Edit tour

Windows Analysis Report
Everything-1.4.1.1026.x86-Setup.exe

Overview

General Information

Sample name:	Everything-1.4.1.1026.x86-Setup.exe
Analysis ID:	1543807
MD5:	f81112d40609b97330688098222ef1fb
SHA1:	092f5b3f4f7b437923e4cbaf2dd12a6d793a32b0
SHA256:	bbf249ab7d4ea4b17a56d2effcd0df563bf4d5cd4f6e00ebf5e74a74ca0034e2
Infos:

Detection

Score:	20
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Compliance

Score:	48
Range:	0 - 100

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses 32bit PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64_ra

Everything-1.4.1.1026.x86-Setup.exe (PID: 736 cmdline: "C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe" MD5: F81112D40609B97330688098222EF1FB)

Everything.exe (PID: 6588 cmdline: "C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe" -install "C:\Program Files (x86)\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3" MD5: C665FA0AA5AFA3FB41C21AFE5884B4F1)

Everything.exe (PID: 6384 cmdline: "C:\Program Files (x86)\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3 MD5: C665FA0AA5AFA3FB41C21AFE5884B4F1)

Everything.exe (PID: 6820 cmdline: "C:\Program Files (x86)\Everything\Everything.exe" -enable-update-notification -install-quick-launch-shortcut -no-choose-volumes -language 1036 MD5: C665FA0AA5AFA3FB41C21AFE5884B4F1)

Everything.exe (PID: 6420 cmdline: "C:\Program Files (x86)\Everything\Everything.exe" MD5: C665FA0AA5AFA3FB41C21AFE5884B4F1)

svchost.exe (PID: 6864 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7096 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 7052 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 6188 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7144 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6500 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Everything.exe (PID: 7000 cmdline: "C:\Program Files (x86)\Everything\Everything.exe" -svc MD5: C665FA0AA5AFA3FB41C21AFE5884B4F1)

cleanup

Sigma Signatures

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\Everything\Everything.exe" -startup, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Everything\Everything.exe, ProcessId: 6384, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Everything

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6864, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Uses 32bit PE files

Source: Everything-1.4.1.1026.x86-Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Creates license or readme file

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\License.txt
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	File created: C:\Program Files (x86)\Everything\License.txt

PE / OLE file has a valid certificate

Source: Everything-1.4.1.1026.x86-Setup.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 162.211.80.236:443 -> 192.168.2.16:49705 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Everything-1.4.1.1026.x86-Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: z:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: x:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: v:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: t:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: r:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: p:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: n:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: l:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: j:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: h:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: f:
Source: C:\Windows\System32\svchost.exe	File opened: d:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: b:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: y:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: w:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: u:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: s:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: q:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: o:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: m:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: k:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: i:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: g:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: e:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: c:
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: a:

Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: C:\Users\user
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: C:\Users\user\AppData

Networking

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: www.voidtools.com

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 162.211.80.236:443 -> 192.168.2.16:49705 version: TLS 1.2

System Summary

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Uses 32bit PE files

Source: Everything-1.4.1.1026.x86-Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: sus20.evad.winEXE@16/26@1/9

Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe

File created: C:\Program Files (x86)\Everything

Source: C:\Program Files (x86)\Everything\Everything.exe

File created: C:\Users\Public\Desktop\Everything.lnk

Source: C:\Program Files (x86)\Everything\Everything.exe

Mutant created: \Sessions\1\BaseNamedObjects\EVERYTHING_MUTEX

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsu8BE6.tmp

Source: Everything-1.4.1.1026.x86-Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe

File read: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe

Source: unknown	Process created: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe "C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe"
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe "C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe" -install "C:\Program Files (x86)\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3"
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Process created: C:\Program Files (x86)\Everything\Everything.exe "C:\Program Files (x86)\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3
Source: unknown	Process created: C:\Program Files (x86)\Everything\Everything.exe "C:\Program Files (x86)\Everything\Everything.exe" -svc
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Process created: C:\Program Files (x86)\Everything\Everything.exe "C:\Program Files (x86)\Everything\Everything.exe" -enable-update-notification -install-quick-launch-shortcut -no-choose-volumes -language 1036
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Process created: C:\Program Files (x86)\Everything\Everything.exe "C:\Program Files (x86)\Everything\Everything.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe "C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe" -install "C:\Program Files (x86)\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3"
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Process created: C:\Program Files (x86)\Everything\Everything.exe "C:\Program Files (x86)\Everything\Everything.exe" -enable-update-notification -install-quick-launch-shortcut -no-choose-volumes -language 1036
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Process created: C:\Program Files (x86)\Everything\Everything.exe "C:\Program Files (x86)\Everything\Everything.exe"
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Process created: C:\Program Files (x86)\Everything\Everything.exe "C:\Program Files (x86)\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: linkinfo.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: ntshrui.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: cscapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: linkinfo.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: ntshrui.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: cscapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: dcomp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Everything\Everything.exe	Section loaded: ncryptsslp.dll

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe

File written: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\InstallOptions.ini

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE / OLE file has a valid certificate

Source: Everything-1.4.1.1026.x86-Setup.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: Everything-1.4.1.1026.x86-Setup.exe

Static file information: File size 1816888 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Everything-1.4.1.1026.x86-Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\LangDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	File created: C:\Program Files (x86)\Everything\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	File created: C:\Program Files (x86)\Everything\Everything.exe	Jump to dropped file

Creates license or readme file

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\License.txt
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	File created: C:\Program Files (x86)\Everything\License.txt

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Program Files (x86)\Everything\Everything.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Everything.lnk

Source: C:\Program Files (x86)\Everything\Everything.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Everything
Source: C:\Program Files (x86)\Everything\Everything.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Everything

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Everything\Everything.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\LangDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Everything\Uninstall.exe	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 6768

Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation

Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: C:\Users\user
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Program Files (x86)\Everything\Everything.exe	File opened: C:\Users\user\AppData

