File name: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe

Full analysis: https://app.any.run/tasks/f564a0a6-ddea-41d5-b461-98f146932482
Verdict: Malicious activity
Analysis date: January 29, 2024, 01:03:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4145D08DF73AB96C819D0A1275CF1606
SHA1: DD991215F55B9A06F9CE2A3697B71865D1D9173E
SHA256: C046D4736C8210A7FB92162F989581AB759A0DE4732DF9A1B9D6ADF91FD893AE
SSDEEP: 98304:CQJ1YshIicWa+Cf1tEnRQeqkpnZmtJiQ9jxgoytSo6o5cpntEwtiOcWNkJrRrliw:RhFPTugs+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
      • GetDataBackPortable.exe (PID: 2688)
      • GetDataBackNTPortable.exe (PID: 3980)
      • GetDataBackPortable.exe (PID: 4012)
      • GetDataBackNTPortable.exe (PID: 3464)
      • GetDataBackNTPortable.exe (PID: 2612)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
    • Executable content was dropped or overwritten

      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
      • GetDataBackPortable.exe (PID: 2688)
      • GetDataBackNTPortable.exe (PID: 3980)
      • GetDataBackNTPortable.exe (PID: 2612)
      • GetDataBackPortable.exe (PID: 4012)
      • GetDataBackNTPortable.exe (PID: 3464)
    • The process creates files with name similar to system file names

      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
    • Reads the Internet Settings

      • GetDataBackPortable.exe (PID: 2688)
      • GetDataBackNTPortable.exe (PID: 3980)
      • GetDataBackNTPortable.exe (PID: 2612)
      • GetDataBackPortable.exe (PID: 4012)
      • GetDataBackNTPortable.exe (PID: 3464)
    • Uses REG/REGEDIT.EXE to modify registry

      • GetDataBackNTPortable.exe (PID: 2612)
      • GetDataBackPortable.exe (PID: 4012)
      • GetDataBackNTPortable.exe (PID: 3464)
  • INFO

    • Checks supported languages

      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
      • GetDataBackPortable.exe (PID: 2688)
      • gdb.exe (PID: 2420)
      • gdbnt.exe (PID: 3068)
      • GetDataBackNTPortable.exe (PID: 2612)
      • gdbnt.exe (PID: 3728)
      • GetDataBackPortable.exe (PID: 4012)
      • gdb.exe (PID: 2924)
      • GetDataBackNTPortable.exe (PID: 3464)
      • gdbnt.exe (PID: 1776)
      • GetDataBackNTPortable.exe (PID: 3980)
    • Reads the computer name

      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
      • GetDataBackPortable.exe (PID: 2688)
      • gdb.exe (PID: 2420)
      • GetDataBackNTPortable.exe (PID: 3980)
      • gdbnt.exe (PID: 3068)
      • GetDataBackNTPortable.exe (PID: 2612)
      • gdbnt.exe (PID: 3728)
      • GetDataBackPortable.exe (PID: 4012)
      • gdb.exe (PID: 2924)
      • gdbnt.exe (PID: 1776)
      • GetDataBackNTPortable.exe (PID: 3464)
    • Manual execution by a user

      • GetDataBackPortable.exe (PID: 2688)
      • GetDataBackPortable.exe (PID: 1268)
      • GetDataBackNTPortable.exe (PID: 1808)
      • GetDataBackNTPortable.exe (PID: 3980)
      • GetDataBackNTPortable.exe (PID: 3532)
      • GetDataBackNTPortable.exe (PID: 2612)
      • GetDataBackPortable.exe (PID: 4012)
      • GetDataBackNTPortable.exe (PID: 3652)
      • GetDataBackNTPortable.exe (PID: 3464)
      • GetDataBackPortable.exe (PID: 3824)
    • Create files in a temporary directory

      • GetDataBackPortable.exe (PID: 2688)
      • GetDataBack_Portable_4.33_En-Fr-De-Ru.exe (PID: 2568)
      • GetDataBackNTPortable.exe (PID: 3980)
      • GetDataBackNTPortable.exe (PID: 2612)
      • GetDataBackPortable.exe (PID: 4012)
      • GetDataBackNTPortable.exe (PID: 3464)
      • gdbnt.exe (PID: 1776)
    • Reads the machine GUID from the registry

