File name: Stormshot.PC.V1.0_e85d1776e3.exe

Full analysis: https://app.any.run/tasks/8a77489a-2b42-4408-bba1-ad8f7d8894ac
Verdict: Malicious activity
Analysis date: January 11, 2025, 20:51:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: antivm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 6AAE47CBAA4C56095A1EB0422C1D2ECB
SHA1: 34E29D1801D270A2BD7AC02D4EA84C14C553D66F
SHA256: FFD63FE2AEAA91F05BEF47B3583290CCDBA3F44912AB8B67044F3D58BF817EBF
SSDEEP: 98304:5qXfKQQqTpl6ykKzUczpKnUOsGMG7F/1jzzXcVNbgtgz9GMGevZ7DTQ4H:DrzZtE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • PC-Launcher.exe (PID: 4556)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • st_e85d1776e3.exe (PID: 3808)
      • 7za.exe (PID: 7032)
    • Creates a software uninstall entry

      • st_e85d1776e3.exe (PID: 3808)
    • Drops 7-zip archiver for unpacking

      • st_e85d1776e3.exe (PID: 3808)
    • Executable content was dropped or overwritten

      • st_e85d1776e3.exe (PID: 3808)
      • 7za.exe (PID: 7032)
    • The process drops C-runtime libraries

      • st_e85d1776e3.exe (PID: 3808)
      • 7za.exe (PID: 7032)
    • The process checks if it is being run in the virtual environment

      • PC-Launcher.exe (PID: 4556)
    • There is functionality for VM detection antiVM strings (YARA)

      • PC-Launcher.exe (PID: 4556)
  • INFO

    • Reads the computer name

      • Stormshot.PC.V1.0_e85d1776e3.exe (PID: 6548)
      • st_e85d1776e3.exe (PID: 3808)
      • PC-Launcher.exe (PID: 4556)
      • 7za.exe (PID: 7032)
    • Reads CPU info

      • Stormshot.PC.V1.0_e85d1776e3.exe (PID: 6548)
      • PC-Launcher.exe (PID: 4556)
    • Checks supported languages

      • Stormshot.PC.V1.0_e85d1776e3.exe (PID: 6548)
      • st_e85d1776e3.exe (PID: 3808)
      • PC-Launcher.exe (PID: 4556)
      • Launcher.exe (PID: 396)
      • 7za.exe (PID: 7032)
    • Reads the machine GUID from the registry

      • Stormshot.PC.V1.0_e85d1776e3.exe (PID: 6548)
      • PC-Launcher.exe (PID: 4556)
    • Create files in a temporary directory

      • Stormshot.PC.V1.0_e85d1776e3.exe (PID: 6548)
      • PC-Launcher.exe (PID: 4556)
    • Sends debugging messages

      • st_e85d1776e3.exe (PID: 3808)
      • PC-Launcher.exe (PID: 4556)
    • Creates files in the program directory

      • st_e85d1776e3.exe (PID: 3808)
      • PC-Launcher.exe (PID: 4556)
      • 7za.exe (PID: 7032)
    • The sample compiled with English language support

      • st_e85d1776e3.exe (PID: 3808)
      • 7za.exe (PID: 7032)
    • The sample compiled with Chinese language support

      • st_e85d1776e3.exe (PID: 3808)
      • 7za.exe (PID: 7032)
    • Checks proxy server information

      • PC-Launcher.exe (PID: 4556)
    • Creates files or folders in the user directory

      • PC-Launcher.exe (PID: 4556)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:06:12 11:20:51+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 1302016
InitializedDataSize: 1638912
UninitializedDataSize: -
EntryPoint: 0x11272c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes in the graph, in order from the start node ("no specs" marks processes with no specific indicators):
  • stormshot.pc.v1.0_e85d1776e3.exe
  • st_e85d1776e3.exe
  • launcher.exe (no specs)
  • pc-launcher.exe
  • 7za.exe
  • conhost.exe (no specs)
  • stormshot.pc.v1.0_e85d1776e3.exe (no specs)