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe

Process created: C:\Program Files (x86)\Everything\Everything.exe "C:\Program Files (x86)\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe "c:\users\user\appdata\local\temp\nsp8c17.tmp\everything\everything.exe" -install "c:\program files (x86)\everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3"
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Process created: C:\Program Files (x86)\Everything\Everything.exe "c:\program files (x86)\everything\everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3
Source: C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe "c:\users\user\appdata\local\temp\nsp8c17.tmp\everything\everything.exe" -install "c:\program files (x86)\everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3"
Source: C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe	Process created: C:\Program Files (x86)\Everything\Everything.exe "c:\program files (x86)\everything\everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1036 -save-install-options 3

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Program Files (x86)\Everything\Everything.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Everything\Everything.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Everything\Everything.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Everything\Everything.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Everything\Everything.exe	Queries volume information: C:\ VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	11 Registry Run Keys / Startup Folder	11 Process Injection	12 Masquerading	OS Credential Dumping	3 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	11 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	3 Virtualization/Sandbox Evasion	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
Everything-1.4.1.1026.x86-Setup.exe	4%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\InstallOptions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\LangDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\System.dll	0%	ReversingLabs
C:\Program Files (x86)\Everything\Everything.exe	4%	ReversingLabs
C:\Program Files (x86)\Everything\Uninstall.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
voidtools.com	162.211.80.236	true	false		unknown
www.voidtools.com	unknown	unknown	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.211.80.236	voidtools.com	United States		63410	PRIVATESYSTEMSUS	false
184.28.90.27	unknown	United States		16625	AKAMAI-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543807
Start date and time:	2024-10-28 13:55:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Everything-1.4.1.1026.x86-Setup.exe
Detection:	SUS
Classification:	sus20.evad.winEXE@16/26@1/9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Everything-1.4.1.1026.x86-Setup.exe

Created / dropped Files

C:\Program Files (x86)\Everything\Changes.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	19634
Entropy (8bit):	4.6580306052133995
Encrypted:	false
SSDEEP:
MD5:	E3CC8979834C21DDCC26BD94599242F6
SHA1:	2045335DA8E3A5723547E0C728D3323ECFF2AA15
SHA-256:	9871A374B9E6B8660004450F2E735DDA01025D4CB51EAE0C296FEE3FC285D9DF
SHA-512:	F25E89F6CC99C06197889F60E1898AF4B1EA309AED9194E42FC5107B0101A195D795690F5EE5F98475A3FE252B839EB6367B154CA8686EB04D033B682002036B
Malicious:	false
Reputation:	unknown
Preview:	Thursday, 1 August 2024: Version 1.4.1.1026...updated louserzation.....Thursday, 1 August 2024: Version 1.4.1.1025...updated louserzation.....Friday, 26 May 2023: Version 1.4.1.1024...fixed a security issue with the HTTP server.....Wednesday, 10 May 2023: Version 1.4.1.1023...fixed a security issue with the HTTP server....fixed an issue with empty EFU items.....Monday, 10 October 2022: Version 1.4.1.1022...fixed a crash when loading a preview failed.....Monday, 3 October 2022: Version 1.4.1.1021...fixed a security issue with using an insecure http connection to check for updates....fixed an issue with preventing devices from being safely removed.....Thursday, 8 September 2022: Version 1.4.1.1020...updated louserzation....fixed a security issue with using an insecure http connection to open the download page.....Wednesday, 17 August 2022: Version 1.4.1.1018...fixed an issue with the MSI installer and removing previous versions.....Friday, 20 May 2022: Version 1.4.1.1017...updated louser

C:\Program Files (x86)\Everything\Everything.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1778192
Entropy (8bit):	6.725229016084223
Encrypted:	false
SSDEEP:
MD5:	C665FA0AA5AFA3FB41C21AFE5884B4F1
SHA1:	C79BDDBEA392247A4E88221F53C0E2E30368B614
SHA-256:	FB653FD840B0399CEA31986B49B5CEADD28FB739DD2403A8BB05051EEA5E5BBC
SHA-512:	743328D688E21F1E19605E82F1ABE1B451A4812108FBA7B3838B63404F9DD53A693839006CC5176DD070AB5F43DE94FA9CDEC47805A7E36B01042C9F6C9E4B7F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..U_.U_.U_.Z(_..U_.Z;_.U_..<_..U_).._..U_).._..U_.T_..U_.Z8_P.U_.Z)_.U_.Z-_.U_Rich.U_................PE..L....P.f..........................................@..........................@.......?....@.................................t...........................(...P.......................................z..@...............(............................text............................... ..`.rdata.............................@..@.data...,...........................@....rsrc...............p..............@..@.reloc..v....P......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Everything\Everything.ini (copy)

Download File

Process:	C:\Program Files (x86)\Everything\Everything.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	B2B308D8C164F75BC11BCCF7BAF3DF67
SHA1:	6F1E5561268B2DB5B46BB6F738C0F7A637FD6B6D
SHA-256:	F0969F438D2869641D8F76D5B9FD2B82C7232134A90972E96ABB3783D1E2FBE5
SHA-512:	5CB56D715D35A33E5BBC7E7DEB43E4F143E4193AE59282892FE72B82C66A21A62CEC85222A9879D5126479A59B9A5E715568F4BB62040A4C03B706F1EBDE9659
Malicious:	false
Reputation:	unknown
Preview:	; Please make sure Everything is not running before modifying this file...[Everything]..; settings stored in %APPDATA%\Everything\Everything.ini..app_data=1..run_as_admin=0..allow_http_server=1..allow_etp_server=1..

