File name: _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe

Full analysis: https://app.any.run/tasks/916b0e32-e16d-4815-86a9-c7389f5258f0
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: July 31, 2025, 15:10:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-sch, lumma, stealer, auto-startup, autoit, rhadamanthys, shellcode
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 9A9DA8C930A9F0EDF82D0F0ABFAA6768
SHA1: 0732C5888CC357522E7E3803DE99AA4E8CFEAF8D
SHA256: 99B66D8309EDBA2AD061E5274A148288012F93A05839A99FF071FEA6FE16D2A5
SSDEEP: 49152:sAKMb9nTMZAL6kjXRE8g4RqtBtCJjVTturS5L/2xzvlz+a64nl79HoMdL/MpB/Wr:sAPb9noCL6X8+atR5L/2xzIa6ol79IM9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • LUMMA has been detected (SURICATA)
      • svchost.exe (PID: 2200)
    • Uses Task Scheduler to run other applications
      • cmd.exe (PID: 2628)
    • Connects to the CnC server
      • svchost.exe (PID: 2200)
    • Creates files in the Startup directory
      • cmd.exe (PID: 4224)
    • RHADAMANTHYS has been detected (YARA)
      • OpenWith.exe (PID: 1588)
  • SUSPICIOUS
    • The executable file from the user directory is run by the CMD process
      • Favor.com (PID: 3636)
    • Starts the AutoIt3 executable file
      • cmd.exe (PID: 5416)
    • Runs PING.EXE to introduce a delay
      • cmd.exe (PID: 5416)
    • Starts an application with an unusual extension
      • cmd.exe (PID: 5416)
    • Starts CMD.EXE for command execution
      • _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe (PID: 5620)
    • Executable content was dropped or overwritten
      • _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe (PID: 5620)
      • Favor.com (PID: 3636)
    • Executes commands from a ".cmd" file
      • _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe (PID: 5620)
    • Gets information on the list of running processes
      • cmd.exe (PID: 5416)
    • Contains functionality for taking screenshots (YARA)
      • Favor.com (PID: 3636)
    • The process checks if it is being run in a virtual environment
      • OpenWith.exe (PID: 1588)
    • Contacts a server suspected of hosting a CnC
      • svchost.exe (PID: 2200)
    • Executes an application which crashes
      • Favor.com (PID: 3636)
    • Connects to an unusual port
      • OpenWith.exe (PID: 1588)
    • Uses 'findstr.exe' to search for text patterns in files and output
      • cmd.exe (PID: 5416)
  • INFO
    • Checks supported languages
      • extrac32.exe (PID: 2028)
      • Favor.com (PID: 3636)
      • _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe (PID: 5620)
    • Creates files in a temporary directory
      • extrac32.exe (PID: 2028)
      • _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe (PID: 5620)
    • Reads the computer name
      • extrac32.exe (PID: 2028)
      • Favor.com (PID: 3636)
    • The sample is compiled with English language support
      • Favor.com (PID: 3636)
    • Reads mouse settings
      • Favor.com (PID: 3636)
    • Creates files or folders in the user directory
      • Favor.com (PID: 3636)
    • Manual execution by a user
      • cmd.exe (PID: 4224)
      • cmd.exe (PID: 2628)
      • OpenWith.exe (PID: 1588)
      • wscript.exe (PID: 5528)
    • Launches a file from the Startup directory
      • cmd.exe (PID: 4224)
    • Launches a file from Task Scheduler
      • cmd.exe (PID: 2628)
    • Checks proxy server information
      • slui.exe (PID: 5528)
    • Reads the software policy settings
      • slui.exe (PID: 5528)

Rhadamanthys

(PID) Process(1588) OpenWith.exe
C2 (3):
  • https://176.46.152.18:8181/gDatFeDway/rbiaph9n.18drr
  • https://213.209.150.104:8181/gDatFeDway/rbiaph9n.18drr
  • https://vault-360-nexus.com:8181/gDatFeDway/rbiaph9n.18drr
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:19:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 29184
InitializedDataSize: 4135936
UninitializedDataSize: 16896
EntryPoint: 0x39e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
Total processes: 155
Monitored processes: 21
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Processes in the graph, in order ("no specs" marks a process with no specific indicators; "#LUMMA" and "#RHADAMANTHYS" mark the processes tagged with those detections):
  • start
  • _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • extrac32.exe (no specs)
  • findstr.exe (no specs)
  • favor.com
  • ping.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe
  • conhost.exe (no specs)
  • schtasks.exe (no specs)
  • #LUMMA svchost.exe
  • wscript.exe (no specs)
  • #RHADAMANTHYS openwith.exe
  • werfault.exe (no specs)
  • slui.exe