      • GetDataBackPortable.exe (PID: 2688)
      • GetDataBackNTPortable.exe (PID: 3980)
      • GetDataBackNTPortable.exe (PID: 2612)
      • GetDataBackPortable.exe (PID: 4012)
      • GetDataBackNTPortable.exe (PID: 3464)
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 20:21:56+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 27648
InitializedDataSize: 272896
UninitializedDataSize: 8704
EntryPoint: 0x3814
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
Comments: 24/05/2013 20:24:55
CompanyName: PortableAppZ.blogspot.com
FileDescription: GetDataBack for FAT-NTFS Portable
FileVersion: 0.0.0.0
InternalName: GetDataBack for FAT-NTFS Portable
LegalCopyright: Bernat
LegalTrademarks: PortableAppZ is a Trademark of Bernat
OriginalFileName: GetDataBackPortable.exe
ProductName: GetDataBack for FAT-NTFS Portable
ProductVersion: 0.0.0.0
No data.
Total processes: 75
Monitored processes: 19
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in the order listed (the graph's own "no specs" label is kept as given):
start; getdataback_portable_4.33_en-fr-de-ru.exe; getdatabackportable.exe (no specs); getdatabackportable.exe; gdb.exe; getdatabackntportable.exe (no specs); getdatabackntportable.exe; gdbnt.exe; getdatabackntportable.exe (no specs); getdatabackntportable.exe; regedit.exe (no specs); gdbnt.exe; getdatabackportable.exe (no specs); getdatabackportable.exe; regedit.exe (no specs); gdb.exe; getdatabackntportable.exe (no specs); getdatabackntportable.exe; regedit.exe (no specs); gdbnt.exe

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 1268
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackPortable.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackPortable.exe
Parent process: explorer.exe
User: admin
Company: PortableAppZ.blogspot.com
Integrity Level: MEDIUM
Description: GetDataBack for FAT Portable
Exit code: 3221226540
Version: 0.0.0.0
Modules (Images):
c:\users\admin\desktop\getdatabackportable\getdatabackportable.exe
c:\windows\system32\ntdll.dll
PID: 1776
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdbnt.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdbnt.exe
Parent process: GetDataBackNTPortable.exe
User: admin
Company: Runtime Software
Integrity Level: HIGH
Description: GetDataBack for NTFS Data Recovery
Exit code: 0
Version: 4.3.3.0
Modules (Images):
c:\users\admin\desktop\getdatabackportable\app\getdataback\gdbnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1808
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackNTPortable.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackNTPortable.exe
Parent process: explorer.exe
User: admin
Company: PortableAppZ.blogspot.com
Integrity Level: MEDIUM
Description: GetDataBack for NTFS Portable
Exit code: 3221226540
Version: 0.0.0.0
Modules (Images):
c:\users\admin\desktop\getdatabackportable\getdatabackntportable.exe
c:\windows\system32\ntdll.dll
PID: 1876
CMD: C:\Windows\regedit.exe /s "C:\Users\admin\Desktop\GetDataBackPortable\Data\GetDataBackNT.reg"
Path: C:\Windows\regedit.exe
Parent process: GetDataBackNTPortable.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2420
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.exe
Parent process: GetDataBackPortable.exe
User: admin
Company: Runtime Software
Integrity Level: HIGH
Description: GetDataBack for FAT Data Recovery
Exit code: 0
Version: 4.3.3.0
Modules (Images):
c:\users\admin\desktop\getdatabackportable\app\getdataback\gdb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2568
CMD: "C:\Users\admin\AppData\Local\Temp\GetDataBack_Portable_4.33_En-Fr-De-Ru.exe"
Path: C:\Users\admin\AppData\Local\Temp\GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Parent process: explorer.exe
User: admin
Company: PortableAppZ.blogspot.com
Integrity Level: MEDIUM
Description: GetDataBack for FAT-NTFS Portable
Exit code: 0
Version: 0.0.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\getdataback_portable_4.33_en-fr-de-ru.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2612
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackNTPortable.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackNTPortable.exe
Parent process: explorer.exe
User: admin
Company: PortableAppZ.blogspot.com
Integrity Level: HIGH
Description: GetDataBack for NTFS Portable
Exit code: 0
Version: 0.0.0.0
Modules (Images):
c:\users\admin\desktop\getdatabackportable\getdatabackntportable.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2688
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackPortable.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackPortable.exe
Parent process: explorer.exe
User: admin
Company: PortableAppZ.blogspot.com
Integrity Level: HIGH
Description: GetDataBack for FAT Portable
Exit code: 0
Version: 0.0.0.0
Modules (Images):
c:\users\admin\desktop\getdatabackportable\getdatabackportable.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2924
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.exe
Parent process: GetDataBackPortable.exe
User: admin
Company: Runtime Software
Integrity Level: HIGH
Description: GetDataBack for FAT Data Recovery
Exit code: 0
Version: 4.3.3.0
Modules (Images):
c:\users\admin\desktop\getdatabackportable\app\getdataback\gdb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 3068
CMD: "C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdbnt.exe"
Path: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdbnt.exe
Parent process: GetDataBackNTPortable.exe
User: admin
Company: Runtime Software
Integrity Level: HIGH
Description: GetDataBack for NTFS Data Recovery
Exit code: 0
Version: 4.3.3.0
Modules (Images):
c:\users\admin\desktop\getdatabackportable\app\getdataback\gdbnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 2 970
Read events: 2 893
Write events: 48
Delete events: 29