C:\Program Files (x86)\Everything\Everything.ini.tmp

Download File

Process:	C:\Program Files (x86)\Everything\Everything.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	215
Entropy (8bit):	4.8351120181527865
Encrypted:	false
SSDEEP:
MD5:	B2B308D8C164F75BC11BCCF7BAF3DF67
SHA1:	6F1E5561268B2DB5B46BB6F738C0F7A637FD6B6D
SHA-256:	F0969F438D2869641D8F76D5B9FD2B82C7232134A90972E96ABB3783D1E2FBE5
SHA-512:	5CB56D715D35A33E5BBC7E7DEB43E4F143E4193AE59282892FE72B82C66A21A62CEC85222A9879D5126479A59B9A5E715568F4BB62040A4C03B706F1EBDE9659
Malicious:	false
Reputation:	unknown
Preview:	; Please make sure Everything is not running before modifying this file...[Everything]..; settings stored in %APPDATA%\Everything\Everything.ini..app_data=1..run_as_admin=0..allow_http_server=1..allow_etp_server=1..

C:\Program Files (x86)\Everything\License.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (458)
Category:	dropped
Size (bytes):	1053
Entropy (8bit):	5.072025794212358
Encrypted:	false
SSDEEP:
MD5:	6486B25DAC2DC4CD259233B143EDC3EE
SHA1:	F9F56D68E5FEB5D015EB51B29509A5284DBE338C
SHA-256:	080841BA08FC8F8AB3E9049A46F0EA0B0A35A51264393FD1D9EADA1F98F283C6
SHA-512:	045A80049B274B0323CD0EE49A96D162D7A4F7B8F830598F8C35FC25E569671BCBC6AA6ACFB1467651B0F2B177AF21E300C1BFBA0C614BA669E7682FB98B5FCF
Malicious:	false
Reputation:	unknown
Preview:	.Copyright (C) 2024 voidtools..Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS"WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE S

C:\Program Files (x86)\Everything\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	140940
Entropy (8bit):	6.906520216537174
Encrypted:	false
SSDEEP:
MD5:	4C5F28025A2603F28F5DC07EB8B802A9
SHA1:	B10EEFA1319F7A0CD6ECCC5B6D6EFF52CC3DC78B
SHA-256:	1316A694538AD8C2333836CE0AB3A748B670CBAB394B4683A59219772F1F92EE
SHA-512:	8F670967CAE054C90F420DDF9A94CC6943C86680367F5CAF0D49016E01494E77518CCEDB31F1A37174B0FFFA176BD5E35A88ED87E2E1AF1FB75ECC31675D8B46
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*......@6............@.......................................@.........................................................(....(...........................................................................................text...vf.......h.................. ..`.rdata...............l..............@..@.data...x...........................@....ndata... ...............................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7946124158862874
Encrypted:	false
SSDEEP:
MD5:	E7F2CB7F85DE9746F73A7D9157C63C4B
SHA1:	0642F7FFB5349210C4B57F155D856E52BD2612B6
SHA-256:	7E312C79D01F64EF0EC97A06C6F6A3F5193E1297A02B5EB2C6224438ED6FA60E
SHA-512:	31903B1261EDF7BE7B42878C623FEF794A11D26428C563918FEA58F7B0CD84CD235F8F8F78051EF3450A93223FB23DB9B90A7C44157FA1E45867E24A287CD523
Malicious:	false
Reputation:	unknown
Preview:	..6.........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................d6d6.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08128996704538673
Encrypted:	false
SSDEEP:
MD5:	C486B673C12FE131CA68C534BD7DA44E
SHA1:	E4B4982A9E6C55D179AD098A4F33A4009A0289CA
SHA-256:	C40CD9075AA539FADE9AAF4A537D95F5A429A9C8418DDC961B600A7CC2800910
SHA-512:	0CC216FDEB5DF72B9CD4BC75F1362F705FE50188795E19FC9FDCADAD0FDF7977791A93D71192B527225F764AB5C9C1F3D042D2DE3BC9249E99B2E24BA767BE0E
Malicious:	false
Reputation:	unknown
Preview:	.........................................;...{...8...\|... ...{........... ...{... ...{..#.#.. ...{.\|................`?.!.8...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Everything.lnk

Download File

Process:	C:\Program Files (x86)\Everything\Everything.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Oct 28 11:56:48 2024, mtime=Mon Oct 28 11:56:48 2024, atime=Thu Aug 1 08:13:54 2024, length=1778192, window=hide
Category:	dropped
Size (bytes):	1116
Entropy (8bit):	4.647139576739267
Encrypted:	false
SSDEEP:
MD5:	611862C39A583D283125FE81792989C3
SHA1:	0A59900552D85E90671DC1540423E5A2E48EBF24
SHA-256:	60A36DFA8204DD05F0FAB9F4E6B8D4175A6D287D464F70075ABF54817DFE8229
SHA-512:	29B7ED1E0196968BFD921D0AD955D86C572A718AA6C5925A2AB699249B67ECCAFCF6F1F9A908BA158A15FA39400DCB83A9218D76C7FFB975D5B2BDCA837433AD
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... .....8)..#w..8)...u.!....."...........................P.O. .:i.....+00.../C:\.....................1.....\Y.g..PROGRA~2.........O.I\Y.g....................V.....%...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1.....\Y.g..EVERYT~1..F......\Y.g\Y.g..............................E.v.e.r.y.t.h.i.n.g.....j.2.."...Y.I .EVERYT~1.EXE..N......\Y.g\Y.g..............................E.v.e.r.y.t.h.i.n.g...e.x.e......._...............-.......^...........k.R......C:\Program Files (x86)\Everything\Everything.exe..<.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.E.v.e.r.y.t.h.i.n.g.\.E.v.e.r.y.t.h.i.n.g...e.x.e.!.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.E.v.e.r.y.t.h.i.n.g.........*................@Z\|...K.J.........`.......X.......571345...........hT..CrF.f4... ...............%..hT..CrF.f4... ...............%.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4

