File name: activator.zip
Full analysis: https://app.any.run/tasks/338b5dc9-5db2-4139-bf60-e2297a362dce
Verdict: Malicious activity
Analysis date: July 05, 2018, 04:38:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 9A942C07B6A88B43612D1F7EA1D79ADB
SHA1: 54EA1E2071CC3516E5543529F781359CBE4D8FDD
SHA256: EE791763A0BEA206BC32F72899206B9A2425952EFB204A58866AC3722E76E954
SSDEEP: 98304:aU3LNO6RFGKur16hvbDpUbva4pdaN0ueDPJCWoe84VoNXu:a4Ls6RsUUbvpp+0u4BCp4VoNXu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • usb_network_gate.exe (PID: 3416)
      • usb_network_gate.exe (PID: 2940)
      • setup_server_ung.exe (PID: 3744)
      • UsbService.exe (PID: 544)
      • UsbService.exe (PID: 3296)
      • activator.exe (PID: 3644)
      • UsbService.exe (PID: 4016)
    • Loads dropped or rewritten executable

      • UsbService.exe (PID: 544)
    • Changes settings of System certificates

      • UsbService.exe (PID: 544)
      • UsbService.exe (PID: 3296)
  • SUSPICIOUS

    • Reads the Windows organization settings

      • usb_network_gate.tmp (PID: 1800)
    • Executable content was dropped or overwritten

      • usb_network_gate.exe (PID: 3416)
      • usb_network_gate.exe (PID: 2940)
      • usb_network_gate.tmp (PID: 1800)
      • setup_server_ung.exe (PID: 3744)
      • DrvInst.exe (PID: 2828)
      • DrvInst.exe (PID: 1544)
      • DrvInst.exe (PID: 2660)
    • Reads Windows owner settings

      • usb_network_gate.tmp (PID: 1800)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 2660)
      • DrvInst.exe (PID: 2828)
      • DrvInst.exe (PID: 1544)
      • UsbService.exe (PID: 3296)
      • setup_server_ung.exe (PID: 3744)
    • Creates files in the Windows directory

      • DrvInst.exe (PID: 2660)
      • DrvInst.exe (PID: 2828)
      • DrvInst.exe (PID: 1544)
      • DrvInst.exe (PID: 2116)
      • UsbService.exe (PID: 3296)
      • setup_server_ung.exe (PID: 3744)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 2828)
      • DrvInst.exe (PID: 1544)
      • DrvInst.exe (PID: 2660)
      • setup_server_ung.exe (PID: 3744)
    • Creates or modifies windows services

      • setup_server_ung.exe (PID: 3744)
    • Adds / modifies Windows certificates

      • UsbService.exe (PID: 544)
      • UsbService.exe (PID: 3296)
    • Creates files in the program directory

      • UsbService.exe (PID: 3296)
    • Uses NETSH.EXE for network configuration

      • usb_network_gate.tmp (PID: 1800)
    • Low-level read access rights to disk partition

      • UsbService.exe (PID: 3296)
  • INFO

    • Application was dropped or rewritten from another process

      • usb_network_gate.tmp (PID: 1800)
      • usb_network_gate.tmp (PID: 3440)
    • Loads dropped or rewritten executable

      • usb_network_gate.tmp (PID: 1800)
    • Creates files in the program directory

      • usb_network_gate.tmp (PID: 1800)
    • Dropped object may contain URL's

      • DrvInst.exe (PID: 2828)
      • DrvInst.exe (PID: 1544)
      • usb_network_gate.tmp (PID: 1800)
      • UsbService.exe (PID: 3296)
      • setup_server_ung.exe (PID: 3744)
      • DrvInst.exe (PID: 2660)
    • Reads settings of System Certificates

      • DrvInst.exe (PID: 2116)
      • DrvInst.exe (PID: 2564)
    • Creates a software uninstall entry

      • usb_network_gate.tmp (PID: 1800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2015:12:29 17:15:00
ZipCRC: 0xe24ff983
ZipCompressedSize: 3676
ZipUncompressedSize: 6144
ZipFileName: activator.exe
No data.
All screenshots are available in the full report
Total processes: 61
Monitored processes: 17
Malicious processes: 8
Suspicious processes: 3

