File name: Recoverit_Installer.exe

Full analysis: https://app.any.run/tasks/c4497546-85c5-4261-846e-1555a4fcee86
Verdict: Malicious activity
Analysis date: March 28, 2026, 06:34:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: inno, installer, delphi, everything, tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 5361684F14EEA0B289ACD3E70E5E67EA
SHA1: AF0F7C181B0FF8C9F498A2614FB70C84CEB390F4
SHA256: 6CC035AA6B3B676D4F20BEDFBA340E301BF26453970B8518B7A8536FC5AD0996
SSDEEP: 98304:pifXK3QT32rkQr1yZra1tYNYlFUvSW/H3JYvfz9C7U5mD8ZLowAqlLM0:Rx9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • Recoverit_Installer.exe (PID: 2456)
    • Reads Internet Explorer settings

      • Recoverit_Installer.exe (PID: 2456)
    • Searches for installed software

      • Recoverit_Installer.exe (PID: 2456)
    • Likely accesses (executes) a file from the Public directory

      • recoverit_64bit_full4174.exe (PID: 5116)
      • recoverit_64bit_full4174.tmp (PID: 2300)
    • Executable content was dropped or overwritten

      • recoverit_64bit_full4174.exe (PID: 5116)
      • recoverit_64bit_full4174.tmp (PID: 2300)
      • recoverit.exe (PID: 5848)
    • Reads the Windows owner or organization settings

      • recoverit_64bit_full4174.tmp (PID: 2300)
    • Process drops SQLite DLL files

      • recoverit_64bit_full4174.tmp (PID: 2300)
    • The process drops C-runtime libraries

      • recoverit_64bit_full4174.tmp (PID: 2300)
      • recoverit.exe (PID: 5848)
    • Drops 7-zip archiver for unpacking

      • recoverit_64bit_full4174.tmp (PID: 2300)
    • Executing commands from a ".bat" file

      • recoverit_64bit_full4174.tmp (PID: 2300)
    • Starts CMD.EXE for command execution

      • cmd.exe (PID: 8036)
    • Uses NETSH.EXE to add a firewall rule or allowed program

      • cmd.exe (PID: 8036)
    • Uses TASKKILL.EXE to kill a process

      • recoverit.exe (PID: 5848)
    • Reads the date of Windows installation

      • recoverit.exe (PID: 5848)
  • INFO

    • Checks supported languages

      • Recoverit_Installer.exe (PID: 2456)
      • recoverit_64bit_full4174.exe (PID: 5116)
      • recoverit_64bit_full4174.tmp (PID: 2300)
      • autoupgrade.exe (PID: 664)
      • Everything.exe (PID: 6632)
      • drengsrv.exe (PID: 7780)
      • drdaemon.exe (PID: 5564)
      • AddRecycleAndFolderIcon.exe (PID: 7404)
      • recoverit.exe (PID: 5848)
      • drss.exe (PID: 8148)
    • Reads the computer name

      • Recoverit_Installer.exe (PID: 2456)
      • recoverit_64bit_full4174.tmp (PID: 2300)
      • autoupgrade.exe (PID: 664)
      • recoverit.exe (PID: 5848)
      • drengsrv.exe (PID: 7780)
      • drss.exe (PID: 8148)
      • Everything.exe (PID: 6632)
    • Reads security settings of Internet Explorer

      • Recoverit_Installer.exe (PID: 2456)
      • recoverit_64bit_full4174.tmp (PID: 2300)
      • recoverit.exe (PID: 5848)
    • Reads the machine GUID from the registry

      • Recoverit_Installer.exe (PID: 2456)
      • recoverit.exe (PID: 5848)
      • drss.exe (PID: 8148)
    • The sample is compiled with English language support

      • Recoverit_Installer.exe (PID: 2456)
      • recoverit_64bit_full4174.tmp (PID: 2300)
      • recoverit.exe (PID: 5848)
    • Creates files in a temporary directory

      • Recoverit_Installer.exe (PID: 2456)
      • recoverit_64bit_full4174.exe (PID: 5116)
      • recoverit_64bit_full4174.tmp (PID: 2300)
      • drdaemon.exe (PID: 5564)
      • recoverit.exe (PID: 5848)
    • Creates files or folders in the user directory

