File name:

recoverit_setup_full4174.exe

Full analysis: https://app.any.run/tasks/3905d2b3-c9e4-4efd-8acf-afdf68546718
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 14, 2024, 19:34:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

33AC074DB2081380061DD9BE87F75B33

SHA1:

D583CD94E0C20E1A35C93C443C2E8772EF277522

SHA256:

5EA7231F1FF816CB345F9DA6B1D96BFB71911450B92E943D65B0D08D22C69BBD

SSDEEP:

98304:0lfQXEWshcHSoOqDjBBJQC/374tmR6XMPudO:f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • recoverit_setup_full4174.exe (PID: 6688)
    • Executable content was dropped or overwritten

      • recoverit_setup_full4174.exe (PID: 6688)
      • recoverit_64bit_full4174.exe (PID: 6368)
      • recoverit_64bit_full4174.tmp (PID: 6904)
      • recoverit.exe (PID: 5184)
    • Reads Microsoft Outlook installation path

      • recoverit_setup_full4174.exe (PID: 6688)
    • Likely accesses (executes) a file from the Public directory

      • NFWCHK.exe (PID: 6044)
      • recoverit_64bit_full4174.exe (PID: 6368)
      • recoverit_64bit_full4174.tmp (PID: 6904)
    • Reads Internet Explorer settings

      • recoverit_setup_full4174.exe (PID: 6688)
    • Potential Corporate Privacy Violation

      • recoverit_setup_full4174.exe (PID: 6688)
    • Connects to unusual port

      • recoverit_setup_full4174.exe (PID: 6688)
    • Process requests binary or script from the Internet

      • recoverit_setup_full4174.exe (PID: 6688)
    • The process drops C-runtime libraries

      • recoverit_64bit_full4174.tmp (PID: 6904)
      • recoverit.exe (PID: 5184)
    • Process drops legitimate windows executable

      • recoverit_64bit_full4174.tmp (PID: 6904)
      • recoverit.exe (PID: 5184)
    • Drops 7-zip archiver for unpacking

      • recoverit_64bit_full4174.tmp (PID: 6904)
    • Starts CMD.EXE for commands execution

      • recoverit.exe (PID: 5184)
      • recoverit_64bit_full4174.tmp (PID: 6904)
    • Executing commands from a ".bat" file

      • recoverit_64bit_full4174.tmp (PID: 6904)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6296)
      • cmd.exe (PID: 7596)
    • Process drops python dynamic module

      • recoverit_64bit_full4174.tmp (PID: 6904)
    • Connects to SMTP port

      • diskfeedback.exe (PID: 2184)
    • Process drops SQLite DLL files

      • recoverit_64bit_full4174.tmp (PID: 6904)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 4548)
  • INFO

    • Create files in a temporary directory

      • recoverit_setup_full4174.exe (PID: 6688)
    • Reads the machine GUID from the registry

      • recoverit_setup_full4174.exe (PID: 6688)
      • NFWCHK.exe (PID: 6044)
    • Checks supported languages

      • recoverit_setup_full4174.exe (PID: 6688)
      • NFWCHK.exe (PID: 6044)
    • Reads the computer name

      • recoverit_setup_full4174.exe (PID: 6688)
      • NFWCHK.exe (PID: 6044)
    • Checks proxy server information

      • recoverit_setup_full4174.exe (PID: 6688)
    • Application launched itself

      • chrome.exe (PID: 6972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:30 06:39:07+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1285120
InitializedDataSize: 709120
UninitializedDataSize: -
EntryPoint: 0x107e80
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.0.4.22
ProductVersionNumber: 4.0.4.22
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: recoverit---data-recovery-(cpc)_setup_full4174.exe
FileVersion: 4.0.4.22
LegalCopyright: Copyright©2024 Wondershare. All rights reserved.
ProductName: Recoverit - Data Recovery (CPC)
ProductVersion: 12.6.1
No data.
All screenshots are available in the full report
Total processes
275
Monitored processes
142
Malicious processes
4
Suspicious processes
0

