xworm | f02af48dd4d4bf22ee95a261e7973392965f440ae0b5602223e94050f55cb6f5

Analysis

max time kernel
284s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NerestPCPrivate.rar
Size

3.0MB
MD5

93d9bdadb583296cf8b8bb957706b9c2
SHA1

ae56cd83e3017fead64b01df5fec0c6aeaa8bd33
SHA256

f02af48dd4d4bf22ee95a261e7973392965f440ae0b5602223e94050f55cb6f5
SHA512

f2e5d324a0448ce02f981169a82cfa429fdfe62b2f38ebe60874d7bfeea2a62cbd12c61dd02a47c4d96d014ae71579a05c22a68daccf12267c0f93abcbb28c89
SSDEEP

98304:cGzGzI7me0/ZChP6qU6OKt0lZ3Nw7dShl4:cGzyIgZChyqrtgWdShl4

Score

10^/10

xworm credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Userprofile%
install_file
svhost.exe
pastebin_url
https://pastebin.com/raw/wkqhHUws

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1780-68-0x00000000015A0000-0x00000000015AE000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023c5b-10.dat	family_xworm
behavioral1/memory/1780-13-0x0000000000C90000-0x0000000000CB0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4360	powershell.exe
4428	powershell.exe
888	powershell.exe
3620	powershell.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	NerestPCPrivate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	NerestPCPrivate.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	NerestPCPrivate.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	NerestPCPrivate.exe

Executes dropped EXE 1 IoCs

pid	Process
1780	NerestPCPrivate.exe

Loads dropped DLL 1 IoCs

pid	Process
1780	NerestPCPrivate.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\svhost.exe"	NerestPCPrivate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
35	pastebin.com
36	pastebin.com

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\	NerestPCPrivate.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2124	netsh.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3620	powershell.exe
3620	powershell.exe
3620	powershell.exe
4360	powershell.exe
4360	powershell.exe
4360	powershell.exe
4428	powershell.exe
4428	powershell.exe
4428	powershell.exe
888	powershell.exe
888	powershell.exe
888	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3496	7zFM.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	3496	7zFM.exe
Token: 35	3496	7zFM.exe
Token: SeSecurityPrivilege	3496	7zFM.exe
Token: SeDebugPrivilege	1780	NerestPCPrivate.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1780	NerestPCPrivate.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3496	7zFM.exe
3496	7zFM.exe
1780	NerestPCPrivate.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 3620	1780	NerestPCPrivate.exe	101
PID 1780 wrote to memory of 3620	1780	NerestPCPrivate.exe	101
PID 1780 wrote to memory of 4360	1780	NerestPCPrivate.exe	103
PID 1780 wrote to memory of 4360	1780	NerestPCPrivate.exe	103
PID 1780 wrote to memory of 4428	1780	NerestPCPrivate.exe	105
PID 1780 wrote to memory of 4428	1780	NerestPCPrivate.exe	105
PID 1780 wrote to memory of 888	1780	NerestPCPrivate.exe	107
PID 1780 wrote to memory of 888	1780	NerestPCPrivate.exe	107
PID 1780 wrote to memory of 1516	1780	NerestPCPrivate.exe	133
PID 1780 wrote to memory of 1516	1780	NerestPCPrivate.exe	133
PID 1516 wrote to memory of 2124	1516	cmd.exe	135
PID 1516 wrote to memory of 2124	1516	cmd.exe	135

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NerestPCPrivate.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2024

C:\Users\Admin\Desktop\NerestPCPrivate\NerestPCPrivate.exe
"C:\Users\Admin\Desktop\NerestPCPrivate\NerestPCPrivate.exe"
1⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\NerestPCPrivate\NerestPCPrivate.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NerestPCPrivate.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\SYSTEM32\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2124

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:4932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:3116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4372

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
1⤵
PID:1716

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1f8b23cd03fdfb5d4559ac10c445b89f

SHA1
cea378877687b1967095d5237e3c0111929f012d

SHA256
f1bb0869c1d26c4282aa06a4840a9ca86e9145c136af42bb85b6d2e77e684551

SHA512
3ffe559e174f4706d3e7681f0d88d53dfde5eef56ee5005ccf7b3036a5d6ba85e02fa4d0cb213d237afcb894d79fbe673b18f986f57db2904558f447e42fe550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSCUG8YT\microsoft.windows[1].xml