      • Recoverit_Installer.exe (PID: 2456)
      • recoverit_64bit_full4174.tmp (PID: 2300)
      • recoverit.exe (PID: 5848)
    • Detects InnoSetup installer (YARA)

      • recoverit_64bit_full4174.exe (PID: 5116)
      • recoverit_64bit_full4174.tmp (PID: 2300)
    • The sample is compiled with Chinese language support

      • recoverit_64bit_full4174.tmp (PID: 2300)
      • recoverit.exe (PID: 5848)
    • Compiled with Borland Delphi (YARA)

      • recoverit_64bit_full4174.exe (PID: 5116)
      • recoverit_64bit_full4174.tmp (PID: 2300)
    • Creates a software uninstall entry

      • recoverit_64bit_full4174.tmp (PID: 2300)
    • Application launched itself

      • chrome.exe (PID: 6112)
    • There is functionality for taking screenshots (YARA)

      • recoverit.exe (PID: 5848)
    • EVERYTHING mutex has been found

      • Everything.exe (PID: 6632)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:12:02 02:15:35+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1413632
InitializedDataSize: 1192448
UninitializedDataSize: -
EntryPoint: 0x1141ec
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.5.9.0
ProductVersionNumber: 4.5.9.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: recoverit---data-recovery_setup_full4174.exe
FileVersion: 4.5.9.0
LegalCopyright: Copyright©2025 Wondershare. All rights reserved.
ProductName: Recoverit - Data Recovery
ProductVersion: 13.5.25
All screenshots are available in the full report
Total processes: 248
Monitored processes: 103
Malicious processes: 0
Suspicious processes: 4

Behavior graph

start recoverit_installer.exe recoverit_64bit_full4174.exe recoverit_64bit_full4174.tmp cmd.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs addrecycleandfoldericon.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs recoverit.exe netsh.exe no specs chrome.exe netsh.exe no specs chrome.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs netsh.exe no specs netsh.exe no specs chrome.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs taskkill.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs chrome.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs autoupgrade.exe conhost.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs taskkill.exe no specs conhost.exe no specs netsh.exe no specs taskkill.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs drengsrv.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs drdaemon.exe no specs conhost.exe no specs chrome.exe no specs everything.exe no specs drss.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs 
chrome.exe no specs chrome.exe no specs recoverit_installer.exe no specs

Process information

PID: 420 | CMD: taskkill /im drss.exe /f | Path: C:\Windows\System32\taskkill.exe | Parent process: recoverit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 488 | CMD: netsh advfirewall firewall add rule name="RecoveritTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=57215 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 664 | CMD: "C:\Program Files\Wondershare\Recoverit - Data Recovery\autoupgrade.exe" "4174" "14.0.19" "" "" | Path: C:\Program Files\Wondershare\Recoverit - Data Recovery\autoupgrade.exe | Parent process: recoverit.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\program files\wondershare\recoverit - data recovery\autoupgrade.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\wondershare\recoverit - data recovery\qt5core.dll
c:\program files\wondershare\recoverit - data recovery\wsupgrade.dll
c:\program files\wondershare\recoverit - data recovery\vcruntime140.dll
c:\windows\system32\ws2_32.dll
PID: 880 | CMD: netsh advfirewall firewall add rule name="RecoveritRSUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=53015 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1296 | CMD: netsh advfirewall firewall add rule name="RecoveritRSTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=33011 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1724 | CMD: netsh advfirewall firewall add rule name="RecoveritTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=57209 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1980 | CMD: netsh advfirewall firewall add rule name="RecoveritUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=57216 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2100 | CMD: netsh advfirewall firewall add rule name="RecoveritTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=57214 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2160 | CMD: netsh advfirewall firewall add rule name="RecoveritUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=57212 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2204 | CMD: netsh advfirewall firewall add rule name="RecoveritTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=57213 | Path: C:\Windows\SysWOW64\netsh.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 29 314
Read events: 29 253
Write events: 58
Delete events: 3