Behavior graph

start recoverit_setup_full4174.exe svchost.exe nfwchk.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe recoverit_64bit_full4174.exe recoverit_64bit_full4174.tmp slui.exe cmd.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs addrecycleandfoldericon.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs recoverit.exe chrome.exe chrome.exe no specs diskfeedback.exe conhost.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs cmd.exe no specs conhost.exe no specs drrs.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs cmd.exe no specs conhost.exe no specs redis-cli.exe no specs cmd.exe no specs conhost.exe no specs netstat.exe no specs findstr.exe no specs drengsrv.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs drss.exe no specs conhost.exe no specs chrome.exe no specs wget.exe no specs cbscustomizedclient.exe no specs conhost.exe no specs conhost.exe no specs requestconfigure.exe no specs conhost.exe no specs cbscustomizedclient.exe no specs conhost.exe no specs chrome.exe no specs fetchabtest.exe no specs conhost.exe no specs requestconfigure_advertisementflagcache.exe no specs conhost.exe no specs 
requestconfigure_downloadrescache.exe no specs conhost.exe no specs requestconfigure_uploadworkercache.exe no specs conhost.exe no specs requestconfigure.exe no specs conhost.exe no specs requestconfigure_uploadworkercache.exe no specs conhost.exe no specs requestconfigure.exe no specs conhost.exe no specs requestconfigure_downloadrescache.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs requestconfigure_userrateworkercache.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs messagepush.exe no specs requestpushmessage.exe no specs autoupgrade.exe no specs conhost.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs requestconfigure.exe no specs conhost.exe no specs chrome.exe no specs requestconfigure_userrateworkercache.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs previewassist.exe no specs chrome.exe no specs chrome.exe no specs cmd.exe no specs conhost.exe no specs redis-cli.exe no specs findstr.exe no specs recoverit_setup_full4174.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 300
CMD: "C:\Users\admin\AppData\Local\Temp\recoverit_setup_full4174.exe"
Path: C:\Users\admin\AppData\Local\Temp\recoverit_setup_full4174.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
recoverit---data-recovery-(cpc)_setup_full4174.exe
Exit code:
3221226540
Version:
4.0.4.22
Modules
Images
c:\users\admin\appdata\local\temp\recoverit_setup_full4174.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 860
CMD: netsh advfirewall firewall add rule name="RecoveritRSTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=23008
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1244
CMD: netsh advfirewall firewall add rule name="RecoveritRSTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=53014
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1452
CMD: redis-cli.exe -p 23007 ping
Path: C:\Program Files\Wondershare\Recoverit - Data Recovery (CPC)\redis-cli.exe
Parent process: cmd.exe
User:
admin
Company:
Poradowski.com Tomasz Poradowski
Integrity Level:
HIGH
Description:
Redis for Windows, based on MS OpenTech port.
Exit code:
0
Version:
5.0.10
Modules
Images
c:\program files\wondershare\recoverit - data recovery (cpc)\redis-cli.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1748
CMD: netsh advfirewall firewall add rule name="RecoveritRSTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=53015
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1784
CMD: netstat -ano
Path: C:\Windows\System32\NETSTAT.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netstat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\snmpapi.dll
PID: 1788
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1792
CMD: netsh advfirewall firewall add rule name="RecoveritRSUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=23007
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2084
CMD: netsh advfirewall firewall add rule name="RecoveritTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=57214
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2124
CMD: netsh advfirewall firewall add rule name="RecoveritRSTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=43013
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
23 299
Read events
23 229
Write events
67
Delete events
3

Modification events

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WafCX
Operation: write
Name: 4174
Value:
sku-ppc

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\Wondershare Helper Compact
Operation: write
Name: ClientSign
Value:
{7123214f-65e7-482b-869f-618d9e0b380eG}

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF
Operation: write
Name: ClientSign
Value:
{7123214f-65e7-482b-869f-618d9e0b380eG}

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation: write
Name: Version
Value:
WS not running

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: DisableFirstRunCustomize
Value:
1

(PID) Process: (6904) recoverit_64bit_full4174.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Operation: write
Name: C:\Program Files\Wondershare\Recoverit - Data Recovery (CPC)\recoverit.exe
Value:
RUNASADMIN

(PID) Process: (6904) recoverit_64bit_full4174.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\Recoverit
Operation: write
Name: PID
Value:
542
Executable files
636
Suspicious files
301
Text files
477
Unknown types
7

Dropped files

PID
Process
Filename
Type
PID: 6688
Process: recoverit_setup_full4174.exe
Filename: C:\Users\Public\Documents\Wondershare\recoverit_64bit_full4174.exe.~P2S
Type:
MD5:
SHA256:

PID: 6688
Process: recoverit_setup_full4174.exe
Filename: C:\Users\admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log
Type: text
MD5: D87EC1CD98273FEA59CDDB955A145F3E
SHA256: 7CD295C1D4DF30DF6C9AF187DDA363C810223AA355AA0E996F492C1978828EFA

