Analysis
-
max time kernel
92s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10-07-2024 10:19
Static task
static1
Behavioral task
behavioral1
Sample
82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exe
Resource
win10v2004-20240709-en
General
-
Target
82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exe
-
Size
740KB
-
MD5
b9a2922c33a07f381ab2765ad7c09ccb
-
SHA1
8beba7166d8a50cbbd22e9999c6f446d0759943a
-
SHA256
82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989
-
SHA512
855c91db9fb21f90d2eefb0ee2222b99049dbdda356a1004831364960356dafacf1fffc93609fde9c3883b9fcdf9e957811e0a3676fa31f91f6e13068cd38f51
-
SSDEEP
12288:lCV86nofv3fNIGJpIlOrIhYW6NappxuBguALkPSoakQ91YlcM4Ai5H6vDmKiY98j:lyFnoXfNIApwhYVepeALkPgkQ/rrAiRN
Malware Config
Signatures
-
Detect Poverty Stealer Payload 5 IoCs
Processes:
resource yara_rule behavioral2/memory/3960-69-0x0000000003F70000-0x0000000003F7A000-memory.dmp family_povertystealer behavioral2/memory/3960-70-0x0000000003F70000-0x0000000003F7A000-memory.dmp family_povertystealer behavioral2/memory/3960-71-0x0000000003F70000-0x0000000003F7A000-memory.dmp family_povertystealer behavioral2/memory/3960-73-0x0000000003F70000-0x0000000003F7A000-memory.dmp family_povertystealer behavioral2/memory/3960-74-0x0000000003F70000-0x0000000003F7A000-memory.dmp family_povertystealer -
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
Valve.pifdescription pid Process procid_target PID 3960 created 3484 3960 Valve.pif 56 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation 82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exe -
Deletes itself 1 IoCs
Processes:
Valve.pifpid Process 3960 Valve.pif -
Drops startup file 2 IoCs
Processes:
cmd.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberPanther.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberPanther.url cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
Valve.pifpid Process 3960 Valve.pif -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid Process 664 timeout.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid Process 3888 tasklist.exe 208 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
Valve.pifpid Process 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
tasklist.exetasklist.exedescription pid Process Token: SeDebugPrivilege 208 tasklist.exe Token: SeDebugPrivilege 3888 tasklist.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
Valve.pifpid Process 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
Valve.pifpid Process 3960 Valve.pif 3960 Valve.pif 3960 Valve.pif -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.execmd.exeValve.pifdescription pid Process procid_target PID 1576 wrote to memory of 4676 1576 82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exe 85 PID 1576 wrote to memory of 4676 1576 82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exe 85 PID 1576 wrote to memory of 4676 1576 82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exe 85 PID 4676 wrote to memory of 208 4676 cmd.exe 87 PID 4676 wrote to memory of 208 4676 cmd.exe 87 PID 4676 wrote to memory of 208 4676 cmd.exe 87 PID 4676 wrote to memory of 3540 4676 cmd.exe 88 PID 4676 wrote to memory of 3540 4676 cmd.exe 88 PID 4676 wrote to memory of 3540 4676 cmd.exe 88 PID 4676 wrote to memory of 3888 4676 cmd.exe 90 PID 4676 wrote to memory of 3888 4676 cmd.exe 90 PID 4676 wrote to memory of 3888 4676 cmd.exe 90 PID 4676 wrote to memory of 2168 4676 cmd.exe 91 