C:\Users\Public\Desktop\Everything.lnk

Download File

Process:	C:\Program Files (x86)\Everything\Everything.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Oct 28 11:56:48 2024, mtime=Mon Oct 28 11:56:48 2024, atime=Thu Aug 1 08:13:54 2024, length=1778192, window=hide
Category:	dropped
Size (bytes):	1104
Entropy (8bit):	4.650648289305253
Encrypted:	false
SSDEEP:
MD5:	74BED0C9D2354BF8744C77BC9C12C82A
SHA1:	ECD5F6646EEFAA1B11B9C43B590630ADB07BC065
SHA-256:	8C53E95E4AA3C89670E578AAC57F19061D9ACB5FF3969B4230FA2C78660CB23D
SHA-512:	75232794F15EEB9A18B0E476FED7F278AE13D0E0AA11986DA35565BA44323331B9AC906442AC989EE8C0D9DC6C0E127656F4FFF37D4607C658A1E329EE4B7A7D
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... .....8)..i...8)...u.!....."...........................P.O. .:i.....+00.../C:\.....................1.....\Y.g..PROGRA~2.........O.I\Y.g....................V.....%...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1.....\Y.g..EVERYT~1..F......\Y.g\Y.g..............................E.v.e.r.y.t.h.i.n.g.....j.2.."...Y.I .EVERYT~1.EXE..N......\Y.g\Y.g..............................E.v.e.r.y.t.h.i.n.g...e.x.e......._...............-.......^...........k.R......C:\Program Files (x86)\Everything\Everything.exe..6.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.E.v.e.r.y.t.h.i.n.g.\.E.v.e.r.y.t.h.i.n.g...e.x.e.!.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.E.v.e.r.y.t.h.i.n.g.........*................@Z\|...K.J.........`.......X.......571345...........hT..CrF.f4... ...............%..hT..CrF.f4... ...............%.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\update[1].ini

Download File

Process:	C:\Program Files (x86)\Everything\Everything.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	121
Entropy (8bit):	4.858000098850337
Encrypted:	false
SSDEEP:
MD5:	44C03DD62C01471FA39DD12C60630D24
SHA1:	39FA16CF4D3056AECA40B3685BF7BA9709CD2AB4
SHA-256:	431B90C3B738D1A6C3F47D660D30E0FE741A87EC187E67B4B9E005F1AFD8069B
SHA-512:	832545140544E2665176EF596AA4A1922D0DBBF7E4550B84A50B3B9037FD5C7B7697D76EC8491E1DF177CE4C6604633F4D779F420A3A55DF3E057CA12BB08EC3
Malicious:	false
Reputation:	unknown
Preview:	[Everything]..major=1..minor=4..revision=1..build=1024..message="Fixed a security issue with the optional HTTP server."..

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.lng

Download File

Process:	C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	958342
Entropy (8bit):	7.985485154693937
Encrypted:	false
SSDEEP:
MD5:	112F64226EE5A339BBE7AEFBD9E8DEBA
SHA1:	D9F73EAF2B60531CA155814D217A3B480C940B75
SHA-256:	D925B044BAA9AF9375B8918758A4CCF12B48C5DC7B4AABA8791B92E77E9233F1
SHA-512:	D349D1546B031BABB84450E66D2E92570441A07F5EF5D8CE843043E03F9050BEB160D6FD343EBF3B730A116070F7CA017CD268AB1BF20E0AB71F876542678A1E
Malicious:	false
Reputation:	unknown
Preview:	:.......BZh91AY&SY.'p...........s...k...............k.g.xN@..;ct..U<H..@.@.......@..........4.....LB.zh.............f.@.e=@..............T..mL.F&..dz.....M...2.C#i...C@......i...@..0..H...#..?J. h...h.CF...G...M.m5..2................M...P.B.R:.M.6....U.a.`a........1.~$........:.....dt..o.Ik.F..(.Q..q.P6@kl..Qk.(.@;(..t.j...s......5mI..J..5U!.?v.Y.Sf.........Y.DT..."Z..?..A....]gL..& ....[]0..........3..o..3..F.BX_>B.....`H.......d.......qD......Mh.........Q.."^.{(.YS.K\.?^. \|B_......2k..Bx4.n..IZ.OVm..y..% ..H......1.[.g..L.5..../.-4P.`.C.u@Kc?c.p....k...-J2.f...,...5........OXj....Y;....H@$..D....(Q].>.......f'...w................p. .w...X.....D.sg..].w.l..%y..L.f.ul..veK8..a.@:E....4."]..P.b.R.........<..?a.[+g.V.S. W)2`.H&.}x.....>B1..CfUS8%M.T....RD.%..J......z...X9..%...B...&.]h...T..{...!.r4.T.x.....I.\.L.:.mt..D~..as.:W[..".6@.L....(x.;E.f.....;..kG2.%..m..9P.a...RR.....t..x.AcTY5cLK..v.a.rOu......41.........}.l. u2.C...!U.q.....

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\InstallOptions.dll

Download File

Process:	C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.471852540236525
Encrypted:	false
SSDEEP:
MD5:	ECE25721125D55AA26CDFE019C871476
SHA1:	B87685AE482553823BF95E73E790DE48DC0C11BA
SHA-256:	C7FEF6457989D97FECC0616A69947927DA9D8C493F7905DC8475C748F044F3CF
SHA-512:	4E384735D03C943F5EB3396BB3A9CB42C9D8A5479FE2871DE5B8BC18DB4BBD6E2C5F8FD71B6840512A7249E12A1C63E0E760417E4BAA3DC30F51375588410480
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.px.q.+.q.+.q.+.q.+[q.+.~C+.q.+^R.+.q.+^R/+.q.+.w.+.q.+.Q.+.q.+Rich.q.+........PE..L....Oa...........!.........`.......+.......0............................................@..........................8......X1..................................X....................................................0..X............................text............................... ..`.rdata..G....0......."..............@..@.data...DL...@.......,..............@....rsrc................6..............@..@.reloc..x............8..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\InstallOptions.ini