PID: 6688
Process: recoverit_setup_full4174.exe
Filename: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Type: executable
MD5: 27CFB3990872CAA5930FA69D57AEFE7B
SHA256: 43881549228975C7506B050BCE4D9B671412D3CDC08C7516C9DBBB7F50C25146

PID: 6688
Process: recoverit_setup_full4174.exe
Filename: C:\Users\Public\Documents\Wondershare\WAE_DOWNTASK_4174.xml
Type: xml
MD5: 0FA6CC1495F78975E007E7938DB7B59D
SHA256: 56960BC93CF329CB253344932A6E4F24FFD90C9AF3D29DA725841E9E8F07ADB7

PID: 6688
Process: recoverit_setup_full4174.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57
Type: der
MD5: ACC9D04BDC4835367A312D4C8E89505D
SHA256: BEEAE51355E6A09CDB65FF5A631DE02942BD6B4481C23F93E21340598C30F232

PID: 6688
Process: recoverit_setup_full4174.exe
Filename: C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
Type: xml
MD5: 5BABF2A106C883A8E216F768DB99AD51
SHA256: 9E676A617EB0D0535AC05A67C0AE0C0E12D4E998AB55AC786A031BFC25E28300

PID: 6688
Process: recoverit_setup_full4174.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\index-new[1].htm
Type: html
MD5: B233FAB3C78C1A0AE7A4469EF0DE3904
SHA256: 0F6EA86DBAFFD6FE9B7FC0E44B99A67D9D8418D31B602E15483A2D043A5571C1

PID: 6688
Process: recoverit_setup_full4174.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14561BF7422BB6F70A9CB14F5AA8A7DA_6D5FC9FD3617659722A64D73A114DFF7
Type: der
MD5: 9CD1CD38014E3C391BFFEB7CA78848DB
SHA256: F19C9A4F9266B8ED8A5F8EE6C3361EFBF37381D2B5A9C5F9F87C9C1F48343243

PID: 6688
Process: recoverit_setup_full4174.exe
Filename: C:\Users\Public\Documents\Wondershare\recoverit_64bit_full4174.exe
Type:
MD5:
SHA256:

PID: 6688
Process: recoverit_setup_full4174.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14561BF7422BB6F70A9CB14F5AA8A7DA_6D5FC9FD3617659722A64D73A114DFF7
Type: binary
MD5: 23D9EF3FF0B3C5E3C51CC041271E5B62
SHA256: 9E2C944DB4F13A553010E7E452633B061D8FD8628BA8911D021A27658D9E3F48
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
54
TCP/UDP connections
272
DNS requests
230
Threats
34

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6688
recoverit_setup_full4174.exe
GET
2.19.126.135:80
http://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe
DE
whitelisted
6688
recoverit_setup_full4174.exe
GET
206
2.19.126.140:80
http://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe
DE
binary
21.9 Mb
whitelisted
6688
recoverit_setup_full4174.exe
GET
200
216.58.206.35:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
binary
1.41 Kb
whitelisted
6688
recoverit_setup_full4174.exe
GET
2.19.126.140:80
http://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe
DE
whitelisted
6688
recoverit_setup_full4174.exe
GET
206
2.19.126.135:80
http://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe
DE
executable
21.9 Mb
whitelisted
6688
recoverit_setup_full4174.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQlOydjtpho0%2Bholo77zGjGxETUEQQU8JyF%2FaKffY%2FJaLvV1IlNHb7TkP8CEA3EQd5SLWy5mr7JXcu5TKw%3D
US
binary
727 b
whitelisted
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
US
binary
313 b
whitelisted
6236
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
US
binary
471 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5488
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
6688
recoverit_setup_full4174.exe
8.209.72.213:443
pc-api.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
malicious
6688
recoverit_setup_full4174.exe
8.209.73.211:80
platform.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
whitelisted
6688
recoverit_setup_full4174.exe
47.91.89.51:443
prod-web.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
malicious
4360
SearchApp.exe
92.123.104.44:443
www.bing.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
google.com
  • 142.250.185.110
whitelisted
pc-api.wondershare.cc
  • 8.209.72.213
malicious
platform.wondershare.cc
  • 8.209.73.211
malicious
prod-web.wondershare.cc
  • 47.91.89.51
malicious
www.bing.com
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
whitelisted
download.wondershare.net
  • 2.19.126.135
  • 2.19.126.140
whitelisted

Threats

PID
Process
Class
Message
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
6688
recoverit_setup_full4174.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
6688
recoverit_setup_full4174.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
3 ETPRO signatures available at the full report
No debug info