PID 4676 wrote to memory of 2168 4676 cmd.exe 91 PID 4676 wrote to memory of 2168 4676 cmd.exe 91 PID 4676 wrote to memory of 3844 4676 cmd.exe 92 PID 4676 wrote to memory of 3844 4676 cmd.exe 92 PID 4676 wrote to memory of 3844 4676 cmd.exe 92 PID 4676 wrote to memory of 2688 4676 cmd.exe 93 PID 4676 wrote to memory of 2688 4676 cmd.exe 93 PID 4676 wrote to memory of 2688 4676 cmd.exe 93 PID 4676 wrote to memory of 5044 4676 cmd.exe 94 PID 4676 wrote to memory of 5044 4676 cmd.exe 94 PID 4676 wrote to memory of 5044 4676 cmd.exe 94 PID 4676 wrote to memory of 3960 4676 cmd.exe 95 PID 4676 wrote to memory of 3960 4676 cmd.exe 95 PID 4676 wrote to memory of 3960 4676 cmd.exe 95 PID 4676 wrote to memory of 664 4676 cmd.exe 96 PID 4676 wrote to memory of 664 4676 cmd.exe 96 PID 4676 wrote to memory of 664 4676 cmd.exe 96 PID 3960 wrote to memory of 2148 3960 Valve.pif 97 PID 3960 wrote to memory of 2148 3960 Valve.pif 97 PID 3960 wrote to memory of 2148 3960 Valve.pif 97
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exe"C:\Users\Admin\AppData\Local\Temp\82af0e06f33e00430d4bd6d8fd026cfce5a413d45f819263fc7db31b1e45d989.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Properties Properties.cmd & Properties.cmd & exit3⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵PID:3540
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3888
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"4⤵PID:2168
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 1978154⤵PID:3844
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "CARLFAMILIESPATIENTSAGED" Gaps4⤵PID:2688
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Renew 197815\D4⤵PID:5044
-
-
C:\Users\Admin\AppData\Local\Temp\197815\Valve.pif197815\Valve.pif 197815\D4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3960
-
-
C:\Windows\SysWOW64\timeout.exetimeout 54⤵
- Delays execution with timeout.exe
PID:664
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberPanther.url" & echo URL="C:\Users\Admin\AppData\Local\SecureScope Dynamics\CyberPanther.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberPanther.url" & exit2⤵
- Drops startup file
PID:2148
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
915KB
MD5b06e67f9767e5023892d9698703ad098
SHA1acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA2568498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA5127972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943
-
Filesize
32KB
MD5c18ed82ea8c7d9081f167373d5a765d9
SHA11706e8d276343f799a21e9ae08e77f0424aea339
SHA25670d7d64ccf506d5dc0cda5aa67518189c21b2cbb0c6a7af8a4e74e9539de7825
SHA512071d1b851446c4d6c6a722b80fd3037ff1c005b586f24f9e229dcf9ca962bee58c32720a2bf11911d808e73ba8390f5055cc4614afdfee21811b9b887fdb3513
-
Filesize
42KB
MD52453cd07e028170480c5b48f4924b67d
SHA146a59c16db05fcfb84fed33c9932c9724838a0ea
SHA256ba786355c6959758136f260f28bbc8cd67884b69e36c1a64f515baecda0df4e4
SHA5122115720a8c3a9e73ec2166c08363d000f05a4911a2e38f83b30c6bcd133402e619507966bddc68737587dc5ac8f60cd39be27d2347ca0a2205ccac9ff4c8f8af
-
Filesize
52KB
MD5ff0e11be9fd4606e5ad00a89879856e6
SHA19a4bcf379d6e0d5538559378e2144c214526435b
SHA256cd0ba62ae4aa132df45708b6661fcf3cec75ec7b027e8be2c215fd3a0dd76cd0
SHA51264963b66237150ef98c60ad2c3ca34f414b545886a6f0a2646abbd6dd194f68c85e2e6cdfae5870131d620fe79d5d2a02c0ef74030b70c6674425f3ba447fe7b
-
Filesize
49KB
MD595d8787115394aa0ed6cc30862606605
SHA15af2aa3e40289cd9455c3e46f3f2df87213fc02d