Behavior graph

Processes shown in the graph (start and drop-and-start chains): 7zfm.exe (no specs), usb_network_gate.exe, usb_network_gate.tmp (no specs), usb_network_gate.exe, usb_network_gate.tmp, setup_server_ung.exe, drvinst.exe, drvinst.exe, drvinst.exe, drvinst.exe (no specs), drvinst.exe (no specs), usbservice.exe, usbservice.exe (no specs), usbservice.exe, netsh.exe (no specs), netsh.exe (no specs), activator.exe (no specs)

Process information

(Columns: PID, CMD, Path, Indicators, Parent process)
PID: 544
CMD: "C:\Program Files\Eltima Software\USB Network Gate\UsbService.exe" install E232F16E-D109-45DB-A1D3-DD21BEB3B75F
Path: C:\Program Files\Eltima Software\USB Network Gate\UsbService.exe
Parent process: usb_network_gate.tmp
User: admin
Company: ELTIMA Software
Integrity Level: HIGH
Description: USB Network Gate
Exit code: 4294967295
Version: 8.0.1859
Modules (Images):
c:\program files\eltima software\usb network gate\usbservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\user32.dll
PID: 1388
CMD: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\admin\AppData\Local\Temp\activator.zip"
Path: C:\Program Files\7-Zip\7zFM.exe
Parent process: explorer.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip File Manager
Exit code: 0
Version: 16.04
Modules (Images):
c:\program files\7-zip\7zfm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1496
CMD: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=u2ec_gui dir=in action=allow program="C:\Program Files\Eltima Software\USB Network Gate\UsbConfig.exe" enable=yes
Path: C:\Windows\system32\netsh.exe
Parent process: usb_network_gate.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 1544
CMD: DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem5.inf" "vuh.inf:Eltima.NTx86:VUHUB_Device:7.0.1420.0:vuhub" "625e1bb63" "0000055C" "000005F0" "000005F4"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1800
CMD: "C:\Users\admin\AppData\Local\Temp\is-0PS8O.tmp\usb_network_gate.tmp" /SL5="$150128,5388476,121344,C:\Users\admin\Desktop\usb_network_gate.exe" /SPAWNWND=$F0194 /NOTIFYWND=$A0242
Path: C:\Users\admin\AppData\Local\Temp\is-0PS8O.tmp\usb_network_gate.tmp
Parent process: usb_network_gate.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-0ps8o.tmp\usb_network_gate.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2116
CMD: DrvInst.exe "1" "200" "UsbEStub\Devices\0004" "" "" "6c5c6bf7f" "00000000" "000005F4" "00000600"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2564
CMD: DrvInst.exe "1" "200" "UsbEStub\Devices\0000" "" "" "655b45ca3" "00000000" "00000614" "00000618"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2660
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{1a7ef324-4661-3ac5-1ce2-dd51bc754933}\UsbStub.inf" "0" "64be6d557" "0000057C" "WinSta0\Default" "000004D8" "208" "C:\Program Files\Eltima Software\USB Network Gate\drv\NT6"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2828
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{13acccea-0a4c-4af5-0b8c-7d1e0d3e5c79}\vuh.inf" "0" "625e1bb63" "0000055C" "WinSta0\Default" "0000057C" "208" "c:\program files\eltima software\usb network gate\drv\nt6"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2940
CMD: "C:\Users\admin\Desktop\usb_network_gate.exe" /SPAWNWND=$F0194 /NOTIFYWND=$A0242
Path: C:\Users\admin\Desktop\usb_network_gate.exe
Parent process: usb_network_gate.tmp
User: admin
Company: ELTIMA Software
Integrity Level: HIGH
Description: USB Network Gate
Exit code: 0
Version: Usb Network Gate 8.0
Modules (Images):
c:\users\admin\desktop\usb_network_gate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 663
Read events: 420
Write events: 237
Delete events: 6

Modification events

(PID) Process: (1800) usb_network_gate.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 08070000DE67BF231A14D401

(PID) Process: (1800) usb_network_gate.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: A6B5375EC9B76F4BEE0DB66D4A04D97792B41F34276C5468E874F6DD95438736

(PID) Process: (1800) usb_network_gate.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (1800) usb_network_gate.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Program Files\Eltima Software\USB Network Gate\usb4citrix.dll

(PID) Process: (1800) usb_network_gate.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: EE3DC28E32A603A6D51930E79AFFD519344F1825ECD3993D5C7EBC71F6C102A8

