File name:

Everything-1.4.1.1027.x86.Lite-Setup.exe

Full analysis: https://app.any.run/tasks/68837755-3ee9-4861-8d34-f4ec5d3d1fba
Verdict: Malicious activity
Analysis date: June 06, 2025, 19:07:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
everything
tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

CC02B882DDD6DB82A38BD04174BBF9A2

SHA1:

C0AAD26E14F3A9A4F244E4A7A75B008E662999FC

SHA256:

4809EFFB6B6518E23B3CA03B418E0F39DC624E285F20A3B70643A5D492907E3D

SSDEEP:

98304:kJ87vH5hICTgRvvRN3tg/1zrSmLjVRKvGX3WDN/kfDEb78Rp0qDGeuqR0IQza98P:k3snpEx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • Everything.exe (PID: 4212)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • Everything-1.4.1.1027.x86.Lite-Setup.exe (PID: 6476)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Everything-1.4.1.1027.x86.Lite-Setup.exe (PID: 6476)
    • Executable content was dropped or overwritten

      • Everything-1.4.1.1027.x86.Lite-Setup.exe (PID: 6476)
      • Everything.exe (PID: 6392)
    • Reads security settings of Internet Explorer

      • Everything.exe (PID: 7720)
      • Everything.exe (PID: 6392)
    • There is functionality for taking screenshot (YARA)

      • Everything-1.4.1.1027.x86.Lite-Setup.exe (PID: 6476)
      • Everything.exe (PID: 2416)
      • Everything.exe (PID: 4228)
    • Application launched itself

      • Everything.exe (PID: 7720)
    • Creates a software uninstall entry

      • Everything.exe (PID: 6392)
    • Starts itself from another location

      • Everything.exe (PID: 6392)
    • Executes as Windows Service

      • Everything.exe (PID: 2416)
  • INFO

    • Checks supported languages

      • Everything-1.4.1.1027.x86.Lite-Setup.exe (PID: 6476)
      • Everything.exe (PID: 7720)
      • Everything.exe (PID: 4212)
      • Everything.exe (PID: 5360)
      • Everything.exe (PID: 2416)
      • Everything.exe (PID: 4228)
      • Everything.exe (PID: 5344)
      • Everything.exe (PID: 6392)
    • The sample was compiled with English language support

      • Everything-1.4.1.1027.x86.Lite-Setup.exe (PID: 6476)
      • Everything.exe (PID: 6392)
    • Reads the computer name

      • Everything-1.4.1.1027.x86.Lite-Setup.exe (PID: 6476)
      • Everything.exe (PID: 7720)
      • Everything.exe (PID: 6392)
      • Everything.exe (PID: 4212)
      • Everything.exe (PID: 2416)
      • Everything.exe (PID: 5360)
      • Everything.exe (PID: 4228)
      • Everything.exe (PID: 5344)
    • Creates files in a temporary directory

      • Everything-1.4.1.1027.x86.Lite-Setup.exe (PID: 6476)
    • Process checks computer location settings

      • Everything.exe (PID: 7720)
      • Everything.exe (PID: 6392)
    • Creates files in the program directory

      • Everything.exe (PID: 6392)
      • Everything.exe (PID: 4212)
    • Launching a file from a Registry key

      • Everything.exe (PID: 4212)
    • Creates files or folders in the user directory

      • Everything.exe (PID: 5360)
    • EVERYTHING mutex has been found

      • Everything.exe (PID: 4228)
      • Everything.exe (PID: 5344)
    • Manual execution by a user

      • Everything.exe (PID: 5344)
    • Checks proxy server information

      • slui.exe (PID: 7852)
    • Reads the software policy settings

      • slui.exe (PID: 7852)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:56:47+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x3640
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.4.1.1027
ProductVersionNumber: 1.4.1.1027
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Everything Setup
FileVersion: 1.4.1.1027
LegalCopyright: Copyright (c) 2025 voidtools
LegalTrademarks: -
ProductName: Everything
ProductVersion: 1.4.1.1027
All screenshots are available in the full report
Total processes
133
Monitored processes
9
Malicious processes
3
Suspicious processes
1

Behavior graph

Process nodes in the graph (interactive version in the full report): start, everything-1.4.1.1027.x86.lite-setup.exe, everything.exe (7 instances, 5 of them marked "no specs"), slui.exe

