File name: mybackup.exe

Full analysis: https://app.any.run/tasks/c714f22d-6015-4e40-a505-0094137674e0
Verdict: Malicious activity
Threats: Stealer

Stealers are a class of malware built to gain unauthorized access to a user's information and exfiltrate it to the attacker. The category covers programs that each focus on a particular kind of data, such as files, saved passwords, or cryptocurrency wallets; many also spy on the target by logging keystrokes and capturing screenshots. Stealers are distributed mainly through phishing campaigns.

Analysis date: May 18, 2025, 19:52:57
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags: pastebin, evasion, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 15 sections
MD5: BADAE9230FA08101181512615A9A0138
SHA1: FB3F76DF4A469C4E846D14672E82CF0298984C11
SHA256: 57ABCF7B74B9A935BA6AC10ABAD4C9F609124257CCC0ABF45E577AADB3432BD0
SSDEEP: 98304:0sQhmdEKimGGp+VKRErA3ScWjsiaOhJ8qRCYN3F6yUCVe1w2zaM6z0ZSCyMhuUun:2scV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
All signatures below were raised by mybackup.exe (PID 5740).

  • MALICIOUS
    • Actions look like stealing of personal data
    • Steals credentials from Web Browsers
  • SUSPICIOUS
    • Reads settings of System Certificates
    • Starts CMD.EXE for commands execution (cmd /C ver)
    • Uses TASKKILL.EXE to kill process
    • Checks for external IP (api.ipify.org)
    • Uses TASKKILL.EXE to kill Browsers (chrome.exe, msedge.exe, brave.exe; Discord.exe is killed as well)
    • Connects to unusual port (54.36.208.152:1234)
  • INFO
    • Reads the machine GUID from the registry
    • Checks supported languages
    • Reads the software policy settings
    • Reads the computer name
    • Checks operating system version
    • Drops encrypted JS script (Microsoft Script Encoder)
    • Creates files in a temporary directory
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 3109888
InitializedDataSize: 398848
UninitializedDataSize: -
EntryPoint: 0x77b20
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI

Note: the zeroed TimeStamp means no build date can be recovered from the PE header. A zeroed timestamp combined with LinkerVersion 3 is what the Go toolchain's PE linker writes, and the Go-http-client User-Agent in the network alerts below fits the same picture, so the sample is most likely a Go binary; the 15 sections and roughly 3 MB of code are typical of a Go build.
All screenshots are available in the full report
Total processes: 111
Monitored processes: 11
Malicious processes: 1
Suspicious processes: 0

Behavior graph ("no specs" marks a process that triggered no signatures of its own)

start
  └ mybackup.exe (PID 5740)
      ├ cmd.exe (no specs)
      │   └ conhost.exe (no specs)
      ├ taskkill.exe (no specs)
      │   └ conhost.exe (no specs)
      ├ taskkill.exe (no specs)
      │   └ conhost.exe (no specs)
      ├ taskkill.exe (no specs)
      │   └ conhost.exe (no specs)
      └ taskkill.exe (no specs)
          └ conhost.exe (no specs)

Process information

Ten child processes are listed. mybackup.exe (PID 5740) is the parent of every cmd.exe and taskkill.exe instance, and each console tool gets its own conhost.exe. All ten run as user admin at MEDIUM integrity; every image is signed Microsoft Corporation, version 10.0.22000.1 (WinBuild.160101.0800).

PID 136 | conhost.exe (Console Window Host) | Parent: taskkill.exe | Exit code: 0
  CMD:  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Modules (all under c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, advapi32.dll, msvcrt.dll, sechost.dll

PID 1104 | conhost.exe (Console Window Host) | Parent: taskkill.exe | Exit code: 0
  CMD:  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Modules (all under c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, advapi32.dll, msvcrt.dll, sechost.dll

PID 1228 | taskkill.exe (Terminates Processes) | Parent: mybackup.exe | Exit code: 128
  CMD:  taskkill /IM chrome.exe /F
  Path: C:\Windows\System32\taskkill.exe
  Modules (all under c:\windows\system32\): taskkill.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, user32.dll

PID 1516 | conhost.exe (Console Window Host) | Parent: cmd.exe | Exit code: 0
  CMD:  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Modules (all under c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, advapi32.dll, msvcrt.dll, sechost.dll

PID 1724 | conhost.exe (Console Window Host) | Parent: taskkill.exe | Exit code: 0
  CMD:  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Modules (all under c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, advapi32.dll, msvcrt.dll, sechost.dll

PID 1752 | taskkill.exe (Terminates Processes) | Parent: mybackup.exe | Exit code: 128
  CMD:  taskkill /IM msedge.exe /F
  Path: C:\Windows\System32\taskkill.exe
  Modules (all under c:\windows\system32\): taskkill.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, user32.dll

PID 2276 | cmd.exe (Windows Command Processor) | Parent: mybackup.exe | Exit code: 0
  CMD:  cmd /C ver
  Path: C:\Windows\System32\cmd.exe
  Modules (all under c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll

PID 2840 | conhost.exe (Console Window Host) | Parent: taskkill.exe | Exit code: 0
  CMD:  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Modules (all under c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, advapi32.dll, msvcrt.dll, sechost.dll

PID 3040 | taskkill.exe (Terminates Processes) | Parent: mybackup.exe | Exit code: 128
  CMD:  taskkill /F /IM Discord.exe
  Path: C:\Windows\System32\taskkill.exe
  Modules (all under c:\windows\system32\): taskkill.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, user32.dll

PID 5524 | taskkill.exe (Terminates Processes) | Parent: mybackup.exe | Exit code: 128
  CMD:  taskkill /IM brave.exe /F
  Path: C:\Windows\System32\taskkill.exe
  Modules (all under c:\windows\system32\): taskkill.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, user32.dll

Note: taskkill returns exit code 128 when no process with the given image name exists. None of the targeted browsers or Discord was running in the sandbox, so all four kills were no-ops; the sample nevertheless went on to copy the browser databases (see Dropped files). The kills exist to release the SQLite lock a running browser holds on its profile files, and `cmd /C ver` is the OS-version check reported in the signature list.
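The process table shows the preparation step of a browser-credential stealer: a parent that is not a browser or installer runs taskkill against several browser images in a row, with the switches in varying order (`/IM x /F` and `/F /IM x`), and every kill returns 128 because nothing was running. The detection below is an added example, not code from the report or from ANY.RUN. It replays process-creation events modelled on the table (PIDs, command lines and exit codes are taken from it; the event field names, the `ts` ordering and the benign setup.exe row are assumptions) and flags the parent on the attempt, not on whether the kill succeeded.

```python
"""Process-chain detection for the taskkill-against-browsers pattern.

Added example, not part of the ANY.RUN report. Event records are constructed to
mirror the report's process table; the field layout is an assumed EDR-like schema.
"""
import re
import shlex
from collections import defaultdict

# Images a credential stealer terminates so it can copy their locked SQLite databases.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe",
                  "opera.exe", "vivaldi.exe", "discord.exe"}
# Parents that legitimately close browsers (installers/updaters); tune per environment.
ALLOWED_PARENTS = {"setup.exe", "msiexec.exe"}

EVENTS = [  # constructed; ts is an invented ordering, the rest comes from the report
    {"ts": 1, "pid": 2276, "image": "cmd.exe", "ppid": 5740, "parent": "mybackup.exe",
     "cmd": "cmd /C ver", "exit": 0},
    {"ts": 2, "pid": 1228, "image": "taskkill.exe", "ppid": 5740, "parent": "mybackup.exe",
     "cmd": "taskkill /IM chrome.exe /F", "exit": 128},
    {"ts": 3, "pid": 1752, "image": "taskkill.exe", "ppid": 5740, "parent": "mybackup.exe",
     "cmd": "taskkill /IM msedge.exe /F", "exit": 128},
    {"ts": 4, "pid": 3040, "image": "taskkill.exe", "ppid": 5740, "parent": "mybackup.exe",
     "cmd": "taskkill /F /IM Discord.exe", "exit": 128},
    {"ts": 5, "pid": 5524, "image": "taskkill.exe", "ppid": 5740, "parent": "mybackup.exe",
     "cmd": "taskkill /IM brave.exe /F", "exit": 128},
    # Assumed benign noise: an installer closing one browser before updating it.
    {"ts": 6, "pid": 7001, "image": "taskkill.exe", "ppid": 6999, "parent": "setup.exe",
     "cmd": 'taskkill /F /IM "chrome.exe"', "exit": 0},
]


def taskkill_targets(cmdline):
    """Image names a taskkill command line targets, lower-cased.

    taskkill accepts its switches in any order; the report shows both
    '/IM x /F' and '/F /IM x', so walk the tokens instead of matching a fixed layout.
    """
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps Windows quoting intact
    targets = []
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("/im", "-im"):
            targets.append(tokens[i + 1].strip('"').lower())
    return targets


def detect_browser_kill_chains(events, min_targets=2):
    """Report parents that launch taskkill against >= min_targets distinct browser images.

    Exit code 128 ('process not found') is deliberately ignored: in a sandbox no
    browser is running, so every kill fails, but the intent is identical.
    """
    killed = defaultdict(set)
    os_probe = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["parent"].lower(), ev["ppid"])
        image = ev["image"].lower()
        if image == "taskkill.exe":
            killed[key].update(t for t in taskkill_targets(ev["cmd"]) if t in BROWSER_IMAGES)
        elif image == "cmd.exe" and re.search(r"/c\s+ver\b", ev["cmd"], re.I):
            os_probe.add(key)  # 'cmd /C ver' = OS version check through the shell
    findings = []
    for (parent, ppid), targets in killed.items():
        if parent in ALLOWED_PARENTS or len(targets) < min_targets:
            continue
        findings.append({"parent": parent, "ppid": ppid, "killed": sorted(targets),
                         "os_version_probe": (parent, ppid) in os_probe})
    return findings


if __name__ == "__main__":
    for finding in detect_browser_kill_chains(EVENTS):
        print(finding)
```

Keying on (parent name, parent PID) rather than on the taskkill process itself is what lets the rule count the four separate kills as one campaign; the threshold of two distinct browser images keeps a single "close Chrome before update" from an installer out of the alert stream even when the parent is not on the allowlist.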
Total events: 5 236
Read events: 4 990
Write events: 246
Delete events: 0

Modification events

All ten entries shown share PID 5740 (mybackup.exe), operation write, and the key
HKEY_CLASSES_ROOT\Local Settings\MuiCache\4c\52C64B7E

Name | Value
C:\Windows\system32\,@tzres.dll,-462 | Afghanistan Standard Time
C:\Windows\system32\,@tzres.dll,-461 | Afghanistan Daylight Time
C:\Windows\system32\,@tzres.dll,-222 | Alaskan Standard Time
C:\Windows\system32\,@tzres.dll,-221 | Alaskan Daylight Time
C:\Windows\system32\,@tzres.dll,-2392 | Aleutian Standard Time
C:\Windows\system32\,@tzres.dll,-2391 | Aleutian Daylight Time
C:\Windows\system32\,@tzres.dll,-2162 | Altai Standard Time
C:\Windows\system32\,@tzres.dll,-2161 | Altai Daylight Time
C:\Windows\system32\,@tzres.dll,-392 | Arab Standard Time
C:\Windows\system32\,@tzres.dll,-391 | Arab Daylight Time

Note: these are MuiCache entries, the shell's cache of localized resource strings. They are written as a side effect of the process resolving the display names of the Windows time zones from tzres.dll (the list runs alphabetically from "Afghanistan"), which is a time-zone lookup or host fingerprinting step, not a persistence mechanism.
Executable files: 0
Suspicious files: 13
Text files: 0
Unknown types: 0

Dropped files (all written by PID 5740, mybackup.exe)

C:\Users\admin\AppData\Local\Temp\Chrome_WebDataCopy.db (binary)
  MD5: 95598559ADF42B08EEAEC4DA9139F34A
  SHA256: 17229F40CF588999FEACE68ECC82A36590017F5148C2F696DC358283B50BF68D
C:\Users\admin\AppData\Local\Temp\Edge_LoginDataCopy.db (binary)
  MD5: 29A644B1F0D96166A05602FE27B3F4AD
  SHA256: BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
C:\Users\admin\AppData\Local\Temp\Chrome_LoginDataCopy.db (binary)
  MD5: A45465CDCDC6CB30C8906F3DA4EC114C
  SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
C:\Users\admin\AppData\Local\Temp\LoginDataCopy.db (binary)
  MD5: A45465CDCDC6CB30C8906F3DA4EC114C
  SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
C:\Users\admin\AppData\Local\Temp\17241eigvby\chrome.zip (compressed)
  MD5: 76CDB2BAD9582D23C1F6F4D868218D6C
  SHA256: 8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
C:\Users\admin\AppData\Local\Temp\Edge_WebDataCopy.db (binary)
  MD5: 5E7E1E3387F1FA981B8A73A588F1E11C
  SHA256: 6E9D84198252E325C83A7FD432FFDAAEB126BF14E4A9E74E9FC29A8F7910A6E2
C:\Users\admin\AppData\Local\Temp\17241eigvby\metamask.zip (compressed)
  MD5: 76CDB2BAD9582D23C1F6F4D868218D6C
  SHA256: 8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
C:\Users\admin\AppData\Local\Temp\17241eigvby\edge.zip (compressed)
  MD5: 76CDB2BAD9582D23C1F6F4D868218D6C
  SHA256: 8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
C:\Users\admin\AppData\Local\Temp\Edge_CookiesCopy.db (binary)
  MD5: 643F2DD6AE87B2681A33B71E9EBDE13B
  SHA256: 791078836C97EAB0A48C332BF4F864D6A9DBFE10C02095027671436553A63E12
C:\Users\admin\AppData\Local\Temp\Chrome_LocalStateCopy.json (binary)
  MD5: 8798B6E3B2BCBBBD18941C83AD3CB66A
  SHA256: C104B6458DF918752BD67C52ADAE1D6B81EA4E1D0DB999D666F19829D280DDD8

Notes on the list (10 of the 13 suspicious files are shown):
  • The *Copy.db and *Copy.json names are working copies of Chromium profile files taken after the taskkill step: Login Data (saved logins), Web Data (autofill and payment cards), Cookies (sessions) and Local State (the DPAPI-wrapped key needed to decrypt the password and cookie values). Both Chrome and Edge profiles are targeted.
  • Chrome_LoginDataCopy.db and LoginDataCopy.db carry the same hash: the Chrome Login Data file was copied twice.
  • chrome.zip, metamask.zip and edge.zip share MD5 76CDB2BAD9582D23C1F6F4D868218D6C / SHA256 8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85, which are the hashes of an empty ZIP archive (a bare 22-byte end-of-central-directory record). Nothing was packed into them in this run; the metamask.zip name indicates the MetaMask wallet extension is among the intended targets.
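Two things in the dropped-file list are easy to miss when reading hashes by eye: two of the database copies are byte-identical, and the three archives are empty. The triage below is an added example, not code from the report or from ANY.RUN. It takes (path, type, SHA-256) records constructed from the table above, maps each Chromium profile copy to the data it exposes, groups files with identical content, and recognises an empty archive by deriving the empty-ZIP hash from the ZIP format itself instead of trusting a hard-coded value. The record layout and the `T` path prefix constant are assumptions.

```python
"""Triage of a sandbox 'Dropped files' table.

Added example, not part of the ANY.RUN report. Records are constructed from the
report's table; the tuple layout (path, type, sha256) is an assumption.
"""
import hashlib
import re
from collections import defaultdict

# A ZIP with no entries is only the 22-byte End Of Central Directory record:
# 'PK\x05\x06' followed by 18 zero bytes (zero entries, zero-length comment).
EMPTY_ZIP = b"PK\x05\x06" + b"\x00" * 18
EMPTY_ZIP_SHA256 = hashlib.sha256(EMPTY_ZIP).hexdigest()
EMPTY_ZIP_MD5 = hashlib.md5(EMPTY_ZIP).hexdigest()

# What a stealer obtains from each Chromium profile file once it has copied it out
# from under the browser's lock (the reason taskkill runs first).
ARTIFACT_MEANING = [
    (re.compile(r"LoginData", re.I), "saved logins; passwords encrypted with the profile key"),
    (re.compile(r"WebData", re.I), "autofill profiles and saved payment cards"),
    (re.compile(r"Cookies", re.I), "session cookies: account access without the password"),
    (re.compile(r"LocalState", re.I), "Local State JSON with the DPAPI-wrapped key that unlocks the rest"),
]

T = "C:\\Users\\admin\\AppData\\Local\\Temp\\"  # assumed prefix, matches the report's paths
DROPPED = [  # constructed from the report: (path, type, sha256)
    (T + "Chrome_WebDataCopy.db", "binary", "17229F40CF588999FEACE68ECC82A36590017F5148C2F696DC358283B50BF68D"),
    (T + "Edge_LoginDataCopy.db", "binary", "BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46"),
    (T + "Chrome_LoginDataCopy.db", "binary", "4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209"),
    (T + "LoginDataCopy.db", "binary", "4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209"),
    (T + "17241eigvby\\chrome.zip", "compressed", "8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85"),
    (T + "Edge_WebDataCopy.db", "binary", "6E9D84198252E325C83A7FD432FFDAAEB126BF14E4A9E74E9FC29A8F7910A6E2"),
    (T + "17241eigvby\\metamask.zip", "compressed", "8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85"),
    (T + "17241eigvby\\edge.zip", "compressed", "8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85"),
    (T + "Edge_CookiesCopy.db", "binary", "791078836C97EAB0A48C332BF4F864D6A9DBFE10C02095027671436553A63E12"),
    (T + "Chrome_LocalStateCopy.json", "binary", "C104B6458DF918752BD67C52ADAE1D6B81EA4E1D0DB999D666F19829D280DDD8"),
]


def describe(path, ftype, sha256):
    """Classify one dropped file: which browser, what it exposes, whether it is an empty archive."""
    name = path.rsplit("\\", 1)[-1]
    browser = name.split("_", 1)[0] if "_" in name else "unspecified"
    meaning = next((m for rx, m in ARTIFACT_MEANING if rx.search(name)), None)
    return {
        "file": name,
        "browser": browser,
        "exposes": meaning,
        "empty_archive": ftype == "compressed" and sha256.lower() == EMPTY_ZIP_SHA256,
        "sha256": sha256.lower(),
    }


def triage_dropped(dropped):
    """Per-file descriptions plus groups of non-empty files that share a hash."""
    rows = [describe(*rec) for rec in dropped]
    by_hash = defaultdict(list)
    for r in rows:
        by_hash[r["sha256"]].append(r["file"])
    duplicates = {h: sorted(names) for h, names in by_hash.items()
                  if len(names) > 1 and h != EMPTY_ZIP_SHA256}
    return rows, duplicates


if __name__ == "__main__":
    rows, dups = triage_dropped(DROPPED)
    for r in rows:
        print(r)
    print("duplicate content:", dups)
```

Deriving EMPTY_ZIP_SHA256 from the 22-byte record makes the "nothing was collected" conclusion reproducible: the value it yields is the one the report lists for chrome.zip, metamask.zip and edge.zip. Because an empty-archive hash is shared by every empty ZIP ever produced, it is excluded from the duplicate grouping, which then isolates the genuine repeat, the second copy of Chrome's Login Data.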
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 11
Threats: 14

HTTP requests (the Type and Size columns were empty for every row and are omitted; "-" marks a value the report did not record)

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 88.221.110.216:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | whitelisted
1348 | MoUsoCoreWorker.exe | GET | 200 | 208.89.74.19:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2cfd168969669c1f | unknown | whitelisted
3640 | svchost.exe | GET | 200 | 208.89.74.19:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6e535fa3ac79830e | unknown | whitelisted
5740 | mybackup.exe | POST | - | 54.36.208.152:1234 | http://54.36.208.152:1234/api/data/upload | unknown | unknown
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e8295883656f7dad | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?7ffa61214c1c53e3 | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?e3701e10c494692d | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3e4d47703098faed | unknown | whitelisted

The only HTTP request from mybackup.exe is the plain-text POST to 54.36.208.152 on TCP/1234 (an OVH address, see Connections) with no response code recorded; everything else in the table is Windows certificate-trust-list and connectivity traffic.

Connections ("-" marks a value the report did not record)

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 88.221.110.216:80 | - | Akamai International B.V. | DE | unknown
1348 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1348 | MoUsoCoreWorker.exe | 208.89.74.19:80 | ctldl.windowsupdate.com | - | US | whitelisted
3640 | svchost.exe | 20.190.160.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3640 | svchost.exe | 208.89.74.19:80 | ctldl.windowsupdate.com | - | US | whitelisted
5740 | mybackup.exe | 104.22.69.199:443 | pastebin.com | CLOUDFLARENET | - | whitelisted
5740 | mybackup.exe | 172.67.74.152:443 | api.ipify.org | CLOUDFLARENET | US | shared
996 | smartscreen.exe | 108.141.15.7:443 | checkappexec.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5740 | mybackup.exe | 54.36.208.152:1234 | - | OVH SAS | FR | unknown
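mybackup.exe's three connections form a recognisable sequence: a TLS fetch from pastebin.com, an external-IP lookup at api.ipify.org, and a POST to a bare IP on TCP/1234 that the Suricata alerts further down attribute to Go's default User-Agent. The scoring below is an added example, not code from the report or from ANY.RUN; it turns those observations into per-process heuristics over records constructed from the HTTP, Connections and Threats tables. The record layout, the extra paste-site and IP-lookup domains, and the User-Agent shown on the svchost.exe row are assumptions (the report lists no User-Agent for that request).

```python
"""Network triage over sandbox connection records.

Added example, not part of the ANY.RUN report. Records are constructed from the
report's tables; the dict layout is an assumption.
"""
import ipaddress
from collections import defaultdict

# Public services a sample contacts to learn its own egress address.
EXTERNAL_IP_SERVICES = {"api.ipify.org", "ifconfig.me", "icanhazip.com",
                        "checkip.amazonaws.com", "ip-api.com"}
# Paste sites are a common dead-drop resolver: the real C2 address is fetched from a paste.
PASTE_SITES = {"pastebin.com", "paste.ee", "rentry.co"}
WEB_PORTS = {80, 443, 8080, 8443}

CONNECTIONS = [  # constructed from the report (PID 5740 = mybackup.exe)
    {"pid": 4, "process": "System", "dst": "192.168.100.255:137", "domain": None,
     "method": None, "user_agent": None},
    {"pid": 5740, "process": "mybackup.exe", "dst": "104.22.69.199:443", "domain": "pastebin.com",
     "method": None, "user_agent": None},
    {"pid": 5740, "process": "mybackup.exe", "dst": "172.67.74.152:443", "domain": "api.ipify.org",
     "method": None, "user_agent": None},
    {"pid": 5740, "process": "mybackup.exe", "dst": "54.36.208.152:1234", "domain": None,
     "method": "POST", "user_agent": "Go-http-client/1.1"},
    {"pid": 3640, "process": "svchost.exe", "dst": "208.89.74.19:80", "domain": "ctldl.windowsupdate.com",
     "method": "GET", "user_agent": "Microsoft-CryptoAPI/10.0"},  # UA assumed, not in the report
]


def split_dst(dst):
    """'54.36.208.152:1234' -> ('54.36.208.152', 1234)."""
    host, _, port = dst.rpartition(":")
    return host, int(port)


def score_connection(conn):
    """Return the list of reasons one connection looks suspicious (empty if none)."""
    host, port = split_dst(conn["dst"])
    addr = ipaddress.ip_address(host)
    if addr.is_private or addr.is_multicast or addr.is_loopback:
        return []  # LAN traffic such as the NetBIOS broadcast on UDP/137 is out of scope
    reasons = []
    if conn["domain"] in EXTERNAL_IP_SERVICES:
        reasons.append("external IP lookup")
    if conn["domain"] in PASTE_SITES:
        reasons.append("paste site (possible dead-drop resolver)")
    if port not in WEB_PORTS:
        reasons.append(f"non-standard port {port}")
    if conn["domain"] is None:
        reasons.append("bare IP, no preceding DNS resolution")
    if conn["method"] == "POST" and conn["domain"] is None:
        reasons.append("POST to IP literal (upload/beacon)")
    if (conn.get("user_agent") or "").startswith("Go-http-client/"):
        reasons.append("Go default User-Agent")
    return reasons


def triage_network(connections, threshold=3):
    """Aggregate distinct reasons per (pid, process); flag at >= threshold."""
    per_proc = defaultdict(set)
    for conn in connections:
        per_proc[(conn["pid"], conn["process"])].update(score_connection(conn))
    return {key: {"reasons": sorted(reasons), "flag": len(reasons) >= threshold}
            for key, reasons in per_proc.items()}


if __name__ == "__main__":
    for key, verdict in triage_network(CONNECTIONS).items():
        print(key, verdict)
```

Aggregating per process rather than per connection is the point: each of the three mybackup.exe connections is individually explainable (pastebin.com and api.ipify.org are both "whitelisted"/"shared" in the report), but one process that resolves a paste, learns its public IP and then POSTs to an unresolved IP on an odd port with a Go client has done the whole stealer checkout sequence.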

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 208.89.74.19
  • 208.89.74.27
  • 208.89.74.17
  • 208.89.74.31
  • 208.89.74.23
  • 208.89.74.21
  • 208.89.74.29
  • 199.232.210.172
  • 199.232.214.172
whitelisted
login.live.com
  • 20.190.160.2
  • 40.126.32.140
  • 20.190.160.128
  • 20.190.160.66
  • 20.190.160.14
  • 20.190.160.4
  • 40.126.32.134
  • 20.190.160.17
  • 40.126.32.68
  • 20.190.160.3
  • 20.190.160.132
  • 40.126.32.74
  • 40.126.32.72
whitelisted
pastebin.com
  • 104.22.69.199
  • 172.67.25.94
  • 104.22.68.199
whitelisted
api.ipify.org
  • 172.67.74.152
  • 104.26.13.205
  • 104.26.12.205
shared
checkappexec.microsoft.com
  • 108.141.15.7
whitelisted
fs.microsoft.com
  • 23.212.222.21
whitelisted
self.events.data.microsoft.com
  • 40.79.173.41
whitelisted

Threats (10 of 14 alerts shown; "-" marks a value the report did not record)

PID | Process | Class | Message
- | - | Misc activity | ET INFO Microsoft Connection Test
1664 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
1664 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
5740 | mybackup.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup api.ipify.org
- | - | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
- | - | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
- | - | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
- | - | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
- | - | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent

The DNS-based alerts are attributed to svchost.exe (PID 1664, the DNS Client service) because it performs the lookups on the sample's behalf; the TLS SNI alert lands on mybackup.exe itself.
No debug info