File name: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe

Full analysis: https://app.any.run/tasks/f564a0a6-ddea-41d5-b461-98f146932482
Verdict: Malicious activity
Analysis date: January 29, 2024, 01:03:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4145D08DF73AB96C819D0A1275CF1606
SHA1: DD991215F55B9A06F9CE2A3697B71865D1D9173E
SHA256: C046D4736C8210A7FB92162F989581AB759A0DE4732DF9A1B9D6ADF91FD893AE
SSDEEP: 98304:CQJ1YshIicWa+Cf1tEnRQeqkpnZmtJiQ9jxgoytSo6o5cpntEwtiOcWNkJrRrliw:RhFPTugs+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
      • GetDataBackPortable.exe (PID: 2688)
      • GetDataBackNTPortable.exe (PID: 3980)
      • GetDataBackNTPortable.exe (PID: 2612)
      • GetDataBackPortable.exe (PID: 4012)
      • GetDataBackNTPortable.exe (PID: 3464)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
    • The process creates files with name similar to system file names

      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
    • Executable content was dropped or overwritten

      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
      • GetDataBackPortable.exe (PID: 2688)
      • GetDataBackNTPortable.exe (PID: 3980)
      • GetDataBackNTPortable.exe (PID: 2612)
      • GetDataBackPortable.exe (PID: 4012)
      • GetDataBackNTPortable.exe (PID: 3464)
    • Reads the Internet Settings

      • GetDataBackPortable.exe (PID: 2688)
      • GetDataBackNTPortable.exe (PID: 3980)
      • GetDataBackPortable.exe (PID: 4012)
      • GetDataBackNTPortable.exe (PID: 2612)
      • GetDataBackNTPortable.exe (PID: 3464)
    • Uses REG/REGEDIT.EXE to modify registry

      • GetDataBackNTPortable.exe (PID: 2612)
      • GetDataBackPortable.exe (PID: 4012)
      • GetDataBackNTPortable.exe (PID: 3464)
  • INFO

    • Reads the computer name

      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
      • GetDataBackPortable.exe (PID: 2688)
      • gdb.exe (PID: 2420)
      • GetDataBackNTPortable.exe (PID: 3980)
      • gdbnt.exe (PID: 3068)
      • GetDataBackNTPortable.exe (PID: 2612)
      • gdbnt.exe (PID: 3728)
      • gdb.exe (PID: 2924)
      • GetDataBackPortable.exe (PID: 4012)
      • gdbnt.exe (PID: 1776)
      • GetDataBackNTPortable.exe (PID: 3464)
    • Checks supported languages

      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
      • GetDataBackPortable.exe (PID: 2688)
      • gdb.exe (PID: 2420)
      • GetDataBackNTPortable.exe (PID: 3980)
      • GetDataBackNTPortable.exe (PID: 2612)
      • gdbnt.exe (PID: 3068)
      • GetDataBackPortable.exe (PID: 4012)
      • gdb.exe (PID: 2924)
      • gdbnt.exe (PID: 3728)
      • gdbnt.exe (PID: 1776)
      • GetDataBackNTPortable.exe (PID: 3464)
    • Creates files in a temporary directory

      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
      • GetDataBackPortable.exe (PID: 2688)
      • GetDataBackNTPortable.exe (PID: 2612)
      • GetDataBackNTPortable.exe (PID: 3980)
      • GetDataBackPortable.exe (PID: 4012)
      • gdbnt.exe (PID: 1776)
      • GetDataBackNTPortable.exe (PID: 3464)
    • Manual execution by a user

      • GetDataBackPortable.exe (PID: 2688)
      • GetDataBackPortable.exe (PID: 1268)
      • GetDataBackNTPortable.exe (PID: 1808)
      • GetDataBackNTPortable.exe (PID: 3980)
      • GetDataBackNTPortable.exe (PID: 2612)
      • GetDataBackNTPortable.exe (PID: 3532)
      • GetDataBackPortable.exe (PID: 4012)
      • GetDataBackNTPortable.exe (PID: 3652)
      • GetDataBackNTPortable.exe (PID: 3464)
      • GetDataBackPortable.exe (PID: 3824)
    • Reads the machine GUID from the registry

