Windows Analysis Report
Everything-1.4.1.1026.x86-Setup.exe

Overview

General Information

Sample name: Everything-1.4.1.1026.x86-Setup.exe
Analysis ID: 1543807
MD5: f81112d40609b97330688098222ef1fb
SHA1: 092f5b3f4f7b437923e4cbaf2dd12a6d793a32b0
SHA256: bbf249ab7d4ea4b17a56d2effcd0df563bf4d5cd4f6e00ebf5e74a74ca0034e2

Detection

Score: 20
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 48
Range: 0 - 100

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Very long cmdline option found; this is very uncommon (may be encrypted or packed)

Classification

Compliance

Source: Everything-1.4.1.1026.x86-Setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\License.txt
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe File created: C:\Program Files (x86)\Everything\License.txt
Source: Everything-1.4.1.1026.x86-Setup.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 162.211.80.236:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: Everything-1.4.1.1026.x86-Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: z:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: x:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: v:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: t:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: r:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: p:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: n:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: l:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: j:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: h:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: f:
Source: C:\Windows\System32\svchost.exe File opened: d:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: b:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: y:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: w:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: u:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: s:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: q:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: o:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: m:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: k:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: i:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: g:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: e:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: c:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: a:
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: C:\Users\user
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: C:\Users\user\AppData
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.voidtools.com
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: classification engine Classification label: sus20.evad.winEXE@16/26@1/9
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe File created: C:\Program Files (x86)\Everything
Source: C:\Program Files (x86)\Everything\Everything.exe File created: C:\Users\Public\Desktop\Everything.lnk
Source: C:\Program Files (x86)\Everything\Everything.exe Mutant created: \Sessions\1\BaseNamedObjects\EVERYTHING_MUTEX
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsu8BE6.tmp
Source: Everything-1.4.1.1026.x86-Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe File read: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe
Source: unknown Process created: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe "C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe"
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Process created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe "C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe" -install "C:\Program Files (x86)\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3"
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Process created: C:\Program Files (x86)\Everything\Everything.exe "C:\Program Files (x86)\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3
Source: unknown Process created: C:\Program Files (x86)\Everything\Everything.exe "C:\Program Files (x86)\Everything\Everything.exe" -svc
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Process created: C:\Program Files (x86)\Everything\Everything.exe "C:\Program Files (x86)\Everything\Everything.exe" -enable-update-notification -install-quick-launch-shortcut -no-choose-volumes -language 1036
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Process created: C:\Program Files (x86)\Everything\Everything.exe "C:\Program Files (x86)\Everything\Everything.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Section loaded: msls31.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: linkinfo.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: ntshrui.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: cscapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: linkinfo.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: ntshrui.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: cscapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: d3d11.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: dcomp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: dxgi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Everything\Everything.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe File written: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\InstallOptions.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Everything-1.4.1.1026.x86-Setup.exe Static PE information: certificate valid
Source: Everything-1.4.1.1026.x86-Setup.exe Static file information: File size 1816888 > 1048576
Source: Everything-1.4.1.1026.x86-Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe File created: C:\Program Files (x86)\Everything\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe File created: C:\Program Files (x86)\Everything\Everything.exe
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\License.txt
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe File created: C:\Program Files (x86)\Everything\License.txt
Source: C:\Program Files (x86)\Everything\Everything.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Everything.lnk
Source: C:\Program Files (x86)\Everything\Everything.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Everything
Source: C:\Program Files (x86)\Everything\Everything.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Everything
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Everything\Everything.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Dropped PE file which has not been started: C:\Program Files (x86)\Everything\Uninstall.exe
Source: C:\Windows\System32\svchost.exe TID: 6768 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: C:\Users\user
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Program Files (x86)\Everything\Everything.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Process created: C:\Program Files (x86)\Everything\Everything.exe "C:\Program Files (x86)\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Process created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe "c:\users\user\appdata\local\temp\nsp8c17.tmp\everything\everything.exe" -install "c:\program files (x86)\everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3"
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Process created: C:\Program Files (x86)\Everything\Everything.exe "c:\program files (x86)\everything\everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe Process created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe "c:\users\user\appdata\local\temp\nsp8c17.tmp\everything\everything.exe" -install "c:\program files (x86)\everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3"
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe Process created: C:\Program Files (x86)\Everything\Everything.exe "c:\program files (x86)\everything\everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Program Files (x86)\Everything\Everything.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Everything\Everything.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Everything\Everything.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Everything\Everything.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Everything\Everything.exe Queries volume information: C:\ VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'