File name:

recoverit_setup_full4151.exe

Full analysis: https://app.any.run/tasks/eb7bff1a-59e1-4e78-acda-2c9907d43f93
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 29, 2024, 09:46:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

1B7C0275540A21C52CCF2B885CD2BAE2

SHA1:

FB5C95E306952AE98B06CF1DDE53C2BBC15678EC

SHA256:

2581EA53AF3B9499F1E8567D1D5298DB5B4A772CE1E4F7B49366086C6885FC2A

SSDEEP:

98304:MZfuFwPzq0ubqPCtPbCDEOzFxLKM6FPuwSCd:X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • recoverit_setup_full4151.exe (PID: 488)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • recoverit_setup_full4151.exe (PID: 488)
      • recoverit_64bit_full4151.tmp (PID: 5104)
      • recoverit.exe (PID: 3104)
      • diskfeedback.exe (PID: 3140)
      • cbscustomizedclient.exe (PID: 4680)
      • cbscustomizedclient.exe (PID: 6756)
    • Reads Microsoft Outlook installation path

      • recoverit_setup_full4151.exe (PID: 488)
    • Reads Internet Explorer settings

      • recoverit_setup_full4151.exe (PID: 488)
    • Drops the executable file immediately after the start

      • recoverit_setup_full4151.exe (PID: 488)
      • recoverit_64bit_full4151.exe (PID: 5944)
      • recoverit_64bit_full4151.tmp (PID: 5104)
      • recoverit.exe (PID: 3104)
      • autoupgrade.exe (PID: 7052)
    • Executable content was dropped or overwritten

      • recoverit_setup_full4151.exe (PID: 488)
      • recoverit_64bit_full4151.tmp (PID: 5104)
      • recoverit_64bit_full4151.exe (PID: 5944)
      • recoverit.exe (PID: 3104)
    • Likely accesses (executes) a file from the Public directory

      • NFWCHK.exe (PID: 4540)
      • recoverit_64bit_full4151.exe (PID: 5944)
      • recoverit_64bit_full4151.tmp (PID: 5104)
    • Reads the date of Windows installation

      • recoverit_setup_full4151.exe (PID: 488)
      • recoverit_64bit_full4151.tmp (PID: 5104)
      • recoverit.exe (PID: 3104)
    • Process requests binary or script from the Internet

      • recoverit_setup_full4151.exe (PID: 488)
      • autoupgrade.exe (PID: 7052)
    • Checks Windows Trust Settings

      • recoverit_setup_full4151.exe (PID: 488)
      • diskfeedback.exe (PID: 3140)
      • cbscustomizedclient.exe (PID: 4680)
      • cbscustomizedclient.exe (PID: 6756)
    • Connects to unusual port

      • recoverit_setup_full4151.exe (PID: 488)
      • recoverit.exe (PID: 3104)
    • Reads the Windows owner or organization settings

      • recoverit_64bit_full4151.tmp (PID: 5104)
    • Process drops SQLite DLL files

      • recoverit_64bit_full4151.tmp (PID: 5104)
    • The process drops C-runtime libraries

      • recoverit_64bit_full4151.tmp (PID: 5104)
      • recoverit.exe (PID: 3104)
    • Process drops legitimate windows executable

      • recoverit_64bit_full4151.tmp (PID: 5104)
      • recoverit.exe (PID: 3104)
    • Process drops python dynamic module

      • recoverit_64bit_full4151.tmp (PID: 5104)
    • Drops 7-zip archiver for unpacking

      • recoverit_64bit_full4151.tmp (PID: 5104)
    • Potential Corporate Privacy Violation

      • recoverit_setup_full4151.exe (PID: 488)
      • autoupgrade.exe (PID: 7052)
    • Starts CMD.EXE for commands execution

      • recoverit_64bit_full4151.tmp (PID: 5104)
      • recoverit.exe (PID: 3104)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 568)
    • Executing commands from a ".bat" file

      • recoverit_64bit_full4151.tmp (PID: 5104)
    • Reads the BIOS version

      • recoverit.exe (PID: 3104)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 4344)
    • Searches for installed software

      • recoverit.exe (PID: 3104)
    • Connects to SMTP port

      • diskfeedback.exe (PID: 3140)
  • INFO

    • Checks proxy server information

      • recoverit_setup_full4151.exe (PID: 488)
      • slui.exe (PID: 2068)
      • diskfeedback.exe (PID: 3140)
      • recoverit.exe (PID: 3104)
    • Checks supported languages

