Analysis

  • max time kernel
    137s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/11/2024, 02:40

General

  • Target

    9eb87c0b29794234739b1fb08248b355eff2d7f73896186052c14894a49ab424.exe

  • Size

    83.2MB

  • MD5

    a157b97ebf2a03f99dbab4b3c5d5c58c

  • SHA1

    dd5d1d5a2dbf11695fb37c23a14f7fd2cdc86fa3

  • SHA256

    9eb87c0b29794234739b1fb08248b355eff2d7f73896186052c14894a49ab424

  • SHA512

    4574a88f2e7c5a94d15978fcebe8e26a7401fbe8aa724e304732bd5035705b5890b0a30c063c3131bfa57cd01942fe3cd07be6669a7cb5659ea355ccfa1cb760

  • SSDEEP

    1572864:cuSMmzLGvb7e7Qk/nTx+VloFnSejh2ceXktLRi6z7E005j9ES9m:clMmzE7e77/nTxSW8ejh2dXktLNz7E0j

Malware Config

Signatures

  • Modifies Windows Defender notification settings 3 TTPs 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9eb87c0b29794234739b1fb08248b355eff2d7f73896186052c14894a49ab424.exe
    "C:\Users\Admin\AppData\Local\Temp\9eb87c0b29794234739b1fb08248b355eff2d7f73896186052c14894a49ab424.exe"
    1⤵
    • Modifies Windows Defender notification settings
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:TEMP
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\SysWOW64\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\oek5070.tmp.vbs //B //Nologo //T:5
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:716
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gpmsc_externalDBMSleanup.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:4812
    • C:\Users\Admin\AppData\Local\Temp\ysm5890.tmp
      C:\Users\Admin\AppData\Local\Temp\ysm5890.tmp C:\Users\Admin\AppData\Local\Temp\nhx588F.tmp
      2⤵
      • Executes dropped EXE
      PID:5040
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /C "timeout 1 && del /Q /F a"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:3996

Network

        MITRE ATT&CK Enterprise v15


        Downloads
