download: /anyrecover-for-win_setup.exe

Full analysis: https://app.any.run/tasks/14fb2e17-0112-47f6-9523-909e4e863df1
Verdict: Malicious activity
Analysis date: July 03, 2024, 13:46:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FC21B78D8012DCFC1D94185ED5083DFF
SHA1: 23458457BD546BEFB18162BED4A408B7D72A2A18
SHA256: 651907C1B631BDD79F8AA3F097BD23156D168A1E2C489C41238DDFD1F5434BA7
SSDEEP: 98304:GkHIjVlwnqm0fYXbQI0arGkDiKhQOYtpAxPtpaCZ4jxCbhvd1Q57u918yLBDWsLN:i4H/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • anyrecover-for-win_setup.exe (PID: 2944)
      • imyfone-download.exe (PID: 932)
      • imyfone-download.tmp (PID: 3092)
  • SUSPICIOUS
    • Reads the Internet Settings
      • anyrecover-for-win_setup.exe (PID: 2944)
    • Adds/modifies Windows certificates
      • anyrecover-for-win_setup.exe (PID: 2944)
    • Reads settings of System Certificates
      • anyrecover-for-win_setup.exe (PID: 2944)
    • Executable content was dropped or overwritten
      • imyfone-download.exe (PID: 932)
      • imyfone-download.tmp (PID: 3092)
    • Reads the Windows owner or organization settings
      • imyfone-download.tmp (PID: 3092)
    • Process drops legitimate Windows executable
      • imyfone-download.tmp (PID: 3092)
    • Drops 7-zip archiver for unpacking
      • imyfone-download.tmp (PID: 3092)
    • Drops a system driver (possible attempt to evade defenses)
      • imyfone-download.tmp (PID: 3092)
    • The process drops C-runtime libraries
      • imyfone-download.tmp (PID: 3092)
  • INFO
    • Reads the computer name
      • anyrecover-for-win_setup.exe (PID: 2944)
      • imyfone-download.tmp (PID: 3092)
    • Creates files in the program directory
      • anyrecover-for-win_setup.exe (PID: 2944)
      • imyfone-download.tmp (PID: 3092)
    • Checks supported languages
      • anyrecover-for-win_setup.exe (PID: 2944)
      • imyfone-download.exe (PID: 932)
      • imyfone-download.tmp (PID: 3092)
    • Reads product name
      • anyrecover-for-win_setup.exe (PID: 2944)
    • Reads Environment values
      • anyrecover-for-win_setup.exe (PID: 2944)
    • Reads the machine GUID from the registry
      • anyrecover-for-win_setup.exe (PID: 2944)
      • imyfone-download.tmp (PID: 3092)
    • Checks proxy server information
      • anyrecover-for-win_setup.exe (PID: 2944)
    • Reads the software policy settings
      • anyrecover-for-win_setup.exe (PID: 2944)
    • Creates files in a temporary directory
      • imyfone-download.exe (PID: 932)
      • imyfone-download.tmp (PID: 3092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (16.3)
.exe | Win64 Executable (generic) (14.5)
.dll | Win32 Dynamic Link Library (generic) (3.4)
.exe | Win32 Executable (generic) (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:10 11:08:43+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 2126336
InitializedDataSize: 1104896
UninitializedDataSize: -
EntryPoint: 0x1bd804
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 4.3.0.10
ProductVersionNumber: 4.3.0.10
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: anyrecover-for-win_setup.exe
FileVersion: 4.3.0.10
LegalCopyright: Copyright (C) 2024 iMyFone. All rights reserved.
ProductName: AnyRecover Data Recovery
ProductVersion: 4.3.0.10
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process chain shown in the graph (interactive details in the full report): start → anyrecover-for-win_setup.exe → imyfone-download.exe → imyfone-download.tmp; a second anyrecover-for-win_setup.exe instance (no specs).

