Overview
overview
10Static
static
3Windows11D...er.ps1
windows7-x64
10Windows11D...er.ps1
windows10-2004-x64
9Windows11D...et.ps1
windows7-x64
3Windows11D...et.ps1
windows10-2004-x64
3Windows11D...er.ps1
windows7-x64
10Windows11D...er.ps1
windows10-2004-x64
10Windows11D...ns.ps1
windows7-x64
3Windows11D...ns.ps1
windows10-2004-x64
3Windows11D...er.exe
windows7-x64
1Windows11D...er.exe
windows10-2004-x64
1Analysis
-
max time kernel
84s -
max time network
91s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
30/03/2025, 18:58
Static task
static1
Behavioral task
behavioral1
Sample
Windows11DebloaterV205/Config/advanceddebloater/advanceddebloater.ps1
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Windows11DebloaterV205/Config/advanceddebloater/advanceddebloater.ps1
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
Windows11DebloaterV205/Config/extra/fixwinget.ps1
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
Windows11DebloaterV205/Config/extra/fixwinget.ps1
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
Windows11DebloaterV205/Config/ezdebloater/ezdebloater.ps1
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
Windows11DebloaterV205/Config/ezdebloater/ezdebloater.ps1
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
Windows11DebloaterV205/Config/finetuningdebloater/functions.ps1
Resource
win7-20240729-en
Behavioral task
behavioral8
Sample
Windows11DebloaterV205/Config/finetuningdebloater/functions.ps1
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
Windows11DebloaterV205/Windows11Debloater.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Windows11DebloaterV205/Windows11Debloater.exe
Resource
win10v2004-20250314-en
General
-
Target
Windows11DebloaterV205/Config/ezdebloater/ezdebloater.ps1
-
Size
52KB
-
MD5
e00cf4301db40d49990672255a164eb2
-
SHA1
32ec132aa7825535bd70f1c6c284f707db08c181
-
SHA256
6456d8389910e5e584bafad8aca74d1c228acdeafc194a552232cd5039fc3980
-
SHA512
749b95809afcc88ef92da1551a388085f39f5892d5722655a6d36724ed734814692ac26cd828c19404f995ce06a65cddefcbf27d6eaf391fe83ae133171bafe4
-
SSDEEP
1536:3YxKHezR4N0RUxBZA3bz8gNE6yu0xFD2N8:3Yxbl4N0ORA3bz8gnyu0xFD2N8
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" powershell.exe -
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
pid Process 3036 bcdedit.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 1692 icacls.exe 2332 icacls.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe -
pid Process 2304 powershell.exe -
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "2" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings explorer.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2304 powershell.exe 2304 powershell.exe 2304 powershell.exe -
Suspicious use of AdjustPrivilegeToken 38 IoCs
description pid Process Token: SeDebugPrivilege 2304 powershell.exe Token: SeBackupPrivilege 2740 vssvc.exe Token: SeRestorePrivilege 2740 vssvc.exe Token: SeAuditPrivilege 2740 vssvc.exe Token: SeRestorePrivilege 2352 DrvInst.exe Token: SeRestorePrivilege 2352 DrvInst.exe Token: SeRestorePrivilege 2352 DrvInst.exe Token: SeRestorePrivilege 2352 DrvInst.exe Token: SeRestorePrivilege 2352 DrvInst.exe Token: SeRestorePrivilege 2352 DrvInst.exe Token: SeRestorePrivilege 2352 DrvInst.exe Token: SeLoadDriverPrivilege 2352 DrvInst.exe Token: SeLoadDriverPrivilege 2352 DrvInst.exe Token: SeLoadDriverPrivilege 2352 DrvInst.exe Token: SeRestorePrivilege 1824 DrvInst.exe Token: SeRestorePrivilege 1824 DrvInst.exe Token: SeRestorePrivilege 1824 DrvInst.exe Token: SeRestorePrivilege 1824 DrvInst.exe Token: SeRestorePrivilege 1824 DrvInst.exe Token: SeRestorePrivilege 1824 DrvInst.exe Token: SeRestorePrivilege 1824 DrvInst.exe Token: SeLoadDriverPrivilege 1824 DrvInst.exe Token: SeLoadDriverPrivilege 1824 DrvInst.exe Token: SeLoadDriverPrivilege 1824 DrvInst.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: SeShutdownPrivilege 772 explorer.exe Token: 33 1480 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1480 AUDIODG.EXE Token: 33 1480 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1480 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 772 explorer.exe 772 explorer.exe 772 explorer.exe 772 explorer.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2304 wrote to memory of 3036 2304 powershell.exe 35 PID 2304 wrote to memory of 3036 2304 powershell.exe 35 PID 2304 wrote to memory of 3036 2304 powershell.exe 35 PID 2304 wrote to memory of 1692 2304 powershell.exe 36 PID 2304 wrote to memory of 1692 2304 powershell.exe 36 PID 2304 wrote to memory of 1692 2304 powershell.exe 36 PID 2304 wrote to memory of 2332 2304 powershell.exe 39 PID 2304 wrote to memory of 2332 2304 powershell.exe 39 PID 2304 wrote to memory of 2332 2304 powershell.exe 39 PID 2304 wrote to memory of 2668 2304 powershell.exe 40 PID 2304 wrote to memory of 2668 2304 powershell.exe 40 PID 2304 wrote to memory of 2668 2304 powershell.exe 40 PID 2304 wrote to memory of 2408 2304 powershell.exe 41 PID 2304 wrote to memory of 2408 2304 powershell.exe 41 PID 2304 wrote to memory of 2408 2304 powershell.exe 41 PID 2304 wrote to memory of 2684 2304 powershell.exe 42 PID 2304 wrote to memory of 2684 2304 powershell.exe 42 PID 2304 wrote to memory of 2684 2304 powershell.exe 42 PID 2684 wrote to memory of 560 2684 cmd.exe 43 PID 2684 wrote to memory of 560 2684 cmd.exe 43 PID 2684 wrote to memory of 560 2684 cmd.exe 43 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Windows11DebloaterV205\Config\ezdebloater\ezdebloater.ps11⤵
- Modifies visibility of file extensions in Explorer
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\system32\bcdedit.exe"C:\Windows\system32\bcdedit.exe" /set {current} bootmenupolicy Legacy2⤵
- Modifies boot configuration data using bcdedit
PID:3036
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:(OI)(CI)F2⤵
- Modifies file permissions
PID:1692
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /grant:r SYSTEM:(OI)(CI)F2⤵
- Modifies file permissions
PID:2332
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c RD /S /Q %WinDir%\System32\GroupPolicyUsers2⤵PID:2668
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c RD /S /Q %WinDir%\System32\GroupPolicy2⤵PID:2408
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c gpupdate /force2⤵
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\system32\gpupdate.exegpupdate /force3⤵PID:560
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E8" "00000000000002F8"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2352
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "00000000000005B4" "00000000000003E8"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1824
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:772
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5901⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵PID:2444
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵PID:2148
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 5202⤵PID:752
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵PID:2784
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1024KB
MD551da34a4f22540e7676f7e66bbb3d544
SHA1963a8594079797affc9f8761097d2923fbdaaa79
SHA2569f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6
SHA51233cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f