Process information

PID: 396
CMD: "C:\Program Files (x86)\FunPlus\Stormshot\Launcher.exe"
Path: C:\Program Files (x86)\FunPlus\Stormshot\Launcher.exe
Parent process: st_e85d1776e3.exe
User: admin
Company: FunPlus, Inc.
Integrity Level: HIGH
Description: Stormshot
Exit code: 0
Version: 1.0.0.1
Modules (Images):
  • c:\program files (x86)\funplus\stormshot\launcher.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\aclayers.dll

PID: 3808
CMD: C:\Users\admin\AppData\Local\Temp\st_e85d1776e3.exe
Path: C:\Users\admin\AppData\Local\Temp\st_e85d1776e3.exe
Parent process: Stormshot.PC.V1.0_e85d1776e3.exe
User: admin
Company: FunPlus, Inc.
Integrity Level: HIGH
Description: Stormshot
Exit code: 0
Version: 1, 0, 0, 96
Modules (Images):
  • c:\users\admin\appdata\local\temp\st_e85d1776e3.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll

PID: 4556
CMD: "C:\Program Files (x86)\FunPlus\Stormshot\1.0.0.96\PC-Launcher.exe" --currentPath="C:\Program Files (x86)\FunPlus\Stormshot" --configVersion=1.0.0.96 --launchExe="C:\Program Files (x86)\FunPlus\Stormshot\Launcher.exe"
Path: C:\Program Files (x86)\FunPlus\Stormshot\1.0.0.96\PC-Launcher.exe
Parent process: Launcher.exe
User: admin
Company: FunPlus, Inc.
Integrity Level: HIGH
Description: Stormshot
Version: 1.0.0.96
Modules (Images):
  • c:\program files (x86)\funplus\stormshot\1.0.0.96\pc-launcher.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\aclayers.dll

PID: 6280
CMD: "C:\Users\admin\AppData\Local\Temp\Stormshot.PC.V1.0_e85d1776e3.exe"
Path: C:\Users\admin\AppData\Local\Temp\Stormshot.PC.V1.0_e85d1776e3.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
  • c:\users\admin\appdata\local\temp\stormshot.pc.v1.0_e85d1776e3.exe
  • c:\windows\system32\ntdll.dll

PID: 6548
CMD: "C:\Users\admin\AppData\Local\Temp\Stormshot.PC.V1.0_e85d1776e3.exe"
Path: C:\Users\admin\AppData\Local\Temp\Stormshot.PC.V1.0_e85d1776e3.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
  • c:\users\admin\appdata\local\temp\stormshot.pc.v1.0_e85d1776e3.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll

PID: 7032
CMD: "C:\Program Files (x86)\FunPlus\Stormshot\Plugin\7z.21.07\7za.exe" x -aoa -bsp2 -bse1 -bso0 "C:/Program Files (x86)/FunPlus/Stormshot/download/ngame/st_global_4.10.100_9e0c9d2c7430dd02c50ffae3d615d044.7z" "-oC:/Program Files (x86)/FunPlus/Stormshot/nGame/4.10.100"
Path: C:\Program Files (x86)\FunPlus\Stormshot\Plugin\7z.21.07\7za.exe
Parent process: PC-Launcher.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Standalone Console
Version: 23.01
Modules (Images):
  • c:\program files (x86)\funplus\stormshot\plugin\7z.21.07\7za.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\aclayers.dll

PID: 7052
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 7za.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

Total events: 2 493
Read events: 2 483
Write events: 10
Delete events: 0

Modification events

(PID) Process: (3808) st_e85d1776e3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{304AB6C2-70F5-4A16-A5CA-2529CF4223E5}_is1
Operation: write
Name: DisplayIcon
Value: "C:\Program Files (x86)\FunPlus\Stormshot\Launcher.exe"

(PID) Process: (3808) st_e85d1776e3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{304AB6C2-70F5-4A16-A5CA-2529CF4223E5}_is1
Operation: write
Name: DisplayName
Value: Stormshot

(PID) Process: (3808) st_e85d1776e3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{304AB6C2-70F5-4A16-A5CA-2529CF4223E5}_is1
Operation: write
Name: DisplayVersion
Value: 1.0.0.96

(PID) Process: (3808) st_e85d1776e3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{304AB6C2-70F5-4A16-A5CA-2529CF4223E5}_is1
Operation: write
Name: Publisher
Value: FunPlus, Inc.