Download File

Process:	C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	1724
Entropy (8bit):	3.577729151662332
Encrypted:	false
SSDEEP:
MD5:	147397AD15CB70DD26A91E7AC9EB7171
SHA1:	D1227E8383B61F592239E4A850ED89B1991AF124
SHA-256:	280C46560E1B9ED198898851495D4688762DDC203952951241EB35B1102A81EC
SHA-512:	EF57C08EB99C4AD69222F0335DEC418A9DE4E9F264CC22F9E59F6CF36543204A9656C44C21ED2C36CB3C6F7BBBFA1C132A7BA22ECA63BB3B539618FF38037748
Malicious:	false
Reputation:	unknown
Preview:	..[.S.e.t.t.i.n.g.s.].....N.u.m.F.i.e.l.d.s.=.9.....R.T.L.=.0.....S.t.a.t.e.=.0.........[.F.i.e.l.d. .1.].....T.y.p.e.=.G.r.o.u.p.B.o.x.....T.e.x.t.=.S.e.t.t.i.n.g.s. .a.n.d. .d.a.t.a. .l.o.c.a.t.i.o.n.....L.e.f.t.=.0.....R.i.g.h.t.=.-.1.....T.o.p.=.0.....B.o.t.t.o.m.=.3.9.....H.W.N.D.=.1.9.7.3.6.4.........[.F.i.e.l.d. .2.].....F.l.a.g.s.=.G.R.O.U.P.....T.y.p.e.=.R.a.d.i.o.B.u.t.t.o.n.....T.e.x.t.=.%.A.P.P.D.A.T.A.%.\.E.v.e.r.y.t.h.i.n.g.....S.t.a.t.e.=.1.....L.e.f.t.=.6.....R.i.g.h.t.=.-.6.....T.o.p.=.1.0.....B.o.t.t.o.m.=.2.3.....H.W.N.D.=.1.9.7.3.5.6.........[.F.i.e.l.d. .3.].....T.y.p.e.=.R.a.d.i.o.B.u.t.t.o.n.....T.e.x.t.=.I.n.s.t.a.l.l.a.t.i.o.n. .f.o.l.d.e.r.....S.t.a.t.e.=.0.....L.e.f.t.=.6.....R.i.g.h.t.=.-.6.....T.o.p.=.2.3.....B.o.t.t.o.m.=.3.6.....H.W.N.D.=.1.9.7.3.5.8.........[.F.i.e.l.d. .4.].....T.y.p.e.=.G.r.o.u.p.B.o.x.....T.e.x.t.=.N.T.F.S. .i.n.d.e.x.i.n.g.....L.e.f.t.=.0.....R.i.g.h.t.=.-.1.....T.o.p.=.4.5.....B.o.t.t.o.m.=.9.7.....H.W.N.D.=.1.9.7.3.5.2.........[.F.

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\InstallOptions2.ini

Download File

Process:	C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2302
Entropy (8bit):	3.5812189946280837
Encrypted:	false
SSDEEP:
MD5:	66812C8D56628B7A93D958F0ABF5EB15
SHA1:	16A9D1387C2E588447CBF547276F9F71D4FE128D
SHA-256:	D6C8A3EB204D76E04ECDB1FFB22DC7D4C84749B099E5C656636F4A1A1D8251F9
SHA-512:	5EBF72265291EEB429099D2FCA528F2CF552F7D3D491DE2DFEAD602D4C6B89FD62F5C1CD51941AB1B71361DF6B749E869076F710AFE03E88A5568BE119264FFF
Malicious:	false
Reputation:	unknown
Preview:	..[.S.e.t.t.i.n.g.s.].....N.u.m.F.i.e.l.d.s.=.9.....R.T.L.=.0.....S.t.a.t.e.=.0.........[.F.i.e.l.d. .1.].....T.y.p.e.=.C.h.e.c.k.B.o.x.....T.e.x.t.=.C.h.e.c.k. .f.o.r. .u.p.d.a.t.e.s. .o.n. .s.t.a.r.t.u.p.....S.t.a.t.e.=.1.....L.e.f.t.=.0.....R.i.g.h.t.=.-.1.....T.o.p.=.0.....B.o.t.t.o.m.=.1.3.....H.W.N.D.=.2.6.2.9.0.6.........[.F.i.e.l.d. .2.].....T.y.p.e.=.C.h.e.c.k.B.o.x.....T.e.x.t.=.S.t.a.r.t. .E.v.e.r.y.t.h.i.n.g. .o.n. .s.y.s.t.e.m. .s.t.a.r.t.u.p.....S.t.a.t.e.=.1.....L.e.f.t.=.0.....R.i.g.h.t.=.-.1.....T.o.p.=.1.3.....B.o.t.t.o.m.=.2.6.....H.W.N.D.=.2.6.2.9.1.2.........[.F.i.e.l.d. .3.].....T.y.p.e.=.C.h.e.c.k.B.o.x.....T.e.x.t.=.I.n.s.t.a.l.l. .f.o.l.d.e.r. .c.o.n.t.e.x.t. .m.e.n.u.s.....S.t.a.t.e.=.1.....L.e.f.t.=.0.....R.i.g.h.t.=.-.1.....T.o.p.=.2.6.....B.o.t.t.o.m.=.3.9.....H.W.N.D.=.2.6.2.9.1.0.........[.F.i.e.l.d. .4.].....T.y.p.e.=.C.h.e.c.k.B.o.x.....T.e.x.t.=.I.n.s.t.a.l.l. .S.t.a.r.t. .m.e.n.u. .s.h.o.r.t.c.u.t.s.....S.t.a.t.e.=.1.....L.e.f.t.=.0.....R.i.g.h.t.=.-.

