File name: 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe

Full analysis: https://app.any.run/tasks/76b9aa71-f91d-440c-8ac9-28dd20de0695
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: July 17, 2024, 17:33:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: xenorat, rat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 76E42AE7F8BE751DC2802F8429ACAD56
SHA1: 60B373BCD072FF1F31CB32ABCB9F26387CFACB9E
SHA256: 1BCA88EF695A571B209D53645981A5BF0D005491EE35B4BF7FB5890C4F7FB8D5
SSDEEP: 24576:MaLPSWHBdOZavLvBp//aRrqraoJCqZ080dL9zIkehmrEX+SHu:MaeK3aOLvBp//aRrqraoJCqZ080dL9zD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe (PID: 1736)
      • gfdhxdh.sfx.exe (PID: 5952)
      • gfdhxdh.exe (PID: 2100)
    • XenoRAT has been detected (FILE)

      • gfdhxdh.exe (PID: 2100)
      • gfdhxdh.exe (PID: 476)
      • gfdhxdh.exe (PID: 4624)
      • gfdhxdh.exe (PID: 2612)
      • gfdhxdh.exe (PID: 4544)
      • gfdhxdh.exe (PID: 3832)
    • Changes the autorun value in the registry

      • gfdhxdh.exe (PID: 4624)
    • XENORAT has been detected (YARA)

      • gfdhxdh.exe (PID: 4624)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe (PID: 1736)
      • gfdhxdh.sfx.exe (PID: 5952)
      • gfdhxdh.exe (PID: 2100)
    • Executable content was dropped or overwritten

      • 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe (PID: 1736)
      • gfdhxdh.sfx.exe (PID: 5952)
      • gfdhxdh.exe (PID: 2100)
    • Reads the date of Windows installation

      • 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe (PID: 1736)
      • gfdhxdh.sfx.exe (PID: 5952)
      • gfdhxdh.exe (PID: 2100)
    • Starts CMD.EXE for commands execution

      • 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe (PID: 1736)
    • The executable file from the user directory is run by the CMD process

      • gfdhxdh.sfx.exe (PID: 5952)
    • Executing commands from ".cmd" file

      • 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe (PID: 1736)
    • Application launched itself

      • gfdhxdh.exe (PID: 4072)
      • gfdhxdh.exe (PID: 3724)
    • Executes application which crashes

      • gfdhxdh.exe (PID: 5844)
      • gfdhxdh.exe (PID: 3848)
    • Starts itself from another location

      • gfdhxdh.exe (PID: 2100)
    • Connects to unusual port

      • gfdhxdh.exe (PID: 4624)
  • INFO

    • Checks supported languages

      • 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe (PID: 1736)
      • gfdhxdh.sfx.exe (PID: 5952)
      • gfdhxdh.exe (PID: 4072)
      • gfdhxdh.exe (PID: 476)
      • gfdhxdh.exe (PID: 4624)
      • gfdhxdh.exe (PID: 2100)
      • gfdhxdh.exe (PID: 2612)
      • gfdhxdh.exe (PID: 4544)
      • gfdhxdh.exe (PID: 3832)
      • gfdhxdh.exe (PID: 3724)
    • Reads the computer name

      • 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe (PID: 1736)
      • gfdhxdh.sfx.exe (PID: 5952)
      • gfdhxdh.exe (PID: 4624)
      • gfdhxdh.exe (PID: 2100)
      • gfdhxdh.exe (PID: 476)
      • gfdhxdh.exe (PID: 4072)
      • gfdhxdh.exe (PID: 3724)
      • gfdhxdh.exe (PID: 4544)
      • gfdhxdh.exe (PID: 2612)
      • gfdhxdh.exe (PID: 3832)
    • Creates files or folders in the user directory

      • 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe (PID: 1736)
      • gfdhxdh.sfx.exe (PID: 5952)
      • gfdhxdh.exe (PID: 2100)
    • Process checks computer location settings

