File name:

MyPCBackup_WebInstaller.exe

Full analysis: https://app.any.run/tasks/9ae43ad3-2375-4cd5-bc33-01ae01c29db6
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 27, 2025, 19:25:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
auto-startup
confuser
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

3C3B17C6909D0031F0D636BCF7FF592A

SHA1:

31DDBEF445456614727D9A39DD2FE61BBA375239

SHA256:

85C27331F6C0626C5D57F7FDD64FCE692DB5C3342F59213886F577160E0F565B

SSDEEP:

98304:tSGtM8w/bPuC4XayCp96UXr8UQMVMOH+sie:IM8b0Y4UfjeW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates files in the Startup directory

      • MyPCBackup_WebInstaller.exe (PID: 7596)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • MyPCBackup_WebInstaller.exe (PID: 7596)
    • Executable content was dropped or overwritten

      • MyPCBackup_WebInstaller.exe (PID: 7596)
      • 7za.exe (PID: 7428)
    • Process requests binary or script from the Internet

      • MyPCBackup_WebInstaller.exe (PID: 7596)
    • There is functionality for taking screenshot (YARA)

      • MyPCBackup_WebInstaller.exe (PID: 7596)
      • Signup Wizard.exe (PID: 7764)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • MyPCBackup_WebInstaller.exe (PID: 7596)
    • Drops 7-zip archiver for unpacking

      • MyPCBackup_WebInstaller.exe (PID: 7596)
    • Uses TASKKILL.EXE to kill process

      • MyPCBackup_WebInstaller.exe (PID: 7596)
    • Creates a software uninstall entry

      • MyPCBackup_WebInstaller.exe (PID: 7596)
    • Reads security settings of Internet Explorer

      • MyPCBackup_WebInstaller.exe (PID: 7596)
      • MyPC Backup.exe (PID: 7576)
      • Signup Wizard.exe (PID: 7764)
    • Reads the date of Windows installation

      • MyPC Backup.exe (PID: 7576)
  • INFO

    • Checks supported languages

      • MyPCBackup_WebInstaller.exe (PID: 7596)
      • 7za.exe (PID: 7428)
      • MyPC Backup.exe (PID: 7576)
      • Signup Wizard.exe (PID: 7764)
    • Reads the computer name

      • MyPCBackup_WebInstaller.exe (PID: 7596)
      • 7za.exe (PID: 7428)
      • MyPC Backup.exe (PID: 7576)
      • Signup Wizard.exe (PID: 7764)
    • Checks proxy server information

      • MyPCBackup_WebInstaller.exe (PID: 7596)
      • MyPC Backup.exe (PID: 7576)
      • slui.exe (PID: 6676)
    • Creates files in a temporary directory

      • MyPCBackup_WebInstaller.exe (PID: 7596)
    • Creates files in the program directory

      • MyPCBackup_WebInstaller.exe (PID: 7596)
      • MyPC Backup.exe (PID: 7576)
      • Signup Wizard.exe (PID: 7764)
      • 7za.exe (PID: 7428)
    • The sample was compiled with English language support

      • MyPCBackup_WebInstaller.exe (PID: 7596)
      • 7za.exe (PID: 7428)
    • Launch of the file from Startup directory

      • MyPCBackup_WebInstaller.exe (PID: 7596)
    • Process checks computer location settings

      • MyPCBackup_WebInstaller.exe (PID: 7596)
      • MyPC Backup.exe (PID: 7576)
    • Creates files or folders in the user directory

      • MyPC Backup.exe (PID: 7576)
      • MyPCBackup_WebInstaller.exe (PID: 7596)
    • Reads the machine GUID from the registry

      • MyPC Backup.exe (PID: 7576)
      • Signup Wizard.exe (PID: 7764)
    • Reads the software policy settings

      • MyPC Backup.exe (PID: 7576)
      • Signup Wizard.exe (PID: 7764)
      • slui.exe (PID: 6676)
    • Confuser has been detected (YARA)

      • Signup Wizard.exe (PID: 7764)
    • SQLite executable

      • 7za.exe (PID: 7428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 22:50:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 119808
UninitializedDataSize: 1024
EntryPoint: 0x323c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
144
Monitored processes
11
Malicious processes
1
Suspicious processes
0

