| File name: | libusbK-3.1.0.0-setup.zip |
| Full analysis: | https://app.any.run/tasks/66f5052b-5078-4b5f-be5c-9bc8d9292273 |
| Verdict: | Malicious activity |
| Analysis date: | June 05, 2025, 12:57:33 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | C06D137E36C4BF8357ADFD5C3EFCCE20 |
| SHA1: | 7670E4C94F1230250ED5CBE6686C4B589C4039CA |
| SHA256: | 3B004080BFEE5AB2C2DEF06678E98B2C029D1DF9DE5864BAC97F48CAC326F2C4 |
| SSDEEP: | 98304:JfoQ+k15+8FdfTlGld+KSh8Hg8VJ1yzDNPxbfnXJ7Sy4Rq9f63xsfxTsZdnfojOr:9NqNJN |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 1512)
SUSPICIOUS
Executable content was dropped or overwritten
- libusbK-3.1.0.0-setup.exe (PID: 6992)
- libusbK-3.1.0.0-setup.exe (PID: 5568)
- libusbK-3.1.0.0-setup.tmp (PID: 1284)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 1512)
- libusbK-3.1.0.0-setup.tmp (PID: 6724)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 1512)
Reads the Windows owner or organization settings
- libusbK-3.1.0.0-setup.tmp (PID: 1284)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 1512)
INFO
Checks supported languages
- libusbK-3.1.0.0-setup.tmp (PID: 6724)
- libusbK-3.1.0.0-setup.exe (PID: 6992)
- libusbK-3.1.0.0-setup.exe (PID: 5568)
- libusbK-3.1.0.0-setup.tmp (PID: 1284)
- MpCmdRun.exe (PID: 7844)
- MpCmdRun.exe (PID: 6880)
Manual execution by a user
- libusbK-3.1.0.0-setup.exe (PID: 6992)
Create files in a temporary directory
- libusbK-3.1.0.0-setup.exe (PID: 6992)
- libusbK-3.1.0.0-setup.exe (PID: 5568)
- libusbK-3.1.0.0-setup.tmp (PID: 1284)
- MpCmdRun.exe (PID: 6880)
Reads the computer name
- libusbK-3.1.0.0-setup.tmp (PID: 6724)
- libusbK-3.1.0.0-setup.tmp (PID: 1284)
- MpCmdRun.exe (PID: 7844)
- MpCmdRun.exe (PID: 6880)
Process checks computer location settings
- libusbK-3.1.0.0-setup.tmp (PID: 6724)
Detects InnoSetup installer (YARA)
- libusbK-3.1.0.0-setup.exe (PID: 5568)
- libusbK-3.1.0.0-setup.exe (PID: 6992)
- libusbK-3.1.0.0-setup.tmp (PID: 6724)
- libusbK-3.1.0.0-setup.tmp (PID: 1284)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1512)
Compiled with Borland Delphi (YARA)
- libusbK-3.1.0.0-setup.tmp (PID: 6724)
- libusbK-3.1.0.0-setup.tmp (PID: 1284)
Reads the software policy settings
- slui.exe (PID: 4424)
Checks proxy server information
- slui.exe (PID: 4424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xpi | | | Mozilla Firefox browser extension (42.1) |
|---|---|---|
| .zip | | | ZIP compressed archive (21) |
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2023:09:13 22:18:56 |
| ZipCRC: | 0xbaa9dd31 |
| ZipCompressedSize: | 7904435 |
| ZipUncompressedSize: | 7904435 |
| ZipFileName: | libusbK-3.1.0.0-setup.exe |
Total processes
133
Monitored processes
12
Malicious processes
0
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1284 | "C:\Users\admin\AppData\Local\Temp\is-PGR63.tmp\libusbK-3.1.0.0-setup.tmp" /SL5="$A0344,7640034,58368,C:\Users\admin\Desktop\libusbK-3.1.0.0-setup.exe" /SPAWNWND=$A031C /NOTIFYWND=$80304 | C:\Users\admin\AppData\Local\Temp\is-PGR63.tmp\libusbK-3.1.0.0-setup.tmp | libusbK-3.1.0.0-setup.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Version: 51.52.0.0 Modules
| |||||||||||||||
| 1512 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\libusbK-3.1.0.0-setup.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 2152 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR1512.9200\Rar$Scan18691.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2268 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4424 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5568 | "C:\Users\admin\Desktop\libusbK-3.1.0.0-setup.exe" /SPAWNWND=$A031C /NOTIFYWND=$80304 | C:\Users\admin\Desktop\libusbK-3.1.0.0-setup.exe | libusbK-3.1.0.0-setup.tmp | ||||||||||||
User: admin Company: Travis Lee Robinson Integrity Level: HIGH Description: UsbK Development Kit Setup Version: 3.1.0.0 Modules
