Everything.exe

  • File Path: C:\program files\Everything\Everything.exe
  • Description: Everything

Screenshot (image not reproduced here)

Hashes

  • MD5: 462FB57AD469C670E93EE05CAD1D9DE9
  • SHA1: 57916930EA9C4C062E431D58FE68C5749FE1C410
  • SHA256: A8E8A69C6ADBDEE716B58D3768E65AE14EA52AF6B2667CBF998B379756B5597E
  • SHA384: 430685FE17A7E0182F59F4D3416604700D2843C89E22291A6A36E2FB648745FF814127663F6EA36B371D049B527309AC
  • SHA512: 7CFEFDBD58039694657FA23F0D5C150C026FC3F007DD7E40F853CF78B2101B5943D9E452A4F6291FB2567C8F69C946C4193BFB8B604356069AB1E382609B9A9C
  • SSDEEP: 49152:MoSbtAyjXQ52sKplatxaix287JaOB/i+OYOOrm:Mo357t8Ybry

Runtime Data

Window Title:

Command Line Options - Everything

Open Handles:

  • (R-D) C:\Windows\Fonts\StaticCache.dat [File]
  • (RW-) C:\Users\user\Documents [File]
  • (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec [File]
  • \BaseNamedObjects\__ComCatalogCache__ [Section]
  • \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 [Section]
  • \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 [Section]
  • \BaseNamedObjects\windows_shell_global_counters [Section]
  • \Sessions\1\BaseNamedObjects\windows_shell_global_counters [Section]
  • \Sessions\1\Windows\Theme4048709601 [Section]
  • \Windows\Theme603176458 [Section]

Loaded Modules:

Path
C:\program files\Everything\Everything.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\comdlg32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\SYSTEM32\iertutil.dll
C:\Windows\System32\IMM32.dll
C:\Windows\SYSTEM32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\SYSTEM32\urlmon.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\WS2_32.dll
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec\COMCTL32.dll

Signature

  • Status: Signature verified.
  • Serial: 0554D03D517345589F62CA21C7789A22
  • Thumbprint: D729CE691A8FC342ED6B0F607C7457B05B5AACF9
  • Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=voidtools, O=voidtools, L=Wilmington, S=South Australia, C=AU

File Metadata

  • Original Filename: Everything.exe
  • Product Name: Everything
  • Company Name: voidtools
  • File Version: 1.4.1.988
  • Product Version: 1.4.1.988
  • Language: English (United States)
  • Legal Copyright: Copyright 2020 voidtools
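The hashes, signer details and version resource above are only useful if something actually compares them against a file found on a host. The following PowerShell script is an added example (not code from Strontic or voidtools) that does that comparison with the built-in Get-FileHash and Get-AuthenticodeSignature cmdlets. It assumes the binary sits at the default install path listed at the top of the page; the expected values are copied verbatim from the Hashes, Signature and File Metadata sections. SSDEEP is not checked because Windows ships no native tool for it.

```powershell
# Added example: verify a copy of Everything.exe against the values recorded on this page.
# Assumption: default install path; adjust $Path for a sample found elsewhere.
$Path = 'C:\Program Files\Everything\Everything.exe'

# Expected values copied from the Hashes and Signature sections above.
$Expected = @{
    SHA256     = 'A8E8A69C6ADBDEE716B58D3768E65AE14EA52AF6B2667CBF998B379756B5597E'
    SHA1       = '57916930EA9C4C062E431D58FE68C5749FE1C410'
    MD5        = '462FB57AD469C670E93EE05CAD1D9DE9'
    Thumbprint = 'D729CE691A8FC342ED6B0F607C7457B05B5AACF9'
    Serial     = '0554D03D517345589F62CA21C7789A22'
    Subject    = 'CN=voidtools, O=voidtools, L=Wilmington, S=South Australia, C=AU'
    Version    = '1.4.1.988'
}

function Test-EverythingBinary {
    param([string]$FilePath, [hashtable]$Want)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ Path = $FilePath; Result = 'MISSING'; Findings = @() }
    }

    $findings = @()

    # 1. Hashes. SHA256 is the one to rely on; MD5 and SHA1 are compared only because
    #    many threat-intel feeds still key on them.
    foreach ($alg in 'SHA256', 'SHA1', 'MD5') {
        $got = (Get-FileHash -LiteralPath $FilePath -Algorithm $alg).Hash
        if ($got -ne $Want[$alg]) { $findings += "$alg differs: $got" }
    }

    # 2. Authenticode. Status 'Valid' only proves the file is signed by a cert that chains
    #    to a trusted root; the signer must additionally be the voidtools certificate.
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status: $($sig.Status)"
    }
    else {
        $cert = $sig.SignerCertificate
        if ($cert.Thumbprint   -ne $Want.Thumbprint) { $findings += "Thumbprint differs: $($cert.Thumbprint)" }
        if ($cert.SerialNumber -ne $Want.Serial)     { $findings += "Serial differs: $($cert.SerialNumber)" }
        if ($cert.Subject      -ne $Want.Subject)    { $findings += "Subject differs: $($cert.Subject)" }
    }

    # 3. Version resource, as a cheap cross-check against the File Metadata section.
    #    A newer legitimate release will differ here and in the hashes, which is why the
    #    signer identity, not the hash, is the decisive check.
    $ver = (Get-Item -LiteralPath $FilePath).VersionInfo.FileVersion
    if ($ver -ne $Want.Version) { $findings += "FileVersion differs: $ver" }

    [pscustomobject]@{
        Path     = $FilePath
        Result   = if ($findings.Count -eq 0) { 'MATCH' } else { 'MISMATCH' }
        Findings = $findings
    }
}

Test-EverythingBinary -FilePath $Path -Want $Expected | Format-List
```

Interpreting the result: hash and version differences together with a valid voidtools signature usually mean a different release of the same product; a valid signature from a different subject, or a signature status other than Valid, is what warrants pulling the sample.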

Possible Misuse

The entries below are text matches for "Everything.exe" (or simply the word "everything") in public detection content. They are not reports of Everything.exe being malicious: it is a legitimate file indexer, though, like any fast file-search tool, its functionality could be used by an intruder for discovery. Read the rows critically. Only the Sigma rule registry_event_asep_reg_keys_modification_currentversion.yml refers to this binary, by its install path, in the context of CurrentVersion autorun (ASEP) registry keys. Every other row matched the ordinary English word "everything" in a comment, description or string, and has nothing to do with this file; one is a Linux process-creation rule about telnet.

  • sigma, proc_creation_lnx_network_service_scanning.yml (DRL 1.0): - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
  • sigma, registry_event_asep_reg_keys_modification_currentversion.yml (DRL 1.0): - 'C:\Program Files\Everything\Everything.exe'
  • atomic-red-team, T1098.001.md (MIT License. © 2018 Red Canary): # in the context of an ART test (and not a real attack), we don’t need to keep access for too long. In case the cleanup command isn’t called, it’s better to ensure that everything expires after 1 day so it doesn’t leave this backdoor open for too long
  • atomic-red-team, T1114.001.md (MIT License. © 2018 Red Canary): Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration.
  • atomic-red-team, T1176.md (MIT License. © 2018 Red Canary): Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser’s app store and generally have access and permissions to everything that the browser can access. (Citation: Wikipedia Browser Extension) (Citation: Chrome Extensions Definition)
  • atomic-red-team, T1548.002.md (MIT License. © 2018 Red Canary): REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
  • signature-base, airbnb_binaryalert.yar (CC BY-NC 4.0): $s3 = "-cmdfile local.bat #will execute everything from local.bat" ascii wide
  • signature-base, apt_eqgrp.yar (CC BY-NC 4.0): $s4 = "Not everything is set yet" fullword ascii
  • signature-base, apt_eqgrp_apr17.yar (CC BY-NC 4.0): $x4 = "[!] nothing looks vulnerable, trying everything" fullword ascii

MIT License. Copyright (c) 2020-2021 Strontic.