Modification events

PID 2456 (Recoverit_Installer.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
PID 2456 (Recoverit_Installer.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
PID 2456 (Recoverit_Installer.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
PID 2456 (Recoverit_Installer.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WafCX | Operation: write | Name: 4174 | Value: sku-ppc
PID 2456 (Recoverit_Installer.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\Wondershare Helper Compact | Operation: write | Name: ClientSign | Value: {bf0e9b3d-31ef-4b20-a173-864540e04c18G}
PID 2456 (Recoverit_Installer.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF | Operation: write | Name: ClientSign | Value: {bf0e9b3d-31ef-4b20-a173-864540e04c18G}
PID 2456 (Recoverit_Installer.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch | Operation: write | Name: Version | Value: WS not running
PID 2456 (Recoverit_Installer.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main | Operation: write | Name: DisableFirstRunCustomize | Value: 1
PID 2300 (recoverit_64bit_full4174.tmp) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers | Operation: write | Name: C:\Program Files\Wondershare\Recoverit - Data Recovery\recoverit.exe | Value: RUNASADMIN
PID 2300 (recoverit_64bit_full4174.tmp) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\Recoverit | Operation: write | Name: PID | Value: 542
Executable files: 568
Suspicious files: 656
Text files: 1 067
Unknown types: 5

Dropped files

PID | Process | Filename | Type
2456 | Recoverit_Installer.exe | C:\Users\Public\Documents\Wondershare\recoverit_64bit_full4174.exe.~P2S | -
  MD5: -  SHA256: -
2456 | Recoverit_Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE | binary
  MD5: 999BFEDC0EDF480D9DFCAC86CC37CF6D  SHA256: A42EBD81CE42A17EA668867A36C7EC91D6186F3E533460A24452330F47B669B5
2456 | Recoverit_Installer.exe | C:\Users\admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log | text
  MD5: C53B399404B5A4503BE064F5A0FFEA56  SHA256: 42A09DE7BD010DAAA05CD883BE3D97B781A4420E73F0BC8667AD76E9DAC477C3
2456 | Recoverit_Installer.exe | C:\Users\admin\AppData\Local\Temp\wsduilib.log | text
  MD5: 768B229560C631B25F6F351D72F44C32  SHA256: F6AAC6F774F9E37D307BDB22321AD8291E0BE41D729351A3F0B18C694FE14516
2456 | Recoverit_Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_D700B3BF42AE699B26DDBDD3E4CB7EDD | binary
  MD5: B5BA9B24AC64DF4F521BD2993614479D  SHA256: D473869B1334B795B3AE7D9AEA42695C12FD2DE130C1407ADEF43FDE43778309
2456 | Recoverit_Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\773CFF2C7835D48C4E76FE153DBA9F81_F73A14973152EAF0E91481422F3B2561 | binary
  MD5: 6A542A60776FA8C79933F79C7D84FBB9  SHA256: DDFC076C99BBD7D45439F85D1EAE3C3BFE6E21E546791B820712120CA6D48CDC
2456 | Recoverit_Installer.exe | C:\Users\Public\Documents\Wondershare\WAE_DOWNTASK_4174.xml | xml
  MD5: 0FA6CC1495F78975E007E7938DB7B59D  SHA256: 56960BC93CF329CB253344932A6E4F24FFD90C9AF3D29DA725841E9E8F07ADB7
2456 | Recoverit_Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_D700B3BF42AE699B26DDBDD3E4CB7EDD | binary
  MD5: A6E53F28B7B19BE35C9141F446A6BF01  SHA256: A534E1B331BF4852F3F1111A9690DB8D70087A18551D7C6FD91E6190CA6B4505
2456 | Recoverit_Installer.exe | C:\Users\Public\Documents\Wondershare\recoverit_64bit_full4174.exe | -
  MD5: -  SHA256: -
2456 | Recoverit_Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE | binary
  MD5: B4B49DDB2AA3FD0CAE8BEC3F2930252E  SHA256: E311722DFA6E4A28DE6519076912AD14E39A927FE58E1BCA79C4108743D91049
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 343
TCP/UDP connections: 318
DNS requests: 199
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2456 | Recoverit_Installer.exe | HEAD | 200 | 23.48.23.41:443 | https://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe | NL | - | - | unknown
2456 | Recoverit_Installer.exe | HEAD | 200 | 23.48.23.41:443 | https://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe | NL | - | - | unknown
2456 | Recoverit_Installer.exe | HEAD | 200 | 23.48.23.50:443 | https://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe | NL | - | - | unknown
2456 | Recoverit_Installer.exe | GET | 200 | 8.209.72.213:443 | https://pc-api.wondershare.cc/v1/product/downloader/recovery?version=4.5.9 | CN | text | 31 b | unknown
2456 | Recoverit_Installer.exe | GET | - | 23.48.23.41:443 | https://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe | NL | - | - | unknown
2456 | Recoverit_Installer.exe | GET | - | 23.48.23.50:443 | https://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe | NL | - | - | unknown
2456 | Recoverit_Installer.exe | GET | - | 23.48.23.50:443 | https://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe | NL | - | - | unknown
2456 | Recoverit_Installer.exe | GET | - | 23.48.23.41:443 | https://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe | NL | - | - | unknown
2456 | Recoverit_Installer.exe | GET | - | 23.48.23.41:443 | https://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe | NL | - | - | unknown
2456 | Recoverit_Installer.exe | GET | - | 23.48.23.41:443 | https://download.wondershare.net/cbs_down/recoverit_64bit_full4174.exe | NL | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
6696 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5276 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 92.123.104.53:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
2456 | Recoverit_Installer.exe | 8.209.72.213:443 | pc-api.wondershare.cc | ALIBABA-CN-NET Alibaba US Technology Co., Ltd. | CN | unknown
2456 | Recoverit_Installer.exe | 8.209.73.211:80 | platform.wondershare.cc | ALIBABA-CN-NET Alibaba US Technology Co., Ltd. | CN | whitelisted
2456 | Recoverit_Installer.exe | 47.91.89.51:443 | prod-web.wondershare.cc | ALIBABA-CN-NET Alibaba US Technology Co., Ltd. | CN | whitelisted
2456 | Recoverit_Installer.exe | 23.48.23.41:443 | download.wondershare.net | AKAMAI-ASN1 | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146, 20.73.194.208 | whitelisted
www.bing.com | 92.123.104.53, 92.123.104.52, 92.123.104.46, 92.123.104.65, 92.123.104.58, 92.123.104.61, 92.123.104.50, 92.123.104.67, 92.123.104.43 | whitelisted
activation-v2.sls.microsoft.com | 48.192.1.64 | whitelisted
google.com | 172.217.16.206 | whitelisted
pc-api.wondershare.cc | 8.209.72.213 | unknown
platform.wondershare.cc | 8.209.73.211 | whitelisted
prod-web.wondershare.cc | 47.91.89.51 | unknown
download.wondershare.net | 23.48.23.41, 23.48.23.50 | whitelisted
analytics.wondershare.cc | 47.254.169.108, 8.211.53.191 | whitelisted
login.live.com | 40.126.32.68, 40.126.32.136, 20.190.160.66, 40.126.32.72, 20.190.160.65, 20.190.160.4, 20.190.160.130, 20.190.160.132 | whitelisted