      • 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe (PID: 1736)
      • gfdhxdh.sfx.exe (PID: 5952)
      • gfdhxdh.exe (PID: 2100)
    • Reads the machine GUID from the registry

      • gfdhxdh.exe (PID: 4072)
      • gfdhxdh.exe (PID: 3724)
      • gfdhxdh.exe (PID: 4624)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:04:27 20:03:27+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 190976
InitializedDataSize: 72192
UninitializedDataSize: -
EntryPoint: 0x1d759
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 138
Monitored processes: 16
Malicious processes: 11
Suspicious processes: 0

Behavior graph

Process chain in start order ("no specs" is the report's label for a process with no recorded indicators; "#XENORAT" marks a process flagged by the XenoRAT detection):
  • start
  • 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • gfdhxdh.sfx.exe
  • gfdhxdh.exe (no specs)
  • gfdhxdh.exe #XENORAT
  • gfdhxdh.exe #XENORAT
  • gfdhxdh.exe (no specs) #XENORAT
  • gfdhxdh.exe
  • werfault.exe (no specs)
  • gfdhxdh.exe (no specs) #XENORAT
  • gfdhxdh.exe (no specs)
  • gfdhxdh.exe #XENORAT
  • gfdhxdh.exe (no specs) #XENORAT
  • gfdhxdh.exe (no specs)
  • werfault.exe (no specs)

Process information

PID: 476
CMD: C:\Users\admin\AppData\Roaming\gfdhxdh.exe
Path: C:\Users\admin\AppData\Roaming\gfdhxdh.exe
Parent process: gfdhxdh.exe
User: admin
Company: Display Driver Recovery
Integrity Level: MEDIUM
Description: Display Driver Recovery
Exit code: 0
Version: 2.2.7.9
Modules (images):
c:\users\admin\appdata\roaming\gfdhxdh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 1320
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1736
CMD: "C:\Users\admin\Desktop\1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe"
Path: C:\Users\admin\Desktop\1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll

PID: 2100
CMD: C:\Users\admin\AppData\Roaming\gfdhxdh.exe
Path: C:\Users\admin\AppData\Roaming\gfdhxdh.exe
Parent process: gfdhxdh.exe
User: admin
Company: Display Driver Recovery
Integrity Level: MEDIUM
Description: Display Driver Recovery
Exit code: 0
Version: 2.2.7.9
Modules (images):
c:\users\admin\appdata\roaming\gfdhxdh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 2612
CMD: C:\Users\admin\AppData\Roaming\XenoManager\gfdhxdh.exe
Path: C:\Users\admin\AppData\Roaming\XenoManager\gfdhxdh.exe
Parent process: gfdhxdh.exe
User: admin
Company: Display Driver Recovery
Integrity Level: MEDIUM
Description: Display Driver Recovery
Exit code: 0
Version: 2.2.7.9
Modules (images):
c:\users\admin\appdata\roaming\xenomanager\gfdhxdh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 3724
CMD: "C:\Users\admin\AppData\Roaming\XenoManager\gfdhxdh.exe"
Path: C:\Users\admin\AppData\Roaming\XenoManager\gfdhxdh.exe
Parent process: gfdhxdh.exe
User: admin
Company: Display Driver Recovery
Integrity Level: MEDIUM
Description: Display Driver Recovery
Exit code: 0
Version: 2.2.7.9
Modules (images):
c:\users\admin\appdata\roaming\xenomanager\gfdhxdh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 3832
CMD: C:\Users\admin\AppData\Roaming\XenoManager\gfdhxdh.exe
Path: C:\Users\admin\AppData\Roaming\XenoManager\gfdhxdh.exe
Parent process: gfdhxdh.exe
User: admin
Company: Display Driver Recovery
Integrity Level: MEDIUM
Description: Display Driver Recovery
Exit code: 0
Version: 2.2.7.9
Modules (images):
c:\users\admin\appdata\roaming\xenomanager\gfdhxdh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 3848
CMD: C:\Users\admin\AppData\Roaming\XenoManager\gfdhxdh.exe
Path: C:\Users\admin\AppData\Roaming\XenoManager\gfdhxdh.exe
Parent process: gfdhxdh.exe
User: admin
Company: Display Driver Recovery
Integrity Level: MEDIUM
Description: Display Driver Recovery
Exit code: 3221225477 (0xC0000005, an access-violation crash; this is the process handled by werfault.exe)
Version: 2.2.7.9
Modules (images):
c:\users\admin\appdata\roaming\xenomanager\gfdhxdh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll

