Analysis
-
max time kernel
20s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02-03-2024 20:27
Static task
static1
Behavioral task
behavioral1
Sample
Chernobyl.exe
Resource
win7-20240221-en
General
-
Target
Chernobyl.exe
-
Size
343KB
-
MD5
c9ce5df22d3f9ea06215cd30ed5e07b8
-
SHA1
0631376b2fd56c4bd9795291e03067ce95884cea
-
SHA256
72ee1e0f426ed0786fa2de693982292fc5bae8135068b4a73fc758832048bde0
-
SHA512
38702bbb0de87b669f58feeaadd828bec1b80c47807ea2e0251731a613426999a4804e650c189ed23dfa75d7f3794bad7472b668fca83904bf0269208f3d1cff
-
SSDEEP
6144:FbbKo02222222222222222222222222222222222222222222222222222222226:F9kMOZzv4TatsNqaJg
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" Chernobyl.exe -
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Chernobyl.exe -
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 14 IoCs
Processes:
takeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exepid process 1440 takeown.exe 2164 takeown.exe 1320 icacls.exe 2716 icacls.exe 2892 takeown.exe 2348 takeown.exe 1296 icacls.exe 2184 takeown.exe 2972 takeown.exe 884 takeown.exe 2252 takeown.exe 1744 takeown.exe 2500 takeown.exe 2024 takeown.exe -
Modifies file permissions 1 TTPs 14 IoCs
Processes:
icacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exepid process 2716 icacls.exe 1744 takeown.exe 2972 takeown.exe 884 takeown.exe 2252 takeown.exe 2348 takeown.exe 1320 icacls.exe 2184 takeown.exe 1440 takeown.exe 2164 takeown.exe 2500 takeown.exe 2024 takeown.exe 1296 icacls.exe 2892 takeown.exe -
Processes:
Chernobyl.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" Chernobyl.exe -
Drops file in System32 directory 1 IoCs
Processes:
Chernobyl.exedescription ioc process File opened for modification C:\Windows\SysWOW64\kill.ico Chernobyl.exe -
Drops file in Windows directory 2 IoCs
Processes:
Chernobyl.exedescription ioc process File created C:\Windows\cluttscape.exe Chernobyl.exe File opened for modification C:\Windows\cluttscape.exe Chernobyl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" Chernobyl.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
Chernobyl.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exedescription pid process Token: SeDebugPrivilege 1196 Chernobyl.exe Token: SeDebugPrivilege 1196 Chernobyl.exe Token: SeTakeOwnershipPrivilege 2500 takeown.exe Token: SeTakeOwnershipPrivilege 2184 takeown.exe Token: SeTakeOwnershipPrivilege 2972 takeown.exe Token: SeTakeOwnershipPrivilege 1440 takeown.exe Token: SeTakeOwnershipPrivilege 2892 takeown.exe Token: SeTakeOwnershipPrivilege 884 takeown.exe Token: SeTakeOwnershipPrivilege 2252 takeown.exe Token: SeTakeOwnershipPrivilege 2024 takeown.exe Token: SeTakeOwnershipPrivilege 2164 takeown.exe Token: SeTakeOwnershipPrivilege 2348 takeown.exe Token: SeTakeOwnershipPrivilege 1744 takeown.exe Token: SeShutdownPrivilege 1196 Chernobyl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Chernobyl.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1196 wrote to memory of 1864 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 1864 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 1864 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 1864 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2800 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2800 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2800 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2800 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 912 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 912 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 912 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 912 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2360 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2360 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2360 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2360 1196 Chernobyl.exe cmd.exe PID 2800 wrote to memory of 784 2800 cmd.exe rundll32.exe PID 2800 wrote to memory of 784 2800 cmd.exe rundll32.exe PID 2800 wrote to memory of 784 2800 cmd.exe rundll32.exe PID 2800 wrote to memory of 784 2800 cmd.exe rundll32.exe PID 2800 wrote to memory of 784 2800 cmd.exe rundll32.exe PID 2800 wrote to memory of 784 2800 cmd.exe rundll32.exe PID 2800 wrote to memory of 784 2800 cmd.exe rundll32.exe PID 1864 wrote to memory of 1736 1864 cmd.exe rundll32.exe PID 1864 wrote to memory of 1736 1864 cmd.exe rundll32.exe PID 1864 wrote to memory of 1736 1864 cmd.exe rundll32.exe PID 1864 wrote to memory of 1736 1864 cmd.exe rundll32.exe PID 1864 wrote to memory of 1736 1864 cmd.exe rundll32.exe PID 1864 wrote to memory of 1736 1864 cmd.exe rundll32.exe PID 1864 wrote to memory of 1736 1864 cmd.exe rundll32.exe PID 912 wrote to memory of 1668 912 cmd.exe rundll32.exe PID 912 wrote to memory of 1668 912 cmd.exe rundll32.exe PID 912 wrote to memory of 1668 912 cmd.exe rundll32.exe PID 912 wrote to memory of 1668 912 cmd.exe rundll32.exe PID 