File name:

USBDeview.exe

Full analysis: https://app.any.run/tasks/5b22c0e3-3513-4f11-9e9d-fc6ddd6986c1
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: September 21, 2020, 17:17:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
meterpreter
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

45AF453044C430D5EF5F63F1B77E7E24

SHA1:

F3EF39785DD524E6F95780BFC90E118DA15BB021

SHA256:

93F2E8896197558C7091BF0D9B3864F4A2866D772508A62C570CA7F69B2E3B9E

SSDEEP:

3072:pYz49eSQHH6za3j7zPyCfBNUP7ThgaQ4:pYEM9H2aTaCfBNUvd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • METERPRETER was detected

      • USBDeview.exe (PID: 3988)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:01:20 10:14:39+01:00
PEType: PE32
LinkerVersion: 8
CodeSize: 79360
InitializedDataSize: 42496
UninitializedDataSize: -
EntryPoint: 0x14146
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.8.6.0
ProductVersionNumber: 2.8.6.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: NirSoft
FileDescription: Lists USB Devices
FileVersion: 2.86
InternalName: USBDeview
LegalCopyright: Copyright © 2006 - 2020 Nir Sofer
OriginalFileName: USBDeview.exe
ProductName: USBDeview
ProductVersion: 2.86

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Jan-2020 09:14:39
Detected languages:
  • English - United States
  • Hebrew - Israel
Debug artifacts:
  • c:\Projects\VS2005\USBDeview\Release\USBDeview.pdb
CompanyName: NirSoft
FileDescription: Lists USB Devices
FileVersion: 2.86
InternalName: USBDeview
LegalCopyright: Copyright © 2006 - 2020 Nir Sofer
OriginalFilename: USBDeview.exe
ProductName: USBDeview
ProductVersion: 2.86

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 20-Jan-2020 09:14:39
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000135A9
0x00013600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.47915
.rdata
0x00015000
0x000036D2
0x00003800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.68508
.data
0x00019000
0x00001348
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.04291
.rsrc
0x0001B000
0x00007C00
0x00007C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.83516

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.39754
896
Latin 1 / Western European
English - United States
RT_MANIFEST
2
3.24077
1522
Latin 1 / Western European
English - United States
RT_STRING
3
3.18893
986
Latin 1 / Western European
English - United States
RT_STRING
4
1.99296
296
Latin 1 / Western European
Hebrew - Israel
RT_ICON
32
3.04212
280
Latin 1 / Western European
English - United States
RT_STRING
35
1.54883
56
Latin 1 / Western European
English - United States
RT_STRING
36
0.545897
36
Latin 1 / Western European
English - United States
RT_STRING
38
3.21939
222
Latin 1 / Western European
English - United States
RT_STRING
39
2.28265
84
Latin 1 / Western European
English - United States
RT_STRING
63
2.93646
190
Latin 1 / Western European
English - United States
RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
WS2_32.dll
comdlg32.dll
msvcrt.dll
ole32.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #METERPRETER usbdeview.exe

Process information

PID
CMD
Path
Indicators
Parent process
3988"C:\Users\admin\AppData\Local\Temp\USBDeview.exe" C:\Users\admin\AppData\Local\Temp\USBDeview.exe
explorer.exe
User:
admin
Company:
NirSoft
Integrity Level:
MEDIUM
Description:
Lists USB Devices
Exit code:
0
Version:
2.86
Modules
Images
c:\users\admin\appdata\local\temp\usbdeview.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
9
Read events
9
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
0
Threats
5

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3988
USBDeview.exe
200.81.120.92:2003
Teledifusora S.A.
AR
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
A Network Trojan was detected
MALWARE [PTsecurity] Possible Metasploit Payload Bind_API (from server)
Generic Protocol Command Decode
SURICATA Applayer Protocol detection skipped
A Network Trojan was detected
ET TROJAN Possible Metasploit Payload Common Construct Bind_API (from server)
A Network Trojan was detected
MALWARE [PTsecurity] BackDoor.Meterpreter.19
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
USBDeview.exe