Filesize
96B

MD5
9fda726e3496741a806a82c51d7525c2

SHA1
328010ca7fc72de4d350df7808139196e7667b3b

SHA256
50fd79ed651f1583ba3243bf100b279f8f81eb86697f817c5cd6fd2f0c377e96

SHA512
b889c697a0adcedc93c7a3ac2c3ba8221040908e38a6dd5ef13b624cdcbf20c0c13b9b42e88235973fbec0dd702b9cdd59b13938f6c99eb273e565283f84fd8a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{41404643-bc75-4f74-9497-0213277a4eca}\0.0.filtertrie.intermediate.txt

Filesize
1KB

MD5
9913dee3ab28ad6ebd60b930d6ee8da3

SHA1
6e6327df9f85d9037d83a4f537f32541f46a1dbc

SHA256
3bfac338a56813338b62dba88261ff9b1aa7e505af5f7a50ab9960a35f6ed5e4

SHA512
e7dead4ccbd7468e7d3d1cc930be40bc5fa0a881b406318bd56346b27651c3a58611c086b369de641f058af5748fa02eb5e02b9f482ff2443d2fbf442c04188d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{41404643-bc75-4f74-9497-0213277a4eca}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{41404643-bc75-4f74-9497-0213277a4eca}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{41404643-bc75-4f74-9497-0213277a4eca}\Apps.ft

Filesize
2KB

MD5
ae92d8e34c6863d31010632e1472cd7e

SHA1
b6a286b8bc20d4b8fa1b29d234d71a89d696de9a

SHA256
ed6fdb649852ae050e65b42f4b2f0151f06aeb57f58aee36818fd6925ce1e217

SHA512
589e9ee259b2efe4cd4d94307075850274d324ba4232d2870ba4bf8fc570ad0b2d9b9ba1ea31f9aa81615b144c61418c6d09d6b24200a5d16b01eb36450e5eab

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{41404643-bc75-4f74-9497-0213277a4eca}\Apps.index

Filesize
881KB

MD5
832fb9cd22b122f6c9d68f9f4fcc3424

SHA1
d398a299d12f6aeb005c724d1abd62edebabbac3

SHA256
e439f475eb0b32c6dfc9fc485c979b3e15126b54995e2ff9719bc4aa1910339a

SHA512
ba9e934a0880d09c4675d012215001feb282beca68d6c9885caaaabb31d6d3ef32bfb0d48cc9132bb977eee64ade2245fba29c6d5878e9dc9d3c740268d47922

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1d807abd-1bab-432b-96e8-f3f5b7357c10}\apps.csg

Filesize
444B

MD5
5475132f1c603298967f332dc9ffb864

SHA1
4749174f29f34c7d75979c25f31d79774a49ea46

SHA256
0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

SHA512
54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1d807abd-1bab-432b-96e8-f3f5b7357c10}\apps.schema

Filesize
150B

MD5
1659677c45c49a78f33551da43494005

SHA1
ae588ef3c9ea7839be032ab4323e04bc260d9387

SHA256
5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

SHA512
740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1d807abd-1bab-432b-96e8-f3f5b7357c10}\appsconversions.txt

Filesize
1.4MB

MD5
2bef0e21ceb249ffb5f123c1e5bd0292

SHA1
86877a464a0739114e45242b9d427e368ebcc02c

SHA256
8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

SHA512
f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1d807abd-1bab-432b-96e8-f3f5b7357c10}\appsglobals.txt

Filesize
343KB

MD5
931b27b3ec2c5e9f29439fba87ec0dc9

SHA1
dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

SHA256
541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

SHA512
4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1d807abd-1bab-432b-96e8-f3f5b7357c10}\appssynonyms.txt

Filesize
237KB

MD5
06a69ad411292eca66697dc17898e653

SHA1
fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

SHA256
2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

SHA512
ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133854108090010438.txt

