File name: b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe

Full analysis: https://app.any.run/tasks/edc26f8e-f3cf-4ed6-a600-581260228c0e
Verdict: Malicious activity
Analysis date: May 31, 2024, 10:21:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
MD5: 55F00748454A5BC47A98D5CD51F2E877
SHA1: 3E8B2354B6987D4FAD54E838DDE767DF1554A3BB
SHA256: B7974DFD10DEA3D89979B441677202D9BE7D5C9EAB26DF59B9D7AFE27F56A290
SSDEEP: 6144:c0/1Thw5w4qjPRrf2VrRZHMrbLcPNDVVVVVVV6qqqqqqqqqqqqqqqqqqqqqqqqqY:HcPNDVVVVVVV6qqqqqqqqqqqqqqqqqqr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (PID: 6324)
      • explorer.exe (PID: 6364)
      • spoolsv.exe (PID: 6384)
    • Changes the autorun value in the registry

      • svchost.exe (PID: 6404)
      • explorer.exe (PID: 6364)
      • svchost.exe (PID: 4800)
      • explorer.exe (PID: 4768)
      • svchost.exe (PID: 6072)
      • explorer.exe (PID: 5972)
    • Changes appearance of the Explorer extensions

      • explorer.exe (PID: 6364)
      • svchost.exe (PID: 6404)
      • svchost.exe (PID: 6072)
      • explorer.exe (PID: 5972)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (PID: 6324)
      • spoolsv.exe (PID: 6384)
    • Starts itself from another location

      • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (PID: 6324)
      • explorer.exe (PID: 6364)
      • spoolsv.exe (PID: 6384)
      • svchost.exe (PID: 6404)
      • explorer.exe (PID: 5972)
      • spoolsv.exe (PID: 6052)
      • svchost.exe (PID: 6072)
    • Executable content was dropped or overwritten

      • explorer.exe (PID: 6364)
      • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (PID: 6324)
      • spoolsv.exe (PID: 6384)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 876)
    • Reads security settings of Internet Explorer

      • TextInputHost.exe (PID: 6976)
  • INFO

    • Checks supported languages

      • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (PID: 6324)
      • explorer.exe (PID: 6364)
      • spoolsv.exe (PID: 6384)
      • svchost.exe (PID: 6404)
      • spoolsv.exe (PID: 6432)
      • TextInputHost.exe (PID: 6976)
      • PLUGScheduler.exe (PID: 876)
      • explorer.exe (PID: 5972)
      • svchost.exe (PID: 6072)
      • spoolsv.exe (PID: 6092)
      • explorer.exe (PID: 4768)
      • svchost.exe (PID: 4800)
      • spoolsv.exe (PID: 6052)
      • svchost.exe (PID: 764)
    • Creates files in a temporary directory

      • b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (PID: 6324)
      • explorer.exe (PID: 6364)
      • spoolsv.exe (PID: 6384)
      • svchost.exe (PID: 6404)
      • spoolsv.exe (PID: 6432)
      • svchost.exe (PID: 4800)
      • explorer.exe (PID: 5972)
      • svchost.exe (PID: 6072)
      • spoolsv.exe (PID: 6092)
      • explorer.exe (PID: 4768)
      • spoolsv.exe (PID: 6052)
      • svchost.exe (PID: 764)
    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 876)
    • Reads the computer name

      • svchost.exe (PID: 6404)
      • TextInputHost.exe (PID: 6976)
      • PLUGScheduler.exe (PID: 876)
      • svchost.exe (PID: 6072)
    • Manual execution by a user

      • runonce.exe (PID: 4496)
      • explorer.exe (PID: 5916)
      • explorer.exe (PID: 5972)
      • svchost.exe (PID: 6132)
      • svchost.exe (PID: 764)
    • Reads the time zone

      • runonce.exe (PID: 4496)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 4528)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
All screenshots are available in the full report
Total processes: 251
Monitored processes: 19
Malicious processes: 10
Suspicious processes: 1

Behavior graph

Graph image not included; monitored processes shown as nodes, in the order they appear in the graph ("no specs" is the report's tag for a process with no triggered signatures): b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe (no specs), textinputhost.exe (no specs), plugscheduler.exe (no specs), runonce.exe, runonce.exe (no specs), explorer.exe, svchost.exe, explorer.exe (no specs), explorer.exe, spoolsv.exe (no specs), svchost.exe, spoolsv.exe (no specs), svchost.exe (no specs), svchost.exe, b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe (no specs)

Process information

One entry per monitored process: PID, CMD (command line), Path, Parent process, followed by user, integrity level, exit code, version and the loaded modules (images).