Behavior graph

start
  • mypcbackup_webinstaller.exe
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • 7za.exe
  • conhost.exe (no specs)
  • mypc backup.exe
  • signup wizard.exe (no specs)
  • slui.exe
  • mypcbackup_webinstaller.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2852
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6048
CMD: "taskkill" /f /T /IM "MyPC Backup.exe"
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: MyPCBackup_WebInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6268
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 7za.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6676
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7336
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7396
CMD: "taskkill" /f /T /IM BackupStack.exe
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: MyPCBackup_WebInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7428
CMD: "C:\Users\admin\AppData\Local\Temp\7za.exe" x -y -p:aq1sw2de3 -o"C:\Program Files (x86)\MyPC Backup" "C:\Users\admin\AppData\Local\Temp\mypcbackup_pp.7z"
Path: C:\Users\admin\AppData\Local\Temp\7za.exe
Parent process: MyPCBackup_WebInstaller.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Standalone Console
Exit code:
0
Version:
9.38 beta
Modules
Images
c:\users\admin\appdata\local\temp\7za.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 7484
CMD: "C:\Users\admin\Desktop\MyPCBackup_WebInstaller.exe"
Path: C:\Users\admin\Desktop\MyPCBackup_WebInstaller.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules
Images
c:\users\admin\desktop\mypcbackup_webinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7576
CMD: "C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe" windowlaunch
Path: C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe
Parent process: MyPCBackup_WebInstaller.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
1.0.*
Modules
Images
c:\program files (x86)\mypc backup\mypc backup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 7596
CMD: "C:\Users\admin\Desktop\MyPCBackup_WebInstaller.exe"
Path: C:\Users\admin\Desktop\MyPCBackup_WebInstaller.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\mypcbackup_webinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
11 269
Read events
11 262
Write events
7
Delete events
0

Modification events

(PID) Process: (7596) MyPCBackup_WebInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup
Operation: write
Name: DisplayName
Value: MyPC Backup 1.0.0

(PID) Process: (7596) MyPCBackup_WebInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup
Operation: write
Name: UninstallString
Value: C:\Program Files (x86)\MyPC Backup\uninst.exe

(PID) Process: (7596) MyPCBackup_WebInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup
Operation: write
Name: DisplayIcon
Value: C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe

(PID) Process: (7596) MyPCBackup_WebInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup
Operation: write
Name: DisplayVersion
Value: 1.0.0

(PID) Process: (7596) MyPCBackup_WebInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup
Operation: write
Name: Publisher
Value: MyPC Backup

(PID) Process: (7596) MyPCBackup_WebInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup
Operation: write
Name: ProductVersion
Value: 1.0.0

(PID) Process: (7596) MyPCBackup_WebInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup
Operation: write
Name: HelpLink
Value: http://www.mypcbackup.com
Executable files
38
Suspicious files
15
Text files
14
Unknown types
12

