File name: USB.Safely.Remove.v7.1.2.1327.exe

Full analysis: https://app.any.run/tasks/26318a1a-6a70-451d-9633-aab5ac325cfc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 07, 2025, 13:57:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pastebin
auto-reg
loader
auto
generic
stealer
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 94B7DA9B12A7FD85E444C521D3046577
SHA1: BA02C95B1BC29544CD054830EF525C334910BD48
SHA256: 4FB0A8CE59CC9820989BB2719E4A2EF6883728651731BA0A864C3BC62CED1776
SSDEEP: 98304:QdV2kkZ/tN4t0uYcVEQ259V6ruy5OeG95oXOC6VYF5E8m5HMT9PYSfsSQ3mW3C8o:ryBQonKW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
    • GENERIC has been found (auto)

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • PACK.EXE (PID: 5048)
    • Executing a file with an untrusted certificate

      • USBSafelyRemove.exe (PID: 2868)
      • USBSafelyRemove.exe (PID: 3896)
    • Changes Windows Defender settings

      • PACK.EXE (PID: 5048)
    • Runs PowerShell with an invisible window

      • powershell.exe (PID: 7512)
      • powershell.exe (PID: 1164)
      • powershell.exe (PID: 7556)
    • Actions look like stealing of personal data

      • setup.exe (PID: 7548)
    • Steals credentials from Web Browsers

      • setup.exe (PID: 7548)
      • setup.exe (PID: 6248)
      • setup.exe (PID: 5988)
      • setup.exe (PID: 7488)
      • setup.exe (PID: 4120)
      • setup.exe (PID: 2596)
  • SUSPICIOUS

    • There is functionality for taking screenshots (YARA)

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • setup.exe (PID: 7488)
      • setup.exe (PID: 6248)
      • setup.exe (PID: 5988)
      • setup.exe (PID: 7548)
    • Drops a system driver (possible attempt to evade defenses)

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
    • Creates a software uninstall entry

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
    • The process creates files with name similar to system file names

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • ya.exe (PID: 2084)
    • Executable content was dropped or overwritten

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • PACK.EXE (PID: 5048)
      • ya.exe (PID: 2084)
      • OperaSetup.exe (PID: 7576)
      • setup.exe (PID: 6248)
      • setup.exe (PID: 7548)
      • setup.exe (PID: 680)
      • OperaSetup.exe (PID: 5308)
      • setup.exe (PID: 7488)
      • setup.exe (PID: 5988)
      • setup.exe (PID: 4120)
      • setup.exe (PID: 2596)
      • setup.exe (PID: 6820)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • ya.exe (PID: 2084)
    • Executes as Windows Service

      • USBSRService.exe (PID: 1452)
    • Reads security settings of Internet Explorer

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • PACK.EXE (PID: 5048)
      • ya.exe (PID: 2084)
      • setup.exe (PID: 7548)
      • setup.exe (PID: 4120)
    • The executable file from the user directory is run by the CMD process

      • PACK.EXE (PID: 5048)
    • Starts CMD.EXE for commands execution

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
    • The process bypasses the loading of PowerShell profile settings

      • PACK.EXE (PID: 5048)
    • The process hides Powershell's copyright startup banner

      • PACK.EXE (PID: 5048)
    • The process hides an interactive prompt from the user

      • PACK.EXE (PID: 5048)
    • Script uses the threat ID number to make Windows Defender allow it

      • PACK.EXE (PID: 5048)
    • Application launched itself

      • setup.exe (PID: 7548)
      • setup.exe (PID: 5988)
      • setup.exe (PID: 4120)
    • Starts itself from another location

      • setup.exe (PID: 7548)
      • setup.exe (PID: 4120)
    • Starts POWERSHELL.EXE for commands execution

      • PACK.EXE (PID: 5048)
  • INFO

    • Creates files in a temporary directory

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • PACK.EXE (PID: 5048)
      • ya.exe (PID: 2084)
      • OperaSetup.exe (PID: 7576)
      • setup.exe (PID: 6248)
      • setup.exe (PID: 7548)
      • setup.exe (PID: 680)
      • setup.exe (PID: 5988)
      • OperaSetup.exe (PID: 5308)
      • setup.exe (PID: 7488)
      • setup.exe (PID: 4120)
      • setup.exe (PID: 2596)
      • setup.exe (PID: 6820)
    • The sample was compiled with English language support