(PID) Process: (3808) st_e85d1776e3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{304AB6C2-70F5-4A16-A5CA-2529CF4223E5}_is1
Operation: write
Name: UninstallString
Value: "C:\Program Files (x86)\FunPlus\Stormshot\uninstall.exe"

(PID) Process: (3808) st_e85d1776e3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{304AB6C2-70F5-4A16-A5CA-2529CF4223E5}_is1
Operation: write
Name: InstallLocation
Value: "C:\Program Files (x86)\FunPlus\Stormshot"

(PID) Process: (3808) st_e85d1776e3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{304AB6C2-70F5-4A16-A5CA-2529CF4223E5}_is1
Operation: write
Name: EstimatedSize
Value: 149718

(PID) Process: (396) Launcher.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\funplus.st
Operation: write
Name: URL Protocol
Value: (empty)

(PID) Process: (4556) PC-Launcher.exe
Key: HKEY_CURRENT_USER\SOFTWARE\funplus.sdk
Operation: write
Name: orginuuid
Value: O6PJ0D8rJYvZNiGDY3q+tdgvKhT5BAgJxiA8xvLKrK4mAQKxSoLP6W1HkPKiMUyz

(PID) Process: (4556) PC-Launcher.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: st_global
Value: C:\Program Files (x86)\FunPlus\Stormshot\Launcher.exe

Executable files: 107
Suspicious files: 2 288
Text files: 102
Unknown types: 1

Dropped files

PID 6548, Stormshot.PC.V1.0_e85d1776e3.exe
  Filename: C:\Users\admin\AppData\Local\Temp\st_tmp.dl
  Type: -
  MD5: -
  SHA256: -

PID 6548, Stormshot.PC.V1.0_e85d1776e3.exe
  Filename: C:\Users\admin\AppData\Local\Temp\st_e85d1776e3.exe
  Type: -
  MD5: -
  SHA256: -

PID 3808, st_e85d1776e3.exe
  Filename: C:\Program Files (x86)\FunPlus\Stormshot\Plugin\7z.21.07\Far\far7z.txt
  Type: text
  MD5: E1FA666BC582130D4700A3FA7EA77A2B
  SHA256: 6F464CF2417FE86D88634A3BE72060B26B4CE695B9BF60E46B1D8FCE8835B2E5

PID 3808, st_e85d1776e3.exe
  Filename: C:\Program Files (x86)\FunPlus\Stormshot\1.0.0.96\QtQml\Models.2\qmldir
  Type: text
  MD5: C6D831AD43AFA82977D838183DE61CD2
  SHA256: 62F50F9B9AE3B9E6628DD2660B18D326C41794586E0D76B2E40F6FA4B182E0A7

PID 3808, st_e85d1776e3.exe
  Filename: C:\Program Files (x86)\FunPlus\Stormshot\1.0.0.96\QtQuick\Timeline\qmldir
  Type: text
  MD5: 8610059F5530F0E4B2111A2E1596DB94
  SHA256: 50E526690F8C397D9136436A1B44F1D93AE0363F5DABAB98481B8788E42ADD13

PID 3808, st_e85d1776e3.exe
  Filename: C:\Program Files (x86)\FunPlus\Stormshot\1.0.0.96\QtQml\RemoteObjects\qmldir
  Type: text
  MD5: A1EDA6630C96C80E8FA7E8D870DF7516
  SHA256: 46B7932B643C11FC40268BAEDC58004A70F1135C50CDE5D4BC2B7841864FBC12

PID 3808, st_e85d1776e3.exe
  Filename: C:\Program Files (x86)\FunPlus\Stormshot\config\icon.png
  Type: image
  MD5: F484B35957374F16D904FC7D9ECD14CD
  SHA256: 7A9184EF47BDF12A42D98818AD40478F3D66D75414BFFDE87050442CD764660F