(PID) Process: (3744) setup_server_ung.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation: write
Name: setupapi.dev.log
Value: 4096

(PID) Process: (3744) setup_server_ung.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\93\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1800) usb_network_gate.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\ELTIMA Software\UsbToEthernetConnector
Operation: write
Name: u2ec_log
Value: C:\Program Files\Eltima Software\USB Network Gate\u2ec.log

(PID) Process: (1800) usb_network_gate.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\AddIns\usb4rdp
Operation: write
Name: Name
Value: C:\Program Files\Eltima Software\USB Network Gate\usb4rdp32.dll

(PID) Process: (1800) usb_network_gate.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\ELTIMA Software\UsbToEthernetConnector
Operation: write
Name: settingsPath
Value: C:\ProgramData\Eltima Software\UNG
Executable files: 24
Suspicious files: 49
Text files: 151
Unknown types: 19

Dropped files

(Columns: PID, Process, Filename, Type)

PID: 1388 | Process: 7zFM.exe | Filename: C:\Users\admin\AppData\Local\Temp\7zEC65D87EA\activator.exe
MD5:
SHA256:

PID: 1388 | Process: 7zFM.exe | Filename: C:\Users\admin\AppData\Local\Temp\7zEC65D87EA\usb_network_gate.exe
MD5:
SHA256:

PID: 1800 | Process: usb_network_gate.tmp | Filename: C:\Program Files\Eltima Software\USB Network Gate\is-BAUSK.tmp
MD5:
SHA256:

PID: 1800 | Process: usb_network_gate.tmp | Filename: C:\Program Files\Eltima Software\USB Network Gate\is-9S8Q1.tmp
MD5:
SHA256:

PID: 1800 | Process: usb_network_gate.tmp | Filename: C:\Program Files\Eltima Software\USB Network Gate\is-HJO1C.tmp
MD5:
SHA256:

PID: 1800 | Process: usb_network_gate.tmp | Filename: C:\Program Files\Eltima Software\USB Network Gate\is-PA0BB.tmp
MD5:
SHA256:

PID: 1800 | Process: usb_network_gate.tmp | Filename: C:\Program Files\Eltima Software\USB Network Gate\is-QAUNC.tmp
MD5:
SHA256:

PID: 1800 | Process: usb_network_gate.tmp | Filename: C:\Program Files\Eltima Software\USB Network Gate\is-NA6MO.tmp
MD5:
SHA256:

PID: 1800 | Process: usb_network_gate.tmp | Filename: C:\Program Files\Eltima Software\USB Network Gate\is-6M73T.tmp
MD5:
SHA256:

PID: 1800 | Process: usb_network_gate.tmp | Filename: C:\Program Files\Eltima Software\USB Network Gate\is-OPBN0.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 4
DNS requests: 3
Threats: 0

HTTP requests

PID: 3296
Process: UsbService.exe
Method: GET
HTTP Code: 200
IP: 13.107.4.50:80
URL: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
CN: US
Type: compressed
Size: 52.7 Kb
Reputation: whitelisted

Connections

(Columns: PID, Process, IP, Domain, ASN, CN, Reputation)

PID: 544 | Process: UsbService.exe | IP: 78.46.96.38:443 | Domain: appstatico.eltima.com | ASN: Hetzner Online GmbH | CN: DE | Reputation: suspicious
PID: 3296 | Process: UsbService.exe | IP: 188.40.191.126:443 | Domain: activate.eltima.com | ASN: Hetzner Online GmbH | CN: DE | Reputation: suspicious
PID: 3296 | Process: UsbService.exe | IP: 78.46.96.38:443 | Domain: appstatico.eltima.com | ASN: Hetzner Online GmbH | CN: DE | Reputation: suspicious
PID: 3296 | Process: UsbService.exe | IP: 13.107.4.50:80 | Domain: www.download.windowsupdate.com | ASN: Microsoft Corporation | CN: US | Reputation: whitelisted

DNS requests

(Columns: Domain, IP, Reputation)

appstatico.eltima.com | 78.46.96.38 | suspicious
www.download.windowsupdate.com | 13.107.4.50 | whitelisted
activate.eltima.com | 188.40.191.126 | suspicious

Threats

No threats detected
No debug info