| File name: | Everything.exe |
| Full analysis: | https://app.any.run/tasks/ad89e295-7a38-4852-b17b-8d8a7c9ef71b |
| Verdict: | Malicious activity |
| Analysis date: | July 18, 2024, 03:52:36 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows |
| MD5: | 0170601E27117E9639851A969240B959 |
| SHA1: | 7A4AEE1910B84C6715C465277229740DFC73FA39 |
| SHA256: | 35CEFE4BC4A98AD73DDA4444C700AAC9F749EFDE8F9DE6A643A57A5B605BD4E7 |
| SSDEEP: | 49152:GQdoNDZW77g1h0lv3o4MyTW+sWxXigRRlmrK:GQf75A4P9Fo+ |
MALICIOUS
Drops the executable file immediately after the start
- Everything.exe (PID: 3232)
Actions looks like stealing of personal data
- Everything.exe (PID: 5340)
SUSPICIOUS
Reads the date of Windows installation
- Everything.exe (PID: 5340)
- Everything.exe (PID: 3232)
- iexplore.exe (PID: 752)
Reads security settings of Internet Explorer
- Everything.exe (PID: 5340)
- Everything.exe (PID: 3232)
- iexplore.exe (PID: 752)
- cookie_exporter.exe (PID: 6540)
Changes internet zones settings
- iexplore.exe (PID: 752)
Application launched itself
- Everything.exe (PID: 3232)
INFO
Checks supported languages
- Everything.exe (PID: 2416)
- Everything.exe (PID: 3232)
- iexplore.exe (PID: 752)
- identity_helper.exe (PID: 6276)
- cookie_exporter.exe (PID: 6540)
- identity_helper.exe (PID: 6504)
- Everything.exe (PID: 3668)
- Everything.exe (PID: 5340)
Manual execution by a user
- Everything.exe (PID: 2416)
- msedge.exe (PID: 2868)
Process checks computer location settings
- Everything.exe (PID: 5340)
- Everything.exe (PID: 3232)
- iexplore.exe (PID: 752)
Reads the computer name
- iexplore.exe (PID: 752)
- Everything.exe (PID: 3232)
- cookie_exporter.exe (PID: 6540)
- identity_helper.exe (PID: 6276)
- identity_helper.exe (PID: 6504)
- Everything.exe (PID: 3668)
- Everything.exe (PID: 5340)
- Everything.exe (PID: 2416)
Reads Microsoft Office registry keys
- Everything.exe (PID: 5340)
- msedge.exe (PID: 4024)
- msedge.exe (PID: 2868)
- msedge.exe (PID: 6964)
Process checks Internet Explorer phishing filters
- iexplore.exe (PID: 752)
Process checks whether UAC notifications are on
- iexplore.exe (PID: 752)
Checks proxy server information
- iexplore.exe (PID: 752)
- cookie_exporter.exe (PID: 6540)
Application launched itself
- msedge.exe (PID: 4024)
- msedge.exe (PID: 2868)
- msedge.exe (PID: 6964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2023:05:25 23:47:01+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 8 |
| CodeSize: | 1764352 |
| InitializedDataSize: | 489472 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1a9cf0 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 5.2 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.4.1.1024 |
| ProductVersionNumber: | 1.4.1.1024 |
| FileFlagsMask: | 0x0017 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Unknown |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | voidtools |
| FileDescription: | Everything |
| FileVersion: | 1.4.1.1024 |
| InternalName: | Everything |
| LegalCopyright: | Copyright © 2023 voidtools |
| OriginalFileName: | Everything.exe |
| ProductName: | Everything |
| ProductVersion: | 1.4.1.1024 |
Total processes
181
Monitored processes
51
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 244 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2408 --field-trial-handle=2388,i,600447376763222729,5694673546111570494,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 752 | "IEXPLORE.EXE" "C:\Windows\WinSxS\amd64_microsoft-windows-s..rofessional-license_31bf3856ad364e35_10.0.19041.1266_none_f0b32d4cab130f07\f\Professional-OEM-DM-2-pl-rtm.xrm-ms" | C:\Program Files\Internet Explorer\iexplore.exe | — | Everything.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 1 Version: 11.00.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 992 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1128 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5004 --field-trial-handle=2256,i,7036487176487033399,14941611306575019415,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1188 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2776 --field-trial-handle=2440,i,4024424767711392017,7231179249624627429,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1192 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4168 --field-trial-handle=2440,i,4024424767711392017,7231179249624627429,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1824 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5168 --field-trial-handle=2440,i,4024424767711392017,7231179249624627429,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2260 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4188 --field-trial-handle=2256,i,7036487176487033399,14941611306575019415,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2364 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2436 --field-trial-handle=2440,i,4024424767711392017,7231179249624627429,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2416 | "C:\Users\admin\Desktop\Everything.exe" | C:\Users\admin\Desktop\Everything.exe | explorer.exe | ||||||||||||