Dropped files

PID | Process | Filename | Type
7596 | MyPCBackup_WebInstaller.exe | C:\Users\admin\AppData\Local\Temp\nsqC49C.tmp\ioSpecial.ini | ini
MD5: E2D5070BC28DB1AC745613689FF86067
SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
7596 | MyPCBackup_WebInstaller.exe | C:\Users\admin\AppData\Local\Temp\nsqC49C.tmp\modern-wizard.bmp | image
MD5: 5DBC1E12AA3B79084009058F2622D52E
SHA256: 84B3FA8161F873A3B4F708035DEA60205FDBE2FB103F156069AD18FAD2EBCB4B
7596 | MyPCBackup_WebInstaller.exe | C:\Users\admin\AppData\Local\Temp\nsqC49C.tmp\modern-header.bmp | image
MD5: 3CC1FA4E3475D24CED77A3C0556C0F16
SHA256: 4B64BCD5AF1A1ADFE2611E4FE3A15DF7AF5705B03F1C2E8E51684C4D73CDA50E
7596 | MyPCBackup_WebInstaller.exe | C:\Users\admin\AppData\Local\Temp\nsqC49C.tmp\System.dll | executable
MD5: C17103AE9072A06DA581DEC998343FC1
SHA256: DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
7596 | MyPCBackup_WebInstaller.exe | C:\Users\admin\AppData\Local\Temp\nsqC49C.tmp\InstallOptions.dll | executable
MD5: 325B008AEC81E5AAA57096F05D4212B5
SHA256: C9CD5C9609E70005926AE5171726A4142FFBCCCC771D307EFCD195DAFC1E6B4B
7596 | MyPCBackup_WebInstaller.exe | C:\Users\admin\AppData\Local\Temp\nsqC49C.tmp\nsSCM.dll | executable
MD5: 62EFA7B730EB0523A026EA4325403B77
SHA256: 0B96456E8CF6B3E582388D3E530C73CE9121974381D51E5A21CD945C75FD2A38
7596 | MyPCBackup_WebInstaller.exe | C:\Users\admin\AppData\Local\Temp\7za.exe | executable
MD5: B41886A0207245A4C7179671C6B0E6E5
SHA256: BF830307EFC2B22C44D4D90CED495258E8D3F807D3EF12241E12EB4067C2C067
7596 | MyPCBackup_WebInstaller.exe | C:\Users\admin\AppData\Local\Temp\nsqC49C.tmp\nsExec.dll | executable
MD5: ACC2B699EDFEA5BF5AAE45ABA3A41E96
SHA256: 168A974EAA3F588D759DB3F47C1A9FDC3494BA1FA1A73A84E5E3B2A4D58ABD7E
7596 | MyPCBackup_WebInstaller.exe | C:\Users\admin\AppData\Local\Temp\mypcbackup_pp.7z | compressed
MD5: 184C5A6D480855EAB629A2F1528D78C5
SHA256: 7245611D261880DAB51A2A77D319929F9A2BC0073B2A8F78D90CF935690F42F4
7428 | 7za.exe | C:\Program Files (x86)\MyPC Backup\mypcbackup.ico | image
MD5: 53EC72743DC9D410D15801E5945E1D3C
SHA256: 98C274E929B7A7C1A2EAD57ADA2B67163F1127DEC714AC933D0E005DB6998CC5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
157
TCP/UDP connections
169
DNS requests
21
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.160.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 40.126.32.76:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
7596 | MyPCBackup_WebInstaller.exe | GET | 302 | 23.58.110.83:80 | http://download.microsoft.com/download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe | unknown | - | - | whitelisted
7596 | MyPCBackup_WebInstaller.exe | GET | 302 | 23.58.110.83:80 | http://download.microsoft.com/download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe | unknown | - | - | whitelisted
7596 | MyPCBackup_WebInstaller.exe | GET | 302 | 23.58.110.83:80 | http://download.microsoft.com/download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe | unknown | - | - | whitelisted
- | - | POST | 400 | 40.126.32.74:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
7596 | MyPCBackup_WebInstaller.exe | GET | 302 | 23.58.110.83:80 | http://download.microsoft.com/download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe | unknown | - | - | whitelisted
7596 | MyPCBackup_WebInstaller.exe | GET | 302 | 23.58.110.83:80 | http://download.microsoft.com/download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe | unknown | - | - | whitelisted
7596 | MyPCBackup_WebInstaller.exe | GET | 302 | 23.58.110.83:80 | http://download.microsoft.com/download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6404 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2104 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7596 | MyPCBackup_WebInstaller.exe | 23.58.110.83:80 | download.microsoft.com | AKAMAI-AS | IN | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 2.16.164.49, 2.16.164.120, 2.16.168.114, 2.16.168.124 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
client.wns.windows.com | 172.211.123.250, 172.211.123.248 | whitelisted
login.live.com | 20.190.160.128, 40.126.32.136, 40.126.32.72, 20.190.160.3, 40.126.32.74, 20.190.160.67, 40.126.32.138, 20.190.160.4 | whitelisted
download.microsoft.com | 23.58.110.83, 23.212.89.111 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted
ocsp.digicert.com | 23.63.118.230 | whitelisted

Threats

No threats detected
No debug info