File name:

recoverit_setup_full4134.exe

Full analysis: https://app.any.run/tasks/5647b981-6d81-4e5d-8aa0-8c56e5224de0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 22, 2024, 06:42:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

78F7FCF855471760ED06AD70A270F57F

SHA1:

1DCCCD6BE6788FEDF26DECE091B4C81466875051

SHA256:

2A8E60101A430F81D17236EDCF4D55A6A8172AFB1C7BA492B71911F723059FEC

SSDEEP:

98304:IlfQXEWshcHSoOqDjBBJQC/374tmR6XzPuP:1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • recoverit_setup_full4134.exe (PID: 6624)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • recoverit_setup_full4134.exe (PID: 6624)
      • recoverit_64bit_full4134.exe (PID: 1360)
      • recoverit_64bit_full4134.tmp (PID: 5144)
    • Reads security settings of Internet Explorer

      • recoverit_setup_full4134.exe (PID: 6624)
      • recoverit_64bit_full4134.tmp (PID: 5144)
      • recoverit.exe (PID: 6188)
    • Reads Microsoft Outlook installation path

      • recoverit_setup_full4134.exe (PID: 6624)
    • Executable content was dropped or overwritten

      • recoverit_setup_full4134.exe (PID: 6624)
      • recoverit_64bit_full4134.exe (PID: 1360)
      • recoverit_64bit_full4134.tmp (PID: 5144)
    • Likely accesses (executes) a file from the Public directory

      • NFWCHK.exe (PID: 6776)
      • recoverit_64bit_full4134.exe (PID: 1360)
      • recoverit_64bit_full4134.tmp (PID: 5144)
    • Potential Corporate Privacy Violation

      • recoverit_setup_full4134.exe (PID: 6624)
    • Process requests binary or script from the Internet

      • recoverit_setup_full4134.exe (PID: 6624)
    • Connects to unusual port

      • recoverit_setup_full4134.exe (PID: 6624)
      • recoverit.exe (PID: 6188)
    • Reads the date of Windows installation

      • recoverit_setup_full4134.exe (PID: 6624)
      • recoverit_64bit_full4134.tmp (PID: 5144)
      • recoverit.exe (PID: 6188)
    • Reads the Windows owner or organization settings

      • recoverit_64bit_full4134.tmp (PID: 5144)
    • Process drops SQLite DLL files

      • recoverit_64bit_full4134.tmp (PID: 5144)
    • The process drops C-runtime libraries

      • recoverit_64bit_full4134.tmp (PID: 5144)
    • Process drops legitimate windows executable

      • recoverit_64bit_full4134.tmp (PID: 5144)
    • Drops 7-zip archiver for unpacking

      • recoverit_64bit_full4134.tmp (PID: 5144)
    • Process drops python dynamic module

      • recoverit_64bit_full4134.tmp (PID: 5144)
    • Starts CMD.EXE for commands execution

      • recoverit_64bit_full4134.tmp (PID: 5144)
    • Executing commands from a ".bat" file

      • recoverit_64bit_full4134.tmp (PID: 5144)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 7092)
    • Reads the BIOS version

      • recoverit.exe (PID: 6188)
    • Uses TASKKILL.EXE to kill process

      • recoverit.exe (PID: 6188)
    • Reads Internet Explorer settings

      • recoverit_setup_full4134.exe (PID: 6624)
    • Checks Windows Trust Settings

      • recoverit_setup_full4134.exe (PID: 6624)
  • INFO

    • Reads the software policy settings

      • recoverit_setup_full4134.exe (PID: 6624)
      • recoverit_64bit_full4134.tmp (PID: 5144)
    • Creates files or folders in the user directory

      • recoverit_setup_full4134.exe (PID: 6624)
      • recoverit_64bit_full4134.tmp (PID: 5144)
      • recoverit.exe (PID: 6188)
    • Reads the computer name

      • recoverit_setup_full4134.exe (PID: 6624)
      • recoverit_64bit_full4134.tmp (PID: 5144)
      • recoverit.exe (PID: 6188)
      • fetchabtest.exe (PID: 6572)
      • autoupgrade.exe (PID: 5464)
      • drengsrv.exe (PID: 2960)
      • drss.exe (PID: 6880)
      • NFWCHK.exe (PID: 6776)
    • Checks supported languages