User: admin Company: voidtools Integrity Level: HIGH Description: Everything Exit code: 0 Version: 1.4.1.1024 Modules
| |||||||||||||||
Total events
25 001
Read events
24 826
Write events
167
Delete events
8
Modification events
| (PID) Process: | (3232) Everything.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3232) Everything.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3232) Everything.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3232) Everything.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (5340) Everything.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | NodeSlots |
Value: 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
| (PID) Process: | (5340) Everything.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | MRUListEx |
Value: 040000000E00000003000000000000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF | |||
| (PID) Process: | (5340) Everything.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000 | |||
| (PID) Process: | (5340) Everything.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts |
| Operation: | write | Name: | MSSppLicenseFile_.xrm-ms |
Value: 0 | |||
| (PID) Process: | (5340) Everything.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xrm-ms\OpenWithProgids |
| Operation: | write | Name: | MSSppLicenseFile |
Value: | |||
| (PID) Process: | (5340) Everything.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
Executable files
0
Suspicious files
102
Text files
83
Unknown types
11
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3668 | Everything.exe | C:\Users\admin\Desktop\Everything.ini.tmp | text | |
MD5:26F5A1F77CC81F0FEFD7F97EAF858662 | SHA256:29ADB518656B7F9AA6F254797436ED52693ED2EF5D795278DE74BA6136897894 | |||
| 4024 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat | binary | |
MD5:99EE9F3878A68C103B7B424F43A7BFE8 | SHA256:710390534AAD7E096CBB6BD62CE4CEC55459F12BF80D305EDF3005165D6FA2F7 | |||
| 3232 | Everything.exe | C:\Users\admin\Desktop\Everything.db.tmp | pic | |
MD5:8953CF30853F501E19AFAF722BACB07C | SHA256:2CA2EAEBE20565750B944D796121B0FAD0866C4CBCEC454CD0525F713885F8D8 | |||
| 3232 | Everything.exe | C:\Users\admin\Desktop\Everything.ini | text | |
MD5:6CF8462B74CD13A92B94A54B2D928372 | SHA256:5E2050B94CF646FB3B26797878FF17A9362CA29EE401A645BF55258C59F9DA02 | |||
| 3668 | Everything.exe | C:\Users\admin\Desktop\Everything.ini | text | |
MD5:26F5A1F77CC81F0FEFD7F97EAF858662 | SHA256:29ADB518656B7F9AA6F254797436ED52693ED2EF5D795278DE74BA6136897894 | |||
| 2868 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1df417.TMP | — | |
MD5:— | SHA256:— | |||
| 2868 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1df417.TMP | — | |
MD5:— | SHA256:— | |||
| 2868 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2868 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2868 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1df417.TMP | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
56
TCP/UDP connections
70
DNS requests
45
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2448 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4448 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2448 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4448 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | OPTIONS | 200 | 23.48.23.26:443 | https://bzib.nelreports.net/api/report?cat=bingbusiness | unknown | — | — | — |
— | — | GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown | — | — | — |
— | — | GET | — | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeRuntime%2CEdgeRuntimeConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=27&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | — | — | — |
— | — | GET | — | 13.107.246.60:443 | https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.5.3/asset | unknown | — | — | — |
— | — | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=27&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | binary | 1.03 Kb | — |
— | — | GET | 200 | 104.126.37.145:443 | https://edgeservices.bing.com/edgesvc/userstatus | unknown | binary | 381 b | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4448 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2448 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4392 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4032 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2448 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
4448 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
2448 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
4448 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
edge-mobile-static.azureedge.net |
| whitelisted |
business.bing.com |
| whitelisted |
update.googleapis.com |
| whitelisted |
Threats
1 ETPRO signatures available at the full report