Process information

Each entry below lists PID, command line (CMD), image path, parent process, and the process metadata recorded by the sandbox.
PID: 1044
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132
CMD: schtasks.exe /create /tn "Metallic" /tr "wscript //B 'C:\Users\admin\AppData\Local\InnoSphere Innovations\InnoSphere.js'" /sc minute /mo 5 /F
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1232
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3636 -s 1036
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Favor.com
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1588
CMD: "C:\WINDOWS\system32\openwith.exe"
Path: C:\Windows\SysWOW64\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\syswow64\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1592
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2028
CMD: extrac32 /Y Kids.accdb *.*
Path: C:\Windows\SysWOW64\extrac32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® CAB File Extract Utility
Exit code: 0
Version: 5.00 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\syswow64\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2628
CMD: cmd /c schtasks.exe /create /tn "Metallic" /tr "wscript //B 'C:\Users\admin\AppData\Local\InnoSphere Innovations\InnoSphere.js'" /sc minute /mo 5 /F
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3028
CMD: findstr "SophosHealth nsWscSvc ekrn bdservicehost AvastUI AVGUI & if not errorlevel 1 Set qmvDYdLaziVDfUaXliVzQYuDNy=AutoIt3.exe & Set QuKIgZPzvYzcngXaAXrYuZCwYGzqCzYIl=.a3x & Set WWqMeRKjcLHgpKPOIKJsKWxZOcnJJeNZr=300
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3636
CMD: Favor.com P
Path: C:\Users\admin\AppData\Local\Temp\834693\Favor.com
Parent process: cmd.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script (Beta)
Exit code: 3221225725 (0xC00000FD, STATUS_STACK_OVERFLOW)
Version: 3, 3, 17, 0
Loaded modules (images):
c:\users\admin\appdata\local\temp\834693\favor.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
Total events: 5 381
Read events: 5 381
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 22
Text files: 5
Unknown types: 3

Dropped files

PID | Process | Filename | Type
5620 | _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe | C:\Users\admin\AppData\Local\Temp\Di.accdb | text
  MD5: A47628D55F6A4098CDD5EE117096C912
  SHA256: F4013C5D5BBF14B05F30ED9EE43723543882285FD7894EC33D172878449E563C
5620 | _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe | C:\Users\admin\AppData\Local\Temp\Matrix.accdb | env
  MD5: 6CF9972ADBC933F2D947E06B37F0C3B7
  SHA256: F39BDB5B4DF0FEA0F5648D4387DEF8F4C2D513F5FD186EFE37B14E9B4CD38F23
5620 | _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe | C:\Users\admin\AppData\Local\Temp\nszD687.tmp\nsExec.dll | executable
  MD5: 08E9796CA20C5FC5076E3AC05FB5709A
  SHA256: 8165C7AEF7DE3D3E0549776535BEDC380AD9BE7BB85E60AD6436F71528D092AF
5620 | _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe | C:\Users\admin\AppData\Local\Temp\Sara.accdb | binary
  MD5: 6981F4B6169B28AA5DA48341E483747C
  SHA256: 5666AA8CCBC8FD2C6B549C9D988835DE6F562E014D7E6FD372BB7BF93A97C693
5620 | _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe | C:\Users\admin\AppData\Local\Temp\Do.accdb | binary
  MD5: 7E6CE3794C655191374A66E14759DC4C
  SHA256: DB0A0E74715EA8DACC5F58A505B5875775984CD0057E3D870C6701ECB8E6C772
5620 | _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe | C:\Users\admin\AppData\Local\Temp\Scotia.accdb | binary
  MD5: 371EAD09D23F616593B6B979614A0C13
  SHA256: BE3032C9D6DF5028970C90E6BEBBCBBA911774F6FB667CA51C0CCE96458A9B1F
5620 | _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe | C:\Users\admin\AppData\Local\Temp\Approx.accdb | binary
  MD5: F8A3622CE2DB172A4DBE2BE681E32A86
  SHA256: 19B6E21E023616A23EB6780F5C3C19218A81C4ABE8CD394B4BD5BBB0C74FCCF5
5620 | _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe | C:\Users\admin\AppData\Local\Temp\Filters.accdb | binary
  MD5: 77F36B01B845DFE1A4C483E95C70ABB2
  SHA256: 5A8B64A50565825B9D09371348E689AB1F006B8205CF4F33BC9A66E1317D3196
5620 | _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe | C:\Users\admin\AppData\Local\Temp\Kids.accdb | binary
  MD5: 3B254E14098256E43F8229E6EAEDB69A
  SHA256: B05287E5CF8403FA52614227599A1E2CA3A855DCCAA662F8FEAC6BA13041E40D
5620 | _99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5.exe | C:\Users\admin\AppData\Local\Temp\Outlined.accdb | binary
  MD5: C2D3332A24F7D68DA17C774726108F69
  SHA256: 418727D3FCBC9E29581256F5E2B61D6DD1E8573AE44B9CE0758C42E15418431B
HTTP(S) requests: 29
TCP/UDP connections: 55
DNS requests: 23
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2992 | RUXIMICS.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2992 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 20.190.159.2:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 200 | 20.190.159.131:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2992 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2992 | RUXIMICS.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain, followed by the resolved IP(s) and reputation:
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.216.77.42
  • 23.216.77.41
  • 23.216.77.11
  • 23.216.77.12
  • 23.216.77.37
  • 23.216.77.7
  • 23.216.77.38
  • 23.216.77.35
  • 23.216.77.5
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
WGsqMlebVvvKaQ.WGsqMlebVvvKaQ
unknown
login.live.com
  • 20.190.159.64
  • 40.126.31.2
  • 40.126.31.69
  • 20.190.159.75
  • 40.126.31.73
  • 40.126.31.131
  • 20.190.159.68
  • 20.190.159.130
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
self.events.data.microsoft.com
  • 52.182.143.214
whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Lumma DNS Activity observed
2200 | svchost.exe | Domain Observed Used for C2 Detected | MALWARE [ANY.RUN] Win32/Generic CnC related domain (vault-360-nexus .com)
- | - | Generic Protocol Command Decode | SURICATA HTTP Host header invalid