download:

/anyrecover-for-win_setup.exe

Full analysis: https://app.any.run/tasks/14fb2e17-0112-47f6-9523-909e4e863df1
Verdict: Malicious activity
Analysis date: July 03, 2024, 13:46:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

FC21B78D8012DCFC1D94185ED5083DFF

SHA1:

23458457BD546BEFB18162BED4A408B7D72A2A18

SHA256:

651907C1B631BDD79F8AA3F097BD23156D168A1E2C489C41238DDFD1F5434BA7

SSDEEP:

98304:GkHIjVlwnqm0fYXbQI0arGkDiKhQOYtpAxPtpaCZ4jxCbhvd1Q57u918yLBDWsLN:i4H/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • anyrecover-for-win_setup.exe (PID: 2944)
      • imyfone-download.tmp (PID: 3092)
      • imyfone-download.exe (PID: 932)
  • SUSPICIOUS

    • Reads the Internet Settings

      • anyrecover-for-win_setup.exe (PID: 2944)
    • Reads settings of System Certificates

      • anyrecover-for-win_setup.exe (PID: 2944)
    • Adds/modifies Windows certificates

      • anyrecover-for-win_setup.exe (PID: 2944)
    • Process drops legitimate windows executable

      • imyfone-download.tmp (PID: 3092)
    • Executable content was dropped or overwritten

      • imyfone-download.tmp (PID: 3092)
      • imyfone-download.exe (PID: 932)
    • Drops 7-zip archiver for unpacking

      • imyfone-download.tmp (PID: 3092)
    • Drops a system driver (possible attempt to evade defenses)

      • imyfone-download.tmp (PID: 3092)
    • The process drops C-runtime libraries

      • imyfone-download.tmp (PID: 3092)
    • Reads the Windows owner or organization settings

      • imyfone-download.tmp (PID: 3092)
  • INFO

    • Creates files in the program directory

      • anyrecover-for-win_setup.exe (PID: 2944)
      • imyfone-download.tmp (PID: 3092)
    • Reads the computer name

      • anyrecover-for-win_setup.exe (PID: 2944)
      • imyfone-download.tmp (PID: 3092)
    • Checks supported languages

      • anyrecover-for-win_setup.exe (PID: 2944)
      • imyfone-download.tmp (PID: 3092)
      • imyfone-download.exe (PID: 932)
    • Reads product name

      • anyrecover-for-win_setup.exe (PID: 2944)
    • Reads Environment values

      • anyrecover-for-win_setup.exe (PID: 2944)
    • Checks proxy server information

      • anyrecover-for-win_setup.exe (PID: 2944)
    • Reads the software policy settings

      • anyrecover-for-win_setup.exe (PID: 2944)
    • Reads the machine GUID from the registry

      • anyrecover-for-win_setup.exe (PID: 2944)
      • imyfone-download.tmp (PID: 3092)
    • Create files in a temporary directory

      • imyfone-download.exe (PID: 932)
      • imyfone-download.tmp (PID: 3092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (16.3)
.exe | Win64 Executable (generic) (14.5)
.dll | Win32 Dynamic Link Library (generic) (3.4)
.exe | Win32 Executable (generic) (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:10 11:08:43+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 2126336
InitializedDataSize: 1104896
UninitializedDataSize: -
EntryPoint: 0x1bd804
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 4.3.0.10
ProductVersionNumber: 4.3.0.10
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: anyrecover-for-win_setup.exe
FileVersion: 4.3.0.10
LegalCopyright: Copyright (C) 2024 iMyFone. All rights reserved.
ProductName: AnyRecover Data Recovery
ProductVersion: 4.3.0.10
No data.
All screenshots are available in the full report
Total processes
45
Monitored processes
4
Malicious processes
3
Suspicious processes
0