Threats

PID | Process | Class | Message
2232 | svchost.exe | Misc activity | INFO [ANY.RUN] .cc TLD domain request
6696 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
4284 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
4284 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
4284 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
Process | Message
recoverit.exe | WebPageImpl::init: 0000023DE8386A60
recoverit.exe | addAsynchronousJob: 0, https://recoverit.wondershare.com/pcms-ads/buy-ads-H.html?lang=en-us&pid=4174&UserType=0&version=14.0.19&theme=light
recoverit.exe | addAsynchronousJob: 5, https://recoverit.wondershare.com/pcms-ads/icon/icon16_Safety.png
recoverit.exe | addAsynchronousJob: 9, https://recoverit.wondershare.com/pcms-ads/icon/buy-ads-new-bg.svg
recoverit.exe | addAsynchronousJob: 1, https://recoverit.wondershare.com/pcms-ads/icon/thumb.png
recoverit.exe | addAsynchronousJob: 22, https://recoverit.wondershare.com/pcms-ads/js/message.js
recoverit.exe | addAsynchronousJob: 0, https://recoverit.wondershare.com/pcms-ads/icon/buy_background.png
recoverit.exe | addAsynchronousJob: 7, https://recoverit.wondershare.com/pcms-ads/icon/icon16_7th.png
recoverit.exe | addAsynchronousJob: 18, https://recoverit.wondershare.com/pcms-ads/icon/icon16_Safety_dark.png
recoverit.exe | addAsynchronousJob: 3, https://recoverit.wondershare.com/pcms-ads/icon/icon24_gold.png