usbsafelyremove.exe

USB Safely Remove

Crystal Rich Ltd

The executable usbsafelyremove.exe, “USB Safely Remove - an enhanced replacement for Windows safe removal tool” has been detected as malware by 3 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘USB Safely Remove’.
Publisher:
Crystal Rich Ltd  (signed and verified)

Product:
USB Safely Remove

Description:
USB Safely Remove - an enhanced replacement for Windows safe removal tool

Version:
5.2.3.1205

MD5:
b949886cb870d6eb065a2bd6a35a9a7d

SHA-1:
331e3cc0c3316b8faa0af842c68a2db9c2be9dd7

SHA-256:
bdc37aea627d417a0f60dcd2755bad924df7fbd9455f35dcdcb77903f108c5a0

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
12/26/2024 2:52:25 PM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/Floxif.H virus
6.3.12010.0

F-Prot
W32/Floxif.B
4.6.5.141

F-Secure
Win32.Floxif.A
5.15.154

File size:
3.3 MB (3,491,583 bytes)

Product version:
5.2.3.1205

Copyright:
Copyright © 2014 by Crystal Rich Ltd

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\Program Files\usb safely remove\usbsafelyremove.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
1/4/2014 6:00:00 AM

Valid to:
2/3/2017 5:59:59 AM

Subject:
CN=Crystal Rich Ltd, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Crystal Rich Ltd, L=Saint Petersburg, S=Saint Petersburg, C=RU

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
077EBA83916E963439554F9098F40B15

File PE Metadata
Compilation timestamp:
3/26/2014 12:22:11 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
49152:0A9cZ4+bTZdEcM0et1hC36Svw7Q9H5r9FRcT+TIT1Igm3lZUgkTR+Yu1Wal:Ni4+X7Mn1hCx19F9gT+TIT5du1Wal

Entry address:
0x1000

Entry point:
E9, E2, 08, 12, 00, E8, 01, 00, 00, 00, C3, C3, 13, C1, 6D, 13, BC, A7, D4, 79, 3A, 44, F7, AC, A3, 51, B2, 80, FA, AF, EF, EC, 8D, B4, DA, F1, 94, 41, D3, 85, EF, B2, F6, 4E, 8C, 0F, B6, BA, D0, CD, FE, B6, 69, 89, 2B, D1, 3E, 59, 1C, 1A, FA, 8E, 9C, F7, 5A, DE, 09, 25, 4C, 8C, 5A, 87, 6F, B0, 63, 9C, 7E, F5, 68, 38, 0B, 5B, B8, 29, 6A, 46, C3, BB, F3, 37, CA, 11, 51, A2, 1F, 93, E0, 34, C1, BF, 96, B4, 62, BF, B6, 53, 77, 34, 51, 2E, D8, B2, 8B, 7D, 1A, E8, 18, 17, 7C, CD, 4A, 4F, F8, EF, 4C, 5B, F5, B2...
 
[+]

Entropy:
6.9031

Packer / compiler:
Xtreme-Protector v1.05

Code size:
3.9 MB (4,090,880 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
USB Safely Remove

Command:
C:\Program Files\usb safely remove\usbsafelyremove.exe \startup


Remove usbsafelyremove.exe - Powered by Reason Core Security