PID 3808, st_e85d1776e3.exe
  Filename: C:\Program Files (x86)\FunPlus\Stormshot\Plugin\7z.21.07\history.txt
  Type: text
  MD5: 96478649BE7A03331E06C68EFC96AD0B
  SHA256: 0F2B7E92F11D34A9011083BB6D1715539CA6D64133A2271017B869CE129C0D18

PID 3808, st_e85d1776e3.exe
  Filename: C:\Program Files (x86)\FunPlus\Stormshot\1.0.0.96\QtQml\StateMachine\qmldir
  Type: text
  MD5: 48521EF985C2D6D22D0EFB27B732455D
  SHA256: 5344415B19287C163B3031BB07A2FCE8CC16F8D0715682BF803D497D0557F9DE

PID 3808, st_e85d1776e3.exe
  Filename: C:\Program Files (x86)\FunPlus\Stormshot\1.0.0.96\QtQml\WorkerScript.2\qmldir
  Type: text
  MD5: 71D7D495C303E56EC10F6D88F3791BA2
  SHA256: 3C41BB992D227AFC1C613A4FEDC127121C4BC9703F6398CAC9B08766FD3F63C9
HTTP(S) requests: 7
TCP/UDP connections: 50
DNS requests: 31
Threats: 0

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation (Type and Size were not recorded for any row; "-" marks a missing value).

PID: - | Process: - | GET 200 | IP: 23.48.23.143:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
PID: - | Process: - | GET 200 | IP: 184.30.21.171:80 | URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted
PID: 1176 | Process: svchost.exe | GET 200 | IP: 192.229.221.95:80 | URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | CN: unknown | Reputation: whitelisted
PID: 5064 | Process: SearchApp.exe | GET 200 | IP: 192.229.221.95:80 | URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | CN: unknown | Reputation: whitelisted
PID: 6348 | Process: backgroundTaskHost.exe | GET 200 | IP: 192.229.221.95:80 | URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | CN: unknown | Reputation: whitelisted
PID: 6512 | Process: SIHClient.exe | GET 200 | IP: 95.101.149.131:80 | URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | CN: unknown | Reputation: whitelisted
PID: 6512 | Process: SIHClient.exe | GET 200 | IP: 95.101.149.131:80 | URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | CN: unknown | Reputation: whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | unknown
3884 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown
- | - | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
5064 | SearchApp.exe | 104.126.37.123:443 | www.bing.com | Akamai International B.V. | DE | unknown
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown
6548 | Stormshot.PC.V1.0_e85d1776e3.exe | 52.42.171.242:443 | kg-logagent-st.kingsgroupgames.com | AMAZON-02 | US | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
unknown
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.176
  • 23.48.23.145
  • 23.48.23.159
  • 23.48.23.158
  • 23.48.23.141
  • 23.48.23.169
  • 23.48.23.166
  • 23.48.23.156
unknown
google.com
  • 172.217.16.142
unknown
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
unknown
www.bing.com
  • 104.126.37.123
  • 104.126.37.152
  • 104.126.37.128
  • 104.126.37.129
  • 104.126.37.184
  • 104.126.37.131
  • 104.126.37.176
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown
kg-logagent-st.kingsgroupgames.com
  • 52.42.171.242
  • 54.70.177.255
unknown
userplatform-download.akamaized.net
  • 2.16.10.167
  • 2.16.10.176
unknown
go.microsoft.com
  • 23.35.238.131
unknown
login.live.com
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.140
  • 40.126.32.133
  • 20.190.160.22
  • 40.126.32.136
  • 40.126.32.68
  • 40.126.32.138
unknown

Threats

No threats detected

Process | Message
st_e85d1776e3.exe | OnSize, nType=0 size=720,410
st_e85d1776e3.exe | OnSize, nType=0 size=720,410
PC-Launcher.exe | QCursor: Cannot create bitmap cursor; invalid bitmap(s)
PC-Launcher.exe | QLayout: Attempting to add QLayout "" to MainWindow "", which already has a layout