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\LangDLL.dll

Download File

Process:	C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.81812520226775
Encrypted:	false
SSDEEP:
MD5:	68B287F4067BA013E34A1339AFDB1EA8
SHA1:	45AD585B3CC8E5A6AF7B68F5D8269C97992130B3
SHA-256:	18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026
SHA-512:	06C38BBB07FB55256F3CDC24E77B3C8F3214F25BFD140B521A39D167113BF307A7E8D24E445D510BC5E4E41D33C9173BB14E3F2A38BC29A0E3D08C1F0DCA4BDB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................>..........:..........Rich..........................PE..L....Oa...........!........."......?........ ...............................p............@.........................`"..I...\ ..P....P..`....................`....................................................... ..\............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\ioSpecial.ini

Download File

Process:	C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	1338
Entropy (8bit):	3.6888380779407575
Encrypted:	false
SSDEEP:
MD5:	3E240F2E0C1A1B484CD5B519BEA7E455
SHA1:	E522A8E0DEDD4FC3BDF70F3995A5C5656BBE6F0A
SHA-256:	34BDF03677F605B22B9A1BBCBF2ECDEC8259C29F0179ADB69091BB1A0295B38C
SHA-512:	41917CF1E86D9E98E60B946FC27367859C4B14061F2E7B2B1EEC369070DB18369F8958F5FCC565922A5661DB6FAA3643B0D18E0A0223DB5DB042D631D9616C70
Malicious:	false
Reputation:	unknown
Preview:	..[.S.e.t.t.i.n.g.s.].....R.e.c.t.=.1.0.4.4.....N.u.m.F.i.e.l.d.s.=.4.....R.T.L.=.0.....N.e.x.t.B.u.t.t.o.n.T.e.x.t.=.&.F.e.r.m.e.r.....S.t.a.t.e.=.0.....[.F.i.e.l.d. .1.].....T.y.p.e.=.b.i.t.m.a.p.....L.e.f.t.=.0.....R.i.g.h.t.=.1.0.9.....T.o.p.=.0.....B.o.t.t.o.m.=.1.9.3.....F.l.a.g.s.=.R.E.S.I.Z.E.T.O.F.I.T.....T.e.x.t.=.C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.n.s.p.8.C.1.7...t.m.p.\.m.o.d.e.r.n.-.w.i.z.a.r.d...b.m.p.....H.W.N.D.=.3.9.3.7.7.8.....[.F.i.e.l.d. .2.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.1.0.....B.o.t.t.o.m.=.3.8.....T.e.x.t.=.F.i.n. .d.e. .l.'.i.n.s.t.a.l.l.a.t.i.o.n. .d.e. .E.v.e.r.y.t.h.i.n.g.....H.W.N.D.=.7.2.1.3.1.0.....[.F.i.e.l.d. .3.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.4.5.....B.o.t.t.o.m.=.8.5.....T.e.x.t.=.E.v.e.r.y.t.h.i.n.g. .a. ...t... .i.n.s.t.a.l.l... .s.u.r. .v.o.t.r.e. .o.r.d.i.n.a.t.e.u.r...\.r.\.n.\.r.\.n.C.l.i.q.u.e.z. .s.u.r. .F.e.r.m.e.r. .

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\modern-wizard.bmp

Download File

Process:	C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
Category:	dropped
Size (bytes):	26494
Entropy (8bit):	1.9568109962493656
Encrypted:	false
SSDEEP:
MD5:	CBE40FD2B1EC96DAEDC65DA172D90022
SHA1:	366C216220AA4329DFF6C485FD0E9B0F4F0A7944
SHA-256:	3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
SHA-512:	62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
Malicious:	false
Reputation:	unknown
Preview:	BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

C:\Users\user\AppData\Local\Temp\nsu8BE7.tmp

Download File

Process:	C:\Users\user\Desktop\Everything-1.4.1.1026.x86-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	3306139
Entropy (8bit):	7.160244854308023
Encrypted:	false
SSDEEP:
MD5:	82DB8BB886FE2B7AC7166529AFEA62F2
SHA1:	D3FE3151877884C75642420CBAAB6C0E65FFDECF
SHA-256:	D5D3A0FA67895ABB8740A31497FFA5ADA1B9900CF48143E07E80ADB65E8296AD
SHA-512:	DAFE12A5700F4653C350C7C7AB378322433C411253CF1C853044D95C8A7926B03A28352ABAD628647586B2F8043D9AF44C9165BC6CB4B1D84722E4011524111D
Malicious:	false
Reputation:	unknown
Preview:	.......,................................X..'...........................................................>...................................................................................................................................................................................G...J...........*...f.......................U.......................................g.......................U.......................................................................................................................................................................j.......................U...............................................................................................................(...............U.......................................J...........T...8.......................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Everything\Everything.ini (copy)

Download File

Process:	C:\Program Files (x86)\Everything\Everything.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	A83E513876E6A57B4D9C0E3C78C6EEFC
SHA1:	232987E7D1EEE28E6DF10DF4F4B349758532C7F4
SHA-256:	5AFB6C41BA1DDB19A0110D42AAF2E164FDF2F444703A2E4E2E4642E8915FE326
SHA-512:	101C712CF3C5F1F85D999EB96D509C0F4FB65082ABAE583D010E70EBF4C22791AD17854B0544DED532F1C27FC99E972D4F6A94040EA055CF939AD513D88842CD
Malicious:	false
Reputation:	unknown
Preview:	; Please make sure Everything is not running before modifying this file...[Everything]..window_x=0..window_y=0..window_wide=0..window_high=0..maximized=0..minimized=0..fullscreen=0..ontop=0..bring_into_view=1..alpha=255..match_whole_word=0..match_path=0..match_case=0..match_diacritics=0..match_regex=0..view=0..thumbnail_size=64..thumbnail_fill=0..min_thumbnail_size=32..max_thumbnail_size=256..medium_thumbnail_size=64..large_thumbnail_size=128..extra_large_thumbnail_size=256..thumbnail_load_size=0..thumbnail_overlay_icon=1..shell_max_path=0..allow_multiple_windows=0..allow_multiple_instances=0..run_in_background=1..show_in_taskbar=1..show_tray_icon=1..minimize_to_tray=0..toggle_window_from_tray_icon=0..alternate_row_color=0..show_mouseover=0..check_for_updates_on_startup=1..beta_updates=0..show_highlighted_search_terms=1..text_size=0..hide_empty_search_results=0..clear_selection_on_search=1..show_focus_on_search=0..new_window_key=0..show_window_key=0..toggle_window_key=0..language=1036.