Filesize
2KB

MD5
ecaea544af9da1114077b951d8cb520d

SHA1
5820b2d71e7b2543cf1804eb91716c4e9f732fde

SHA256
9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6

SHA512
dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
268KB

MD5
55926318b0480cc794064c6ece46ad6f

SHA1
2981570f5445207a2191491325118ea39ac4187f

SHA256
d9ca3bda94ae1481ad92318cc0569ea86b4e8de8ea17ebb20a5caaf4dbd501c7

SHA512
792f46a1d669d70bec7345bbe79bcde3d8bd776c8811a4e2e0ecf7c6a8fe04ba1106b714e20a185f2b68aa985aead23c705932bd68b9d505dd2a4f406be5af79

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
1KB

MD5
df07f4059644291715884a4fd98db734

SHA1
9df6ced8ea9502aa089471e62c6cb04261696069

SHA256
592aed8c9df94acff78f834aec8d06e2e7fd2a7fffd587145536f64fe09db70c

SHA512
7fa719661643e16b19f51e6c41ae0f7150efc69db909f5db58779e8332f254ef046ee18a14bee4577e59ffc2839f9884174f84c022539fdbe9e1046122ef46fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
1KB

MD5
bac3d72faeaf446eb0dbb5e42441983c

SHA1
5cdfb3020987cc6d621f80875315b7f7f36bdc49

SHA256
30def20c9a2b41ddc587d5992501e754b10aff3a41030d7670b31988b1bbdc3d

SHA512
3e51879083420a467960a3bf1e0225014436dd0ba48c7f00ad884d0856b4b5f19afd71c146a5cbd207704b440f38ebb13990d69482f35dc19ecab14ad9a9390f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_azljjl1x.nay.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC05.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
C:\Users\Admin\Desktop\NerestPCPrivate\NerestPCPrivate.exe

Filesize
104KB

MD5
040fb6a261a4c66178ff169436a3d780

SHA1
8090327015df3e7661c941d0da8b32f4cff7348c

SHA256
134b3ed0f05b32204049a45ef427583c2e5d3db293e55f444045add110ebe8bc

SHA512
fb9525f29b9503b4e4dc088d8c7495171c5e74be1d93260f6016aeadf94f345ba2871edf45297116f106b63dc6c718a70bddba8d0eb39596db0073730f11e219

Download Submit
C:\Users\Admin\Desktop\NerestPCPrivate\bin\Adb.dll

Filesize
1.3MB

MD5
8818f197cf07662ecc70ae87d77464dd

SHA1
9c3dde439297509b67e56cd9568bd0628ec71d17

SHA256
e8f5a1c3c2f92d861fa868079f80a924be305dd0922a3c023485c9a1291c46fe

SHA512
f07700c7bf954a0f2617e7b3159355bac1f6530b4fcfe62628135f01be70945c8added3b50cab076cb76c0be4387a5b668f6bdc716073a044fff93afa2d01a26

Download Submit
C:\Users\Admin\Desktop\NerestPCPrivate\bin\AdbWinApi.dll

Filesize
105KB

MD5
73030f38c867f5a7bd6ee331203f3d7a

SHA1
3e71b43c9b25af29bb4b8f455c176c5e89404567

SHA256
9ffacedc41b2752075571e1a474ff50c5dcbe1f64db56db24aaec78aea1126df

SHA512
492988fc89ae61e3af4904c0f593fbc4703293a915901ff98824cdcc77a7ac695faee8e1da56c66e3e2591216234a609841fb2393ce1dd2aeb91014952c6a297

Download Submit
C:\Users\Admin\Desktop\NerestPCPrivate\bin\AdbWinUsbApi.dll

Filesize
71KB

MD5
f67d9ec28d19316754d7ecb0e990197d

SHA1
a82ba3ad1a0749dd91eaac34dced3622d10dba54

SHA256
13918fdab0c3ac77d077453a6036247cfeca10910aec845f188c41148c630bb2

SHA512
abd80e386ce282bbb4727c7bd795d7bb0046fecfe65b005c98609f18b341606166187e951a5beacb5112726eab28bf9b75b383cb55ca9d0303b286389fd25022