912 wrote to memory of 1668 912 cmd.exe rundll32.exe PID 912 wrote to memory of 1668 912 cmd.exe rundll32.exe PID 912 wrote to memory of 1668 912 cmd.exe rundll32.exe PID 1196 wrote to memory of 1000 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 1000 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 1000 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 1000 1196 Chernobyl.exe cmd.exe PID 2360 wrote to memory of 1312 2360 cmd.exe rundll32.exe PID 2360 wrote to memory of 1312 2360 cmd.exe rundll32.exe PID 2360 wrote to memory of 1312 2360 cmd.exe rundll32.exe PID 2360 wrote to memory of 1312 2360 cmd.exe rundll32.exe PID 2360 wrote to memory of 1312 2360 cmd.exe rundll32.exe PID 2360 wrote to memory of 1312 2360 cmd.exe rundll32.exe PID 2360 wrote to memory of 1312 2360 cmd.exe rundll32.exe PID 1196 wrote to memory of 2104 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2104 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2104 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2104 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 1752 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 1752 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 1752 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 1752 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2860 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2860 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2860 1196 Chernobyl.exe cmd.exe PID 1196 wrote to memory of 2860 1196 Chernobyl.exe cmd.exe PID 2104 wrote to memory of 1596 2104 cmd.exe rundll32.exe PID 2104 wrote to memory of 1596 2104 cmd.exe rundll32.exe PID 2104 wrote to memory of 1596 2104 cmd.exe rundll32.exe PID 2104 wrote to memory of 1596 2104 cmd.exe rundll32.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" Chernobyl.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1196 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1736
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:784
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1668
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1312
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1000
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1588
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1596
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1752
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1692
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2860
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1680
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1584
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2628
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1788
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2528
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:796
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2632
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2036
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2648
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit2⤵PID:2588
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\smss.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit2⤵PID:2488
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\csrss.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit2⤵PID:2444
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\wininit.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\wininit.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2716
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit2⤵PID:2468
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit2⤵PID:2044
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\lsass.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit2⤵PID:2764
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\services.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:884
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit2⤵PID:1944
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\winlogon.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit2⤵PID:2032
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\winload.efi3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit2⤵PID:2320
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\winload.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit2⤵PID:1600
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\ntoskrnl.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1320
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit2⤵PID:1036
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\svchost.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\svchost.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1296
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\╤■╤♠å≈öš®∩38☼╧±ě▲☻Â☺ÿ╩7♦¶5åï◄Æ♣æäöÇÿÿπ■▀◘▌ä¶Çæÿ◄×▼▐2π∞Ç♪▀é►▲○♂č♀√«řÆ®♠►í¢ø∞╬◄↑±äžÂ5µñ¢µ╠£¤╩◙█ř«♠¤éÿ™
Filesize666B
MD59e1e5883c74742a497cf5c272ccd2321
SHA12cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b