PID: 4072
CMD: "C:\Users\admin\AppData\Roaming\gfdhxdh.exe"
Path: C:\Users\admin\AppData\Roaming\gfdhxdh.exe
Parent process: gfdhxdh.sfx.exe
User: admin
Company: Display Driver Recovery
Integrity Level: MEDIUM
Description: Display Driver Recovery
Exit code: 0
Version: 2.2.7.9
Modules (images):
c:\users\admin\appdata\roaming\gfdhxdh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 4544
CMD: C:\Users\admin\AppData\Roaming\XenoManager\gfdhxdh.exe
Path: C:\Users\admin\AppData\Roaming\XenoManager\gfdhxdh.exe
Parent process: gfdhxdh.exe
User: admin
Company: Display Driver Recovery
Integrity Level: MEDIUM
Description: Display Driver Recovery
Exit code: 0
Version: 2.2.7.9
Modules (images):
c:\users\admin\appdata\roaming\xenomanager\gfdhxdh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 12 047
Read events: 12 022
Write events: 25
Delete events: 0

Modification events

(PID) Process: (1736) 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1736) 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1736) 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1736) 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (5952) gfdhxdh.sfx.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (5952) gfdhxdh.sfx.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (5952) gfdhxdh.sfx.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (5952) gfdhxdh.sfx.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2100) gfdhxdh.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2100) gfdhxdh.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files: 3
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2100 | gfdhxdh.exe | C:\Users\admin\AppData\Roaming\XenoManager\gfdhxdh.exe | executable
MD5: AE15CAE1D0C81BA873C1CF558FEAD841
SHA256: C696A4F2ED661C6282B957C16D04EC16114FCBAB6153033A5F1F663D5DAD129D
1736 | 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe | C:\Users\admin\AppData\Roaming\ghjostsdf.cmd | text
MD5: 222AEEB413BA16970DD3C02AD9ABC0CE
SHA256: 1061CEE35AE6A842F744991C1E42FADB47F445A1504ABE161480DA8E5E3ED2FC
1736 | 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe | C:\Users\admin\AppData\Roaming\gfdhxdh.sfx.exe | executable
MD5: E3971905E8DE0B85CD2631ACD6CD9ACA
SHA256: E2F1F0C71EC63D9A715BD284D9B772AA95C237736A6F535BD6D6D09EF8256FB9
5952 | gfdhxdh.sfx.exe | C:\Users\admin\AppData\Roaming\gfdhxdh.exe | executable
MD5: AE15CAE1D0C81BA873C1CF558FEAD841
SHA256: C696A4F2ED661C6282B957C16D04EC16114FCBAB6153033A5F1F663D5DAD129D
HTTP(S) requests: 7
TCP/UDP connections: 49
DNS requests: 6
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1792 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3828 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2052 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1792 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2052 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3828 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.189.173.11:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3828 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1792 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 184.86.251.24:443 | www.bing.com | Akamai International B.V. | DE | unknown
2052 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4032 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1792 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2052 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
3828 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
www.bing.com | 184.86.251.24, 184.86.251.17, 184.86.251.22, 184.86.251.18, 184.86.251.20, 184.86.251.25, 184.86.251.19, 184.86.251.26, 184.86.251.15 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
self.events.data.microsoft.com | 20.189.173.11 | whitelisted

Threats

PID | Process | Class | Message
4624 | gfdhxdh.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 13

Debug info: none