      • recoverit_setup_full4134.exe (PID: 6624)
      • recoverit_64bit_full4134.exe (PID: 1360)
      • recoverit_64bit_full4134.tmp (PID: 5144)
      • recoverit.exe (PID: 6188)
      • AddRecycleAndFolderIcon.exe (PID: 5164)
      • autoupgrade.exe (PID: 5464)
      • fetchabtest.exe (PID: 6572)
      • NFWCHK.exe (PID: 6776)
      • drengsrv.exe (PID: 2960)
      • drss.exe (PID: 6880)
      • videorepairclean.exe (PID: 6812)
      • closeprocess.exe (PID: 6472)
    • Reads the machine GUID from the registry

      • recoverit_setup_full4134.exe (PID: 6624)
      • recoverit.exe (PID: 6188)
      • fetchabtest.exe (PID: 6572)
      • NFWCHK.exe (PID: 6776)
      • drss.exe (PID: 6880)
    • Checks proxy server information

      • recoverit_setup_full4134.exe (PID: 6624)
      • recoverit.exe (PID: 6188)
    • Process checks Internet Explorer phishing filters

      • recoverit_setup_full4134.exe (PID: 6624)
    • Create files in a temporary directory

      • recoverit_setup_full4134.exe (PID: 6624)
      • recoverit_64bit_full4134.exe (PID: 1360)
      • recoverit_64bit_full4134.tmp (PID: 5144)
      • recoverit.exe (PID: 6188)
    • Process checks computer location settings

      • recoverit_setup_full4134.exe (PID: 6624)
      • recoverit_64bit_full4134.tmp (PID: 5144)
      • recoverit.exe (PID: 6188)
    • Creates files in the program directory

      • recoverit_64bit_full4134.tmp (PID: 5144)
      • recoverit.exe (PID: 6188)
      • autoupgrade.exe (PID: 5464)
      • fetchabtest.exe (PID: 6572)
      • drengsrv.exe (PID: 2960)
      • recoverit_setup_full4134.exe (PID: 6624)
    • Dropped object may contain TOR URL's

      • recoverit_64bit_full4134.tmp (PID: 5144)
    • Creates a software uninstall entry

      • recoverit_64bit_full4134.tmp (PID: 5144)
    • Process checks whether UAC notifications are on

      • recoverit.exe (PID: 6188)
    • Reads Microsoft Office registry keys

      • chrome.exe (PID: 4680)
    • Application launched itself

      • chrome.exe (PID: 4680)
    • The process uses the downloaded file

      • chrome.exe (PID: 6164)
      • chrome.exe (PID: 5908)
      • chrome.exe (PID: 7128)
      • chrome.exe (PID: 5464)
      • chrome.exe (PID: 7104)
      • chrome.exe (PID: 6756)
      • chrome.exe (PID: 6472)
      • chrome.exe (PID: 2700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:30 06:39:07+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1285120
InitializedDataSize: 709120
UninitializedDataSize: -
EntryPoint: 0x107e80
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.0.4.22
ProductVersionNumber: 4.0.4.22
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: recoverit---data-recovery_setup_full4134.exe
FileVersion: 4.0.4.22
LegalCopyright: Copyright©2024 Wondershare. All rights reserved.
ProductName: Recoverit - Data Recovery
ProductVersion: 13.0.2
No data.
All screenshots are available in the full report
Total processes
254
Monitored processes
110
Malicious processes
5
Suspicious processes
0

Behavior graph

start recoverit_setup_full4134.exe svchost.exe nfwchk.exe no specs conhost.exe no specs recoverit_64bit_full4134.exe recoverit_64bit_full4134.tmp cmd.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs addrecycleandfoldericon.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs recoverit.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs autoupgrade.exe conhost.exe no specs fetchabtest.exe conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs drengsrv.exe no specs conhost.exe no specs chrome.exe no specs drss.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs 
conhost.exe no specs taskkill.exe no specs conhost.exe no specs closeprocess.exe no specs conhost.exe no specs videorepairclean.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs recoverit_setup_full4134.exe no specs