      • GetDataBackPortable.exe (PID: 2688)
      • GetDataBackNTPortable.exe (PID: 3980)
      • GetDataBackPortable.exe (PID: 4012)
      • GetDataBackNTPortable.exe (PID: 2612)
      • GetDataBackNTPortable.exe (PID: 3464)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 20:21:56+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 27648
InitializedDataSize: 272896
UninitializedDataSize: 8704
EntryPoint: 0x3814
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
Comments: 24/05/2013 20:24:55
CompanyName: PortableAppZ.blogspot.com
FileDescription: GetDataBack for FAT-NTFS Portable
FileVersion: 0.0.0.0
InternalName: GetDataBack for FAT-NTFS Portable
LegalCopyright: Bernat
LegalTrademarks: PortableAppZ is a Trademark of Bernat
OriginalFileName: GetDataBackPortable.exe
ProductName: GetDataBack for FAT-NTFS Portable
ProductVersion: 0.0.0.0
All screenshots are available in the full report
Total processes: 75
Monitored processes: 19
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in the order rendered: start, getdataback_portable_4.33_en-fr-de-ru.exe, getdatabackportable.exe (no specs), getdatabackportable.exe, gdb.exe, getdatabackntportable.exe (no specs), getdatabackntportable.exe, gdbnt.exe, getdatabackntportable.exe (no specs), getdatabackntportable.exe, regedit.exe (no specs), gdbnt.exe, getdatabackportable.exe (no specs), getdatabackportable.exe, regedit.exe (no specs), gdb.exe, getdatabackntportable.exe (no specs), getdatabackntportable.exe, regedit.exe (no specs), gdbnt.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 1268
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackPortable.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackPortable.exe
Parent process: explorer.exe
User: admin
Company: PortableAppZ.blogspot.com
Integrity Level: MEDIUM
Description: GetDataBack for FAT Portable
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 0.0.0.0
Modules (images):
c:\users\admin\desktop\getdatabackportable\getdatabackportable.exe
c:\windows\system32\ntdll.dll
PID: 1776
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdbnt.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdbnt.exe
Parent process: GetDataBackNTPortable.exe
User: admin
Company: Runtime Software
Integrity Level: HIGH
Description: GetDataBack for NTFS Data Recovery
Exit code: 0
Version: 4.3.3.0
Modules (images):
c:\users\admin\desktop\getdatabackportable\app\getdataback\gdbnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1808
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackNTPortable.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackNTPortable.exe
Parent process: explorer.exe
User: admin
Company: PortableAppZ.blogspot.com
Integrity Level: MEDIUM
Description: GetDataBack for NTFS Portable
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 0.0.0.0
Modules (images):
c:\users\admin\desktop\getdatabackportable\getdatabackntportable.exe
c:\windows\system32\ntdll.dll
PID: 1876
CMD: C:\Windows\regedit.exe /s "C:\Users\admin\Desktop\GetDataBackPortable\Data\GetDataBackNT.reg"
Path: C:\Windows\regedit.exe
Parent process: GetDataBackNTPortable.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2420
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.exe
Parent process: GetDataBackPortable.exe
User: admin
Company: Runtime Software
Integrity Level: HIGH
Description: GetDataBack for FAT Data Recovery
Exit code: 0
Version: 4.3.3.0
Modules (images):
c:\users\admin\desktop\getdatabackportable\app\getdataback\gdb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2568
CMD: "C:\Users\admin\AppData\Local\Temp\GetDataBack_Portable_4.33_En-Fr-De-Ru.exe"
Path: C:\Users\admin\AppData\Local\Temp\GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Parent process: explorer.exe
User: admin
Company: PortableAppZ.blogspot.com
Integrity Level: MEDIUM
Description: GetDataBack for FAT-NTFS Portable
Exit code: 0
Version: 0.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\getdataback_portable_4.33_en-fr-de-ru.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2612
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackNTPortable.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackNTPortable.exe
Parent process: explorer.exe
User: admin
Company: PortableAppZ.blogspot.com
Integrity Level: HIGH
Description: GetDataBack for NTFS Portable
Exit code: 0
Version: 0.0.0.0
Modules (images):
c:\users\admin\desktop\getdatabackportable\getdatabackntportable.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2688
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackPortable.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackPortable.exe
Parent process: explorer.exe
User: admin
Company: PortableAppZ.blogspot.com
Integrity Level: HIGH
Description: GetDataBack for FAT Portable
Exit code: 0
Version: 0.0.0.0
Modules (images):
c:\users\admin\desktop\getdatabackportable\getdatabackportable.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2924
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.exe
Parent process: GetDataBackPortable.exe
User: admin
Company: Runtime Software
Integrity Level: HIGH
Description: GetDataBack for FAT Data Recovery
Exit code: 0
Version: 4.3.3.0
Modules (images):
c:\users\admin\desktop\getdatabackportable\app\getdataback\gdb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 3068
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdbnt.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdbnt.exe
Parent process: GetDataBackNTPortable.exe
User: admin
Company: Runtime Software
Integrity Level: HIGH
Description: GetDataBack for NTFS Data Recovery
Exit code: 0
Version: 4.3.3.0
Modules (images):
c:\users\admin\desktop\getdatabackportable\app\getdataback\gdbnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