Download Submit
C:\Users\Admin\Desktop\NerestPCPrivate\bin\adb.exe

Filesize
5.6MB

MD5
f1f479bba21298e758fc22d8d98f8e48

SHA1
2f7ef0bf7a9ca33da621ba29794ae9c8c95c0bca

SHA256
705ddc21f33ac52105d1b075b019962ad0e44fb3d560bde69ce8cb3a36bca183

SHA512
3b491cd07e1e05e14fcec13956e8c023a4f2bbcb9459f3965868a00e33bc4d7e258ac645da9f1b5ca6f9d9a757b879d696ab95800a03240b37aa42265d4e914f

Download Submit
memory/1780-65-0x00007FFD4A7B3000-0x00007FFD4A7B5000-memory.dmp

Filesize
8KB

Download
memory/1780-80-0x0000000020280000-0x00000000207A8000-memory.dmp

Filesize
5.2MB

Download
memory/1780-79-0x000000001D5C0000-0x000000001D670000-memory.dmp

Filesize
704KB

Download
memory/1780-78-0x00000000014F0000-0x00000000014FA000-memory.dmp

Filesize
40KB

Download
memory/1780-72-0x000000001D2F0000-0x000000001D32A000-memory.dmp

Filesize
232KB

Download
memory/1780-71-0x000000001DAC0000-0x000000001DE10000-memory.dmp

Filesize
3.3MB

Download
memory/1780-70-0x0000000001510000-0x000000000151E000-memory.dmp

Filesize
56KB

Download
memory/1780-68-0x00000000015A0000-0x00000000015AE000-memory.dmp

Filesize
56KB

Download
memory/1780-67-0x000000001B9D0000-0x000000001B9DC000-memory.dmp

Filesize
48KB

Download
memory/1780-66-0x00007FFD4A7B0000-0x00007FFD4B271000-memory.dmp

Filesize
10.8MB

Download
memory/1780-64-0x00007FFD4A7B0000-0x00007FFD4B271000-memory.dmp

Filesize
10.8MB

Download
memory/1780-13-0x0000000000C90000-0x0000000000CB0000-memory.dmp

Filesize
128KB

Download
memory/1780-12-0x00007FFD4A7B3000-0x00007FFD4A7B5000-memory.dmp

Filesize
8KB

Download
memory/3116-135-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-131-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-141-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-140-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-142-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-143-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-145-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-144-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-146-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-147-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-148-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-149-0x0000025CDE020000-0x0000025CDE021000-memory.dmp

Filesize
4KB

Download
memory/3116-150-0x0000025CDE020000-0x0000025CDE021000-memory.dmp

Filesize
4KB

Download
memory/3116-151-0x0000025CDE130000-0x0000025CDE131000-memory.dmp

Filesize
4KB

Download
memory/3116-153-0x0000025CDE080000-0x0000025CDE081000-memory.dmp

Filesize
4KB

Download
memory/3116-152-0x0000025CDE080000-0x0000025CDE081000-memory.dmp

Filesize
4KB

Download
memory/3116-88-0x0000025CD5B70000-0x0000025CD5B80000-memory.dmp

Filesize
64KB

Download
memory/3116-104-0x0000025CD5C70000-0x0000025CD5C80000-memory.dmp

Filesize
64KB

Download
memory/3116-138-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-139-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-136-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-134-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-133-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-132-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-130-0x0000025CDDFF0000-0x0000025CDDFF1000-memory.dmp

Filesize
4KB

Download
memory/3116-137-0x0000025CDE010000-0x0000025CDE011000-memory.dmp

Filesize
4KB

Download
memory/3116-129-0x0000025CDDFF0000-0x0000025CDDFF1000-memory.dmp

Filesize
4KB

Download
memory/3116-127-0x0000025CDDFE0000-0x0000025CDDFE1000-memory.dmp

Filesize
4KB

Download
memory/3116-128-0x0000025CDDFF0000-0x0000025CDDFF1000-memory.dmp

Filesize
4KB

Download
memory/3116-125-0x0000025CDDFE0000-0x0000025CDDFE1000-memory.dmp

Filesize
4KB

Download
memory/3116-123-0x0000025CDDEA0000-0x0000025CDDEA1000-memory.dmp

Filesize
4KB

Download
memory/3620-23-0x000001D619EC0000-0x000001D619EE2000-memory.dmp

Filesize
136KB

Download
memory/4372-155-0x0000025F84170000-0x0000025F84270000-memory.dmp

Filesize
1024KB

Download