Process information

PID | CMD | Path | Parent process

PID: 304 | CMD: netsh advfirewall firewall add rule name="RecoveritRSTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=23007 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 368 | CMD: netsh advfirewall firewall add rule name="RecoveritRSUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=53015 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 508 | CMD: netsh advfirewall firewall add rule name="RecoveritTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=57211 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 608 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: autoupgrade.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 740 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 892 | CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2272 --field-trial-handle=1880,i,14987563054750262595,9255075118979949589,262144 --variations-seed-version /prefetch:8 | Path: C:\Program Files\Google\Chrome\Application\chrome.exe | Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 940 | CMD: netsh advfirewall firewall add rule name="RecoveritRSTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=33011 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1044 | CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4964 --field-trial-handle=1880,i,14987563054750262595,9255075118979949589,262144 --variations-seed-version /prefetch:8 | Path: C:\Program Files\Google\Chrome\Application\chrome.exe | Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1048 | CMD: netsh advfirewall firewall add rule name="RecoveritRSUDPAccessInboundRule" dir=in action=allow protocol=TCP localport=50053 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1168 | CMD: taskkill /im drss.exe /f | Path: C:\Windows\System32\taskkill.exe | Parent process: recoverit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
45 458
Read events
45 240
Write events
199
Delete events
19

Modification events

Process: (6624) recoverit_setup_full4134.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WafCX | Operation: write | Name: 4134 | Value: sku-ween
Process: (6624) recoverit_setup_full4134.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\Wondershare Helper Compact | Operation: write | Name: ClientSign | Value: {4f3302b1-200e-4aed-98b6-35f8a4ca0156G}
Process: (6624) recoverit_setup_full4134.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF | Operation: write | Name: ClientSign | Value: {4f3302b1-200e-4aed-98b6-35f8a4ca0156G}
Process: (6624) recoverit_setup_full4134.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
Process: (6624) recoverit_setup_full4134.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
Process: (6624) recoverit_setup_full4134.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
Process: (6624) recoverit_setup_full4134.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
Process: (6624) recoverit_setup_full4134.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
Process: (6624) recoverit_setup_full4134.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
Process: (6624) recoverit_setup_full4134.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
Executable files
595
Suspicious files
513
Text files
461
Unknown types
170

Dropped files

PID | Process | Filename | Type

6624 | recoverit_setup_full4134.exe | C:\Users\Public\Documents\Wondershare\recoverit_64bit_full4134.exe.~P2S | -
MD5:
SHA256:
6624 | recoverit_setup_full4134.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\NotoSansSC-Regular[1].otf | -
MD5:
SHA256:
6624 | recoverit_setup_full4134.exe | C:\Users\Public\Documents\Wondershare\recoverit_64bit_full4134.exe | -
MD5:
SHA256:
6624 | recoverit_setup_full4134.exe | C:\Users\admin\AppData\Local\Temp\wsduilib.log | text
MD5: 0B3188389D01FD7B0460BDC26DFBE839
SHA256: AED55812E376EC222D4297CC759D421A9E49758F15341AFCB34AE311258D3424
6624 | recoverit_setup_full4134.exe | C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config | xml
MD5: 5BABF2A106C883A8E216F768DB99AD51
SHA256: 9E676A617EB0D0535AC05A67C0AE0C0E12D4E998AB55AC786A031BFC25E28300
6624 | recoverit_setup_full4134.exe | C:\Users\admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log | text
MD5: 2138F80D6839F116207D39D9ABEDDAAA
SHA256: 96CBA7832DE5D5EBF91C6ED49F59CB38E2DD0BF249CF8BFC23380E1483080F74
6624 | recoverit_setup_full4134.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\json2[1].js | text
MD5: E78199FE40036021717F4A18BCDB91CE
SHA256: 9DD0F1D3CECD1368D46CD881FF6F6529485F0414BC40F35D2A4D2C08769517F0
6624 | recoverit_setup_full4134.exe | C:\Users\Public\Documents\Wondershare\WAE_DOWNTASK_4134.xml | xml
MD5: 0FA6CC1495F78975E007E7938DB7B59D
SHA256: 56960BC93CF329CB253344932A6E4F24FFD90C9AF3D29DA725841E9E8F07ADB7
6624 | recoverit_setup_full4134.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57 | binary
MD5: 5D70B992EF34E35225D12AAC1B5F0DAD
SHA256: 801DA533F19D7DA44BE89C7BCBAC300D623AED57D3FABF777FC5A20115D0F3CE
6624 | recoverit_setup_full4134.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\javascript_call_native[1].js | binary
MD5: B9DA127236EFDB755F568304B5EF3044
SHA256: 01C839C0A9C47DC571175312EBC208EAE6FF28CED3A3EFA13C1EE81CD9764F71
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
170
DNS requests
150
Threats
20