PID: 764
CMD: "C:\Windows\Resources\svchost.exe"
Path: C:\Windows\Resources\svchost.exe
Parent process: runonce.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
  c:\windows\resources\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvbvm60.dll

PID: 876
CMD: "C:\Program Files\RUXIM\PLUGscheduler.exe"
Path: C:\Program Files\RUXIM\PLUGScheduler.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Update LifeCycle Component Scheduler
Exit code: 0
Version: 10.0.19041.3623 (WinBuild.160101.0800)
Modules (images):
  c:\program files\ruxim\plugscheduler.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\advapi32.dll

PID: 4496
CMD: runonce.exe /Explorer
Path: C:\Windows\System32\runonce.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Run Once Wrapper
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\runonce.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\gdi32.dll

PID: 4528
CMD: C:\WINDOWS\SysWOW64\runonce.exe /RunOnce6432
Path: C:\Windows\SysWOW64\runonce.exe
Parent process: runonce.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Run Once Wrapper
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\runonce.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll

PID: 4768
CMD: "C:\Windows\Resources\Themes\explorer.exe" RO
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: runonce.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
  c:\windows\resources\themes\explorer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvbvm60.dll
  c:\windows\syswow64\user32.dll

PID: 4800
CMD: "C:\Windows\Resources\svchost.exe" RO
Path: C:\Windows\Resources\svchost.exe
Parent process: runonce.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
  c:\windows\resources\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvbvm60.dll
  c:\windows\syswow64\user32.dll

PID: 5916
CMD: "C:\Windows\Resources\Themes\explorer.exe"
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: runonce.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.00
Modules (images):
  c:\windows\resources\themes\explorer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 5972
CMD: "C:\Windows\Resources\Themes\explorer.exe"
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: runonce.exe
User: admin
Integrity Level: HIGH
Exit code: - (still running at the end of the analysis)
Version: 1.00
Modules (images):
  c:\windows\resources\themes\explorer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvbvm60.dll

PID: 6052
CMD: c:\windows\resources\spoolsv.exe SE
Path: C:\Windows\Resources\spoolsv.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
  c:\windows\resources\spoolsv.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvbvm60.dll

PID: 6072
CMD: c:\windows\resources\svchost.exe
Path: C:\Windows\Resources\svchost.exe
Parent process: spoolsv.exe
User: admin
Integrity Level: HIGH
Exit code: - (still running at the end of the analysis)
Version: 1.00
Modules (images):
  c:\windows\resources\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvbvm60.dll

Total events: 4 144
Read events: 4 088
Write events: 46
Delete events: 10

Modification events

(PID) Process: (6324) b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (6364) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (6364) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (6364) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value: -

(PID) Process: (6364) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value: -

(PID) Process: (6364) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: write
Name: ShowSuperHidden
Value: 0

(PID) Process: (6404) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (6404) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (6404) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value: -

(PID) Process: (6404) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value: -

Executable files: 3
Suspicious files: 20
Text files: 0
Unknown types: 2

Dropped files

PID 6324, b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290.exe
  Filename: C:\windows\resources\themes\explorer.exe
  Type: executable
  MD5: 28788445AC7F9BF8C9ABBAE84DF847CA
  SHA256: 18A0DC3743A6D5322CBFF2F3ADC8FBE3299C308ADFBE4025DCA164470AA31E02

PID 876, PLUGScheduler.exe
  Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.010.etl
  Type: etl
  MD5: 868E79A00A8204448B2FFC4F4D5C08EA
  SHA256: 148FE324431CB4C826BCF0436147D946AC389A877732612CF40629048B8517DC

PID 876, PLUGScheduler.exe
  Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.015.etl
  Type: etl
  MD5: FA358BFEE9B4E1FFB7394D13CBBC4898
  SHA256: 6FF97BBF8A56286A4C71623829514CC14B7F8CBBCF09748D939F733968478A22

PID 876, PLUGScheduler.exe
  Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.007.etl
  Type: etl
  MD5: C8834D365FAE073DEDE1F1620454CE71
  SHA256: C6DD793EEE1D5551CA507A3C5BFFECA82DD3E29C63C2C6DD218A7D4BFB37046B

PID 876, PLUGScheduler.exe
  Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.011.etl
  Type: etl
  MD5: 2F36C598EBFF5B5CDD898C9691D6BCCB
  SHA256: 8900C5931ED8E0D1B68082B45CF2F4E8C1025D36825508E0804C916D781B9F50