      • recoverit_setup_full4151.exe (PID: 488)
      • NFWCHK.exe (PID: 4540)
      • recoverit_64bit_full4151.exe (PID: 5944)
      • recoverit_64bit_full4151.tmp (PID: 5104)
      • recoverit.exe (PID: 3104)
      • AddRecycleAndFolderIcon.exe (PID: 6552)
      • drrs.exe (PID: 6252)
      • diskfeedback.exe (PID: 3140)
      • redis-cli.exe (PID: 4820)
      • drengsrv.exe (PID: 7156)
      • drss.exe (PID: 5708)
      • wget.exe (PID: 6232)
      • cbscustomizedclient.exe (PID: 4680)
      • requestconfigure.exe (PID: 2768)
      • fetchabtest.exe (PID: 6748)
      • requestconfigure_uploadworkercache.exe (PID: 4068)
      • requestconfigure_advertisementFlagcache.exe (PID: 5984)
      • cbscustomizedclient.exe (PID: 6756)
      • requestconfigure.exe (PID: 2232)
      • requestconfigure_uploadworkercache.exe (PID: 4540)
      • requestconfigure.exe (PID: 5768)
      • messagepush.exe (PID: 3648)
      • requestpushmessage.exe (PID: 6248)
      • autoupgrade.exe (PID: 7052)
      • requestconfigure_userrateworkercache.exe (PID: 4680)
      • requestconfigure_userrateworkercache.exe (PID: 6716)
      • requestconfigure.exe (PID: 5916)
      • PreviewAssist.exe (PID: 6336)
    • Reads the machine GUID from the registry

      • recoverit_setup_full4151.exe (PID: 488)
      • NFWCHK.exe (PID: 4540)
      • recoverit.exe (PID: 3104)
      • diskfeedback.exe (PID: 3140)
      • drss.exe (PID: 5708)
      • cbscustomizedclient.exe (PID: 4680)
      • requestconfigure_advertisementFlagcache.exe (PID: 5984)
      • fetchabtest.exe (PID: 6748)
      • requestconfigure.exe (PID: 2768)
      • cbscustomizedclient.exe (PID: 6756)
      • requestconfigure_uploadworkercache.exe (PID: 4068)
      • requestconfigure.exe (PID: 2232)
      • requestconfigure_uploadworkercache.exe (PID: 4540)
      • requestconfigure.exe (PID: 5768)
      • requestconfigure.exe (PID: 5916)
      • requestconfigure_userrateworkercache.exe (PID: 4680)
      • messagepush.exe (PID: 3648)
      • requestconfigure_userrateworkercache.exe (PID: 6716)
    • Reads the computer name

      • recoverit_setup_full4151.exe (PID: 488)
      • NFWCHK.exe (PID: 4540)
      • recoverit_64bit_full4151.tmp (PID: 5104)
      • recoverit.exe (PID: 3104)
      • diskfeedback.exe (PID: 3140)
      • drengsrv.exe (PID: 7156)
      • drss.exe (PID: 5708)
      • wget.exe (PID: 6232)
      • cbscustomizedclient.exe (PID: 4680)
      • fetchabtest.exe (PID: 6748)
      • cbscustomizedclient.exe (PID: 6756)
      • requestconfigure_advertisementFlagcache.exe (PID: 5984)
      • requestconfigure.exe (PID: 2768)
      • requestconfigure_uploadworkercache.exe (PID: 4068)
      • requestconfigure.exe (PID: 2232)
      • requestconfigure_uploadworkercache.exe (PID: 4540)
      • requestconfigure.exe (PID: 5768)
      • messagepush.exe (PID: 3648)
      • requestpushmessage.exe (PID: 6248)
      • autoupgrade.exe (PID: 7052)
      • requestconfigure_userrateworkercache.exe (PID: 4680)
      • requestconfigure.exe (PID: 5916)
      • PreviewAssist.exe (PID: 6336)
      • requestconfigure_userrateworkercache.exe (PID: 6716)
    • Create files in a temporary directory

      • recoverit_setup_full4151.exe (PID: 488)
      • recoverit_64bit_full4151.tmp (PID: 5104)
      • recoverit_64bit_full4151.exe (PID: 5944)
      • recoverit.exe (PID: 3104)
      • autoupgrade.exe (PID: 7052)
    • Process checks Internet Explorer phishing filters

      • recoverit_setup_full4151.exe (PID: 488)
    • Creates files in the program directory