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

6624 | recoverit_setup_full4134.exe | HEAD | 200 | 23.48.23.41:80 | http://download.wondershare.com/cbs_down/recoverit_64bit_full4134.exe | unknown | - | - | whitelisted
6624 | recoverit_setup_full4134.exe | GET | - | 8.209.73.211:80 | http://platform.wondershare.cc/rest/v2/downloader/runtime/?client_sign={4f3302b1-200e-4aed-98b6-35f8a4ca0156G}&product_id=4134&wae=4.0.4&platform=win_x64 | unknown | - | - | whitelisted
6624 | recoverit_setup_full4134.exe | HEAD | 200 | 23.48.23.41:80 | http://download.wondershare.com/cbs_down/recoverit_64bit_full4134.exe | unknown | - | - | whitelisted
6624 | recoverit_setup_full4134.exe | HEAD | 200 | 23.48.23.50:80 | http://download.wondershare.com/cbs_down/recoverit_64bit_full4134.exe | unknown | - | - | whitelisted
2228 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
6624 | recoverit_setup_full4134.exe | GET | 206 | 23.48.23.50:80 | http://download.wondershare.com/cbs_down/recoverit_64bit_full4134.exe | unknown | - | - | whitelisted
4248 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
6624 | recoverit_setup_full4134.exe | GET | 206 | 23.48.23.41:80 | http://download.wondershare.com/cbs_down/recoverit_64bit_full4134.exe | unknown | - | - | whitelisted
4820 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
6624 | recoverit_setup_full4134.exe | GET | - | 23.48.23.41:80 | http://download.wondershare.com/cbs_down/recoverit_64bit_full4134.exe | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4876 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4436 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6624 | recoverit_setup_full4134.exe | 8.209.72.213:443 | pc-api.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | unknown
6624 | recoverit_setup_full4134.exe | 8.209.73.211:80 | platform.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | unknown
6624 | recoverit_setup_full4134.exe | 47.91.89.51:443 | prod-web.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | unknown
6624 | recoverit_setup_full4134.exe | 23.48.23.41:80 | download.wondershare.com | Akamai International B.V. | DE | unknown
6624 | recoverit_setup_full4134.exe | 47.91.90.244:8106 | analytics.wondershare.cc | Alibaba US Technology Co., Ltd. | DE | unknown
6624 | recoverit_setup_full4134.exe | 163.181.92.231:443 | wae.wondershare.cc | Zhejiang Taobao Network Co.,Ltd | DE | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.46
whitelisted
pc-api.wondershare.cc
  • 8.209.72.213
malicious
platform.wondershare.cc
  • 8.209.73.211
malicious
prod-web.wondershare.cc
  • 47.91.89.51
malicious
download.wondershare.com
  • 23.48.23.41
  • 23.48.23.50
whitelisted
analytics.wondershare.cc
  • 47.91.90.244
malicious
wae.wondershare.cc
  • 163.181.92.231
  • 163.181.92.232
  • 163.181.92.233
  • 163.181.92.229
  • 163.181.92.235
  • 163.181.92.230
  • 163.181.92.228
  • 163.181.92.234
malicious
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted

Threats

PID | Process | Class | Message

2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
6624 | recoverit_setup_full4134.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
6624 | recoverit_setup_full4134.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
7072 | chrome.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
3 ETPRO signatures available at the full report
No debug info