| |||||||||||||||
| 6724 | "C:\Users\admin\AppData\Local\Temp\is-9QO9S.tmp\libusbK-3.1.0.0-setup.tmp" /SL5="$80304,7640034,58368,C:\Users\admin\Desktop\libusbK-3.1.0.0-setup.exe" | C:\Users\admin\AppData\Local\Temp\is-9QO9S.tmp\libusbK-3.1.0.0-setup.tmp | — | libusbK-3.1.0.0-setup.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Version: 51.52.0.0 Modules
| |||||||||||||||
| 6880 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR1512.9200" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6992 | "C:\Users\admin\Desktop\libusbK-3.1.0.0-setup.exe" | C:\Users\admin\Desktop\libusbK-3.1.0.0-setup.exe | explorer.exe | ||||||||||||
User: admin Company: Travis Lee Robinson Integrity Level: MEDIUM Description: UsbK Development Kit Setup Version: 3.1.0.0 Modules
| |||||||||||||||
| 7276 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
5 418
Read events
5 406
Write events
12
Delete events
0
Modification events
| (PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\libusbK-3.1.0.0-setup.zip | |||
| (PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList |
| Operation: | write | Name: | ArcSort |
Value: 32 | |||
| (PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan |
| Operation: | write | Name: | DefScanner |
Value: Windows Defender | |||
Executable files
5
Suspicious files
0
Text files
3
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6992 | libusbK-3.1.0.0-setup.exe | C:\Users\admin\AppData\Local\Temp\is-9QO9S.tmp\libusbK-3.1.0.0-setup.tmp | executable | |
MD5:1AFBD25DB5C9A90FE05309F7C4FBCF09 | SHA256:3BB0EE5569FE5453C6B3FA25AA517B925D4F8D1F7BA3475E58FA09C46290658C | |||
| 1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR1512.19289\Rar$Scan119570.bat | text | |
MD5:25701B328835584D04292C16658C815E | SHA256:2F1B80A7B1C169981C0AB83E5B37C5D7FA97276EE7195AB57C698C6171BD68C3 | |||
| 1284 | libusbK-3.1.0.0-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-7VFHN.tmp\_isetup\_setup64.tmp | executable | |
MD5:E4211D6D009757C078A9FAC7FF4F03D4 | SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95 | |||
| 1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR1512.9200\Rar$Scan18691.bat | text | |
MD5:086006ED0CFAA3F9F3172E7F7C6E3DD1 | SHA256:A5BD2611BA655F5789DA5C30270F232B2B7010AA8D302C8F5EF152880B3CDE50 | |||
| 1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR1512.19289\libusbK-3.1.0.0-setup.zip\libusbK-3.1.0.0-setup.exe | executable | |
MD5:AD52BA6F461AEE4EECDFBF9DA70E9EEE | SHA256:498F3A9D4A655E5C2CBD2924EDBBBC54C7BAD74563869F1DCA85979F97EEF773 | |||
| 6880 | MpCmdRun.exe | C:\Users\admin\AppData\Local\Temp\MpCmdRun.log | text | |
MD5:D6FCB3211E5790B49B6C96474844C499 | SHA256:DE6061CD84989E93DBA155756EA136A6595F1A83174D1EA51E1BF8D406EB4A8C | |||
| 5568 | libusbK-3.1.0.0-setup.exe | C:\Users\admin\AppData\Local\Temp\is-PGR63.tmp\libusbK-3.1.0.0-setup.tmp | executable | |
MD5:1AFBD25DB5C9A90FE05309F7C4FBCF09 | SHA256:3BB0EE5569FE5453C6B3FA25AA517B925D4F8D1F7BA3475E58FA09C46290658C | |||
| 1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR1512.9200\libusbK-3.1.0.0-setup.zip\libusbK-3.1.0.0-setup.exe | executable | |
MD5:AD52BA6F461AEE4EECDFBF9DA70E9EEE | SHA256:498F3A9D4A655E5C2CBD2924EDBBBC54C7BAD74563869F1DCA85979F97EEF773 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
20
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2088 | RUXIMICS.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
2088 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2088 | RUXIMICS.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2088 | RUXIMICS.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2088 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
7388 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4424 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |