File name: recoverit_setup_full4174.exe

Full analysis: https://app.any.run/tasks/3905d2b3-c9e4-4efd-8acf-afdf68546718
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 14, 2024, 19:34:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 33AC074DB2081380061DD9BE87F75B33
SHA1: D583CD94E0C20E1A35C93C443C2E8772EF277522
SHA256: 5EA7231F1FF816CB345F9DA6B1D96BFB71911450B92E943D65B0D08D22C69BBD
SSDEEP: 98304:0lfQXEWshcHSoOqDjBBJQC/374tmR6XMPudO:f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • recoverit_setup_full4174.exe (PID: 6688)
    • Executable content was dropped or overwritten

      • recoverit_setup_full4174.exe (PID: 6688)
      • recoverit_64bit_full4174.tmp (PID: 6904)
      • recoverit_64bit_full4174.exe (PID: 6368)
      • recoverit.exe (PID: 5184)
    • Likely accesses (executes) a file from the Public directory

      • NFWCHK.exe (PID: 6044)
      • recoverit_64bit_full4174.exe (PID: 6368)
      • recoverit_64bit_full4174.tmp (PID: 6904)
    • Reads Microsoft Outlook installation path

      • recoverit_setup_full4174.exe (PID: 6688)
    • Reads Internet Explorer settings

      • recoverit_setup_full4174.exe (PID: 6688)
    • Process requests binary or script from the Internet

      • recoverit_setup_full4174.exe (PID: 6688)
    • Potential Corporate Privacy Violation

      • recoverit_setup_full4174.exe (PID: 6688)
    • Connects to unusual port

      • recoverit_setup_full4174.exe (PID: 6688)
    • Process drops SQLite DLL files

      • recoverit_64bit_full4174.tmp (PID: 6904)
    • The process drops C-runtime libraries

      • recoverit_64bit_full4174.tmp (PID: 6904)
      • recoverit.exe (PID: 5184)
    • Process drops legitimate windows executable

      • recoverit_64bit_full4174.tmp (PID: 6904)
      • recoverit.exe (PID: 5184)
    • Drops 7-zip archiver for unpacking

      • recoverit_64bit_full4174.tmp (PID: 6904)
    • Executing commands from a ".bat" file

      • recoverit_64bit_full4174.tmp (PID: 6904)
    • Starts CMD.EXE for commands execution

      • recoverit_64bit_full4174.tmp (PID: 6904)
      • recoverit.exe (PID: 5184)
    • Connects to SMTP port

      • diskfeedback.exe (PID: 2184)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6296)
      • cmd.exe (PID: 7596)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 4548)
    • Process drops python dynamic module

      • recoverit_64bit_full4174.tmp (PID: 6904)
  • INFO

    • Create files in a temporary directory

      • recoverit_setup_full4174.exe (PID: 6688)
    • Reads the computer name

      • recoverit_setup_full4174.exe (PID: 6688)
      • NFWCHK.exe (PID: 6044)
    • Checks proxy server information

      • recoverit_setup_full4174.exe (PID: 6688)
    • Checks supported languages

      • recoverit_setup_full4174.exe (PID: 6688)
      • NFWCHK.exe (PID: 6044)
    • Reads the machine GUID from the registry

      • recoverit_setup_full4174.exe (PID: 6688)
      • NFWCHK.exe (PID: 6044)
    • Application launched itself

      • chrome.exe (PID: 6972)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:30 06:39:07+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1285120
InitializedDataSize: 709120
UninitializedDataSize: -
EntryPoint: 0x107e80
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.0.4.22
ProductVersionNumber: 4.0.4.22
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: recoverit---data-recovery-(cpc)_setup_full4174.exe
FileVersion: 4.0.4.22
LegalCopyright: Copyright©2024 Wondershare. All rights reserved.
ProductName: Recoverit - Data Recovery (CPC)
ProductVersion: 12.6.1
No data.
All screenshots are available in the full report
Total processes
275
Monitored processes
142
Malicious processes
4
Suspicious processes
0