Process information

PID
CMD
Path
Indicators
Parent process
PID: 932
CMD: /verysilent /imyfone_down /wait_run /path="C:\Program Files\" /progress="C:\Program Files\imyfone_down\anyrecover-for-win_setup\temp.progress"
Path: C:\Program Files\imyfone_down\anyrecover-for-win_setup\imyfone-download.exe
Parent process: anyrecover-for-win_setup.exe
User:
admin
Company:
Shenzhen AnyRecover Technology Co., Ltd.
Integrity Level:
HIGH
Description:
AnyRecover
Version:
6.4.5.5
Modules
Images
c:\program files\imyfone_down\anyrecover-for-win_setup\imyfone-download.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2944
CMD: "C:\Users\admin\Desktop\anyrecover-for-win_setup.exe"
Path: C:\Users\admin\Desktop\anyrecover-for-win_setup.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
anyrecover-for-win_setup.exe
Version:
4.3.0.10
Modules
Images
c:\users\admin\desktop\anyrecover-for-win_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 3092
CMD: "C:\Users\admin\AppData\Local\Temp\is-J4J04.tmp\imyfone-download.tmp" /SL5="$6015A,148463507,399872,C:\Program Files\imyfone_down\anyrecover-for-win_setup\imyfone-download.exe" /verysilent /imyfone_down /wait_run /path="C:\Program Files\" /progress="C:\Program Files\imyfone_down\anyrecover-for-win_setup\temp.progress"
Path: C:\Users\admin\AppData\Local\Temp\is-J4J04.tmp\imyfone-download.tmp
Parent process: imyfone-download.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-j4j04.tmp\imyfone-download.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3272
CMD: "C:\Users\admin\Desktop\anyrecover-for-win_setup.exe"
Path: C:\Users\admin\Desktop\anyrecover-for-win_setup.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
anyrecover-for-win_setup.exe
Exit code:
3221226540
Version:
4.3.0.10
Modules
Images
c:\users\admin\desktop\anyrecover-for-win_setup.exe
c:\windows\system32\ntdll.dll
Total events
6 424
Read events
6 393
Write events
24
Delete events
7

Modification events

PID: 2944
Process: anyrecover-for-win_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\iMyfone\iMyfoneDown
Operation: write
Name: GUID
Value:
C0D800D5-31C1-43db-AA8D-DE60DA9AF4B4

PID: 2944
Process: anyrecover-for-win_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value:
0

PID: 2944
Process: anyrecover-for-win_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyServer
Value:

PID: 2944
Process: anyrecover-for-win_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyOverride
Value:

PID: 2944
Process: anyrecover-for-win_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoConfigURL
Value:

PID: 2944
Process: anyrecover-for-win_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoDetect
Value:

PID: 2944
Process: anyrecover-for-win_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
PID: 2944
Process: anyrecover-for-win_setup.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US

PID: 2944
Process: anyrecover-for-win_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: 07E032E020B72C3F192F0628A2593A19A70F069E
Value:

PID: 2944
Process: anyrecover-for-win_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Operation: write
Name: Blob
Value:
Executable files
459
Suspicious files
228
Text files
2 180
Unknown types
125

Dropped files

PID
Process
Filename
Type
PID: 2944
Process: anyrecover-for-win_setup.exe
Filename: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\French\UrlInfo.ini
Type: text
MD5: 5E196E4E5719F8AD01D8E3C16CBD42F2
SHA256: EA63A5C73139C844BB992EC669550EAFDD2FE12B70D9E4588EF84236925244C6

PID: 2944
Process: anyrecover-for-win_setup.exe
Filename: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\French\install_tips.png
Type: image
MD5: 3F79740F11316CC74CF14D3F64864108
SHA256: 9E31BDF1C45DBD4527C83EC5A384AF2BA57CC68C7E1AEE83AA3A17DF97A29867

PID: 2944
Process: anyrecover-for-win_setup.exe
Filename: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\Italian\text.ini
Type: text
MD5: EF884C4CC9D3AB648BBB051FA6AE5D0A
SHA256: A173A46A9BF2277B657F6854B1820E2C369DC5C2985A96F9F922F3CFF951D7D2