C:\Users\user\AppData\Roaming\Everything\Everything.ini.tmp

Download File

Process:	C:\Program Files (x86)\Everything\Everything.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	20568
Entropy (8bit):	4.711662203996934
Encrypted:	false
SSDEEP:
MD5:	A83E513876E6A57B4D9C0E3C78C6EEFC
SHA1:	232987E7D1EEE28E6DF10DF4F4B349758532C7F4
SHA-256:	5AFB6C41BA1DDB19A0110D42AAF2E164FDF2F444703A2E4E2E4642E8915FE326
SHA-512:	101C712CF3C5F1F85D999EB96D509C0F4FB65082ABAE583D010E70EBF4C22791AD17854B0544DED532F1C27FC99E972D4F6A94040EA055CF939AD513D88842CD
Malicious:	false
Reputation:	unknown
Preview:	; Please make sure Everything is not running before modifying this file...[Everything]..window_x=0..window_y=0..window_wide=0..window_high=0..maximized=0..minimized=0..fullscreen=0..ontop=0..bring_into_view=1..alpha=255..match_whole_word=0..match_path=0..match_case=0..match_diacritics=0..match_regex=0..view=0..thumbnail_size=64..thumbnail_fill=0..min_thumbnail_size=32..max_thumbnail_size=256..medium_thumbnail_size=64..large_thumbnail_size=128..extra_large_thumbnail_size=256..thumbnail_load_size=0..thumbnail_overlay_icon=1..shell_max_path=0..allow_multiple_windows=0..allow_multiple_instances=0..run_in_background=1..show_in_taskbar=1..show_tray_icon=1..minimize_to_tray=0..toggle_window_from_tray_icon=0..alternate_row_color=0..show_mouseover=0..check_for_updates_on_startup=1..beta_updates=0..show_highlighted_search_terms=1..text_size=0..hide_empty_search_results=0..clear_selection_on_search=1..show_focus_on_search=0..new_window_key=0..show_window_key=0..toggle_window_key=0..language=1036.

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Everything.lnk

Download File

Process:	C:\Program Files (x86)\Everything\Everything.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Oct 28 11:56:48 2024, mtime=Mon Oct 28 11:56:49 2024, atime=Thu Aug 1 08:13:54 2024, length=1778192, window=hide
Category:	dropped
Size (bytes):	1128
Entropy (8bit):	4.634741453035741
Encrypted:	false
SSDEEP:
MD5:	12F386330E456B0C78A640D1896E49CD
SHA1:	61EB6479648C6B139C2F0A048929BD4CEDADBDEC
SHA-256:	E3720ADFDBFF7D16D26CB217766BCAD4C6B1A318D88FC26DB6B6EBA5A5BE6CC4
SHA-512:	85EAEAABD7E763F003AB6D3B9819B37D4435116EF6B74515F68FC8C692AB0EC1DC34E2BC7C0D4E06480D0EC554FBDC25E708E5200A5BBF9A566812D2977A4553
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... .....8)..B.$.8)...u.!....."...........................P.O. .:i.....+00.../C:\.....................1.....\Y.g..PROGRA~2.........O.I\Y.g....................V.....%...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1.....\Y.g..EVERYT~1..F......\Y.g\Y.g..........................~;..E.v.e.r.y.t.h.i.n.g.....j.2.."...Y.I .EVERYT~1.EXE..N......\Y.g\Y.g..............................E.v.e.r.y.t.h.i.n.g...e.x.e......._...............-.......^...........k.R......C:\Program Files (x86)\Everything\Everything.exe..B.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.E.v.e.r.y.t.h.i.n.g.\.E.v.e.r.y.t.h.i.n.g...e.x.e.!.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.E.v.e.r.y.t.h.i.n.g.........*................@Z\|...K.J.........`.......X.......571345...........hT..CrF.f4... ...............%..hT..CrF.f4... ...............%.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.970305597547622
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Everything-1.4.1.1026.x86-Setup.exe
File size:	1'816'888 bytes
MD5:	f81112d40609b97330688098222ef1fb
SHA1:	092f5b3f4f7b437923e4cbaf2dd12a6d793a32b0
SHA256:	bbf249ab7d4ea4b17a56d2effcd0df563bf4d5cd4f6e00ebf5e74a74ca0034e2
SHA512:	86d6cc9d402764557c9011cd79f9d9feb3c57a3ec7717156a0dbb1a107f89bc33d7a4f61d7356c0fed8576ab1d44674e25772566b82e0ef219cf69011ebf872c
SSDEEP:	49152:O4pDO4v8RH5CuO6kqFIymNDELHVDJNs9Ix:O4cFRO65ILMh7
TLSH:	DE852329A340C763D0BA0278D6FE5623D5E1BC70102846D3771A7F7DBD562CBAE9E281
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....

File Icon


Icon Hash:	0e63e3e36b1d1a41

Static PE Info

General

Entrypoint:	0x403640
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	61259b55b8912888e90f516ca08dc514

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	21/12/2021 01:00:00 18/03/2025 00:59:59
Subject Chain	CN=voidtools, O=voidtools, L=Wilmington, S=South Australia, C=AU
Version:	3
Thumbprint MD5:	47600C2C2AC4F0D2BA87EC07595B844F
Thumbprint SHA-1:	4DA2AD938358643571084F75F21AFDDD15D4BAE9
Thumbprint SHA-256:	FC351CC1ED83511F34CDB83EFB574764799AA7BD6E025F5A66928213255E8589
Serial:	030FA09194B22DC51D006531C9C16104