      • recoverit_setup_full4151.exe (PID: 488)
      • recoverit_64bit_full4151.tmp (PID: 5104)
      • recoverit.exe (PID: 3104)
      • drengsrv.exe (PID: 7156)
      • wget.exe (PID: 6232)
      • fetchabtest.exe (PID: 6748)
      • requestconfigure.exe (PID: 2768)
      • cbscustomizedclient.exe (PID: 6756)
      • requestconfigure_advertisementFlagcache.exe (PID: 5984)
      • requestconfigure_uploadworkercache.exe (PID: 4068)
      • requestconfigure_uploadworkercache.exe (PID: 4540)
      • messagepush.exe (PID: 3648)
      • requestconfigure.exe (PID: 2232)
      • requestconfigure_userrateworkercache.exe (PID: 4680)
      • requestconfigure.exe (PID: 5916)
      • requestpushmessage.exe (PID: 6248)
      • requestconfigure.exe (PID: 5768)
      • autoupgrade.exe (PID: 7052)
      • requestconfigure_userrateworkercache.exe (PID: 6716)
      • PreviewAssist.exe (PID: 6336)
    • Creates files or folders in the user directory

      • recoverit_setup_full4151.exe (PID: 488)
      • recoverit_64bit_full4151.tmp (PID: 5104)
      • diskfeedback.exe (PID: 3140)
      • recoverit.exe (PID: 3104)
    • Process checks computer location settings

      • recoverit_setup_full4151.exe (PID: 488)
      • recoverit_64bit_full4151.tmp (PID: 5104)
      • recoverit.exe (PID: 3104)
    • Reads the software policy settings

      • slui.exe (PID: 1076)
      • recoverit_setup_full4151.exe (PID: 488)
      • slui.exe (PID: 2068)
      • recoverit_64bit_full4151.tmp (PID: 5104)
      • diskfeedback.exe (PID: 3140)
      • cbscustomizedclient.exe (PID: 4680)
      • cbscustomizedclient.exe (PID: 6756)
    • Dropped object may contain TOR URL's

      • recoverit_64bit_full4151.tmp (PID: 5104)
      • recoverit.exe (PID: 3104)
    • Creates a software uninstall entry

      • recoverit_64bit_full4151.tmp (PID: 5104)
    • Process checks whether UAC notifications are on

      • recoverit.exe (PID: 3104)
    • Application launched itself

      • chrome.exe (PID: 4692)
    • Reads Microsoft Office registry keys

      • chrome.exe (PID: 4692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:30 06:40:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1303552
InitializedDataSize: 757760
UninitializedDataSize: -
EntryPoint: 0x10c5ab
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.0.4.22
ProductVersionNumber: 4.0.4.22
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: recoverit_setup_full4151.exe
FileVersion: 4.0.4.22
LegalCopyright: Copyright©2024 Wondershare. All rights reserved.
ProductName: Recoverit
ProductVersion: 10.6.6
No data.
All screenshots are available in the full report
Total processes
252
Monitored processes
114
Malicious processes
6
Suspicious processes
0