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID: 300 | CMD: "C:\Users\admin\AppData\Local\Temp\recoverit_setup_full4174.exe" | Path: C:\Users\admin\AppData\Local\Temp\recoverit_setup_full4174.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
recoverit---data-recovery-(cpc)_setup_full4174.exe
Exit code:
3221226540
Version:
4.0.4.22
Modules
Images
c:\users\admin\appdata\local\temp\recoverit_setup_full4174.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 860 | CMD: netsh advfirewall firewall add rule name="RecoveritRSTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=23008 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1244 | CMD: netsh advfirewall firewall add rule name="RecoveritRSTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=53014 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1452 | CMD: redis-cli.exe -p 23007 ping | Path: C:\Program Files\Wondershare\Recoverit - Data Recovery (CPC)\redis-cli.exe | Parent process: cmd.exe
User:
admin
Company:
Poradowski.com Tomasz Poradowski
Integrity Level:
HIGH
Description:
Redis for Windows, based on MS OpenTech port.
Exit code:
0
Version:
5.0.10
Modules
Images
c:\program files\wondershare\recoverit - data recovery (cpc)\redis-cli.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1748 | CMD: netsh advfirewall firewall add rule name="RecoveritRSTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=53015 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1784 | CMD: netstat -ano | Path: C:\Windows\System32\NETSTAT.EXE | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netstat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\snmpapi.dll
PID: 1788 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1792 | CMD: netsh advfirewall firewall add rule name="RecoveritRSUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=23007 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2084 | CMD: netsh advfirewall firewall add rule name="RecoveritTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=57214 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2124 | CMD: netsh advfirewall firewall add rule name="RecoveritRSTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=43013 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
23 299
Read events
23 229
Write events
67
Delete events
3

Modification events

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WafCX
Operation: write
Name: 4174
Value: sku-ppc

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\Wondershare Helper Compact
Operation: write
Name: ClientSign
Value: {7123214f-65e7-482b-869f-618d9e0b380eG}

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF
Operation: write
Name: ClientSign
Value: {7123214f-65e7-482b-869f-618d9e0b380eG}

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation: write
Name: Version
Value: WS not running

(PID) Process: (6688) recoverit_setup_full4174.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: DisableFirstRunCustomize
Value: 1

(PID) Process: (6904) recoverit_64bit_full4174.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Operation: write
Name: C:\Program Files\Wondershare\Recoverit - Data Recovery (CPC)\recoverit.exe
Value: RUNASADMIN

(PID) Process: (6904) recoverit_64bit_full4174.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\Recoverit
Operation: write
Name: PID
Value: 542
Executable files
636
Suspicious files
301
Text files
477
Unknown types
7