Process information

PID:
2416
CMD:
"C:\Program Files (x86)\Everything\Everything.exe" -svc
Path:
C:\Program Files (x86)\Everything\Everything.exe
Parent process:
services.exe
User:
SYSTEM
Company:
voidtools
Integrity Level:
SYSTEM
Description:
Everything
Version:
1.4.1.1027
Modules
Images
c:\program files (x86)\everything\everything.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID:
4212
CMD:
"C:\Program Files (x86)\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -uninstall-start-menu-shortcuts -uninstall-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 2
Path:
C:\Program Files (x86)\Everything\Everything.exe
Parent process:
Everything.exe
User:
admin
Company:
voidtools
Integrity Level:
HIGH
Description:
Everything
Exit code:
0
Version:
1.4.1.1027
Modules
Images
c:\program files (x86)\everything\everything.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID:
4228
CMD:
"C:\Program Files (x86)\Everything\Everything.exe"
Path:
C:\Program Files (x86)\Everything\Everything.exe
Parent process:
Everything-1.4.1.1027.x86.Lite-Setup.exe
User:
admin
Company:
voidtools
Integrity Level:
MEDIUM
Description:
Everything
Version:
1.4.1.1027
Modules
Images
c:\program files (x86)\everything\everything.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID:
5344
CMD:
"C:\Program Files (x86)\Everything\Everything.exe" -startup
Path:
C:\Program Files (x86)\Everything\Everything.exe
Parent process:
explorer.exe
User:
admin
Company:
voidtools
Integrity Level:
MEDIUM
Description:
Everything
Exit code:
0
Version:
1.4.1.1027
Modules
Images
c:\program files (x86)\everything\everything.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID:
5360
CMD:
"C:\Program Files (x86)\Everything\Everything.exe" -disable-update-notification -install-quick-launch-shortcut -no-choose-volumes -language 1033
Path:
C:\Program Files (x86)\Everything\Everything.exe
Parent process:
Everything-1.4.1.1027.x86.Lite-Setup.exe
User:
admin
Company:
voidtools
Integrity Level:
MEDIUM
Description:
Everything
Exit code:
0
Version:
1.4.1.1027
Modules
Images
c:\program files (x86)\everything\everything.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID:
6392
CMD:
"C:\Users\admin\AppData\Local\Temp\nsh6EF.tmp\Everything\Everything.exe" -isrunas -install "C:\Program Files (x86)\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -uninstall-start-menu-shortcuts -uninstall-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 2"
Path:
C:\Users\admin\AppData\Local\Temp\nsh6EF.tmp\Everything\Everything.exe
Parent process:
Everything.exe
User:
admin
Company:
voidtools
Integrity Level:
HIGH
Description:
Everything
Exit code:
0
Version:
1.4.1.1027
Modules
Images
c:\users\admin\appdata\local\temp\nsh6ef.tmp\everything\everything.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID:
6476
CMD:
"C:\Users\admin\Desktop\Everything-1.4.1.1027.x86.Lite-Setup.exe"
Path:
C:\Users\admin\Desktop\Everything-1.4.1.1027.x86.Lite-Setup.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Everything Setup
Exit code:
0
Version:
1.4.1.1027
Modules
Images
c:\users\admin\desktop\everything-1.4.1.1027.x86.lite-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
7720
CMD:
"C:\Users\admin\AppData\Local\Temp\nsh6EF.tmp\Everything\Everything.exe" -install "C:\Program Files (x86)\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -uninstall-start-menu-shortcuts -uninstall-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 2"
Path:
C:\Users\admin\AppData\Local\Temp\nsh6EF.tmp\Everything\Everything.exe
Parent process:
Everything-1.4.1.1027.x86.Lite-Setup.exe
User:
admin
Company:
voidtools
Integrity Level:
MEDIUM
Description:
Everything
Exit code:
0
Version:
1.4.1.1027
Modules
Images
c:\users\admin\appdata\local\temp\nsh6ef.tmp\everything\everything.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID:
7852
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
5 025
Read events
4 992
Write events
30
Delete events
3

Modification events

(PID) Process: (4212) Everything.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\voidtools\Everything
Operation: write
Name: InstallAppData
Value: 1

(PID) Process: (4212) Everything.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\voidtools\Everything
Operation: write
Name: InstallStartMenuShortcuts
Value: 0

(PID) Process: (4212) Everything.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\voidtools\Everything
Operation: write
Name: InstallDesktopShortcut
Value: 0

(PID) Process: (4212) Everything.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\voidtools\Everything
Operation: write
Name: InstallFolderContextMenu
Value: 0

(PID) Process: (4212) Everything.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\voidtools\Everything
Operation: write
Name: InstallURLProtocol
Value: 0

(PID) Process: (4212) Everything.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Everything

(PID) Process: (4212) Everything.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Everything

(PID) Process: (4212) Everything.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\voidtools\Everything
Operation: write
Name: InstallRunOnStartup
Value: 0