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • PACK.EXE (PID: 5048)
      • ya.exe (PID: 2084)
      • OperaSetup.exe (PID: 7576)
      • setup.exe (PID: 7548)
      • setup.exe (PID: 6248)
      • setup.exe (PID: 680)
      • setup.exe (PID: 7488)
      • setup.exe (PID: 5988)
      • setup.exe (PID: 4120)
      • setup.exe (PID: 2596)
      • OperaSetup.exe (PID: 5308)
      • setup.exe (PID: 6820)
    • Reads the computer name

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • USBSRService.exe (PID: 7888)
      • USBSRService.exe (PID: 1452)
      • PACK.EXE (PID: 5048)
      • USBSafelyRemove.exe (PID: 2868)
      • ya.exe (PID: 2084)
      • USBSafelyRemove.exe (PID: 3896)
      • setup.exe (PID: 7548)
      • setup.exe (PID: 5988)
      • setup.exe (PID: 4120)
    • Creates files in the program directory

      • USBSRService.exe (PID: 7888)
      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
    • Checks supported languages

      • USBSRService.exe (PID: 1452)
      • USBSRService.exe (PID: 7888)
      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • USBSafelyRemove.exe (PID: 2868)
      • PACK.EXE (PID: 5048)
      • ya.exe (PID: 2084)
      • OperaSetup.exe (PID: 7576)
      • USBSafelyRemove.exe (PID: 3896)
      • setup.exe (PID: 6248)
      • setup.exe (PID: 7548)
      • setup.exe (PID: 680)
      • setup.exe (PID: 5988)
      • OperaSetup.exe (PID: 5308)
      • setup.exe (PID: 7488)
      • setup.exe (PID: 4120)
      • setup.exe (PID: 2596)
      • setup.exe (PID: 6820)
    • Launching a file from a Registry key

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
    • Checks proxy server information

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • ya.exe (PID: 2084)
      • setup.exe (PID: 7548)
      • setup.exe (PID: 4120)
    • Reads the software policy settings

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • ya.exe (PID: 2084)
      • setup.exe (PID: 7548)
      • setup.exe (PID: 4120)
    • Reads the machine GUID from the registry

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • ya.exe (PID: 2084)
      • setup.exe (PID: 7548)
      • setup.exe (PID: 4120)
    • Creates files or folders in the user directory

      • USB.Safely.Remove.v7.1.2.1327.exe (PID: 7816)
      • USBSafelyRemove.exe (PID: 2868)
      • ya.exe (PID: 2084)
      • setup.exe (PID: 7548)
      • setup.exe (PID: 6248)
    • Manual execution by a user

      • USBSafelyRemove.exe (PID: 2868)
      • OperaSetup.exe (PID: 5308)
    • Process checks computer location settings

      • PACK.EXE (PID: 5048)
      • ya.exe (PID: 2084)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7512)
      • powershell.exe (PID: 7556)
      • powershell.exe (PID: 1164)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7512)
      • powershell.exe (PID: 7556)
      • powershell.exe (PID: 1164)
    • Compiled with Borland Delphi (YARA)

      • USBSafelyRemove.exe (PID: 2868)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:08 23:05:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 412160
UninitializedDataSize: 16384
EntryPoint: 0x369f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 7.1.2.1327
ProductVersionNumber: 7.1.2.1327
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: Crystal Rich Ltd.
FileDescription: USB Safely Remove v7.1.2.1327
FileVersion: 7.1.2.1327
LegalCopyright: © {PUBLISHER}
ProductName: USB Safely Remove v7.1.2.1327
No data.
All screenshots are available in the full report
Total processes: 158
Monitored processes: 28
Malicious processes: 6
Suspicious processes: 7

Behavior graph

start #GENERIC usb.safely.remove.v7.1.2.1327.exe usbsrservice.exe no specs usbsrservice.exe no specs cmd.exe no specs conhost.exe no specs #GENERIC pack.exe usbsafelyremove.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs ya.exe operasetup.exe usbsafelyremove.exe no specs setup.exe setup.exe setup.exe setup.exe setup.exe slui.exe operasetup.exe setup.exe setup.exe setup.exe svchost.exe usb.safely.remove.v7.1.2.1327.exe no specs

Process information

PID | CMD | Path | Indicators | Parent process

PID: 680
CMD: "C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
Path: C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
Parent process: setup.exe
User: admin
Company: Opera Software
Integrity Level: HIGH
Description: Opera Installer
Exit code: 0
Version: 119.0.5497.70
Modules (images):
c:\users\admin\appdata\local\temp\.opera\opera installer temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 1164
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147814523 -ThreatIDDefaultAction_Actions Allow -Force"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: PACK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1452
CMD: "C:\Program Files (x86)\USB Safely Remove\USBSRService.exe"
Path: C:\Program Files (x86)\USB Safely Remove\USBSRService.exe
Parent process: services.exe
User: SYSTEM
Company: Crystal Rich Ltd
Integrity Level: SYSTEM
Description: USB Safely Remove assistant service
Version: 7.1.2.1327
Modules (images):
c:\program files (x86)\usb safely remove\usbsrservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll

PID: 1812
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2084
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\ya.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\ya.exe
Parent process: PACK.EXE
User: admin
Company: me.fo
Integrity Level: HIGH
Description: me.fo
Exit code: 0
Version: me.fo
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\ya.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 2596
CMD: C:\Users\admin\AppData\Local\Temp\7zSCB484413\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=119.0.5497.70 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x7ffc866e8f08,0x7ffc866e8f14,0x7ffc866e8f20
Path: C:\Users\admin\AppData\Local\Temp\7zSCB484413\setup.exe
Parent process: setup.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Installer
Version: 119.0.5497.70
Modules (images):
c:\users\admin\appdata\local\temp\7zscb484413\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 2660
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2868
CMD: "C:\Program Files (x86)\USB Safely Remove\USBSafelyRemove.exe" /startup
Path: C:\Program Files (x86)\USB Safely Remove\USBSafelyRemove.exe
Parent process: explorer.exe
User: admin
Company: Crystal Rich Ltd
Integrity Level: MEDIUM
Description: USB Safely Remove
Version: 7.1.2.1327
Modules (images):
c:\program files (x86)\usb safely remove\usbsafelyremove.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll

PID: 3896
CMD: "C:\Program Files (x86)\USB Safely Remove\USBSafelyRemove.exe" /startup
Path: C:\Program Files (x86)\USB Safely Remove\USBSafelyRemove.exe
Parent process: USB.Safely.Remove.v7.1.2.1327.exe
User: admin
Company: Crystal Rich Ltd
Integrity Level: HIGH
Description: USB Safely Remove
Exit code: 0
Version: 7.1.2.1327
Modules (images):
c:\program files (x86)\usb safely remove\usbsafelyremove.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

Total events: 34 759
Read events: 34 707
Write events: 51
Delete events: 1

Modification events

(PID) Process: (7816) USB.Safely.Remove.v7.1.2.1327.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\USB Safely Remove
Operation: write | Name: EstimatedSize | Value: 12763

(PID) Process: (7816) USB.Safely.Remove.v7.1.2.1327.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Options
Operation: write | Name: CheckforUpdates | Value: 0

(PID) Process: (7816) USB.Safely.Remove.v7.1.2.1327.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\USB Safely Remove
Operation: write | Name: DisplayName | Value: USB Safely Remove

(PID) Process: (7816) USB.Safely.Remove.v7.1.2.1327.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\USB Safely Remove
Operation: write | Name: Publisher | Value: Crystal Rich Ltd.

(PID) Process: (7816) USB.Safely.Remove.v7.1.2.1327.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\USB Safely Remove
Operation: write | Name: UninstallString | Value: C:\Program Files (x86)\USB Safely Remove\Uninstall.exe

(PID) Process: (7816) USB.Safely.Remove.v7.1.2.1327.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\USB Safely Remove
Operation: write | Name: DisplayIcon | Value: C:\Program Files (x86)\USB Safely Remove\USBSafelyRemove.exe

(PID) Process: (7816) USB.Safely.Remove.v7.1.2.1327.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\USB Safely Remove
Operation: write | Name: DisplayVersion | Value: 7.1.2.1327

(PID) Process: (7816) USB.Safely.Remove.v7.1.2.1327.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Options
Operation: write | Name: ProxyPort | Value: 80

(PID) Process: (7816) USB.Safely.Remove.v7.1.2.1327.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Options
Operation: write | Name: ProxyServer | Value: 0.0.0.0

(PID) Process: (7816) USB.Safely.Remove.v7.1.2.1327.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Options
Operation: write | Name: UseProxy | Value: 1

