File name: usbsafelyremovesetup_7-0-5.exe

Full analysis: https://app.any.run/tasks/dc07d23c-f058-44ee-b44b-89ec0097469b
Verdict: Malicious activity
Analysis date: May 17, 2024, 09:22:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1160764FDA32F71097ACCACF1D284A7D
SHA1: BA6306AB3E2291F14AE6BE6014112C4E3937B0E6
SHA256: F0AEA3CB0F3CCB2D6C16A159338C1DF9F1CCBF1CE570BE5E1B2B044DD9469922
SSDEEP: 98304:60pEiMuF7g99oRFBySi4NJYp/Foe8LAyrYmyeFm4Q7vAddx6J7LzeovjMYVV0a9S:1IfLsD5sSB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • usbsafelyremovesetup_7-0-5.exe (PID: 3984)
      • usbsafelyremovesetup_7-0-5.exe (PID: 820)
      • usbsafelyremovesetup_7-0-5.tmp (PID: 1036)
    • Changes the autorun value in the registry

      • USBSafelyRemove.exe (PID: 2204)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • usbsafelyremovesetup_7-0-5.exe (PID: 3984)
      • usbsafelyremovesetup_7-0-5.exe (PID: 820)
      • usbsafelyremovesetup_7-0-5.tmp (PID: 1036)
    • Reads the Windows owner or organization settings

      • usbsafelyremovesetup_7-0-5.tmp (PID: 1036)
    • Drops a system driver (possible attempt to evade defenses)

      • usbsafelyremovesetup_7-0-5.tmp (PID: 1036)
    • Reads security settings of Internet Explorer

      • usbsafelyremovesetup_7-0-5.tmp (PID: 1036)
      • USBSafelyRemove.exe (PID: 2204)
    • Executes as Windows Service

      • USBSRService.exe (PID: 336)
    • Reads the Internet Settings

      • usbsafelyremovesetup_7-0-5.tmp (PID: 1036)
      • USBSafelyRemove.exe (PID: 2204)
    • Write to the desktop.ini file (may be used to cloak folders)

      • USBSafelyRemove.exe (PID: 2204)
    • Starts CMD.EXE for commands execution

      • USBSafelyRemove.exe (PID: 2204)
  • INFO

    • Checks supported languages

      • usbsafelyremovesetup_7-0-5.exe (PID: 3984)
      • usbsafelyremovesetup_7-0-5.tmp (PID: 4000)
      • usbsafelyremovesetup_7-0-5.exe (PID: 820)
      • usbsafelyremovesetup_7-0-5.tmp (PID: 1036)
      • USBSRService.exe (PID: 328)
      • USBSafelyRemove.exe (PID: 2204)
      • USBSRService.exe (PID: 336)
      • usr.exe (PID: 1620)
    • Reads the computer name

      • usbsafelyremovesetup_7-0-5.tmp (PID: 4000)
      • usbsafelyremovesetup_7-0-5.tmp (PID: 1036)
      • USBSRService.exe (PID: 328)
      • USBSRService.exe (PID: 336)
      • USBSafelyRemove.exe (PID: 2204)
    • Create files in a temporary directory

      • usbsafelyremovesetup_7-0-5.exe (PID: 3984)
      • usbsafelyremovesetup_7-0-5.exe (PID: 820)
      • usbsafelyremovesetup_7-0-5.tmp (PID: 1036)
    • Creates files in the program directory

      • usbsafelyremovesetup_7-0-5.tmp (PID: 1036)
      • USBSRService.exe (PID: 328)
    • Application launched itself

      • chrome.exe (PID: 1424)
    • Manual execution by a user

      • chrome.exe (PID: 1424)
    • Creates files or folders in the user directory

      • USBSafelyRemove.exe (PID: 2204)
      • usr.exe (PID: 1620)
      • usbsafelyremovesetup_7-0-5.tmp (PID: 1036)
    • Creates a software uninstall entry

      • usbsafelyremovesetup_7-0-5.tmp (PID: 1036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (57.2)
.exe | Win32 Executable (generic) (18.2)
.exe | Win16/32 Executable Delphi generic (8.3)
.exe | Generic Win/DOS Executable (8)
.exe | DOS Executable Generic (8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:06:14 13:27:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 66560
InitializedDataSize: 78336
UninitializedDataSize: -
EntryPoint: 0x1181c
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 7.0.5.1320
ProductVersionNumber: 7.0.5.1320
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Crystal Rich Ltd
FileDescription: USB Safely Remove Setup
FileVersion: 7.0.5.1320
LegalCopyright:
ProductName: USB Safely Remove
ProductVersion: 7.0.5.1320
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 14
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Processes shown in the interactive graph ("no specs" is the graph's label for a process with no recorded specifics):
  • start
  • usbsafelyremovesetup_7-0-5.exe
  • usbsafelyremovesetup_7-0-5.tmp (no specs)
  • usbsafelyremovesetup_7-0-5.exe
  • usbsafelyremovesetup_7-0-5.tmp
  • usbsrservice.exe (no specs)
  • usbsrservice.exe (no specs)
  • usbsafelyremove.exe
  • cmd.exe (no specs)
  • usr.exe (no specs)
  • chrome.exe (no specs), five instances

Process information

Each record gives PID, CMD, Path and Parent process, followed by the process details and the first loaded modules.
PID: 328
CMD: "C:\Program Files\USB Safely Remove\USBSRService.exe" /install /silent
Path: C:\Program Files\USB Safely Remove\USBSRService.exe
Parent process: usbsafelyremovesetup_7-0-5.tmp
User:
admin
Company:
Crystal Rich Ltd
Integrity Level:
HIGH
Description:
USB Safely Remove assistant service
Exit code:
0
Version:
7.0.5.1320
Modules
Images
c:\program files\usb safely remove\usbsrservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 336
CMD: "C:\Program Files\USB Safely Remove\USBSRService.exe"
Path: C:\Program Files\USB Safely Remove\USBSRService.exe
Parent process: services.exe
User:
SYSTEM
Company:
Crystal Rich Ltd
Integrity Level:
SYSTEM
Description:
USB Safely Remove assistant service
Version:
7.0.5.1320
Modules
Images
c:\program files\usb safely remove\usbsrservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 616
CMD: "C:\Windows\System32\cmd.exe" /k "usr.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: USBSafelyRemove.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT: the console process was terminated, by Ctrl+C or by its console window being closed, rather than exiting on its own)
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 820
CMD: "C:\Users\admin\AppData\Local\Temp\usbsafelyremovesetup_7-0-5.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\usbsafelyremovesetup_7-0-5.exe
Parent process: usbsafelyremovesetup_7-0-5.tmp
User:
admin
Company:
Crystal Rich Ltd
Integrity Level:
HIGH
Description:
USB Safely Remove Setup
Exit code:
0
Version:
7.0.5.1320
Modules
Images
c:\users\admin\appdata\local\temp\usbsafelyremovesetup_7-0-5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 824
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=1612 --field-trial-handle=1192,i,15003908287637572377,9047423707186556626,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1036
CMD: "C:\Users\admin\AppData\Local\Temp\is-C378H.tmp\usbsafelyremovesetup_7-0-5.tmp" /SL5="$2013A,3231395,145920,C:\Users\admin\AppData\Local\Temp\usbsafelyremovesetup_7-0-5.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\is-C378H.tmp\usbsafelyremovesetup_7-0-5.tmp
Parent process: usbsafelyremovesetup_7-0-5.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-c378h.tmp\usbsafelyremovesetup_7-0-5.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1424
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1620
CMD: usr.exe
Path: C:\Program Files\USB Safely Remove\usr.exe
Parent process: cmd.exe
User:
admin
Company:
Crystal Rich Ltd
Integrity Level:
MEDIUM
Description:
Zentimo\USB Safely Remove command line tool
Exit code:
0
Version:
7.0.5.1320
Modules
Images
c:\program files\usb safely remove\usr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1884
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=1340 --field-trial-handle=1192,i,15003908287637572377,9047423707186556626,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2060
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6d8d8b38,0x6d8d8b48,0x6d8d8b54
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
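Three things in the process table above deserve a second look when triaging a report like this: the installer (PID 328, HIGH integrity) registers USBSRService.exe with /install /silent and the same image is then started by services.exe as SYSTEM (PID 336); the tray application USBSafelyRemove.exe launches cmd.exe /k "usr.exe", a console that stays open after the command; and that cmd.exe exits with 3221225786, which is the NTSTATUS 0xC000013A (STATUS_CONTROL_C_EXIT), not a crash code. The script below is an added example, not ANY.RUN code, that automates exactly those checks over records constructed from this report's process table (the Chrome helper processes are left out as unrelated); the record layout, the rule names and the small NTSTATUS table are this example's own.

```python
"""Triage of per-process records from a sandbox report (added example).

The records are constructed from the 'Process information' section of the
report: PID, image name, command line, parent image name, user, integrity
level and exit code (None where the report shows none).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str          # image file name as printed in the report
    cmdline: str
    parent: str         # parent image name (the report gives names, not PIDs)
    user: str
    integrity: str
    exit_code: Optional[int] = None


@dataclass(frozen=True)
class Finding:
    pid: int
    tag: str
    detail: str


# Constructed from the report's process table (Chrome helpers omitted).
SAMPLE_PROCS = [
    Proc(328, "USBSRService.exe",
         r'"C:\Program Files\USB Safely Remove\USBSRService.exe" /install /silent',
         "usbsafelyremovesetup_7-0-5.tmp", "admin", "HIGH", 0),
    Proc(336, "USBSRService.exe",
         r'"C:\Program Files\USB Safely Remove\USBSRService.exe"',
         "services.exe", "SYSTEM", "SYSTEM"),
    Proc(616, "cmd.exe", r'"C:\Windows\System32\cmd.exe" /k "usr.exe"',
         "USBSafelyRemove.exe", "admin", "MEDIUM", 3221225786),
    Proc(820, "usbsafelyremovesetup_7-0-5.exe",
         r'"C:\Users\admin\AppData\Local\Temp\usbsafelyremovesetup_7-0-5.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138',
         "usbsafelyremovesetup_7-0-5.tmp", "admin", "HIGH", 0),
    Proc(1036, "usbsafelyremovesetup_7-0-5.tmp",
         r'"C:\Users\admin\AppData\Local\Temp\is-C378H.tmp\usbsafelyremovesetup_7-0-5.tmp" /SL5="$2013A,3231395,145920,C:\Users\admin\AppData\Local\Temp\usbsafelyremovesetup_7-0-5.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138',
         "usbsafelyremovesetup_7-0-5.exe", "admin", "HIGH", 0),
    Proc(1424, "chrome.exe",
         r'"C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"',
         "explorer.exe", "admin", "MEDIUM"),
    Proc(1620, "usr.exe", "usr.exe", "cmd.exe", "admin", "MEDIUM", 0),
]

# A few NTSTATUS values commonly seen as exit codes of killed or crashed processes.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}


def decode_exit_code(code: int) -> dict:
    """Read a decimal exit code as a 32-bit NTSTATUS: the top two bits carry the
    severity (3 = error), the rest identifies the status."""
    code &= 0xFFFFFFFF
    severity = ("success", "informational", "warning", "error")[code >> 30]
    return {"hex": f"0x{code:08X}", "severity": severity, "name": NTSTATUS_NAMES.get(code)}


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
EXPECTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}


def triage_processes(procs):
    findings = []
    by_image = {}
    for p in procs:
        by_image.setdefault(p.image.lower(), []).append(p)
    for p in procs:
        image, parent = p.image.lower(), p.parent.lower()
        # 1. A shell or script host started by an application rather than a user shell.
        if image in SHELLS and parent not in EXPECTED_SHELL_PARENTS:
            findings.append(Finding(p.pid, "shell_from_app",
                                    f"{p.image} launched by {p.parent}: {p.cmdline}"))
        # 2. A service start, tied back to the earlier run that registered it.
        if parent == "services.exe":
            regs = [q for q in by_image[image]
                    if q.pid != p.pid and "/install" in q.cmdline.lower()]
            via = (f", registered by PID {regs[0].pid} (child of {regs[0].parent}, "
                   f"{regs[0].integrity} integrity)") if regs else ""
            findings.append(Finding(p.pid, f"service_as_{p.user.lower()}",
                                    f"{p.image} started by services.exe as {p.user}{via}"))
        # 3. An error-class NTSTATUS exit code, decoded to its symbolic name.
        if p.exit_code:
            d = decode_exit_code(p.exit_code)
            if d["severity"] == "error":
                findings.append(Finding(p.pid, "abnormal_exit",
                                        f"{p.image} exited {d['hex']} ({d['name'] or 'unknown NTSTATUS'})"))
    return findings


if __name__ == "__main__":
    for f in triage_processes(SAMPLE_PROCS):
        print(f"PID {f.pid:>5}  {f.tag:<18} {f.detail}")
```

On this report's records the script yields three findings: cmd.exe spawned by USBSafelyRemove.exe, USBSRService.exe running as SYSTEM and registered by PID 328 from a HIGH-integrity installer child, and the STATUS_CONTROL_C_EXIT exit of the console. Because the report identifies parents by image name only, the service rule matches by image rather than by parent PID, which is adequate here but would need a PID-based tree on a report where the same image appears in unrelated chains.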
Total events: 6,217
Read events: 6,129
Write events: 83
Delete events: 5

Modification events

Process: (1036) usbsafelyremovesetup_7-0-5.tmp
Key: HKEY_CURRENT_USER\Software\SafelyRemove\Options
Operation: write
Name: DoNotShareSettings
Value: 1

Process: (1036) usbsafelyremovesetup_7-0-5.tmp
Key: HKEY_CURRENT_USER\Software\SafelyRemove\Main
Operation: write
Name: InstallCount
Value: 1

Process: (1036) usbsafelyremovesetup_7-0-5.tmp
Key: HKEY_CURRENT_USER\Software\SafelyRemove\Options
Operation: write
Name: LangFileName
Value: Russian

Process: (1036) usbsafelyremovesetup_7-0-5.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Operation: write
Name: C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
Value: DisableNXShowUI

Process: (1036) usbsafelyremovesetup_7-0-5.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\NoExecuteState
Operation: write
Name: LastNoExecuteRadioButtonState
Value: 14013

Process: (1036) usbsafelyremovesetup_7-0-5.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Operation: write
Name: C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
Value: DisableNXShowUI

Process: (1036) usbsafelyremovesetup_7-0-5.tmp
Key: HKEY_CURRENT_USER\Software\SafelyRemove\Main
Operation: delete value
Name: FirstRunDT

Process: (1036) usbsafelyremovesetup_7-0-5.tmp
Key: HKEY_CURRENT_USER\Software\SafelyRemove\Main
Operation: delete value
Name: RunCount

Process: (1036) usbsafelyremovesetup_7-0-5.tmp
Key: HKEY_CURRENT_USER\Software\SafelyRemove\Main
Operation: delete value
Name: TotalRunSeconds

Process: (1036) usbsafelyremovesetup_7-0-5.tmp
Key: HKEY_CURRENT_USER\Software\SafelyRemove\Main
Operation: delete value
Name: FirstRunDTRaw
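The security-relevant entries in the modification events are the two AppCompatFlags\Layers writes. Values under that key are named after the full path of an executable and hold a space-separated list of compatibility layers; DisableNXShowUI is the layer Windows itself writes when a program is added to the Data Execution Prevention exception list, and LastNoExecuteRadioButtonState under AppCompatFlags\NoExecuteState is that dialog's remembered radio-button state. The installer therefore registers USBSafelyRemove.exe as DEP-exempt both machine-wide (HKLM) and for the current user (HKCU). Whether this weakens anything depends on the host's DEP policy: exceptions are honored under OptOut and ignored under AlwaysOn, and on this 32-bit Windows 7 guest the effect is that the tray application can run with DEP off. The script below is an added example, not ANY.RUN code, that classifies such events; its input is constructed from the table above in a pipe-separated layout chosen for the example, and it goes one step beyond the page by also covering Run-key autorun writes (the report flags one by USBSafelyRemove.exe but does not show the key), exercised with a clearly hypothetical last record.

```python
"""Triage of registry-modification records from a sandbox report (added example).

Each input line is process|key|operation|value name|data; the data field is
empty for deletions. All lines but the last are constructed from the report;
the last is a hypothetical autorun write included only to exercise that rule.
"""
import re
from dataclasses import dataclass

SAMPLE_EVENTS = r"""
(1036) usbsafelyremovesetup_7-0-5.tmp|HKEY_CURRENT_USER\Software\SafelyRemove\Options|write|DoNotShareSettings|1
(1036) usbsafelyremovesetup_7-0-5.tmp|HKEY_CURRENT_USER\Software\SafelyRemove\Main|write|InstallCount|1
(1036) usbsafelyremovesetup_7-0-5.tmp|HKEY_CURRENT_USER\Software\SafelyRemove\Options|write|LangFileName|Russian
(1036) usbsafelyremovesetup_7-0-5.tmp|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers|write|C:\Program Files\USB Safely Remove\USBSafelyRemove.exe|DisableNXShowUI
(1036) usbsafelyremovesetup_7-0-5.tmp|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\NoExecuteState|write|LastNoExecuteRadioButtonState|14013
(1036) usbsafelyremovesetup_7-0-5.tmp|HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers|write|C:\Program Files\USB Safely Remove\USBSafelyRemove.exe|DisableNXShowUI
(1036) usbsafelyremovesetup_7-0-5.tmp|HKEY_CURRENT_USER\Software\SafelyRemove\Main|delete value|FirstRunDT|
(1036) usbsafelyremovesetup_7-0-5.tmp|HKEY_CURRENT_USER\Software\SafelyRemove\Main|delete value|RunCount|
(1036) usbsafelyremovesetup_7-0-5.tmp|HKEY_CURRENT_USER\Software\SafelyRemove\Main|delete value|TotalRunSeconds|
(1036) usbsafelyremovesetup_7-0-5.tmp|HKEY_CURRENT_USER\Software\SafelyRemove\Main|delete value|FirstRunDTRaw|
(2204) USBSafelyRemove.exe|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|write|HypotheticalAutorun|C:\hypothetical\app.exe
"""


@dataclass(frozen=True)
class RegEvent:
    pid: int
    process: str
    key: str
    operation: str      # "write" or "delete value" in this report
    name: str           # value name; under AppCompatFlags\Layers this is an exe path
    data: str           # written data, empty for deletions


@dataclass(frozen=True)
class Finding:
    severity: str       # "high", "medium" or "info"
    tag: str
    event: RegEvent
    detail: str


_PROC_RE = re.compile(r"^\((\d+)\)\s+(.+)$")
_LAYERS = re.compile(r"\\AppCompatFlags\\Layers$", re.IGNORECASE)
_NOEXEC = re.compile(r"\\AppCompatFlags\\NoExecuteState$", re.IGNORECASE)
_AUTORUN = re.compile(r"\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|Explorer\\Run)$",
                      re.IGNORECASE)


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proc, key, op, name, data = line.split("|", 4)
        m = _PROC_RE.match(proc.strip())
        if not m:
            raise ValueError(f"bad process field: {proc!r}")
        events.append(RegEvent(int(m.group(1)), m.group(2), key, op.strip(), name, data))
    return events


def hive_scope(key: str) -> str:
    """HKLM entries apply to every user on the machine; HKCU only to the current one."""
    root = key.split("\\", 1)[0].upper()
    return "machine" if root in ("HKEY_LOCAL_MACHINE", "HKLM") else "user"


def triage(events) -> list:
    findings = []
    for ev in events:
        scope = hive_scope(ev.key)
        if ev.operation == "write" and _LAYERS.search(ev.key):
            # Layer tokens such as DisableNX / DisableNXShowUI turn DEP off for ev.name.
            dep_off = [t for t in ev.data.split() if t.upper().startswith("DISABLENX")]
            if dep_off:
                findings.append(Finding("high", "dep_optout", ev,
                                        f"{scope}-wide layer {' '.join(dep_off)} disables DEP for {ev.name}"))
            else:
                findings.append(Finding("medium", "shim_layer", ev,
                                        f"compatibility layers {ev.data!r} applied to {ev.name}"))
        elif ev.operation == "write" and _NOEXEC.search(ev.key):
            findings.append(Finding("medium", "dep_ui_state", ev, f"{ev.name}={ev.data}"))
        elif ev.operation == "write" and _AUTORUN.search(ev.key):
            findings.append(Finding("high", "autorun", ev,
                                    f"{scope} autorun value {ev.name!r} -> {ev.data!r}"))
        elif ev.operation.startswith("delete"):
            findings.append(Finding("info", "value_deleted", ev, f"{ev.name} removed from {ev.key}"))
        else:
            findings.append(Finding("info", "app_setting", ev, f"{ev.name}={ev.data}"))
    return findings


def summarize(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.tag] = counts.get(f.tag, 0) + 1
    return counts


def dep_exempt_executables(findings) -> dict:
    """Map each DEP-exempted executable to the hive scopes it was exempted in."""
    out = {}
    for f in findings:
        if f.tag == "dep_optout":
            out.setdefault(f.event.name, set()).add(hive_scope(f.event.key))
    return out


if __name__ == "__main__":
    found = triage(parse_events(SAMPLE_EVENTS))
    for f in found:
        if f.severity != "info":
            print(f"[{f.severity}] {f.tag}: {f.detail}")
    print(summarize(found))
```

For the records above the script reports USBSafelyRemove.exe as DEP-exempt in both the machine and user scopes, one NoExecuteState change, the hypothetical autorun write, and treats the vendor's own SafelyRemove keys and the four deletions as informational. To confirm the finding on a live host, read the same two Layers keys and compare the value names against the installed path; clearing the entries (or setting the system policy to AlwaysOn) restores DEP for the program.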
Executable files: 8
Suspicious files: 11
Text files: 473
Unknown types: 0

Dropped files

PID: 1036
Process: usbsafelyremovesetup_7-0-5.tmp
Filename: C:\Program Files\USB Safely Remove\unins000.exe
MD5:
SHA256:

PID: 1036
Process: usbsafelyremovesetup_7-0-5.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-1UNP6.tmp\Russian.lng
Type: text
MD5: 9D12326D75A5EDB20A66DFD16D15257A
SHA256: E7DC922729618BC4E4205BFA177B42D3589ED3317C97993572251095AADFAE3B

PID: 1036
Process: usbsafelyremovesetup_7-0-5.tmp
Filename: C:\Program Files\USB Safely Remove\DeviceImages\Bluetooth.ico
Type: image
MD5: F8F80923B68C6C2E4266364A3FB9CCBE
SHA256: 50B2B00A74BC3B8D68DE0A4FAF329E83D10AE79FDB83682326122B4EA3C9D702

PID: 3984
Process: usbsafelyremovesetup_7-0-5.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-CRR0R.tmp\usbsafelyremovesetup_7-0-5.tmp
Type: executable
MD5: AD51A2FA0D4E495C95FA4D9BE19418B0
SHA256: B22F23CD7FFB5E8D9D2430D837C7A00EA09D6FBD8604C9938C13FC535862CFB4

PID: 1036
Process: usbsafelyremovesetup_7-0-5.tmp
Filename: C:\Program Files\USB Safely Remove\DeviceImages\Battery.ico
Type: image
MD5: C25501DE265B8A6851CFF9C98F14E516
SHA256: 8F7D3B3774C73FDD67548074FD0BBA864300B97D64A359D482138FC705118D25

PID: 1036
Process: usbsafelyremovesetup_7-0-5.tmp
Filename: C:\Program Files\USB Safely Remove\DeviceImages\is-0BMOB.tmp
Type: image
MD5: F8F80923B68C6C2E4266364A3FB9CCBE
SHA256: 50B2B00A74BC3B8D68DE0A4FAF329E83D10AE79FDB83682326122B4EA3C9D702

PID: 1036
Process: usbsafelyremovesetup_7-0-5.tmp
Filename: C:\Program Files\USB Safely Remove\DeviceImages\is-CRSVE.tmp
Type: image
MD5: 7C5627F1F7DACB12AB9958C588FA118B
SHA256: 83D361F19DB28A193FF768228D38EE78E2E62AF272E13B9BF34B31998B283DD3

PID: 1036
Process: usbsafelyremovesetup_7-0-5.tmp
Filename: C:\Program Files\USB Safely Remove\DeviceImages\is-QRJP0.tmp
Type: image
MD5: 32F09E24498FD1700C96AD9F0655B04C
SHA256: FD57ABE1E508A0226F68B13AC2ECA93A217E53E797DF815DDFB432E377BF7A4B

PID: 1036
Process: usbsafelyremovesetup_7-0-5.tmp
Filename: C:\Program Files\USB Safely Remove\DeviceImages\Card reader (green).ico
Type: image
MD5: CE36E67D82F723B604D4DF39FB91B89A
SHA256: 20E7414483748A8065581A7019AC2C63C805FFC3445B5568D93852D2FEC417EF

PID: 1036
Process: usbsafelyremovesetup_7-0-5.tmp
Filename: C:\Program Files\USB Safely Remove\DeviceImages\Card reader (red).ico
Type: image
MD5: 32F09E24498FD1700C96AD9F0655B04C
SHA256: FD57ABE1E508A0226F68B13AC2ECA93A217E53E797DF815DDFB432E377BF7A4B

The is-XXXXX.tmp entries are Inno Setup's staging names: the installer writes each payload file under a temporary name and then renames it, which is why is-0BMOB.tmp carries the same hashes as Bluetooth.ico and is-QRJP0.tmp the same as Card reader (red).ico. When building an IOC list from this table, deduplicate on SHA256 rather than on file name.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

IP: 224.0.0.252:5355
Reputation: unknown

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 1088
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

All four connections are local-network background traffic rather than sample activity: NetBIOS name-service and datagram broadcasts (UDP 137 and 138 to the subnet broadcast address) from the System process, and LLMNR multicast to 224.0.0.252:5355, one instance of it from svchost.exe. None of the processes in the installer's tree opened a connection, which is consistent with the zero HTTP and DNS counts above.

DNS requests

No data

Threats

No threats detected
No debug info