| File name: | USBSafelyRemove.exe |
| Full analysis: | https://app.any.run/tasks/e229671c-f078-4a84-92db-fe4582c996f4 |
| Verdict: | Malicious activity |
| Analysis date: | June 07, 2025, 14:01:17 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections |
| MD5: | B4CFD32FFB792EDF01F31F8C6FFD567A |
| SHA1: | 9304380465198D6CE0F83AB9FDAE5B9CD69D8D29 |
| SHA256: | A037109176C8863EB858F6C1FB1C8DEAB31DA8A39BF4A7CD5EB5803663903A1E |
| SSDEEP: | 98304:d2EgIxYXEpB9cys6W6vXjuryzLEGLiG+raebyvlycunTTw4AMh7dVblgP6UZshs:crs |
MALICIOUS
Executing a file with an untrusted certificate
- USBSafelyRemove.exe (PID: 3784)
SUSPICIOUS
Write to the desktop.ini file (may be used to cloak folders)
- USBSafelyRemove.exe (PID: 3784)
Reads security settings of Internet Explorer
- USBSafelyRemove.exe (PID: 3784)
INFO
Reads the computer name
- USBSafelyRemove.exe (PID: 3784)
- identity_helper.exe (PID: 7904)
The sample compiled with english language support
- USBSafelyRemove.exe (PID: 3784)
Checks supported languages
- USBSafelyRemove.exe (PID: 3784)
- identity_helper.exe (PID: 7904)
Creates files or folders in the user directory
- USBSafelyRemove.exe (PID: 3784)
Application launched itself
- msedge.exe (PID: 6820)
Compiled with Borland Delphi (YARA)
- USBSafelyRemove.exe (PID: 3784)
Reads Environment values
- identity_helper.exe (PID: 7904)
Checks proxy server information
- slui.exe (PID: 8136)
Reads the software policy settings
- slui.exe (PID: 8136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (67.7) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (25.6) |
| .exe | | | Win32 Executable (generic) (2.7) |
| .exe | | | Win16/32 Executable Delphi generic (1.2) |
| .exe | | | Generic Win/DOS Executable (1.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:05:06 21:19:27+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 5048832 |
| InitializedDataSize: | 1547264 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x4d1c7c |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 7.1.2.1327 |
| ProductVersionNumber: | 7.1.2.1327 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (British) |
| CharacterSet: | Unicode |
| CompanyName: | Crystal Rich Ltd |
| FileDescription: | USB Safely Remove |
| FileVersion: | 7.1.2.1327 |
| OriginalFileName: | USBSafelyRemove.exe |
| InternalName: | USB Safely Remove |
| LegalCopyright: | Copyright © 2025 by Crystal Rich Ltd |
| ProductName: | USB Safely Remove |
| ProductVersion: | 7.1.2.1327 |
Total processes
171
Monitored processes
42
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 132 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5040 --field-trial-handle=2476,i,11015624513626403747,12109197002260465652,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 236 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5596 --field-trial-handle=2476,i,11015624513626403747,12109197002260465652,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 404 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5284 --field-trial-handle=2476,i,11015624513626403747,12109197002260465652,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1300 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5984 --field-trial-handle=2476,i,11015624513626403747,12109197002260465652,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1324 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6620 --field-trial-handle=2476,i,11015624513626403747,12109197002260465652,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2124 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=7072 --field-trial-handle=2476,i,11015624513626403747,12109197002260465652,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2240 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=7136 --field-trial-handle=2476,i,11015624513626403747,12109197002260465652,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2552 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6840 --field-trial-handle=2476,i,11015624513626403747,12109197002260465652,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 3784 | "C:\Users\admin\Desktop\USBSafelyRemove.exe" | C:\Users\admin\Desktop\USBSafelyRemove.exe | — | explorer.exe | |||||||||||
User: admin Company: Crystal Rich Ltd Integrity Level: MEDIUM Description: USB Safely Remove Version: 7.1.2.1327 Modules
| |||||||||||||||
| 4008 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5852 --field-trial-handle=2476,i,11015624513626403747,12109197002260465652,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
Total events
8 094
Read events
8 011
Write events
82
Delete events
1
Modification events
| (PID) Process: | (3784) USBSafelyRemove.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Options |
| Operation: | write | Name: | SkinName |
Value: Win10 Dark | |||
| (PID) Process: | (3784) USBSafelyRemove.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Options |
| Operation: | write | Name: | AsprKeyConversionDone |
Value: 1 | |||
| (PID) Process: | (3784) USBSafelyRemove.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Options |
| Operation: | write | Name: | DefTPosition |
Value: {5317EF-B2F25EE-6405-317EFB-2B262-E640} | |||
| (PID) Process: | (3784) USBSafelyRemove.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Main |
| Operation: | write | Name: | Version |
Value: 7.1 | |||
| (PID) Process: | (3784) USBSafelyRemove.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Main |
| Operation: | write | Name: | FirstRunDT |
Value: 070620251401 | |||
| (PID) Process: | (3784) USBSafelyRemove.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Main |
| Operation: | write | Name: | FirstRunDTRaw |
Value: 45815,5843434259 | |||
| (PID) Process: | (3784) USBSafelyRemove.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Main |
| Operation: | write | Name: | RunCount |
Value: 1 | |||
| (PID) Process: | (3784) USBSafelyRemove.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Main |
| Operation: | write | Name: | RootHubState |
Value: 3A0D46E8 | |||
| (PID) Process: | (3784) USBSafelyRemove.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Main |
| Operation: | write | Name: | AutoUpdateID |
Value: 6DBA9EA0-E581-4671-87F6-89584E6AFDED | |||
| (PID) Process: | (3784) USBSafelyRemove.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\SafelyRemove\Drives\USB*VID_0627&PID_0001*28754-0000:00:04.7-1 |
| Operation: | write | Name: | InternalDisabledHasVolumes |
Value: 0 | |||
Executable files
11
Suspicious files
441
Text files
46
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Local State~RF121b60.TMP | — | |
MD5:— | SHA256:— | |||
| 6820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF121b6f.TMP | — | |
MD5:— | SHA256:— | |||
| 6820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.old~RF121b6f.TMP | — | |
MD5:— | SHA256:— | |||
| 6820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF121b7f.TMP | — | |
MD5:— | SHA256:— | |||
| 6820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF121b7f.TMP | — | |
MD5:— | SHA256:— | |||
| 6820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6820 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF121b8f.TMP | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
207
TCP/UDP connections
122
DNS requests
71
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.190.160.128:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted |
— | — | POST | 200 | 20.190.160.65:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted |
— | — | POST | 200 | 20.190.160.132:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted |
— | — | POST | 200 | 20.190.160.14:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 503 | 13.107.6.158:443 | https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox | unknown | html | 13.7 Kb | whitelisted |
— | — | GET | 200 | 150.171.28.11:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | unknown | binary | 446 b | whitelisted |
— | — | GET | 503 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown | html | 13.7 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6544 | svchost.exe | 40.126.31.73:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5496 | MoUsoCoreWorker.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6372 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7564 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
safelyremove.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
edge-mobile-static.azureedge.net |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7516 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com) |
7516 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com) |
7516 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com) |
7516 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com) |
— | — | Potentially Bad Traffic | ET INFO Possible Chrome Plugin install |