Analysis Report Everything-1.4.1.969.x64-Setup.exe

Overview

General Information

Sample Name: Everything-1.4.1.969.x64-Setup.exe
MD5: 1f9813ce529d72087a7ff9cb99fbdf8b
SHA1: 290ba48c2bed177bf286c9881a10efccb94879b9
SHA256: 015612db20d31ed42bbcbca0d94f362360a6bb61cde0c861814f2eda6abe636b

Detection

Score: 9
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample is a service DLL but no service has been registered
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample searches for specific files; try pointing organization-specific fake files at the analysis machine



Startup

  • System is w10x64
  • Everything-1.4.1.969.x64-Setup.exe (PID: 5496 cmdline: 'C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe' MD5: 1F9813CE529D72087A7FF9CB99FBDF8B)
    • Everything.exe (PID: 5876 cmdline: 'C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe' -install 'C:\Program Files\Everything' -install-options ' -app-data -disable-update-notification -install-run-on-system-startup -uninstall-service -enable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-quick-launch-shortcut -uninstall-url-protocol -install-efu-association -no-choose-volumes -language 1033' MD5: AF55D1839AAE5A604D94D9C7C3082141)
      • Everything.exe (PID: 5924 cmdline: 'C:\Program Files\Everything\Everything.exe' -app-data -disable-update-notification -install-run-on-system-startup -uninstall-service -enable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-quick-launch-shortcut -uninstall-url-protocol -install-efu-association -no-choose-volumes -language 1033 MD5: AF55D1839AAE5A604D94D9C7C3082141)
    • Everything.exe (PID: 6112 cmdline: C:\Program Files\Everything\Everything.exe MD5: AF55D1839AAE5A604D94D9C7C3082141)
  • cleanup
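The "Very long cmdline option found" signature refers to the -install-options value passed to Everything.exe (PID 5876) above. The following Python, added here as an example and not code from Joe Sandbox or voidtools, splits those command lines the way a Windows argument parser would and lists the switches that change persistence, privilege, services or shell registration. It assumes that Joe Sandbox renders double-quoted arguments with single quotes (so both quote characters are honoured) and that the note attached to each switch can be read from the switch name; the vendor's actual implementation of each switch is not documented on this page.

```python
"""
Parse the Everything.exe command lines from the Startup tree and list the
install switches a reviewer should look at. Added example for this report;
not Joe Sandbox or voidtools code.

Assumptions not stated on the page:
  * Joe Sandbox prints double-quoted Windows arguments with single quotes, so
    both ' and " are treated as quote characters here.
  * REVIEW_NOTES wording is derived from the switch names only.
"""

# Command lines copied from the Startup section (PIDs 5876 and 5924).
CMDLINE_5876 = (
    r"'C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe' "
    r"-install 'C:\Program Files\Everything' -install-options ' -app-data "
    r"-disable-update-notification -install-run-on-system-startup "
    r"-uninstall-service -enable-run-as-admin -uninstall-folder-context-menu "
    r"-install-start-menu-shortcuts -install-desktop-shortcut "
    r"-uninstall-quick-launch-shortcut -uninstall-url-protocol "
    r"-install-efu-association -no-choose-volumes -language 1033'"
)
CMDLINE_5924 = (
    r"'C:\Program Files\Everything\Everything.exe' -app-data "
    r"-disable-update-notification -install-run-on-system-startup "
    r"-uninstall-service -enable-run-as-admin -uninstall-folder-context-menu "
    r"-install-start-menu-shortcuts -install-desktop-shortcut "
    r"-uninstall-quick-launch-shortcut -uninstall-url-protocol "
    r"-install-efu-association -no-choose-volumes -language 1033"
)

# Switches that touch persistence, privilege, services or shell registration.
# Wording is an assumption read from the switch names, not vendor documentation.
REVIEW_NOTES = {
    "-install-run-on-system-startup": "persistence: application starts with the system",
    "-enable-run-as-admin": "privilege: application set up to run elevated",
    "-uninstall-service": "service: existing Everything service is removed",
    "-install-efu-association": "shell: .efu file type association registered",
    "-uninstall-url-protocol": "shell: URL protocol handler removed",
}


def split_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace outside quotes; quotes are stripped, backslashes
    are kept literally so Windows paths survive intact."""
    args, cur, quote, in_arg = [], [], None, False
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "'\"":
            quote, in_arg = ch, True
        elif ch.isspace():
            if in_arg:
                args.append("".join(cur))
                cur, in_arg = [], False
        else:
            cur.append(ch)
            in_arg = True
    if in_arg:
        args.append("".join(cur))
    return args


def parse_install_switches(cmdline: str) -> dict:
    """Return {"image", "install_dir", "switches": {name: value or True}}.
    A quoted -install-options value is itself a switch list and is expanded
    in place, so the installer-launched (5876) and re-launched (5924) forms
    parse to the same switch set."""
    args = split_cmdline(cmdline)
    flat, i = [], 1
    while i < len(args):
        if args[i] == "-install-options" and i + 1 < len(args):
            flat.extend(args[i + 1].split())
            i += 2
        else:
            flat.append(args[i])
            i += 1
    switches, i = {}, 0
    while i < len(flat):
        # A following token that is not itself a switch is this switch's value.
        if i + 1 < len(flat) and not flat[i + 1].startswith("-"):
            switches[flat[i]] = flat[i + 1]
            i += 2
        else:
            switches[flat[i]] = True
            i += 1
    install_dir = switches.get("-install")
    return {
        "image": args[0],
        "install_dir": install_dir if isinstance(install_dir, str) else None,
        "switches": switches,
    }


def review_switches(parsed: dict) -> dict:
    """Subset of REVIEW_NOTES for the switches actually present."""
    return {s: n for s, n in REVIEW_NOTES.items() if s in parsed["switches"]}


if __name__ == "__main__":
    for label, line in (("PID 5876", CMDLINE_5876), ("PID 5924", CMDLINE_5924)):
        parsed = parse_install_switches(line)
        print(label, parsed["image"], "install_dir =", parsed["install_dir"])
        for switch, note in review_switches(parsed).items():
            print("   ", switch, "->", note)
```

Both lines resolve to the same five switches of interest, which is the point of expanding -install-options: the long argument is not packed or encrypted, it is the switch list the installer hands to the re-launched copy. The PID 6112 line is rendered above without quotes around a path that contains a space, so it would need quoting before this tokenizer could read its image path.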

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Program Files\Everything\Everything.exe | File opened: z:
Source: C:\Program Files\Everything\Everything.exe | File opened: x:
Source: C:\Program Files\Everything\Everything.exe | File opened: v:
Source: C:\Program Files\Everything\Everything.exe | File opened: t:
Source: C:\Program Files\Everything\Everything.exe | File opened: r:
Source: C:\Program Files\Everything\Everything.exe | File opened: p:
Source: C:\Program Files\Everything\Everything.exe | File opened: n:
Source: C:\Program Files\Everything\Everything.exe | File opened: l:
Source: C:\Program Files\Everything\Everything.exe | File opened: j:
Source: C:\Program Files\Everything\Everything.exe | File opened: h:
Source: C:\Program Files\Everything\Everything.exe | File opened: f:
Source: C:\Program Files\Everything\Everything.exe | File opened: b:
Source: C:\Program Files\Everything\Everything.exe | File opened: y:
Source: C:\Program Files\Everything\Everything.exe | File opened: w:
Source: C:\Program Files\Everything\Everything.exe | File opened: u:
Source: C:\Program Files\Everything\Everything.exe | File opened: s:
Source: C:\Program Files\Everything\Everything.exe | File opened: q:
Source: C:\Program Files\Everything\Everything.exe | File opened: o:
Source: C:\Program Files\Everything\Everything.exe | File opened: m:
Source: C:\Program Files\Everything\Everything.exe | File opened: k:
Source: C:\Program Files\Everything\Everything.exe | File opened: i:
Source: C:\Program Files\Everything\Everything.exe | File opened: g:
Source: C:\Program Files\Everything\Everything.exe | File opened: e:
Source: C:\Program Files\Everything\Everything.exe | File opened: c:
Source: C:\Program Files\Everything\Everything.exe | File opened: a:
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4_2_000000014004E860 SetEvent,CloseHandle,UnregisterDeviceNotification (4_2_000000014004E860)
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe | Code function: 0_2_00406436 FindFirstFileW,FindClose (0_2_00406436)
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe | Code function: 0_2_00406DFC DeleteFileW,CloseHandle,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW (0_2_00406DFC)
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe | Code function: 0_2_00402E18 FindFirstFileW (0_2_00402E18)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4_2_00000001400D6470 FindFirstFileW (4_2_00000001400D6470)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4_2_00000001400D8DC0 PathIsRootW,GetFileAttributesExW,FindFirstFileW,FindClose (4_2_00000001400D8DC0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4_2_00000001400D8EE0 PathIsRootW,GetFileAttributesExW,FindFirstFileW,FindClose (4_2_00000001400D8EE0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 5_2_00000001400D8EE0 PathIsRootW,GetFileAttributesExW,FindFirstFileW,FindClose (5_2_00000001400D8EE0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 5_2_00000001400D6470 FindFirstFileW (5_2_00000001400D6470)
Source: C:\Program Files\Everything\Everything.exe | Code function: 5_2_00000001400D8DC0 PathIsRootW,GetFileAttributesExW,FindFirstFileW,FindClose (5_2_00000001400D8DC0)
Source: C:\Program Files\Everything\Everything.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Program Files\Everything\Everything.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Program Files\Everything\Everything.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Program Files\Everything\Everything.exe | File opened: C:\Users\user\AppData
Source: C:\Program Files\Everything\Everything.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Program Files\Everything\Everything.exe | File opened: C:\Users\user
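The drive-letter rows above are the evidence behind the "Checks for available system drives" signature. The Python below, added here as an example and not Joe Sandbox code, re-derives that finding from the rows: it groups file-open events by process, keeps only bare drive roots, and reports which letters were probed and which were skipped. The rows do not carry a PID, so 5924 is assumed (the C:\Program Files\Everything\Everything.exe instance launched with the install switches); the min_roots threshold is invented, since Joe Sandbox's own cut-off for this signature is not published on the page; the notepad.exe events are a constructed contrast case.

```python
"""
Re-derive the "Checks for available system drives" finding from the File
opened rows. Added example for this report; not Joe Sandbox code.

Assumptions not stated on the page:
  * PID 5924 is attached to the rows (the report does not print one).
  * min_roots=5 is an invented threshold.
  * The notepad.exe events are constructed, not from the report.
"""
import re
from collections import defaultdict

IMAGE = r"C:\Program Files\Everything\Everything.exe"

# Drive letters in exactly the order the report lists the File opened rows.
DRIVE_ROWS = "z x v t r p n l j h f b y w u s q o m k i g e c a".split()

# Constructed event list: (pid, image, path). The Everything.exe rows are the
# report's; the notepad.exe rows are a made-up process opening one drive root.
EVENTS = [(5924, IMAGE, f"{d}:") for d in DRIVE_ROWS] + [
    (5924, IMAGE, r"C:\Users\user\AppData\Roaming\Microsoft\Windows"),
    (5924, IMAGE, r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini"),
    (4242, r"C:\Windows\notepad.exe", "E:\\"),
    (4242, r"C:\Windows\notepad.exe", r"C:\Users\user\Desktop\notes.txt"),
]

ALPHABET = set("abcdefghijklmnopqrstuvwxyz")
# A bare drive root: one letter, a colon, at most one trailing backslash.
DRIVE_ROOT = re.compile(r"^([A-Za-z]):\\?$")


def drive_roots_by_pid(events):
    """pid -> set of lower-case drive letters whose root the process opened."""
    roots = defaultdict(set)
    for pid, _image, path in events:
        m = DRIVE_ROOT.match(path)
        if m:
            roots[pid].add(m.group(1).lower())
    return roots


def detect_drive_sweeps(events, min_roots=5):
    """Processes that opened at least min_roots distinct drive roots, with the
    letters probed, the letters skipped, and whether the probe covered most
    of the alphabet (20+ letters). The last flag is what separates "enumerate
    every drive" from "open the one drive the user picked"."""
    findings = {}
    for pid, letters in drive_roots_by_pid(events).items():
        if len(letters) >= min_roots:
            findings[pid] = {
                "probed": sorted(letters),
                "skipped": sorted(ALPHABET - letters),
                "full_sweep": len(letters) >= 20,
            }
    return findings


if __name__ == "__main__":
    for pid, f in detect_drive_sweeps(EVENTS).items():
        print(pid, "probed", len(f["probed"]), "drive roots; skipped:",
              f["skipped"], "; full sweep:", f["full_sweep"])
```

Run on the report's rows this flags only PID 5924, with 25 roots probed and d: the one letter never opened; the report does not say why. The signature is context-free: a file-search tool that indexes volumes is expected to touch every drive root, so the finding carries weight only when the process doing it has no such reason.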

Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then add rcx, 01h (4_2_000000014000B740)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r8] (4_2_0000000140012800)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r13+00000088h] (4_2_0000000140012800)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r15+08h] (4_2_00000001400AF920)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r15+30h] (4_2_00000001400AF920)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rdx, qword ptr [rbx] (4_2_000000014005D950)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then movsxd rdx, qword ptr [rbx+74h] (4_2_0000000140182950)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov r8d, 00000001h (4_2_000000014004D160)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov qword ptr [rcx], rdi (4_2_000000014001C190)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then test cl, cl (4_2_00000001400101F0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rax] (4_2_0000000140002A20)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then movzx eax, byte ptr [r8] (4_2_0000000140190A60)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov eax, r11d (4_2_000000014016AAA0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rcx, qword ptr [rax+00000408h] (4_2_0000000140010B10)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rbx] (4_2_000000014006D330)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov dword ptr [rax+18h], 00000001h (4_2_0000000140015B60)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov r8, rdi (4_2_0000000140015B60)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then add rbx, 01h (4_2_00000001400E8BC0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov r9d, esi (4_2_000000014016F3B0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rcx+10h] (4_2_00000001400293C0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then test al, al (4_2_0000000140009BE0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov eax, r9d (4_2_0000000140001C30)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r9] (4_2_0000000140062C50)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rdi+000000A8h] (4_2_0000000140062C50)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rcx, qword ptr [r8] (4_2_0000000140062C50)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then test al, al (4_2_0000000140044C50)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then test al, al (4_2_0000000140044C50)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rdx, qword ptr [rbp+00h] (4_2_000000014000CC50)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov ebx, ebp (4_2_0000000140005450)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov word ptr [r9+04h], r12w (4_2_000000014017D450)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov eax, edx (4_2_000000014017D450)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then movzx eax, byte ptr [rcx+rdi] (4_2_000000014017D450)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then xor edx, edx (4_2_00000001400E1C70)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rdx] (4_2_0000000140001470)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r14] (4_2_0000000140002C80)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov ecx, r9d (4_2_000000014017C4A0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then test r14d, r14d (4_2_000000014017C4A0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then movzx r8d, word ptr [r9] (4_2_00000001401744B0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then lea ecx, dword ptr [rdx+r9] (4_2_000000014017ECD0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then movzx eax, byte ptr [rsp+r8+000001D0h] (4_2_0000000140056D20)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then test al, al (4_2_0000000140044D70)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then test al, al (4_2_0000000140044D70)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then add rbx, 01h (4_2_0000000140189DA0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then movzx eax, byte ptr [rcx] (4_2_0000000140189DA0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rdx, qword ptr [rbx] (4_2_000000014006CE00)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then movzx eax, byte ptr [r9] (4_2_0000000140173610)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then test al, al (4_2_00000001400E4640)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rsi, qword ptr [r15] (4_2_000000014003D680)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rcx, rax (4_2_000000014001C680)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then movsxd r8, qword ptr [r10+74h] (4_2_000000014017F6C0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then movzx eax, byte ptr [r9+rdx] (4_2_00000001400CE6C0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then add rcx, 01h (4_2_00000001401746B0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rdx, qword ptr [r10] (4_2_00000001400B0EE0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r8] (4_2_00000001400B0EE0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then cmp rcx, 0000000000000100h (4_2_000000014001B700)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov qword ptr [rcx], rbx (4_2_000000014001B700)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rax] (4_2_000000014001B700)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov qword ptr [rcx], rdi (4_2_000000014001B700)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then test r10d, r10d (4_2_000000014000DF10)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rcx, qword ptr [rdi+20h] (4_2_000000014000872C)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+000002B8h] (4_2_0000000140028F40)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rdi] (4_2_000000014006D780)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+00000178h] (4_2_000000014000E790)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+000001C8h] (4_2_000000014000E790)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+00000218h] (4_2_000000014000E790)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+00000268h] (4_2_000000014000E790)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+00000150h] (4_2_000000014000E790)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+000001A0h] (4_2_000000014000E790)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+000001F0h] (4_2_000000014000E790)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+00000240h] (4_2_000000014000E790)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+00000290h] (4_2_000000014000E790)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+000002B8h] (4_2_000000014000E790)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then add rax, 01h (4_2_00000001400467B0)
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe | Code function: 4x nop then mov r9, qword ptr [r11+08h] (4_2_00000001400087C0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rdx, qword ptr [rbp+00h] (5_2_000000014000CC50)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then add rcx, 01h (5_2_000000014000B740)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r8] (5_2_0000000140012800)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r13+00000088h] (5_2_0000000140012800)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r15+08h] (5_2_00000001400AF920)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r15+30h] (5_2_00000001400AF920)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rdx, qword ptr [rbx] (5_2_000000014005D950)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then movsxd rdx, qword ptr [rbx+74h] (5_2_0000000140182950)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov r8d, 00000001h (5_2_000000014004D160)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov qword ptr [rcx], rdi (5_2_000000014001C190)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then test cl, cl (5_2_00000001400101F0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rax] (5_2_0000000140002A20)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then movzx eax, byte ptr [r8] (5_2_0000000140190A60)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov eax, r11d (5_2_000000014016AAA0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rcx, qword ptr [rax+00000408h] (5_2_0000000140010B10)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rbx] (5_2_000000014006D330)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov dword ptr [rax+18h], 00000001h (5_2_0000000140015B60)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov r8, rdi (5_2_0000000140015B60)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then add rbx, 01h (5_2_00000001400E8BC0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov r9d, esi (5_2_000000014016F3B0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rcx+10h] (5_2_00000001400293C0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then test al, al (5_2_0000000140009BE0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov eax, r9d (5_2_0000000140001C30)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r9] (5_2_0000000140062C50)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rdi+000000A8h] (5_2_0000000140062C50)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rcx, qword ptr [r8] (5_2_0000000140062C50)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then test al, al (5_2_0000000140044C50)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then test al, al (5_2_0000000140044C50)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov ebx, ebp (5_2_0000000140005450)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov word ptr [r9+04h], r12w (5_2_000000014017D450)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov eax, edx (5_2_000000014017D450)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then movzx eax, byte ptr [rcx+rdi] (5_2_000000014017D450)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then xor edx, edx (5_2_00000001400E1C70)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rdx] (5_2_0000000140001470)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r14] (5_2_0000000140002C80)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov ecx, r9d (5_2_000000014017C4A0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then test r14d, r14d (5_2_000000014017C4A0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then movzx r8d, word ptr [r9] (5_2_00000001401744B0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then lea ecx, dword ptr [rdx+r9] (5_2_000000014017ECD0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then movzx eax, byte ptr [rsp+r8+000001D0h] (5_2_0000000140056D20)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then test al, al (5_2_0000000140044D70)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then test al, al (5_2_0000000140044D70)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then add rbx, 01h (5_2_0000000140189DA0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then movzx eax, byte ptr [rcx] (5_2_0000000140189DA0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rdx, qword ptr [rbx] (5_2_000000014006CE00)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then movzx eax, byte ptr [r9] (5_2_0000000140173610)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then test al, al (5_2_00000001400E4640)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rsi, qword ptr [r15] (5_2_000000014003D680)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rcx, rax (5_2_000000014001C680)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then movsxd r8, qword ptr [r10+74h] (5_2_000000014017F6C0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then movzx eax, byte ptr [r9+rdx] (5_2_00000001400CE6C0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then add rcx, 01h (5_2_00000001401746B0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rdx, qword ptr [r10] (5_2_00000001400B0EE0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [r8] (5_2_00000001400B0EE0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then cmp rcx, 0000000000000100h (5_2_000000014001B700)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov qword ptr [rcx], rbx (5_2_000000014001B700)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rax] (5_2_000000014001B700)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov qword ptr [rcx], rdi (5_2_000000014001B700)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then test r10d, r10d (5_2_000000014000DF10)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rcx, qword ptr [rdi+20h] (5_2_000000014000872C)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+000002B8h] (5_2_0000000140028F40)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rdi] (5_2_000000014006D780)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+00000178h] (5_2_000000014000E790)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+000001C8h] (5_2_000000014000E790)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+00000218h] (5_2_000000014000E790)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+00000268h] (5_2_000000014000E790)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+00000150h] (5_2_000000014000E790)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+000001A0h] (5_2_000000014000E790)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+000001F0h] (5_2_000000014000E790)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+00000240h] (5_2_000000014000E790)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+00000290h] (5_2_000000014000E790)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov rax, qword ptr [rsi+000002B8h] (5_2_000000014000E790)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then add rax, 01h (5_2_00000001400467B0)
Source: C:\Program Files\Everything\Everything.exe | Code function: 4x nop then mov r9, qword ptr [r11+08h] (5_2_00000001400087C0)

Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://ocsp.digicert.com0N
Source: Everything-1.4.1.969.x64-Setup.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.535377291.000000000041F000.00000004.00020000.sdmp, Everything.exe, 00000004.00000003.489665746.0000000000565000.00000004.00000001.sdmp, Changes.txt.0.dr | String found in binary or memory: http://www.voidtools.com
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.541088506.0000000002942000.00000004.00000001.sdmp, Everything.exe, 00000004.00000003.489394069.0000000000574000.00000004.00000001.sdmp, Everything.exe, 00000005.00000002.502166493.00000001401AE000.00000002.00020000.sdmp, Everything.exe, 00000007.00000000.533770793.00000001401AE000.00000002.00020000.sdmp, nscCF8D.tmp.0.dr | String found in binary or memory: http://www.voidtools.com/
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.541088506.0000000002942000.00000004.00000001.sdmp, Everything.exe, 00000004.00000003.489394069.0000000000574000.00000004.00000001.sdmp, Everything.exe, 00000005.00000002.502166493.00000001401AE000.00000002.00020000.sdmp, Everything.exe, 00000007.00000000.533770793.00000001401AE000.00000002.00020000.sdmp, nscCF8D.tmp.0.dr | String found in binary or memory: http://www.voidtools.com/donate/
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.541088506.0000000002942000.00000004.00000001.sdmp, Everything.exe, 00000004.00000003.489394069.0000000000574000.00000004.00000001.sdmp, Everything.exe, 00000005.00000002.502166493.00000001401AE000.00000002.00020000.sdmp, Everything.exe, 00000007.00000000.533770793.00000001401AE000.00000002.00020000.sdmp, nscCF8D.tmp.0.dr | String found in binary or memory: http://www.voidtools.com/donate/Help
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.541088506.0000000002942000.00000004.00000001.sdmp, Everything.exe, 00000004.00000003.489394069.0000000000574000.00000004.00000001.sdmp, Everything.exe, 00000005.00000002.502166493.00000001401AE000.00000002.00020000.sdmp, Everything.exe, 00000007.00000000.533770793.00000001401AE000.00000002.00020000.sdmp, nscCF8D.tmp.0.dr | String found in binary or memory: http://www.voidtools.com/downloads/
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.541088506.0000000002942000.00000004.00000001.sdmp, Everything.exe, 00000004.00000003.489394069.0000000000574000.00000004.00000001.sdmp, Everything.exe, 00000005.00000002.502166493.00000001401AE000.00000002.00020000.sdmp, Everything.exe, 00000007.00000000.533770793.00000001401AE000.00000002.00020000.sdmp, nscCF8D.tmp.0.dr | String found in binary or memory: http://www.voidtools.com/downloads/#language
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.541088506.0000000002942000.00000004.00000001.sdmp, Everything.exe, 00000004.00000003.489394069.0000000000574000.00000004.00000001.sdmp, Everything.exe, 00000005.00000002.502166493.00000001401AE000.00000002.00020000.sdmp, Everything.exe, 00000007.00000000.533770793.00000001401AE000.00000002.00020000.sdmp, nscCF8D.tmp.0.dr | String found in binary or memory: http://www.voidtools.com/downloads/http://www.voidtools.com/downloads/#languagehttp://www.voidtools.
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.541088506.0000000002942000.00000004.00000001.sdmp, Everything.exe, 00000004.00000003.489394069.0000000000574000.00000004.00000001.sdmp, Everything.exe, 00000005.00000002.502166493.00000001401AE000.00000002.00020000.sdmp, Everything.exe, 00000007.00000000.533770793.00000001401AE000.00000002.00020000.sdmp, nscCF8D.tmp.0.dr | String found in binary or memory: http://www.voidtools.com/everything/beta-update.ini
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.541088506.0000000002942000.00000004.00000001.sdmp, Everything.exe, 00000004.00000003.489394069.0000000000574000.00000004.00000001.sdmp, Everything.exe, 00000005.00000002.502166493.00000001401AE000.00000002.00020000.sdmp, Everything.exe, 00000007.00000000.533770793.00000001401AE000.00000002.00020000.sdmp, nscCF8D.tmp.0.dr | String found in binary or memory: http://www.voidtools.com/everything/beta-update.iniupdate:
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.541088506.0000000002942000.00000004.00000001.sdmp, Everything.exe, 00000004.00000003.489394069.0000000000574000.00000004.00000001.sdmp, Everything.exe, 00000005.00000002.502166493.00000001401AE000.00000002.00020000.sdmp, Everything.exe, 00000007.00000000.533770793.00000001401AE000.00000002.00020000.sdmp, nscCF8D.tmp.0.dr | String found in binary or memory: http://www.voidtools.com/everything/update.ini
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.541088506.0000000002942000.00000004.00000001.sdmp, Everything.exe, 00000004.00000003.489394069.0000000000574000.00000004.00000001.sdmp, Everything.exe, 00000005.00000002.502166493.00000001401AE000.00000002.00020000.sdmp, Everything.exe, 00000007.00000000.533770793.00000001401AE000.00000002.00020000.sdmp, nscCF8D.tmp.0.drString found in binary or memory: http://www.voidtools.com/support/everything/
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.541088506.0000000002942000.00000004.00000001.sdmp, Everything.exe, 00000004.00000003.489394069.0000000000574000.00000004.00000001.sdmp, Everything.exe, 00000005.00000002.502166493.00000001401AE000.00000002.00020000.sdmp, Everything.exe, 00000007.00000000.533770793.00000001401AE000.00000002.00020000.sdmp, nscCF8D.tmp.0.drString found in binary or memory: http://www.voidtools.com/support/everything/http://www.voidtools.com/everything/update.iniwww.voidto
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.541088506.0000000002942000.00000004.00000001.sdmp, Everything.exe, 00000004.00000003.489394069.0000000000574000.00000004.00000001.sdmp, Everything.exe, 00000005.00000002.502166493.00000001401AE000.00000002.00020000.sdmp, Everything.exe, 00000007.00000000.533770793.00000001401AE000.00000002.00020000.sdmp, nscCF8D.tmp.0.drString found in binary or memory: http://www.voidtools.com/update.php)
Source: Everything-1.4.1.969.x64-Setup.exeString found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Code function: 0_2_0040522D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Code function: 0_2_00404605 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: Everything.exe, 00000007.00000003.563688440.0000000005FA5000.00000004.00000001.sdmp Binary or memory string: #_WinAPI_RegisterRawInputDevices.au3

Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_00000001400CE920 DeviceIoControl,GetLastError,GetLastError
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_00000001400EA340 OpenSCManagerW,OpenServiceW,ControlService,OpenServiceW,QueryServiceStatusEx,OpenProcess,TerminateProcess,CloseHandle,CloseServiceHandle,CloseServiceHandle,OpenServiceW,DeleteService,GetLastError,GetLastError,CloseServiceHandle,GetLastError,GetLastError,CloseServiceHandle,GetLastError
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Code function: 0_2_004039E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Code function: 0_2_0040761C
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Code function: 0_2_00407033
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Code function: 0_2_00404ADC
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_00000001400DE910
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_000000014000B740
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_0000000140012800
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_000000014005D950
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_0000000140032160
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_00000001400E49B0
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_000000014000B1B7
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_0000000140048A00
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_000000014001AA10
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_0000000140014270
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_000000014017D450
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_000000014006BCA0
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_000000014017ECD0
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_00000001400B0510
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_0000000140056D20
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_00000001401A8DB0
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_00000001400D1680
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_000000014003D680
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_00000001401746B0
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_00000001400146C0
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_000000014001B700
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_000000014017E720
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_000000014000E790
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_00000001400DE910
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_000000014000B740
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_0000000140012800
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_000000014005D950
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_0000000140032160
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_00000001400E49B0
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_000000014000B1B7
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_0000000140048A00
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_000000014001AA10
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_0000000140014270
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_000000014017D450
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_000000014006BCA0
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_000000014017ECD0
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_00000001400B0510
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_0000000140056D20
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_00000001401A8DB0
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_00000001400D1680
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_000000014003D680
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_00000001401746B0
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_00000001400146C0
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_000000014001B700
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_000000014017E720
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_000000014000E790
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Code function: String function: 00406404 appears 58 times
Source: C:\Program Files\Everything\Everything.exe Code function: String function: 00000001400B35E0 appears 272 times
Source: C:\Program Files\Everything\Everything.exe Code function: String function: 00000001401735A0 appears 50 times
Source: C:\Program Files\Everything\Everything.exe Code function: String function: 00000001400C86A0 appears 46 times
Source: C:\Program Files\Everything\Everything.exe Code function: String function: 0000000140010B10 appears 63 times
Source: C:\Program Files\Everything\Everything.exe Code function: String function: 00000001400B3610 appears 87 times
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: String function: 00000001400B35E0 appears 272 times
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: String function: 00000001401735A0 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: String function: 00000001400C86A0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: String function: 0000000140010B10 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: String function: 00000001400B3610 appears 87 times
Source: Everything-1.4.1.969.x64-Setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Everything-1.4.1.969.x64-Setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Everything-1.4.1.969.x64-Setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Everything.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Everything.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Everything.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.542554005.0000000003300000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Everything-1.4.1.969.x64-Setup.exe
Source: Everything-1.4.1.969.x64-Setup.exe, 00000000.00000002.541088506.0000000002942000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEverything.exe6 vs Everything-1.4.1.969.x64-Setup.exe
Source: nscCF8D.tmp.0.dr Binary string: \Device\HarddiskVolume
Source: nscCF8D.tmp.0.dr Binary string: \??\\Device\HarddiskVolumentfs volume create list %f seconds
Source: Everything.exe, 00000007.00000003.563688440.0000000005FA5000.00000004.00000001.sdmp Binary or memory string: AutoItX.slnx
Source: classification engine Classification label: clean9.winEXE@7/23@0/1
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Code function: 0_2_00404605 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_00000001400EA9E0 OpenSCManagerW,CreateServiceW,CloseServiceHandle,GetLastError,Sleep,CloseServiceHandle,OpenSCManagerW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_0000000140005A40 OpenSCManagerW,CreateServiceW,CloseServiceHandle,GetLastError,GetLastError,CloseServiceHandle,GetLastError
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_00000001400EA9E0 OpenSCManagerW,CreateServiceW,CloseServiceHandle,GetLastError,Sleep,CloseServiceHandle,OpenSCManagerW,GetLastError
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_0000000140005A40 OpenSCManagerW,CreateServiceW,CloseServiceHandle,GetLastError,GetLastError,CloseServiceHandle,GetLastError
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Code function: 0_2_004024FB CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_0000000140005810 OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_0000000140005680 StartServiceCtrlDispatcherW
Source: C:\Program Files\Everything\Everything.exe Code function: 5_2_0000000140005680 StartServiceCtrlDispatcherW
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe File created: C:\Program Files\Everything
Source: C:\Program Files\Everything\Everything.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Everything
Source: C:\Program Files\Everything\Everything.exe Mutant created: \Sessions\1\BaseNamedObjects\EVERYTHING_MUTEX
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe File created: C:\Users\user\AppData\Local\Temp\nscCF8C.tmp
Source: Everything-1.4.1.969.x64-Setup.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe File read: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe
Source: unknown Process created: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe 'C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe 'C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe' -install 'C:\Program Files\Everything' -install-options ' -app-data -disable-update-notification -install-run-on-system-startup -uninstall-service -enable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-quick-launch-shortcut -uninstall-url-protocol -install-efu-association -no-choose-volumes -language 1033'
Source: unknown Process created: C:\Program Files\Everything\Everything.exe 'C:\Program Files\Everything\Everything.exe' -app-data -disable-update-notification -install-run-on-system-startup -uninstall-service -enable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-quick-launch-shortcut -uninstall-url-protocol -install-efu-association -no-choose-volumes -language 1033
Source: unknown Process created: C:\Program Files\Everything\Everything.exe C:\Program Files\Everything\Everything.exe
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Process created: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe 'C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe' -install 'C:\Program Files\Everything' -install-options ' -app-data -disable-update-notification -install-run-on-system-startup -uninstall-service -enable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-quick-launch-shortcut -uninstall-url-protocol -install-efu-association -no-choose-volumes -language 1033'
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Process created: C:\Program Files\Everything\Everything.exe C:\Program Files\Everything\Everything.exe
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Process created: C:\Program Files\Everything\Everything.exe 'C:\Program Files\Everything\Everything.exe' -app-data -disable-update-notification -install-run-on-system-startup -uninstall-service -enable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-quick-launch-shortcut -uninstall-url-protocol -install-efu-association -no-choose-volumes -language 1033
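The Python helper below is an added example, not part of the Joe Sandbox report and not code from the Everything project. It parses "Code function" and "Process created" entries of the shape shown above and groups each function's Win32 API chain by behaviour, so the Service Control Manager calls (OpenSCManagerW, CreateServiceW, DeleteService, StartServiceW, StartServiceCtrlDispatcherW), the OpenProcess/TerminateProcess pair and the ExitWindowsEx call can be pulled out of the long run of unclassified function addresses, and the installer switches on the command lines can be sorted into enabled and disabled settings. The API category table and the -install-/-enable- versus -uninstall-/-disable- grouping are the example's own assumptions; the sample entries are copied from this report.

```python
"""Triage helper for sandbox 'Code function' / 'Process created' entries.

Added example: the API category table and the switch-prefix convention are
analyst assumptions, not part of the sandbox output or of Everything itself.
"""
import re
from dataclasses import dataclass, field

# Hypothetical mapping of Win32 APIs to coarse behaviours (analyst-defined).
API_CATEGORIES = {
    "service_control": {"OpenSCManagerW", "OpenServiceW", "CreateServiceW",
                        "StartServiceW", "ControlService", "DeleteService",
                        "StartServiceCtrlDispatcherW"},
    "process_termination": {"OpenProcess", "TerminateProcess"},
    "shutdown": {"ExitWindowsEx"},
    "clipboard": {"OpenClipboard", "EmptyClipboard", "SetClipboardData"},
    "driver_io": {"DeviceIoControl"},
    "key_state": {"GetAsyncKeyState"},
}

# Function ids in the report: <process>_<run>_<VA>, e.g. 0_2_0040522D (32-bit)
# or 4_2_00000001400EA340 (64-bit).
FUNC_ID_RE = re.compile(r"\b\d+_\d+_[0-9A-Fa-f]{8}(?:[0-9A-Fa-f]{8})?\b")
ENTRY_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*(?P<kind>Code function|Process created):\s*(?P<detail>.*)$")
# Installer switches such as -install-run-on-system-startup. The lookbehind
# stops '-Setup' inside 'x64-Setup.exe' from being read as a switch.
OPTION_RE = re.compile(r"(?<![\w\\.])-[a-z][a-z0-9-]*")


@dataclass
class CodeFunction:
    source: str
    func_id: str
    apis: list
    categories: set = field(default_factory=set)


def parse_code_function(source, detail):
    """Pull the function id and the comma-separated API chain out of one entry;
    the id may lead the chain or (as in some entries) trail it."""
    ids = FUNC_ID_RE.findall(detail)
    func_id = ids[0] if ids else "?"
    apis = [t for t in re.split(r"[,\s]+", FUNC_ID_RE.sub(" ", detail)) if t]
    cats = {c for c, names in API_CATEGORIES.items() if names & set(apis)}
    return CodeFunction(source, func_id, apis, cats)


def parse_report(lines):
    """Return (code functions, {installer switch: occurrences})."""
    functions, switches = [], {}
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        if m["kind"] == "Code function":
            functions.append(parse_code_function(m["src"], m["detail"]))
        else:
            for opt in OPTION_RE.findall(m["detail"]):
                switches[opt] = switches.get(opt, 0) + 1
    return functions, switches


def functions_with(functions, category):
    """Sorted ids of every function whose API chain touches `category`."""
    return sorted({f.func_id for f in functions if category in f.categories})


def install_switches(switches):
    """Split switches by the -install-/-enable- vs -uninstall-/-disable-
    naming seen on the command lines (an assumed convention, not documented here)."""
    enabled = sorted(s for s in switches if s.startswith(("-install-", "-enable-")))
    disabled = sorted(s for s in switches if s.startswith(("-uninstall-", "-disable-")))
    return enabled, disabled


# Constructed sample: entries copied from this report, trailing link text removed.
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: 4_2_00000001400EA340 OpenSCManagerW,OpenServiceW,ControlService,OpenServiceW,QueryServiceStatusEx,OpenProcess,TerminateProcess,CloseHandle,CloseServiceHandle,CloseServiceHandle,OpenServiceW,DeleteService,GetLastError
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Code function: OpenSCManagerW,CreateServiceW,CloseServiceHandle,GetLastError,Sleep,CloseServiceHandle,OpenSCManagerW,GetLastError,4_2_00000001400EA9E0
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Code function: 0_2_004039E3 EntryPoint,#17,SetErrorMode,OleInitialize,GetCommandLineW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Code function: 0_2_0040761C
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Process created: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe 'C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe' -install 'C:\Program Files\Everything' -install-options ' -app-data -disable-update-notification -install-run-on-system-startup -uninstall-service -enable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-quick-launch-shortcut -uninstall-url-protocol -install-efu-association -no-choose-volumes -language 1033'
""".strip().splitlines()

if __name__ == "__main__":
    funcs, sw = parse_report(SAMPLE)
    for f in funcs:
        print(f.func_id, sorted(f.categories))
    print(install_switches(sw))
```

Run as a script it prints each function id with its categories and the enabled/disabled switch lists. The string-only evidence in the report (the .au3 and AutoItX names found in process memory) is deliberately not fed into the category table: a string in a memory dump identifies no caller, so it is kept apart from the call-chain evidence rather than counted as if a function invoked the named API.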
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe File written: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\InstallOptions.ini
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Automated click: OK
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Automated click: I Agree
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Automated click: Next >
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Automated click: Next >
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Everything-1.4.1.969.x64-Setup.exe Window detected: I &Agree / Cancel / Everything 1.4.1.969 (x64) Setup / License Agreement / Please review the license terms before installing Everything. Press Page Down to see the rest of the agreement.
Everything
Copyright (c) 2020 David Carpenter
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Perl-Compatible Regular Expressions
Copyright (c) 1997-2012 University of Cambridge
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
If you accept the terms of the agreement, click I Agree to continue. You must accept the agreement to install Everything.
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Directory created: C:\Program Files\Everything
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Directory created: C:\Program Files\Everything\Everything.exe
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Directory created: C:\Program Files\Everything\Changes.txt
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Directory created: C:\Program Files\Everything\License.txt
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Directory created: C:\Program Files\Everything\Everything.lng
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Directory created: C:\Program Files\Everything\Uninstall.exe
Source: C:\Program Files\Everything\Everything.exe Directory created: C:\Program Files\Everything\Everything.ini.tmp
Source: C:\Users\user\AppData\Local\Temp\nscCF8E.tmp\Everything\Everything.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Everything