Malware Analysis Report

2024-09-11 09:56

Sample ID 240613-13qe3sscnc
Target Everything.exe
SHA256 0a2133ba10356f511c288dbd5e8f735b435f4e6c22e4faad8d168563a169f5a9
Tags
xworm discovery execution persistence rat trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

0a2133ba10356f511c288dbd5e8f735b435f4e6c22e4faad8d168563a169f5a9

Threat Level: Known bad

The file Everything.exe was found to be: Known bad.

Malicious Activity Summary

xworm discovery execution persistence rat trojan

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Drops startup file

Checks installed software on the system

Looks up external IP address via web service

Enumerates connected drives

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:10

Reported

2024-06-13 22:11

Platform

win11-20240508-en

Max time kernel

42s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Everything.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\Everything .exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\Everything .exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Everything .exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Everything = "\"C:\\Program Files (x86)\\Everything\\Everything.exe\" -startup" | C:\Program Files (x86)\Everything\Everything.exe | N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\R: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\Z: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\G: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\H: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\J: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\U: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\W: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\X: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\A: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\P: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\T: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\B: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\Q: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\L: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\M: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\N: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\O: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\S: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\E: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\I: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\K: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\V: | C:\Program Files (x86)\Everything\Everything.exe | N/A
File opened (read-only) | \??\Y: | C:\Program Files (x86)\Everything\Everything.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Everything\Everything.exe | C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe | N/A
File opened for modification | C:\Program Files (x86)\Everything\Everything.exe | C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe | N/A
File created | C:\Program Files (x86)\Everything\Changes.txt | C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe | N/A
File created | C:\Program Files (x86)\Everything\License.txt | C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe | N/A
File created | C:\Program Files (x86)\Everything\Everything.lng | C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe | N/A
File created | C:\Program Files (x86)\Everything\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe | N/A
File created | C:\Program Files (x86)\Everything\Everything.ini.tmp | C:\Program Files (x86)\Everything\Everything.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Search Everything...\command\ = "\"C:\\Program Files (x86)\\Everything\\Everything.exe\" -path \"%1\"" | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\Search Everything...\command | C:\Program Files (x86)\Everything\Everything.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.efu\Content Type = "text/plain" | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory | C:\Program Files (x86)\Everything\Everything.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\Search Everything...\command\ = "\"C:\\Program Files (x86)\\Everything\\Everything.exe\" -path \"%V\"" | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList | C:\Program Files (x86)\Everything\Everything.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open\command\ = "\"C:\\Program Files (x86)\\Everything\\Everything.exe\" \"%1\"" | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\Search Everything... | C:\Program Files (x86)\Everything\Everything.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ES\shell\open\command\ = "\"C:\\Program Files (x86)\\Everything\\Everything.exe\" -url \"%1\"" | C:\Program Files (x86)\Everything\Everything.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.efu\ = "Everything.FileList" | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Search Everything... | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ES\shell | C:\Program Files (x86)\Everything\Everything.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.efu\PerceivedType = "text" | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit\command | C:\Program Files (x86)\Everything\Everything.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit\command\ = "\"C:\\Program Files (x86)\\Everything\\Everything.exe\" -edit \"%1\"" | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ES | C:\Program Files (x86)\Everything\Everything.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ES\URL Protocol | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ES\shell\open | C:\Program Files (x86)\Everything\Everything.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\ = "Everything File List" | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open\command | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\Search Everything... | C:\Program Files (x86)\Everything\Everything.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\DefaultIcon\ = "C:\\Program Files (x86)\\Everything\\Everything.exe, 1" | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Search Everything...\command | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\Search Everything...\command | C:\Program Files (x86)\Everything\Everything.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\Search Everything...\Icon = "C:\\Program Files (x86)\\Everything\\Everything.exe,0" | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ES\shell\open\command | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.efu | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell | C:\Program Files (x86)\Everything\Everything.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Search Everything...\Icon = "C:\\Program Files (x86)\\Everything\\Everything.exe,0" | C:\Program Files (x86)\Everything\Everything.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ES\ = "URL:Everything Search Protocol" | C:\Program Files (x86)\Everything\Everything.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\DefaultIcon | C:\Program Files (x86)\Everything\Everything.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Everything .exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Everything .exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Everything\Everything.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Everything\Everything.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Everything .exe | N/A
N/A | N/A | C:\Program Files (x86)\Everything\Everything.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4760 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything.exe | C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe
PID 4760 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything.exe | C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe
PID 4760 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything.exe | C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe
PID 4760 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything.exe | C:\Users\Admin\AppData\Local\Temp\Everything .exe
PID 4760 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything.exe | C:\Users\Admin\AppData\Local\Temp\Everything .exe
PID 1892 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything .exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything .exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything .exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything .exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything .exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything .exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 3780 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything .exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 3780 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything .exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 4156 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything .exe | C:\Windows\System32\schtasks.exe
PID 1892 wrote to memory of 4156 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything .exe | C:\Windows\System32\schtasks.exe
PID 2608 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe | C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe
PID 2608 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe | C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe
PID 2608 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe | C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe
PID 964 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe | C:\Program Files (x86)\Everything\Everything.exe
PID 964 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe | C:\Program Files (x86)\Everything\Everything.exe
PID 964 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe | C:\Program Files (x86)\Everything\Everything.exe
PID 2608 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe | C:\Program Files (x86)\Everything\Everything.exe
PID 2608 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe | C:\Program Files (x86)\Everything\Everything.exe
PID 2608 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe | C:\Program Files (x86)\Everything\Everything.exe
PID 2608 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe | C:\Program Files (x86)\Everything\Everything.exe
PID 2608 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe | C:\Program Files (x86)\Everything\Everything.exe
PID 2608 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe | C:\Program Files (x86)\Everything\Everything.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Everything.exe