SHA256e19b46fe431196dccd0fe8e91d3d2c2994e093b012cd9f73f99d852280e0c196
SHA5121f4efa14b1de096794952dae6c1b540fed7d2a8350009d158368791ca63f8cda3aa68945404929e9de30d58083ba7a263c87d54774fdb62b71f57e13a80f7734
-
Filesize
52KB
MD5819da0d3f36272eb0692bf6a438f45ed
SHA19d3fb8879a26c353c85901c5e5aacec0c28fea6e
SHA2565f3b858ce0fabb14d1bdcdbf73b984a932db719d073a04013376093b32d3f4fb
SHA5122bfc221ef497a4ce8da3d332878a7a7e535377daaab528aebd9e484bd25ec625b3b34bdf8116cf45ac282df3f1f343d619f8faad9c9a5a1c622d2fcbe6a7d199
-
Filesize
53KB
MD579cede3e951130d118d2541f5c6e7e82
SHA186566db43209350cfdad16711ac1a2314e1c37dd
SHA2563fd1509b068b7f2382025cc3b4306448ed2b7ed081a75430360eaae982e19da8
SHA5120f7a06ae8e64915798f1156ef7ed0eccc2e831e47f6d8c4ec52d61b6c61fb322812760d0fdde8bdee026a469be5e7a3c3e1e451e841fd8f8f0f17870dd104bf4
-
Filesize
217B
MD5e47d7c82216757ead7d630d61b10331b
SHA132599b16a0ec633037bdbb2933b0213169e61a2a
SHA256657e5120d05cae32d1b5f6bd1199bbbdde3ec28d74a8f90f33ce180b592e75ff
SHA512cf6e7e7a58ca4dc1bdcf136690d4636b84b66c8f08d70bc7e02ffaac228e2b4c9a8a1cd38e7e79045f454cdea3837964062a9bf555eba3ab45acab8c47f950ba
-
Filesize
27KB
MD551dfe6fe23c0737c906a29ba288c7256
SHA1eda478a421e8e8f5e7a55da8d93a67aad4031a36
SHA2562e41250ef2d8fa1ce4c603b43a85c943aabf66c202f95fab16786848a2c0e93b
SHA512056b29ca7677f9a9303fe3565c0e3351e85f925d12edb6cb527025e358d4827c4823921185230cea2a1ea4f1a43f034ec313b500964492e95cf899e672c67082
-
Filesize
21KB
MD5b3f8eb5788df9a8313cd421b0261aa5a
SHA17a5c3e22482f38c63b287a301e8fb1c64bd0e1f2
SHA25620c373e4563bfb772c4b6f377187b4a40d2cf9a0e68a99c08ef1924226d29f09
SHA5128fec7e9da5a7b417eb71ec531a83d5dfeb85b796fcf78367f31a295775ac9e53dbfe0e061afb3c6cf945d2ba79bdaa874fe2078f9966def5a68d4683c7235f93
-
Filesize
31KB
MD5d25a6a8619e49d225b370bc1e964a20b
SHA14c6ea046b60b609cba51d2eb029fa1b2fab28a92
SHA256df68b2896894ededce175f11b09809329b54ce4cee27854f31424da7e463b623
SHA5121a5c78f5f15bf883f8792c9a1a4d5ec98eef8a610798dafaa56a727a4c864bf30bede27eb075358e49bb65620a5c8495e85e84d683593c285717c5af032907ac
-
Filesize
30KB
MD5e1c6e0b0366cbc159e2a3c3fa42186e1
SHA134f8caccbe0165b507e8508012dd253bc6b8dbc3
SHA25603697fa62cf751b9a403107b0fa8780d8b25061099c0a93c873344923d07aa5a
SHA51221c0783272e34599a51ca46e1c542e3830049380ea48e51f16f8e75162d51b2165bf7317b2d84b3974720afa7ab3b165c5441f7907a5a1dcc6d6c9b2cad837aa
-
Filesize
50KB
MD51aff3e47ad68412d132811ce22a41102
SHA125d49b22b30743a086406e6281f395f45a2d3c02
SHA2563cb212a1da6d34ecd8238fbab84b581c6af83d30f9e93336a5540aea10aac88b
SHA51237453eb9c5752d0d01c17dc35bad741552c6ee15e8717174a2375ccccde6a62cef15f1eb8d6b23932e8162d025f2c721ed5065c4345a419a1f04ceafec179119
-
Filesize
15KB
MD56cecee44c1dad0bb79f2c16a88cb6062
SHA1c379020fdce7e4af871eebeb3edcd93aaf6c7d32
SHA256ea0490e6651506a582fb5760ac2c23fa3d1c338064348d8abd582085eca61d8e
SHA512d4e7088e1b4e92a529094d37bf74e9c5285a2c14f2d00345a8a1238b2cb80cbce78de316718ce3c6bcdbd2dbb1e1d7714ad143174c4d52578f6497b094bb6d83
-
Filesize
166KB
MD5e2373a63ce699a18efbc3fede5e87c4f
SHA1a9f74372a97c95545cc2c5a88a864dfb8738eb64
SHA256bb7b5d330f997bc42d7660f6dc3a5cdd7f1a27f37643edb08dc17ea87881e8a4
SHA512bd38aec89d835f965460aa84df7faefb52329357a5fdc0f032b1c4fa59521fd5856dee272a9cab21a4ee12dde0b97210428c9a58a1def0932e209adc5f2eee90
-
Filesize
32KB
MD57aa5cb40b4f2443de21da0a0b46ccc5d
SHA19a83d518bcc6c31754fd389232e129d372fc0c5f
SHA25651aa39ebccb32903ee7fa690a1d7c68fd58e9661c9ffd17a3f3421070f847564