Executable files: 29
Suspicious files: 15
Text files: 264
Unknown types: 0

Dropped files

PID | Process | Filename | Type

7816 | USB.Safely.Remove.v7.1.2.1327.exe | C:\Users\admin\AppData\Local\Temp\nsuC5E.tmp\modern-header.bmp | image
  MD5: 7EE0EF15C644AA28E91F9D2571E5446C
  SHA256: E4A14D6818ECA33C8CE45252F4AF5C0DAA2AE4E64EAAE65A9314C2B0A5044204
7816 | USB.Safely.Remove.v7.1.2.1327.exe | C:\Users\admin\AppData\Local\Temp\nsuC5E.tmp\System.dll | executable
  MD5: 9B38A1B07A0EBC5C7E59E63346ECC2DB
  SHA256: C881253DAFCF1322A771139B1A429EC1E78C507CA81A218A20DC1A4B25ABBFE7
7816 | USB.Safely.Remove.v7.1.2.1327.exe | C:\Users\admin\AppData\Local\Temp\nsuC5E.tmp\en.bmp | image
  MD5: ED25F74135602D4F678F47C8A90B3927
  SHA256: 572AFBBE22CE62759BC3B1D1E40BFD6F3914994F1EBAF4C93EF9D0ACA93CC6C4
7816 | USB.Safely.Remove.v7.1.2.1327.exe | C:\Users\admin\AppData\Local\Temp\nsuC5E.tmp\nsDialogs.dll | executable
  MD5: 8F0E7415F33843431DF308BB8E06AF81
  SHA256: BB49F15FA83452370047A7801E39FC7F64E70C7545B8999BB85AA4749EAA048B
7816 | USB.Safely.Remove.v7.1.2.1327.exe | C:\Users\admin\AppData\Local\Temp\nsuC5E.tmp\ru.bmp | image
  MD5: ACBA4CB0FEE2EA0560DCE560D8BB1D00
  SHA256: A134FDAFE45A29C94295C6164C118B0166870807BFAFA94DB211BF61802EE432
7816 | USB.Safely.Remove.v7.1.2.1327.exe | C:\Users\admin\AppData\Local\Temp\nsuC5E.tmp\LangDLL.dll | executable
  MD5: 4B8A750993567AC9A350BA9768FABFA0
  SHA256: 4CF25411F28F639F72156C24B0F66EA42F5AEE5973F6C137D901DA6AE42D5B7E
7816 | USB.Safely.Remove.v7.1.2.1327.exe | C:\Program Files (x86)\USB Safely Remove\Readme.txt | text
  MD5: 720548FD98D323D51E87DA6B52B4845E
  SHA256: 56D39490D2500D9BE3E1FDE48D72FEF6800C2D7F457312F754FE9F742FC064C9
7816 | USB.Safely.Remove.v7.1.2.1327.exe | C:\Program Files (x86)\USB Safely Remove\History.txt | text
  MD5: 3CD4CF6EC999E99DF5133AD000F8DF83
  SHA256: F9A8C251BF6D5EB3F293855C95E76E9DCB49D68F84463F1A98575763642D8A7A
7816 | USB.Safely.Remove.v7.1.2.1327.exe | C:\Users\admin\AppData\Local\Temp\nsuC5E.tmp\ua.bmp | image
  MD5: F7086FF90228A948D8409EAE0ADB2FB6
  SHA256: F28654F1B4089E01FC336D8813B4A8C07F1D85088E6FD134EB382F295BD81755
7816 | USB.Safely.Remove.v7.1.2.1327.exe | C:\Program Files (x86)\USB Safely Remove\License.txt | text
  MD5: A6E5BC2403BE82F95C9943C3D7E3E699
  SHA256: CD983294A23495CBBC8E3DDEA380F17DC5CF8C67C196C25C0CB3F6F0A12AEC26
HTTP(S) requests: 111
TCP/UDP connections: 125
DNS requests: 29
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

5496 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 159.69.51.117:443 | https://mail.repack.me/tsjtmfdm.pkg | unknown | executable | 410 Kb | whitelisted
- | - | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
7896 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.14:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
7896 | SIHClient.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted
7896 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
7896 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

6544 | svchost.exe | 20.190.160.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6564 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted


DNS requests

Domain | IP | Reputation

login.live.com | 20.190.160.131, 40.126.32.133, 40.126.32.74, 40.126.32.140, 40.126.32.134, 40.126.32.136, 20.190.160.17, 40.126.32.68 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
google.com | 142.250.186.142 | whitelisted
ocsp.digicert.com | 2.23.77.188 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
client.wns.windows.com | 172.211.123.250, 172.211.123.249 | whitelisted
pastebin.com | 104.22.68.199, 104.22.69.199, 172.67.25.94 | whitelisted
mail.repack.me | 159.69.51.117 | whitelisted
slscr.update.microsoft.com | 4.245.163.56 | whitelisted

Threats

PID | Process | Class | Message

2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
- | - | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
- | - | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO EXE - Served Attached HTTP
- | - | Potential Corporate Privacy Violation | ET INFO Outgoing Basic Auth Base64 HTTP Password detected unencrypted
No debug info