"C:\Users\Admin\AppData\Local\Temp\Everything.exe"

C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Everything .exe

"C:\Users\Admin\AppData\Local\Temp\Everything .exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Everything .exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Everything .exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe

"C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe" -install "C:\Program Files (x86)\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1033 -save-install-options 3"

C:\Program Files (x86)\Everything\Everything.exe

"C:\Program Files (x86)\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -install-url-protocol -install-efu-association -install-language 1033 -save-install-options 3

C:\Program Files (x86)\Everything\Everything.exe

"C:\Program Files (x86)\Everything\Everything.exe" -svc

C:\Program Files (x86)\Everything\Everything.exe

"C:\Program Files (x86)\Everything\Everything.exe" -enable-update-notification -install-quick-launch-shortcut -no-choose-volumes -language 1033

C:\Program Files (x86)\Everything\Everything.exe

"C:\Program Files (x86)\Everything\Everything.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 8.8.8.8:53 | model-dt.gl.at.ply.gg | udp
US | 8.8.8.8:53 | www.voidtools.com | udp

Files

memory/4760-0-0x00007FFA20DB3000-0x00007FFA20DB5000-memory.dmp

memory/4760-1-0x00000000003A0000-0x0000000000560000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe

MD5 f55d52d5d690a8e1b2df9217bc3ddfdf
SHA1 0e45d3a28cc096dc7edc1208f7428d66335df11a
SHA256 59f57803fa5235075c3e470e1006905a61236e491bb75a599d862cafcfbb529f
SHA512 4101015760dd2b1d9cbf9586802e610bbe6f74b73bc5dbb4391417afe8fa20762a84b04cd15019b54107d8ad0e4fc523f25403482431dd53aec3d07a4b217941

memory/4760-10-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\InstallOptions.dll

MD5 ece25721125d55aa26cdfe019c871476
SHA1 b87685ae482553823bf95e73e790de48dc0c11ba
SHA256 c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf
SHA512 4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

C:\Users\Admin\AppData\Local\Temp\Everything .exe

MD5 014243e26ce4800999d57c2e52dd3e8a
SHA1 7023bdbb98ce49bf26c536737b9e2da1eae30d81
SHA256 079ba190d123a0fce304bb2dc1953fd79405f7c3be6c5757f02ef113880247ce
SHA512 59b28330434be76c96639938da35e794a2df3fd54c1689e875caa05bbafeb6482dc57c8ee042ff64b751dd4cf0b4e1aa8fad3daf4bbab2402640ae55d3e8fadf

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\LangDLL.dll

MD5 68b287f4067ba013e34a1339afdb1ea8
SHA1 45ad585b3cc8e5a6af7b68f5d8269c97992130b3
SHA256 18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
SHA512 06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

memory/1892-44-0x00000000009F0000-0x0000000000A0A000-memory.dmp

memory/1892-46-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp

memory/4760-45-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\InstallOptions.ini

MD5 e2808f4be298a32ae279ee9ebacd0a0c
SHA1 b7929c346ba7a7aa690a766e4f70bc1d44f75460
SHA256 99b98f333848dacc5df866402181a6e2441fff0f9cdbb2a26f5f2c5d5dd12c52
SHA512 a305986b1eb907caa77616bcf3b9929fcbef8156b9162a942b1720ae32b34e1ba0537c553b54e750a22c3106fdb33870c346dd1f9d72db7d0baa6d318c3752a2

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\InstallOptions.ini

MD5 a485ac27790aaca95bc2fe3b50648748
SHA1 3ffa3f67fd0b50039347cf1af79477bd2e9e16ff
SHA256 cdbd29fa1d0e224f6458433c1ea8bb29cfb4310b15f0f10bb7d8369e2af7e4ef
SHA512 3ac1859c6ed65e3e4eeb19ea2352e38b0a17fc5f8e9c5a1ff60e2015270b46584c638ceddd33254138a0b0c185e00e6794dd3c3e9f5cc3ebd70e1c33a0c322ef

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\InstallOptions.ini

MD5 ab2c961cab9b040af5e54c9796bff999
SHA1 8d660e48a89ce0d938db05039b76ecf552554531
SHA256 efdf05f583eee733ba0963281585f4a7f5a018a635b70c3f59f92a3b92a610be
SHA512 57232084c9be2b00176d13c46c183e084b87aa58d3120df60eee786bbf8c4525f21406ba4c1209cc86830fd8a5245ba7af71742473b7b973b15e4f5fe59ed9a6

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\InstallOptions2.ini

MD5 a6634dd375de49a06ff7c8c65f03bb42
SHA1 2834f907bb17d0916cfd1285718695f866e319d6
SHA256 caf045fdf50d8706410dabb4b4db6edab64d09a1c4229854666c5fdcbc70f35d
SHA512 c2d65ed0b99084753447711ea46e2805017b51917851bc7b53a96e58c49b92acf9f3f32fdb9b68beea400050703785ef49f7d7bf77131cb683663375654b71e9

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\InstallOptions2.ini

MD5 1ab8a173069b84975c796821cfc263ff
SHA1 bb28fe742b108dc364db898978975bc428e52c0a
SHA256 752414c37a031faef88be5d79174c4eed0d8451a2f9ca7dda95caf1ac3e50a69
SHA512 eaa92cc0d0261cb7c0d1d48ed164bd311fdeba72e7f6f4726ef25354b95ea9922dd2f490a54106664ea24d589f0e6ee9eb777e51fa168ba53b3bd5899895844c

memory/3508-375-0x0000023CD9120000-0x0000023CD9142000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gbqhad1w.0uf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 05b3cd21c1ec02f04caba773186ee8d0
SHA1 39e790bfe10abf55b74dfb3603df8fcf6b5e6edb
SHA256 911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8
SHA512 e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c31c750d956f899f1d9c1e8f01f093ff
SHA1 810642d8d3d397e72d4f7392ed95b6c54dfe8435
SHA256 124dee944c406919b88bc6ed5e1ea98ca9e38039bccfeb5a3a5cc2160e26791f
SHA512 bd678dfb199231f6363d4c4833b65fb0c15dc389c331b051b0f342810e537bdb733ffd637ccd398f25ae19dc1fb1377e3fd4468312b7cbb5ff3d3448179bf03d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a9dbfa08ff57ce1a058b13809deaa390
SHA1 6c010521099c8f2295f5f745ae8a67b28216cbd4
SHA256 7067da35857f64c7ec07d602d3883a3f4f5fe40ca29e6b7d38d95bf20d29051a
SHA512 352cf0502392c0414fb7f85fbf58cce6a5af8d7396491f8ddb69d1e4b3d23817d7e5b028c6a7e156a2249aaacc25db8f1dffe4627f600e94c16931873de663d9

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\InstallOptions2.ini

MD5 ddcff53a261133c1ac210d85521d98d8
SHA1 384a7fdcef6730574680c0e73a9d40f00b2f2934
SHA256 8cd9a81f771798511c4359a264d0cd066b8ec975739f5f19c8c50b22255e96e1
SHA512 76cc49d4e39b502aa2f4fddb166bdcec72eddf098a017257ad95fa4f2bde8831afd2c54c7d9a77827ed289e460a8f4286bdb9baf5a9f798a682d4d25b4436fd4