(PID) Process: (4212) Everything.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Everything
Value: "C:\Program Files (x86)\Everything\Everything.exe" -startup

(PID) Process: (4212) Everything.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\voidtools\Everything
Operation: write
Name: InstallRunOnStartup
Value: 1
Executable files
10
Suspicious files
3
Text files
9
Unknown types
1

Dropped files

PID: 6476
Process: Everything-1.4.1.1027.x86.Lite-Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh6EF.tmp\InstallOptions.ini
Type: text
MD5: F4B7EA54A35FE41EB4ABB5F9E53CD9DD
SHA256: B520532CE65105E5414423491084A05EEC67ADD6CA5FEF67B56BB9866C07BB95

PID: 6476
Process: Everything-1.4.1.1027.x86.Lite-Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh6EF.tmp\System.dll
Type: executable
MD5: CFF85C549D536F651D4FB8387F1976F2
SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8

PID: 6476
Process: Everything-1.4.1.1027.x86.Lite-Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh6EF.tmp\ioSpecial.ini
Type: text
MD5: E2D5070BC28DB1AC745613689FF86067
SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0

PID: 6476
Process: Everything-1.4.1.1027.x86.Lite-Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh6EF.tmp\modern-wizard.bmp
Type: image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2

PID: 6476
Process: Everything-1.4.1.1027.x86.Lite-Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh6EF.tmp\LangDLL.dll
Type: executable
MD5: 68B287F4067BA013E34A1339AFDB1EA8
SHA256: 18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026

PID: 6476
Process: Everything-1.4.1.1027.x86.Lite-Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh6EF.tmp\InstallOptions2.ini
Type: text
MD5: 2D388F85F070760E18EC39C0DF0980DB
SHA256: 6003368F4183B166539C96B734C01595A9D1B1494C11F16AEDEFE8AD68E9CFA8

PID: 6476
Process: Everything-1.4.1.1027.x86.Lite-Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh6EF.tmp\Everything\Uninstall.exe
Type: executable
MD5: 6E338C581EC63221F49E26775D4A04D1
SHA256: 34769CF76B350501992C052EACE6D19665AE2530B499269E9F381EC71A01F7C8

PID: 6476
Process: Everything-1.4.1.1027.x86.Lite-Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh6EF.tmp\Everything\License.txt
Type: text
MD5: 4AD0FF3A90AD4DD6CFFDD413E312EBA3
SHA256: 2E1224296BAA039A0A73A76A4693048FA9EDD6A512E21D0F9DE8A24B7360BF9A

PID: 6392
Process: Everything.exe
Filename: C:\Program Files (x86)\Everything\Uninstall.exe
Type: executable
MD5: 6E338C581EC63221F49E26775D4A04D1
SHA256: 34769CF76B350501992C052EACE6D19665AE2530B499269E9F381EC71A01F7C8

PID: 6476
Process: Everything-1.4.1.1027.x86.Lite-Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh6EF.tmp\Everything\Everything.lng
Type: psf
MD5: F7F8FAE622D1E8CB5569576357B9C492
SHA256: E2788B4A9977D4F63D0EE1ADAFA9359D0AD657D51126D132E3B2418AEC9D5AD9
HTTP(S) requests
4
TCP/UDP connections
20
DNS requests
5
Threats
0

HTTP requests

PID: 1180
Process: RUXIMICS.exe
Method: GET
HTTP Code: 200
IP: 2.16.168.114:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID: 1180
Process: RUXIMICS.exe
Method: GET
HTTP Code: 200
IP: 23.219.150.101:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

Method: POST
HTTP Code: 500
IP: 40.91.76.224:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml
Size: 512 b
Reputation: whitelisted

Method: POST
HTTP Code: 500
IP: 40.91.76.224:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml
Size: 512 b
Reputation: whitelisted

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 1180
Process: RUXIMICS.exe
IP: 51.104.136.2:443
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

IP: 51.104.136.2:443
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 1180
Process: RUXIMICS.exe
IP: 2.16.168.114:80
Domain: crl.microsoft.com
ASN: Akamai International B.V.
CN: RU
Reputation: whitelisted

PID: 1180
Process: RUXIMICS.exe
IP: 23.219.150.101:80
Domain: www.microsoft.com
ASN: AKAMAI-AS
CN: CL
Reputation: whitelisted

PID: 1168
Process: slui.exe
IP: 20.83.72.98:443
Domain: activation-v2.sls.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID: 7852
Process: slui.exe
IP: 20.83.72.98:443
Domain: activation-v2.sls.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
self.events.data.microsoft.com
  • 20.189.173.15
whitelisted

Threats

No threats detected
No debug info