PID 876, PLUGScheduler.exe
  Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.012.etl
  Type: etl
  MD5: 079890A8EC8D5CB6523FCEC2209780AA
  SHA256: 0E12D2D76DD738CE196BED522E35F75E2CC91294F78CDDCBE8CE7787AAA70049

PID 876, PLUGScheduler.exe
  Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.006.etl
  Type: etl
  MD5: 5EA68411BF8E9EAF4621BAF73F61449E
  SHA256: 9D4CA5A1D871F819C139A498BB910A63576C2FE6367853544F8D172D8B6EBFF7

PID 876, PLUGScheduler.exe
  Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.005.etl
  Type: etl
  MD5: A23907B6FDD47DCABFDFD7CF2FCD7671
  SHA256: 0C9C33FE9E984A2E5A70EBA51F36B9929A86199E424AF2F8080E1267B87DC970

PID 876, PLUGScheduler.exe
  Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.002.etl
  Type: binary
  MD5: 76FFBF8D9FE15813722947F940F1FCC0
  SHA256: 44739D1529DC97966327450F196AE588CB398EB273323507A3A1A7C13623252A

PID 876, PLUGScheduler.exe
  Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.004.etl
  Type: binary
  MD5: 2D2436C2C670F47F146CBF93D2845207
  SHA256: 20A675FDC6AF4A94DD97A3C2F666A2D69A4529D40AA6D7780BF9A93D07FBE924

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 29
TCP/UDP connections: 33
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.20.13.130:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.22.201.205:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | unknown
4312 | RUXIMICS.exe | GET | 200 | 2.20.13.130:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | unknown
4312 | RUXIMICS.exe | GET | 200 | 2.22.201.205:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | unknown
4264 | svchost.exe | GET | 200 | 2.20.13.130:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | unknown
4264 | svchost.exe | GET | 200 | 2.22.201.205:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | unknown
- | - | GET | 200 | 23.45.176.238:443 | https://r.bing.com/rb/17/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DygxdoIBhQGIAX95fLsBvgExrgExwQE&or=w | unknown | - | 21.3 Kb | unknown
- | - | GET | 200 | 23.45.176.238:443 | https://r.bing.com/rb/1a/cir3,ortl,cc,nc/oT6Um3bDKq3bSDJ4e0e-YJ5MXCI.css?bu=B68CP54ChwFZWbkC&or=w | unknown | - | 5.88 Kb | unknown
- | - | GET | 200 | 23.45.176.240:443 | https://r.bing.com/rb/3K/ortl,cc,nc/4-xJy3tX6bM2BGl5zKioiEcQ1TU.css?bu=A4gCjAKPAg&or=w | unknown | - | 15.5 Kb | unknown
- | - | GET | 200 | 23.45.176.197:443 | https://r.bing.com/rb/1a/cir3,ortl,cc,nc/uANxnX_BheDjd2-cdR8N9DEWlds.css?bu=C8QIhQP7A5wJhQjvB6QGWVlZWQ&or=w | unknown | - | 19.9 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4264 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4312 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 239.255.255.250:1900 | - | - | - | unknown
5140 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 2.20.13.130:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
4312 | RUXIMICS.exe | 2.20.13.130:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
4264 | svchost.exe | 2.20.13.130:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5140 | MoUsoCoreWorker.exe | 2.22.201.205:80 | www.microsoft.com | AKAMAI-AS | FR | unknown
4312 | RUXIMICS.exe | 2.22.201.205:80 | www.microsoft.com | AKAMAI-AS | FR | unknown
4264 | svchost.exe | 2.22.201.205:80 | www.microsoft.com | AKAMAI-AS | FR | unknown

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 2.20.13.130, 2.20.13.143 | whitelisted
www.microsoft.com | 2.22.201.205 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
www.bing.com | 23.45.176.238, 23.45.176.222, 23.45.176.225, 23.45.176.240, 23.45.176.197 | whitelisted
self.events.data.microsoft.com | 104.208.16.89, 13.69.239.72 | whitelisted
officeclient.microsoft.com | 52.109.28.46 | whitelisted
ecs.office.com | 52.123.243.197, 52.123.243.215, 52.123.243.68, 52.123.243.84 | whitelisted
r.bing.com | 23.45.176.240, 23.45.176.197, 23.45.176.238 | whitelisted

Threats

No threats detected
No debug info