Process information

PID: 932
CMD: /verysilent /imyfone_down /wait_run /path="C:\Program Files\" /progress="C:\Program Files\imyfone_down\anyrecover-for-win_setup\temp.progress"
Path: C:\Program Files\imyfone_down\anyrecover-for-win_setup\imyfone-download.exe
Parent process: anyrecover-for-win_setup.exe
User: admin
Company: Shenzhen AnyRecover Technology Co., Ltd.
Integrity Level: HIGH
Description: AnyRecover
Version: 6.4.5.5
Modules (images):
  c:\program files\imyfone_down\anyrecover-for-win_setup\imyfone-download.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 2944
CMD: "C:\Users\admin\Desktop\anyrecover-for-win_setup.exe"
Path: C:\Users\admin\Desktop\anyrecover-for-win_setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: anyrecover-for-win_setup.exe
Version: 4.3.0.10
Modules (images):
  c:\users\admin\desktop\anyrecover-for-win_setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shell32.dll

PID: 3092
CMD: "C:\Users\admin\AppData\Local\Temp\is-J4J04.tmp\imyfone-download.tmp" /SL5="$6015A,148463507,399872,C:\Program Files\imyfone_down\anyrecover-for-win_setup\imyfone-download.exe" /verysilent /imyfone_down /wait_run /path="C:\Program Files\" /progress="C:\Program Files\imyfone_down\anyrecover-for-win_setup\temp.progress"
Path: C:\Users\admin\AppData\Local\Temp\is-J4J04.tmp\imyfone-download.tmp
Parent process: imyfone-download.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-j4j04.tmp\imyfone-download.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 3272
CMD: "C:\Users\admin\Desktop\anyrecover-for-win_setup.exe"
Path: C:\Users\admin\Desktop\anyrecover-for-win_setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: anyrecover-for-win_setup.exe
Exit code: 3221226540
Version: 4.3.0.10
Modules (images):
  c:\users\admin\desktop\anyrecover-for-win_setup.exe
  c:\windows\system32\ntdll.dll
Total events: 6 424
Read events: 6 393
Write events: 24
Delete events: 7

Modification events

Process: (2944) anyrecover-for-win_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\iMyfone\iMyfoneDown
Operation: write
Name: GUID
Value: C0D800D5-31C1-43db-AA8D-DE60DA9AF4B4

Process: (2944) anyrecover-for-win_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

Process: (2944) anyrecover-for-win_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyServer
Value:

Process: (2944) anyrecover-for-win_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyOverride
Value:

Process: (2944) anyrecover-for-win_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoConfigURL
Value:

Process: (2944) anyrecover-for-win_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoDetect
Value:

Process: (2944) anyrecover-for-win_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (2944) anyrecover-for-win_setup.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (2944) anyrecover-for-win_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: 07E032E020B72C3F192F0628A2593A19A70F069E
Value:

Process: (2944) anyrecover-for-win_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Operation: write
Name: Blob
Value:
Executable files: 459
Suspicious files: 228
Text files: 2 180
Unknown types: 125

Dropped files

PID: 2944 | Process: anyrecover-for-win_setup.exe | File: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\Italian\text.ini | Type: text
MD5: EF884C4CC9D3AB648BBB051FA6AE5D0A
SHA256: A173A46A9BF2277B657F6854B1820E2C369DC5C2985A96F9F922F3CFF951D7D2

PID: 2944 | Process: anyrecover-for-win_setup.exe | File: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\Korean\text.ini | Type: text
MD5: 39CE00124E4719B8E0B31BD057A6849F
SHA256: 05FC83CF4A86ABD7A2E2AC72F5002F0CE918A7AB8BA44F08A5D46862C1097BFC

PID: 2944 | Process: anyrecover-for-win_setup.exe | File: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\Korean\install_tips.png | Type: image
MD5: 8988D8E7712D5CA2E8EF27152C8182FE
SHA256: 76EE0A001C9BDC5A021D966F0946E63B321CCD129C0E36AF35924C9D1D17DA63