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.exe

MD5 a7067594451cab167a4f463be9d0209c
SHA1 1c2b1e5a0826ca07cc0aa8b3d24bad0a41845df5
SHA256 d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581
SHA512 8fb6e9a82213cc1c371eddc12833b8cad037b800a58a3a3520eb7b14c9e41e61a8bf5db27bd6a79dd8013c51649396feff22436cb7bacf64989552a5a11abbd4

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Everything.lng

MD5 ba118bdf7118802beea188727b155d5f
SHA1 20fe923ec91d13f03bdb171df2fe54772f86ebba
SHA256 270c2dbd55642543479c7e7e62f99ec11bbc65496010b1354a2be9482269d471
SHA512 01d8dd2bf9aa251512b6b9b47e9d966b7eda5f76302e6441c5e7110ff37b4be325a4f8096df26a140c67bd740dcd720bc4e9356ccb95703ad63fe9fdbbb0c41f

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\License.txt

MD5 2d8c6b891bea32e7fa64b381cf3064c2
SHA1 495396d86c96fb1cfdf56cae7658149138056aa9
SHA256 2e017a9c091cf5293e978e796c81025dab6973af96cb8acd56a04ef29703550b
SHA512 03a520f4423da5ef158fb81c32cfff0def361cc4d2caa9cfa4d306136da047a80a6931249a6b9c42f9f2656a27391b7921a64e10baa7468c255bc48bd488a860

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Uninstall.exe

MD5 fc3732ef603b36055209652f749c1080
SHA1 bd8b0806abecf983c89814ab4dcbd3300a78fe88
SHA256 0deee0d9d6e140226de19047c0ab160ec957a6e4bf63bb1c058bac9f09c47874
SHA512 98ee82dfe67fa3d5fe2ae3977b959b0fb1277e5bdb320e7eca347771cd4ef8d8b99c6b3cefc0466347e8f49644386cc2d0f5f7a63eb5404a8371182bd880286f

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\Everything\Changes.txt

MD5 1ebb92ac516db5077a0c851565b7a2cf
SHA1 9adabfbb11b070169429fd43a250285ee8881213
SHA256 e64b60048b375f0c7d4c1fb4329957a297f2e60c306ef9c380175ea7a42223d6
SHA512 3fba14d13a602937b8600c7d5cc8011f7369857be288510b142573e411b2296cdb3ce58beafdf268d04aa1c5130503a63ba38f87239fc7b0be2e0170bdfc86de

C:\Program Files (x86)\Everything\Everything.ini

MD5 b2b308d8c164f75bc11bccf7baf3df67
SHA1 6f1e5561268b2db5b46bb6f738c0f7a637fd6b6d
SHA256 f0969f438d2869641d8f76d5b9fd2b82c7232134a90972e96abb3783d1e2fbe5
SHA512 5cb56d715d35a33e5bbc7e7deb43e4f143e4193ae59282892fe72b82c66a21a62cec85222a9879d5126479a59b9a5e715568f4bb62040a4c03b706f1ebde9659

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\ioSpecial.ini

MD5 8b482faf0fc46e2e53e072d4d5c065e9
SHA1 2658ccd61b2f83a30a5a8b400d90c334fdb4db17
SHA256 8d785ce09c72be83c2b7dfb5d829e0f5cf27a6a907a7d1aca49635e2796c3a5a
SHA512 147de4c2733d0800d31e8d15322841cff637c8b0cdacf97c71e8488a2b22c23249029708bf390aa9b7e8ce64d5bfd6aa40bf7ffe4b9f352283413fd0d2d441ac

memory/1892-576-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsl7CC3.tmp\ioSpecial.ini

MD5 57f50e26fdbae9bf8856dbf807084983
SHA1 1cfff6d62080730b5570167e0fa1c1a424fe5681
SHA256 8b83ffd5c7dfb3ba09273312d23025b1bd99e6dc8260bf6478295985d18c2826
SHA512 b95e03aa816800eac7b398b37a8df3578421afc8c2eb4cd9d954c1cb1e973e1012012ec210c7d51a6da001c2486ea8bc966676d45f128dee26297def5427fbfa

C:\Users\Admin\AppData\Roaming\Everything\Everything.ini

MD5 a66026f84f87ff2aac407a0075030070
SHA1 56159fdacab50eb70d03ee68c67ade793fb00273
SHA256 e29f90944518c5757aa47e53f1005ce392b9f6cd7408043c217bbb520fe97f11
SHA512 3a3453e3c3f7083a8ee262afb8e38be5f1080014a8d2a58e7dfb9ac49b93cff5c22dab65966d74ff1551b2684c00250bd06a031d3ac63100d701edecd6b7c8f3