744 2160 cmd.exe rundll32.exe PID 2476 wrote to memory of 880 2476 cmd.exe rundll32.exe PID 2476 wrote to memory of 880 2476 cmd.exe rundll32.exe PID 2476 wrote to memory of 880 2476 cmd.exe rundll32.exe PID 2476 wrote to memory of 880 2476 cmd.exe rundll32.exe PID 2476 wrote to memory of 880 2476 cmd.exe rundll32.exe PID 2476 wrote to memory of 880 2476 cmd.exe rundll32.exe PID 2476 wrote to memory of 880 2476 cmd.exe rundll32.exe PID 2488 wrote to memory of 2016 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 2016 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 2016 2488 Chernobyl.exe cmd.exe PID 2488 wrote to memory of 2016 2488 Chernobyl.exe cmd.exe PID 1968 wrote to memory of 2604 1968 cmd.exe rundll32.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2488 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1572
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2176
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2112
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1744
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:880
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2604
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2016
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2552
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2608
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2496
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2592
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2560
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2512
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2532
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2620
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2400
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2424
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2452
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit2⤵PID:2472
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\smss.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit2⤵PID:2988
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\csrss.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:528
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit2⤵PID:2380
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\wininit.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\wininit.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1540
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit2⤵PID:1524
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1884
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit2⤵PID:744
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\lsass.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1428
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit2⤵PID:2788
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\services.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit2⤵PID:2804
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\winlogon.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit2⤵PID:1292
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\winload.efi3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit2⤵PID:2436
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\winload.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit2⤵PID:2712
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\ntoskrnl.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2768
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit2⤵PID:2384
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\svchost.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\svchost.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2752
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\↕6╚♣ß™₧♫Ÿ▲╔1╠æõ╬♂╬ÿ²Â¶±☼öΣ╥Ÿ■πě╠¢½≈Æï♂▼╤εčõř√♦22▼פσ17™►ěσ▀œ♠1☻ÿ♂↕®○ε®®╩►7ΣΣ«õ5Æ≈♠╚Æÿ4▀☻½▄ó■☺Âčě☻2▼
Filesize666B
MD59e1e5883c74742a497cf5c272ccd2321
SHA12cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b