PID: 2944 | Process: anyrecover-for-win_setup.exe | File: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\Portuguese\text.ini | Type: text
MD5: 5B245FB9B9A5C05CAD7C57299283FA0E
SHA256: 578B3269CE9C81FADEA1394B4B1A4B2F78ABF7C4DAC8751BD30CBF148D392DC4

PID: 2944 | Process: anyrecover-for-win_setup.exe | File: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\English\install_tips.png | Type: image
MD5: 28FBF016E49EED024EBC37A11E1F883A
SHA256: 78AFDAF35FA6173B08621270842B5D8D899B966FFDFA986A9E98F372AFD4F419

PID: 2944 | Process: anyrecover-for-win_setup.exe | File: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\English\text.ini | Type: text
MD5: 5C597C99F6BC6E7657C18A4E9F288571
SHA256: 6A71402FEA12B91641A3BFCF26093159D4E3CAFCA947E4EDCB666F6D5EC67284

PID: 2944 | Process: anyrecover-for-win_setup.exe | File: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\Portuguese\install_tips.png | Type: image
MD5: 38C59CB7C7612B5B6424B807EC829074
SHA256: 0398677455D5D42B56F69D03A0308DA4FF3DDDC7990A03B81639641264FB3A30

PID: 2944 | Process: anyrecover-for-win_setup.exe | File: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\Japanese\text.ini | Type: text
MD5: 25052FE709B63698B6318FB5B5F801C7
SHA256: 6CE036B280D02B630FE9F124BAE83D121F7AB7535A6964D7A80F0C4526312331

PID: 2944 | Process: anyrecover-for-win_setup.exe | File: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\German\text.ini | Type: text
MD5: 2C0EFDFC16144D196899A90B32E23645
SHA256: AF424A6F248C71E34A977B42124BA289627CD0637C2BDE04B78D34AE51CC0A4B

PID: 2944 | Process: anyrecover-for-win_setup.exe | File: C:\Program Files\imyfone_down\anyrecover-for-win_setup\language\Japanese\install_tips.png | Type: image
MD5: 07D10DD97F21D19DF95E2C11482CFED5
SHA256: D877E3EA588D0AF807CAD494B0704F3E53073CBC2C97DDD14AB7CBB2433CB86F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 36
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Remaining columns as listed (CN, Type, Size, Reputation)
2944 | anyrecover-for-win_setup.exe | HEAD | 200 | 3.161.82.51:80 | http://download.anyrecover.com/data-recovery/anyrecover-for-win.exe | unknown, unknown
1372 | svchost.exe | GET | 304 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown, unknown
2944 | anyrecover-for-win_setup.exe | GET | 200 | 3.161.82.51:80 | http://download.anyrecover.com/downloaderCarousel/20240126/pd-65b356cfd44e3.gif | unknown, unknown
1060 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11acddbe1ebd82b3 | unknown, unknown
1372 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, unknown
1372 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown, unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 239.255.255.250:3702 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1372 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2944 | anyrecover-for-win_setup.exe | 172.217.18.14:443 | www.google-analytics.com | GOOGLE | US | whitelisted
2944 | anyrecover-for-win_setup.exe | 52.39.55.200:443 | apipdm.imyfone.club | AMAZON-02 | US | unknown
2944 | anyrecover-for-win_setup.exe | 3.161.82.51:443 | download.anyrecover.com | - | US | unknown
2944 | anyrecover-for-win_setup.exe | 3.161.82.51:80 | download.anyrecover.com | - | US | unknown
1372 | svchost.exe | 23.50.131.200:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
www.google-analytics.com | 172.217.18.14 | whitelisted
apipdm.imyfone.club | 52.39.55.200 | unknown
download.anyrecover.com | 3.161.82.51, 3.161.82.2, 3.161.82.81, 3.161.82.94 | unknown
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
ctldl.windowsupdate.com | 23.50.131.200, 23.50.131.196, 199.232.210.172, 199.232.214.172 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted

Threats

No threats detected
No debug info