SHA512b6ead4ceb0850506d267260f24de2ee4cc8f2523f091babce21ba78669c6cbc6b5a42e3b86b052b76a3ea7b532a9fd896a2a27f7b468f367a313c1deb5877f1c
-
Filesize
65KB
MD509e01401b85caa707c5ff3cebca814e6
SHA14120b4b422bce5541ef97e7aaeeb5a223f42fedc
SHA256e801bb986beec3a9f7451fa157eee944f0b58b164bc06aa01acd9c73df1d74d6
SHA5125452a8aeb473d8a5f7c169b4b67da9d88dbad91b4844122b73823769ac324239f2dfd96ded3c7d4b5ee5b3bb1667614b7935290a6e60193dd50384acf552669b
-
Filesize
13KB
MD53896b36f2678ca6e66155b334dd1ab2d
SHA1296d4d92c8a39798fba5f0bd6953b3c1d3a7d562
SHA256779c6323ebfe5116927ed31401566a272b6cc630f2f0893f6ba2a1d0104eea1f
SHA512a1aaaac30c486e253b02684e98b81bcdf42ea8eea906d0321c60940a0e86490b04b51e606fa052861b9b8055755550e3aa64dbc1cc33ec498973dfcbd6c3a970
-
Filesize
46KB
MD59fc28bced4c009e9c0b9d435ac009df7
SHA1f5af69cc30731c8f23e185a3452aadfd7ab7225c
SHA25610a9d7a45fdef23e4175ddb6302b115c0ffe35bd4698bebffed180beab64ef07
SHA5124f7a06bfa707cb466815761fd4108335d18de6412202e4bdd07fc2d297bb24993f86ba76cdd137a30b5f73a285bfda61f72db163080d91c45b2be249e3631100
-
Filesize
54KB
MD508addeda316684b2118939f8bd22f2aa
SHA119911f2e0b69f968bcff06826637346e4658ec35
SHA256b316c909c36ea4827ae447bc8bc2b7e8902bcf7af64eeb2a58d74c9da4340460
SHA5123d3e3bc6a94313b73e40b08e89e13032d2c1659e943bf0bceba58dec9a458276cf538fda750586cd233b4354125ffee3013f0a07b5c741ee822106619b9445a2
-
Filesize
60KB
MD53dfb933bff341ad3a7874cb001deb475
SHA17c2aa36be83a2c6b9061b16d3f9d2b1f8b90a11f
SHA256d5455ffd704e58603d91726e572dc3f856391b29680a09f4b967f6ab601c6135
SHA512ade89f4298736dd55cee475809bfc16d4ae41d15d330d6a140e8095c98bb0b944b095d0804f2a49228a6ffd3197a0e0169b9875ce7b8b69605c1d782518c9320
-
Filesize
22KB
MD52857f3ef717dcab920cbb97d8df85057
SHA1db6470489bf8eaa4365f3311f260b4e1cfef4a7c
SHA256341cf7c6442dae51f5d7953c59c3a4d0b06c2ef93561c6cc0841afa52379106c
SHA512a0b7ddf02cda2a34bd0588d62b0211937a451cb27ed4d9736af82dc16538e4070e6b0221cffc90fc56ad5fdb4695e9a36a1f5f7f9fd51f6be94f685ab0ea18fa
-
Filesize
38KB
MD535372beddb63033773ee2b862e45a484
SHA1373f531346c9710ef6d674585cb8e43a41d25b83
SHA2569df311d6f6de2fcda4ff975ab2e11edd50eb89057611939789bd27667c34eff7
SHA512fac08c3e4ab88c759aae6db11357f7b4cf2605503c43e38359d59967872421fdb3ef81484481429275084decd0ede7569fe5d0ebfbfa39e3b71ed9bac51fb43c
-
Filesize
12KB
MD5c7d25687901ac9ccccbbffe0c26db674
SHA177d40b04e4aa7f10056b8250ef1d3d99d3d3f4b3
SHA2565906c8066dcb01690c776323fe6588bdf6fb039aaa213494b366df28de7961e8
SHA51252453c651d37ba5ae81814e713afc90f1eb2ebb0ec3f1dc491110dcc772880d78ab8da9e358502cc13fe2218fbaf3bc0320426cedd5f896532da180dfdf0417e
-
Filesize
25KB
MD532835815345885a10ae6c0801a7107d0
SHA196740f90ea912cc8dfd9fa0ebec09f3118a40d53
SHA2562b929b6a935fce90cf9822b0c5bb2df9fefe6836f08d7d9ccdc38c451b8d6327
SHA512caaed73299da26ef4b1638b876d125cce576c51099a51e62b42e4a82b26ff76cb82c413f0105b899cae908aa6edeb0eda7f1e8a10a0b8b3fc3e3b77464080fca
-
Filesize
47KB
MD5a959b5cfa1777ebe482f1c86b5a44023
SHA1980d6b60b8539428cb3e212732fe9b4c5620b60b
SHA2562f94a608165710b0eff8bb6151a3c237063fc8792a15671d26361936fab75624
SHA5123b30213029a4579f80e4a74f8a061a3119425944ad9724c0bffcd5f51a1fa92b710b88858af67df3c75d20559da0984ed2f4baa656e1b7bd9c4792c5d98d11bb
-
Filesize
62KB
MD5ea608ac654b28d2f011230666a9393f9
SHA18957c29ce024f4f1deb291b153ad0aeab7bd32e8
SHA256ef8e68746c92e1f040c3c237a25b77eb9fa8aa2d5d9edfe1f4839366e053871b
SHA51237370b51444528d4171e762a0ea5309c1d9fdd4878fb950f6fecabe6fe5dab8a7f7741e5b5c2af567d539054b8de9ecf31cbc32279e78d37f85cc1d537b7f4ba