Dropped files

PID
Process
Filename
Type
PID: 6688 | Process: recoverit_setup_full4174.exe | Filename: C:\Users\Public\Documents\Wondershare\recoverit_64bit_full4174.exe.~P2S
MD5:
SHA256:
PID: 6688 | Process: recoverit_setup_full4174.exe | Filename: C:\Users\Public\Documents\Wondershare\NFWCHK.exe | Type: executable
MD5: 27CFB3990872CAA5930FA69D57AEFE7B
SHA256: 43881549228975C7506B050BCE4D9B671412D3CDC08C7516C9DBBB7F50C25146
PID: 6688 | Process: recoverit_setup_full4174.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57 | Type: binary
MD5: 0BB8EB44E77E855F038A4EFA0BBE542B
SHA256: 38ABBD5A617F24EF8AD713080659ADE97E504ADD8405C63C9A554644CEBC47E6
PID: 6688 | Process: recoverit_setup_full4174.exe | Filename: C:\Users\admin\AppData\Local\Temp\wsduilib.log | Type: text
MD5: FFF80BBAF00AB743BAA7E61DC1D74E1E
SHA256: A77F6BC73422C6CCE515B79A17A6C8F828FC0428A123B9CABB8891FA153C58BE
PID: 6688 | Process: recoverit_setup_full4174.exe | Filename: C:\Users\admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log | Type: text
MD5: D87EC1CD98273FEA59CDDB955A145F3E
SHA256: 7CD295C1D4DF30DF6C9AF187DDA363C810223AA355AA0E996F492C1978828EFA
PID: 6688 | Process: recoverit_setup_full4174.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57 | Type: der
MD5: ACC9D04BDC4835367A312D4C8E89505D
SHA256: BEEAE51355E6A09CDB65FF5A631DE02942BD6B4481C23F93E21340598C30F232
PID: 6688 | Process: recoverit_setup_full4174.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14561BF7422BB6F70A9CB14F5AA8A7DA_6D5FC9FD3617659722A64D73A114DFF7 | Type: der
MD5: 9CD1CD38014E3C391BFFEB7CA78848DB
SHA256: F19C9A4F9266B8ED8A5F8EE6C3361EFBF37381D2B5A9C5F9F87C9C1F48343243
PID: 6688 | Process: recoverit_setup_full4174.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\banner1[1].png | Type: image
MD5: A27D511EF8CC64B7A7DDB435B0CD494F
SHA256: 501DD56C6F97C3E5582FF1F17FC05F6F93519789E9737DF38607261971233663
PID: 6688 | Process: recoverit_setup_full4174.exe | Filename: C:\Users\Public\Documents\Wondershare\recoverit_64bit_full4174.exe
MD5:
SHA256:
PID: 6688 | Process: recoverit_setup_full4174.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | Type: der
MD5: E760E0F47461AD44F6CCA8EF6D1AC835
SHA256: CBF8C57173CF6628D71554170F006ED59E4A2E23ACE781A402AE9AB6BCFE7013
HTTP(S) requests
54
TCP/UDP connections
272
DNS requests
230
Threats
34

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6688
recoverit_setup_full4174.exe
GET
8.209.73.211:80
http://platform.wondershare.cc/rest/v2/downloader/runtime/?client_sign={7123214f-65e7-482b-869f-618d9e0b380eG}&product_id=4174&wae=4.0.4&platform=win_x64
unknown
whitelisted
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6384
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6688
recoverit_setup_full4174.exe
HEAD
200
2.19.126.135:80
http://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe
unknown
whitelisted
6688
recoverit_setup_full4174.exe
HEAD
200
2.19.126.135:80
http://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe
unknown
whitelisted
6688
recoverit_setup_full4174.exe
HEAD
200
2.19.126.140:80
http://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe
unknown
whitelisted
6688
recoverit_setup_full4174.exe
GET
2.19.126.135:80
http://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe
unknown
whitelisted
6688
recoverit_setup_full4174.exe
GET
206
2.19.126.140:80
http://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5488
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
6688
recoverit_setup_full4174.exe
8.209.72.213:443
pc-api.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
malicious
6688
recoverit_setup_full4174.exe
8.209.73.211:80
platform.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
whitelisted
6688
recoverit_setup_full4174.exe
47.91.89.51:443
prod-web.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
malicious
4360
SearchApp.exe
92.123.104.44:443
www.bing.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
google.com
  • 142.250.185.110
whitelisted
pc-api.wondershare.cc
  • 8.209.72.213
malicious
platform.wondershare.cc
  • 8.209.73.211
malicious
prod-web.wondershare.cc
  • 47.91.89.51
malicious
www.bing.com
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
whitelisted
download.wondershare.net
  • 2.19.126.135
  • 2.19.126.140
whitelisted

Threats

PID
Process
Class
Message
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
6688
recoverit_setup_full4174.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
6688
recoverit_setup_full4174.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2172
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
3 ETPRO signatures available at the full report
No debug info