Behavior graph

start recoverit_setup_full4151.exe svchost.exe nfwchk.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe slui.exe recoverit_64bit_full4151.exe recoverit_64bit_full4151.tmp cmd.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs addrecycleandfoldericon.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs recoverit.exe chrome.exe netsh.exe no specs netsh.exe no specs netsh.exe no specs chrome.exe no specs netsh.exe no specs diskfeedback.exe netsh.exe no specs netsh.exe no specs cmd.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs conhost.exe no specs conhost.exe no specs drrs.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs cmd.exe no specs conhost.exe no specs redis-cli.exe no specs cmd.exe no specs conhost.exe no specs netstat.exe no specs findstr.exe no specs chrome.exe no specs chrome.exe no specs drengsrv.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs drss.exe no specs conhost.exe no specs wget.exe cbscustomizedclient.exe no specs conhost.exe no specs conhost.exe no specs requestconfigure.exe conhost.exe no specs cbscustomizedclient.exe no specs conhost.exe no specs fetchabtest.exe conhost.exe no specs requestconfigure_advertisementflagcache.exe conhost.exe no specs requestconfigure_uploadworkercache.exe conhost.exe no specs requestconfigure.exe conhost.exe no specs requestconfigure_uploadworkercache.exe 
conhost.exe no specs requestconfigure.exe conhost.exe no specs messagepush.exe requestpushmessage.exe no specs autoupgrade.exe conhost.exe no specs conhost.exe no specs requestconfigure.exe conhost.exe no specs requestconfigure_userrateworkercache.exe conhost.exe no specs requestconfigure_userrateworkercache.exe conhost.exe no specs previewassist.exe no specs recoverit_setup_full4151.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
488
CMD:
"C:\Users\admin\AppData\Local\Temp\recoverit_setup_full4151.exe"
Path:
C:\Users\admin\AppData\Local\Temp\recoverit_setup_full4151.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
recoverit_setup_full4151.exe
Exit code:
0
Version:
4.0.4.22
Modules
Images
c:\users\admin\appdata\local\temp\recoverit_setup_full4151.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wldap32.dll
PID:
568
CMD:
"C:\WINDOWS\system32\cmd.exe" /C ""C:\Program Files\Wondershare\Recoverit\AccessInboundRule.bat""
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
recoverit_64bit_full4151.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
608
CMD:
netsh advfirewall firewall add rule name="RecoveritRSUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=23008
Path:
C:\Windows\SysWOW64\netsh.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1060
CMD:
netsh advfirewall firewall add rule name="RecoveritRSUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=33009
Path:
C:\Windows\SysWOW64\netsh.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1076
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\Windows\System32\slui.exe
Parent process:
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1084
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
requestconfigure.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1132
CMD:
netsh advfirewall firewall add rule name="RecoveritUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=57210
Path:
C:\Windows\SysWOW64\netsh.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1168
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2152 --field-trial-handle=1936,i,7786976704909840080,9874299771392188667,262144 --variations-seed-version /prefetch:3
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1332
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
AddRecycleAndFolderIcon.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1932
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
requestconfigure_uploadworkercache.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
49 091
Read events
48 962
Write events
118
Delete events
11

Modification events

(PID) Process:
(488) recoverit_setup_full4151.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WafCX
Operation:
write
Name:
4151
Value:
sku-weit-weit-it

(PID) Process:
(488) recoverit_setup_full4151.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\Wondershare Helper Compact
Operation:
write
Name:
ClientSign
Value:
{42a75011-f046-4e9c-b791-66b2fd5b1bdaG}

(PID) Process:
(488) recoverit_setup_full4151.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF
Operation:
write
Name:
ClientSign
Value:
{42a75011-f046-4e9c-b791-66b2fd5b1bdaG}

(PID) Process:
(488) recoverit_setup_full4151.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
ProxyBypass
Value:
1

(PID) Process:
(488) recoverit_setup_full4151.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
IntranetName
Value:
1

(PID) Process:
(488) recoverit_setup_full4151.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
UNCAsIntranet
Value:
1

(PID) Process:
(488) recoverit_setup_full4151.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
AutoDetect
Value:
0

(PID) Process:
(488) recoverit_setup_full4151.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:
write
Name:
CachePrefix
Value:

(PID) Process:
(488) recoverit_setup_full4151.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:
write
Name:
CachePrefix
Value:
Cookie:

(PID) Process:
(488) recoverit_setup_full4151.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:
write
Name:
CachePrefix
Value:
Visited:
Executable files
629
Suspicious files
229
Text files
465
Unknown types
19

Dropped files

PID
Process
Filename
Type
PID:
488
Process:
recoverit_setup_full4151.exe
Filename:
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Type:
executable
MD5: 27CFB3990872CAA5930FA69D57AEFE7B
SHA256: 43881549228975C7506B050BCE4D9B671412D3CDC08C7516C9DBBB7F50C25146

PID:
488
Process:
recoverit_setup_full4151.exe
Filename:
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
Type:
xml
MD5: 5BABF2A106C883A8E216F768DB99AD51
SHA256: 9E676A617EB0D0535AC05A67C0AE0C0E12D4E998AB55AC786A031BFC25E28300

PID:
488
Process:
recoverit_setup_full4151.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14561BF7422BB6F70A9CB14F5AA8A7DA_6D5FC9FD3617659722A64D73A114DFF7
Type:
binary
MD5: 947CB275915D79BACFF5D7B8E5D33A65
SHA256: 93F9F540B688BA19F674E936A295D356E95838DC90B9ECF2B85C1DA325BEA5F5

PID:
488
Process:
recoverit_setup_full4151.exe
Filename:
C:\Users\Public\Documents\Wondershare\recoverit_64bit_full4151.exe.~P2S
Type:
MD5:
SHA256:

PID:
488
Process:
recoverit_setup_full4151.exe
Filename:
C:\Users\admin\AppData\Local\Temp\wsduilib.log
Type:
text
MD5: 63D47FC3BFD3A898F4ED3E5BC96D73F9
SHA256: 4A8D9694E40D0BB3B51BFB36D86E05516660BDBE7AFB93083654D45463CBAD39

PID:
488
Process:
recoverit_setup_full4151.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log
Type:
text
MD5: 35C4132126E0CECDB1B36777B2E0C695
SHA256: 777C14C4057BC0C6928E9ACA25B38912D084AAFC6E59E40232E5F5EA9E656D93

PID:
488
Process:
recoverit_setup_full4151.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\json2[1].js
Type:
text
MD5: E78199FE40036021717F4A18BCDB91CE
SHA256: 9DD0F1D3CECD1368D46CD881FF6F6529485F0414BC40F35D2A4D2C08769517F0

PID:
488
Process:
recoverit_setup_full4151.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Type:
binary
MD5: 09CA612171B80EC543164AA7FF456792
SHA256: 0B54369D2ABF9660149DC84F8CE36BD499F561C003C5BF3208DF4EA99983712F

PID:
488
Process:
recoverit_setup_full4151.exe
Filename:
C:\Users\Public\Documents\Wondershare\recoverit_64bit_full4151.exe
Type:
MD5:
SHA256:

PID:
488
Process:
recoverit_setup_full4151.exe
Filename:
C:\Users\Public\Documents\Wondershare\WAE_DOWNTASK_4151.xml
Type:
xml
MD5: 0FA6CC1495F78975E007E7938DB7B59D
SHA256: 56960BC93CF329CB253344932A6E4F24FFD90C9AF3D29DA725841E9E8F07ADB7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
52
TCP/UDP connections
223
DNS requests
158
Threats
37

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
488
recoverit_setup_full4151.exe
GET
23.48.23.41:80
http://download-it.wondershare.com/cbs_down/recoverit_64bit_full4151.exe
unknown
whitelisted
488
recoverit_setup_full4151.exe
GET
206
23.48.23.41:80
http://download-it.wondershare.com/cbs_down/recoverit_64bit_full4151.exe
unknown
whitelisted
488
recoverit_setup_full4151.exe
GET
8.209.73.211:80
http://platform.wondershare.cc/rest/v2/downloader/runtime/?client_sign={42a75011-f046-4e9c-b791-66b2fd5b1bdaG}&product_id=4151&wae=4.0.4&platform=win_x64
unknown
whitelisted
488
recoverit_setup_full4151.exe
HEAD
200
23.48.23.41:80
http://download-it.wondershare.com/cbs_down/recoverit_64bit_full4151.exe
unknown
whitelisted
1360
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3328
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
488
recoverit_setup_full4151.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQlOydjtpho0%2Bholo77zGjGxETUEQQU8JyF%2FaKffY%2FJaLvV1IlNHb7TkP8CEA3EQd5SLWy5mr7JXcu5TKw%3D
unknown
whitelisted
3328
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
488
recoverit_setup_full4151.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAoFmyX1Sz2HlMxmMUd1OKM%3D
unknown
whitelisted
488
recoverit_setup_full4151.exe
HEAD
200
23.48.23.50:80
http://download-it.wondershare.com/cbs_down/recoverit_64bit_full4151.exe
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5796
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6456
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
488
recoverit_setup_full4151.exe
8.209.72.213:443
pc-api.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
malicious
488
recoverit_setup_full4151.exe
8.209.73.211:80
platform.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
whitelisted
488
recoverit_setup_full4151.exe
47.91.89.51:443
prod-web.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
malicious
488
recoverit_setup_full4151.exe
23.48.23.41:80
download-it.wondershare.com
Akamai International B.V.
DE
whitelisted
488
recoverit_setup_full4151.exe
47.91.90.244:8106
analytics.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
malicious
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.78
whitelisted
pc-api.wondershare.cc
  • 8.209.72.213
malicious
platform.wondershare.cc
  • 8.209.73.211
malicious
prod-web.wondershare.cc
  • 47.91.89.51
malicious
download-it.wondershare.com
  • 23.48.23.41
  • 23.48.23.50
whitelisted
analytics.wondershare.cc
  • 47.91.90.244
malicious
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2256
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2256
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2256
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2256
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
488
recoverit_setup_full4151.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
488
recoverit_setup_full4151.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2256
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2256
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
3104
recoverit.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
5 ETPRO signatures available at the full report
No debug info