Total events: 2 970
Read events: 2 893
Write events: 48
Delete events: 29

Modification events

(PID) Process: (2568) GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2568) GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Width
Value: 318

(PID) Process: (2568) GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Height
Value: 288

(PID) Process: (2688) GetDataBackPortable.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\PortableAppRegistryTest
Operation: delete key
Name: (default)
Value:

(PID) Process: (2688) GetDataBackPortable.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2688) GetDataBackPortable.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2688) GetDataBackPortable.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2688) GetDataBackPortable.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3980) GetDataBackNTPortable.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\PortableAppRegistryTest
Operation: delete key
Name: (default)
Value:

(PID) Process: (3980) GetDataBackNTPortable.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Runtime Software
Operation: delete key
Name: (default)
Value:

Executable files: 29
Suspicious files: 15
Text files: 16
Unknown types: 0

Dropped files

Columns: PID, Process, Filename, Type

PID: 2568 | Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsp9367.tmp\FindProcDLL.dll | Type: executable
MD5: 8614C450637267AFACAD1645E23BA24A
SHA256: 0FA04F06A6DE18D316832086891E9C23AE606D7784D5D5676385839B21CA2758

PID: 2568 | Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe | Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.ini | Type: text
MD5: 594B969990D12B399999D78035F661D2
SHA256: 3EAC15B32DC62B6E9A754732EE08B3DBD2927ED0B12CB6BFE4F2232E5D138ED9

PID: 2568 | Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe | Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.DEU | Type: executable
MD5: 3FB0A4C838E4959BB94C0F7BF0E40A45
SHA256: 6EC1F205FC1146C0E7C00BADF85BFF09DE74B265D2760408638B789452FB335D

PID: 2568 | Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe | Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.FRA | Type: executable
MD5: 83CA8996A73CE89129AC2A14C4BD4A3E
SHA256: 3A69B60ED16F98915BE26BC2019632CF9B64C81E51FD39F5D953B23E94774F5B

PID: 2568 | Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsp9366.tmp | Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 2568 | Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe | Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\RUS-Readme.txt | Type: text
MD5: ABC03C7D123E12740EC093A56DC96EDA
SHA256: CC9F5A1E4EC4452BD2760F81DFD61D211C48C98674364BAB424BB8430D5C13C1

PID: 2568 | Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe | Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.exe | Type: executable
MD5: B447984E017E2733033DC7C918C14745
SHA256: B7E0C59B5E1C82E478C4BF56E6F7E160B67E023F3545433D5246DD93300CE07B

PID: 2568 | Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe | Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb_fat.chm | Type: binary
MD5: C1174710F765BE02F30A6BAB5A18399B
SHA256: AC3294B8251D0C6162275B84273FBDE7D4C8E118F68606AB02A7482E0445B581

PID: 2568 | Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe | Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\DRV16.DLL | Type: executable
MD5: 29174131FBB9E9CEDAA426B3B70D6C63
SHA256: 18ACCD226F347047FBA09C036FCCC1714D5C13C45DCB4A290CF16345F860931E

PID: 2568 | Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe | Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb_fat_deu.chm | Type: binary
MD5: 72B86A7661CC7F78293F1AD12B7CECFC
SHA256: D6F915FFBB4033FAA88575DF649861D252755C3F2DF8B039029A26DBDF83C901
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation

PID: 4 | Process: System | IP: 192.168.100.255:138 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Domain: - | ASN: - | CN: - | Reputation: unknown

DNS requests

No data

Threats

No threats detected
Debug output strings

Columns: Process, Message

gdb.exe | loaded (the same message was recorded 10 times)