PID: 2944
Process: anyrecover-for-win_setup.exe
Filename: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\German\UrlInfo.ini
Type: text
MD5: 68CF18F9F5084868C17BAAC05EB7CBCE
SHA256: 545134C6FBA1810FFF48B1F38A10B1EC44116BA712FC7968A6665D415CBFF11B

PID: 2944
Process: anyrecover-for-win_setup.exe
Filename: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\German\text.ini
Type: text
MD5: 2C0EFDFC16144D196899A90B32E23645
SHA256: AF424A6F248C71E34A977B42124BA289627CD0637C2BDE04B78D34AE51CC0A4B

PID: 2944
Process: anyrecover-for-win_setup.exe
Filename: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\Italian\install_tips.png
Type: image
MD5: AAC533901E9E38466F70A7A919DD57CF
SHA256: 7AE2B225C790C7F9BFC2F7AA105CC42E9FFC48A7D1539991362B70780E1B14AF

PID: 2944
Process: anyrecover-for-win_setup.exe
Filename: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\Japanese\UrlInfo.ini
Type: text
MD5: B9188C63A26002CCD023335B65240BDB
SHA256: 96E68399C253DCB5D315525B2397AF08C40271E2A631941B2E7CB17C429E7362

PID: 2944
Process: anyrecover-for-win_setup.exe
Filename: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\Italian\UrlInfo.ini
Type: text
MD5: BB29291BBFEDC7410D95753984A8EEED
SHA256: D6C0DDD30E1872509FAE5858BA56E2E8609A9BD7C2D7F37A0E8AC2283BE3FE63

PID: 2944
Process: anyrecover-for-win_setup.exe
Filename: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\French\text.ini
Type: text
MD5: 4BFB6A95D94EED97FCBF602A93F9F190
SHA256: E55D60A16990477BFA6C3F957D70D455FE06BBD426619BC0326E31500E3F5D49

PID: 2944
Process: anyrecover-for-win_setup.exe
Filename: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\Japanese\install_tips.png
Type: image
MD5: 07D10DD97F21D19DF95E2C11482CFED5
SHA256: D877E3EA588D0AF807CAD494B0704F3E53073CBC2C97DDD14AB7CBB2433CB86F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
36
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2944
anyrecover-for-win_setup.exe
HEAD
200
3.161.82.51:80
http://download.anyrecover.com/data-recovery/anyrecover-for-win.exe
unknown
unknown
2944
anyrecover-for-win_setup.exe
GET
200
3.161.82.51:80
http://download.anyrecover.com/downloaderCarousel/20240126/pd-65b356cfd44e3.gif
unknown
unknown
1372
svchost.exe
GET
304
23.50.131.200:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1060
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11acddbe1ebd82b3
unknown
unknown
1372
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1372
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:3702
whitelisted
4
System
192.168.100.255:137
whitelisted
1372
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
2944
anyrecover-for-win_setup.exe
172.217.18.14:443
www.google-analytics.com
GOOGLE
US
whitelisted
2944
anyrecover-for-win_setup.exe
52.39.55.200:443
apipdm.imyfone.club
AMAZON-02
US
unknown
2944
anyrecover-for-win_setup.exe
3.161.82.51:443
download.anyrecover.com
US
unknown
2944
anyrecover-for-win_setup.exe
3.161.82.51:80
download.anyrecover.com
US
unknown
1372
svchost.exe
23.50.131.200:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
www.google-analytics.com
  • 172.217.18.14
whitelisted
apipdm.imyfone.club
  • 52.39.55.200
unknown
download.anyrecover.com
  • 3.161.82.51
  • 3.161.82.2
  • 3.161.82.81
  • 3.161.82.94
unknown
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.200
  • 23.50.131.196
  • 199.232.210.172
  • 199.232.214.172
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

No threats detected
No debug info