Modification events

PID / Process: 2568 GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

PID / Process: 2568 GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Width
Value: 318

PID / Process: 2568 GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Height
Value: 288

PID / Process: 2688 GetDataBackPortable.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\PortableAppRegistryTest
Operation: delete key
Name: (default)
Value:

PID / Process: 2688 GetDataBackPortable.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

PID / Process: 2688 GetDataBackPortable.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

PID / Process: 2688 GetDataBackPortable.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

PID / Process: 2688 GetDataBackPortable.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

PID / Process: 3980 GetDataBackNTPortable.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\PortableAppRegistryTest
Operation: delete key
Name: (default)
Value:

PID / Process: 3980 GetDataBackNTPortable.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Runtime Software
Operation: delete key
Name: (default)
Value:
Executable files: 29
Suspicious files: 15
Text files: 16
Unknown types: 0

Dropped files

Fields per file: PID, Process, Filename, Type, MD5, SHA256

PID: 2568 / Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.ini
Type: text
MD5: 594B969990D12B399999D78035F661D2
SHA256: 3EAC15B32DC62B6E9A754732EE08B3DBD2927ED0B12CB6BFE4F2232E5D138ED9

PID: 2568 / Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsp9367.tmp\FindProcDLL.dll
Type: executable
MD5: 8614C450637267AFACAD1645E23BA24A
SHA256: 0FA04F06A6DE18D316832086891E9C23AE606D7784D5D5676385839B21CA2758

PID: 2568 / Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.RUS
Type: executable
MD5: 42AA63C304855EE2144D76A936D1B365
SHA256: 4FF2428D6C9862387FD10A855F62E7848FD8A3CEC79FEEB569C720745596FB22

PID: 2568 / Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb_fat_deu.chm
Type: binary
MD5: 72B86A7661CC7F78293F1AD12B7CECFC
SHA256: D6F915FFBB4033FAA88575DF649861D252755C3F2DF8B039029A26DBDF83C901

PID: 2568 / Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsp9366.tmp
Type:
MD5:
SHA256:

PID: 2568 / Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Filename: C:\Users\admin\Desktop\GetDataBackPortable\GetDataBackNTPortable.exe
Type: executable
MD5: 99C330DA433E93F5F2226B44A8B17A47
SHA256: 4AD7378390A596C340E6CCA1C78298604A2A9684050D0DF1EC13FA24212BD8D4

PID: 2568 / Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb.DEU
Type: executable
MD5: 3FB0A4C838E4959BB94C0F7BF0E40A45
SHA256: 6EC1F205FC1146C0E7C00BADF85BFF09DE74B265D2760408638B789452FB335D

PID: 2568 / Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb_nt.chm
Type: binary
MD5: 9608B251109BBB0A16A0808C5567F2B0
SHA256: 0838BF716684876CB47686000E2975CB7C715F4AFBF412D64EF36D4DBE760AC7

PID: 2568 / Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdbnt.DEU
Type: executable
MD5: 2CBB66C03057C7B795F4890DE8727AB0
SHA256: 38766633B019A5ED694A15E2EE2C022AAC19F1EB026D6FC49B7FDA165D271831

PID: 2568 / Process: GetDataBack_Portable_4.33_En-Fr-De-Ru.exe
Filename: C:\Users\admin\Desktop\GetDataBackPortable\App\GetDataBack\gdb_nt_deu.chm
Type: binary
MD5: FD723CE6162003EAAD4884537ABAA389
SHA256: ED386266D11C9E6251EEFFBDD0B76AFC6928D458171124F49B882D72CA72E5FC
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Fields per connection: PID, Process, IP, Domain, ASN, CN, Reputation (Domain, ASN and CN are empty for every row below)

PID: 4 / Process: System / IP: 192.168.100.255:138 / Reputation: whitelisted
PID: 4 / Process: System / IP: 192.168.100.255:137 / Reputation: whitelisted
PID: 1080 / Process: svchost.exe / IP: 224.0.0.252:5355 / Reputation: unknown

DNS requests

No data

Threats

No threats detected
Process: gdb.exe
Message: loaded (this row is repeated 10 times in the report)