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A230h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080C8h]
mov esi, dword ptr [004080CCh]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F42C8B683EAh
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F42C8B683BAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A318h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0xb488	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1b9128	0x2810
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6676	0x6800	6f5abe9eeda26ee84b3c1ed1a6c82001	False	0.6568134014423077	data	6.4174599871908855	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	8c5edfd8ff9cc0135e197611be38ca18	False	0.4498046875	data	5.141066817170598	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20378	0x600	4b2421975c21b032f7ea000f5e7f9fbf	False	0.509765625	data	4.110582127654237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x22000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4d000	0xb488	0xb600	6ecf3dcfb51323500f43f6cd356d91d7	False	0.26644059065934067	data	4.012965092772975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4dc28	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.15435684647302905
RT_ICON	0x501d0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.22443714821763602
RT_ICON	0x51278	0x1015	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9599222735001215
RT_ICON	0x52290	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.28975409836065574
RT_ICON	0x52c18	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.4693140794223827
RT_ICON	0x534c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	English	United States	0.538594470046083
RT_ICON	0x53b88	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5621387283236994
RT_ICON	0x540f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.375
RT_ICON	0x54558	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.2970430107526882
RT_ICON	0x54840	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 0	English	United States	0.38114754098360654
RT_ICON	0x54a28	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.4594594594594595
RT_DIALOG	0x54b50	0xb4	data	English	United States	0.6111111111111112
RT_DIALOG	0x54c08	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x54d28	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x54f30	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x55028	0xa0	data	English	United States	0.60625
RT_DIALOG	0x550c8	0xee	data	English	United States	0.6302521008403361
RT_DIALOG	0x551b8	0xb4	data	English	United States	0.6888888888888889
RT_DIALOG	0x55270	0x120	data	English	United States	0.5381944444444444
RT_DIALOG	0x55390	0x202	data	English	United States	0.42217898832684825
RT_DIALOG	0x55598	0xf8	data	English	United States	0.6653225806451613
RT_DIALOG	0x55690	0xa0	data	English	United States	0.68125
RT_DIALOG	0x55730	0xee	data	English	United States	0.6596638655462185
RT_DIALOG	0x55820	0xb4	data	English	United States	0.6888888888888889
RT_DIALOG	0x558d8	0x120	data	English	United States	0.5381944444444444
RT_DIALOG	0x559f8	0x202	data	English	United States	0.42217898832684825
RT_DIALOG	0x55c00	0xf8	data	English	United States	0.6653225806451613
RT_DIALOG	0x55cf8	0xa0	data	English	United States	0.68125
RT_DIALOG	0x55d98	0xee	data	English	United States	0.6596638655462185
RT_DIALOG	0x55e88	0xb4	data	English	United States	0.6888888888888889
RT_DIALOG	0x55f40	0x120	data	English	United States	0.5381944444444444
RT_DIALOG	0x56060	0x202	data	English	United States	0.42217898832684825
RT_DIALOG	0x56268	0xf8	data	English	United States	0.6653225806451613
RT_DIALOG	0x56360	0xa0	data	English	United States	0.68125
RT_DIALOG	0x56400	0xee	data	English	United States	0.6596638655462185
RT_DIALOG	0x564f0	0xac	data	English	United States	0.6337209302325582
RT_DIALOG	0x565a0	0x118	data	English	United States	0.5321428571428571
RT_DIALOG	0x566b8	0x1fa	data	English	United States	0.40118577075098816
RT_DIALOG	0x568b8	0xf0	data	English	United States	0.6666666666666666
RT_DIALOG	0x569a8	0x98	data	English	United States	0.625
RT_DIALOG	0x56a40	0xe6	data	English	United States	0.6652173913043479
RT_DIALOG	0x56b28	0xa0	data	English	United States	0.6
RT_DIALOG	0x56bc8	0x10c	data	English	United States	0.5111940298507462
RT_DIALOG	0x56cd8	0x1ee	data	English	United States	0.3866396761133603
RT_DIALOG	0x56ec8	0xe4	data	English	United States	0.6359649122807017
RT_DIALOG	0x56fb0	0x8c	data	English	United States	0.5857142857142857
RT_DIALOG	0x57040	0xda	data	English	United States	0.6467889908256881
RT_DIALOG	0x57120	0xa4	data	English	United States	0.6158536585365854
RT_DIALOG	0x571c8	0x110	data	English	United States	0.5183823529411765
RT_DIALOG	0x572d8	0x1f2	data	English	United States	0.39759036144578314
RT_DIALOG	0x574d0	0xe8	data	English	United States	0.6508620689655172
RT_DIALOG	0x575b8	0x90	data	English	United States	0.6041666666666666
RT_DIALOG	0x57648	0xde	data	English	United States	0.6621621621621622
RT_DIALOG	0x57728	0xa0	data	English	United States	0.60625
RT_DIALOG	0x577c8	0x10c	data	English	United States	0.5111940298507462
RT_DIALOG	0x578d8	0x1ee	data	English	United States	0.38866396761133604
RT_DIALOG	0x57ac8	0xe4	data	English	United States	0.6447368421052632
RT_DIALOG	0x57bb0	0x8c	data	English	United States	0.5928571428571429
RT_DIALOG	0x57c40	0xda	data	English	United States	0.6513761467889908
RT_GROUP_ICON	0x57d20	0xa0	data	English	United States	0.6375
RT_VERSION	0x57dc0	0x2a0	data	English	United States	0.4791666666666667
RT_MANIFEST	0x58060	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Everything-1.4.1.1026.x86-Setup.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Program Files (x86)\Everything\Changes.txt

C:\Program Files (x86)\Everything\Everything.exe

C:\Program Files (x86)\Everything\Everything.ini (copy)

C:\Program Files (x86)\Everything\Everything.ini.tmp

C:\Program Files (x86)\Everything\License.txt

C:\Program Files (x86)\Everything\Uninstall.exe

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Everything.lnk

C:\Users\Public\Desktop\Everything.lnk

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\update[1].ini

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\Everything\Everything.lng

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\InstallOptions.dll

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\InstallOptions.ini

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\InstallOptions2.ini

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\LangDLL.dll

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\ioSpecial.ini

C:\Users\user\AppData\Local\Temp\nsp8C17.tmp\modern-wizard.bmp

C:\Users\user\AppData\Local\Temp\nsu8BE7.tmp

C:\Users\user\AppData\Roaming\Everything\Everything.ini (copy)

C:\Users\user\AppData\Roaming\Everything\Everything.ini.tmp

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Everything.lnk

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
Everything-1.4.1.1026.x86-Setup.exe