File name:

recoverit_setup_full4280.exe

Full analysis: https://app.any.run/tasks/f26530ef-164a-4f01-9627-b1b8137a4486
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 22, 2024, 06:37:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

53D6B59F3E552E08AC845A5BF110D957

SHA1:

5040D7F56EE5E47E50A788DD83BA692D6A4181F7

SHA256:

A81645AB83F2825F0869901462F9064C2579737E1694EA58BFD38DD7DCD09C66

SSDEEP:

98304:XufRsK6MOagwNYrOoOBJJS/B5B8EgCVPuquN:C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • recoverit_setup_full4280.exe (PID: 6692)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • recoverit_setup_full4280.exe (PID: 6692)
      • recoverit_64bit_full4280.tmp (PID: 6864)
      • recoverit_64bit_full4280.exe (PID: 6516)
      • Wondershare NativePush_14416_64bit.exe (PID: 2032)
      • Wondershare NativePush_14416_64bit.tmp (PID: 1964)
      • recoverit.exe (PID: 2384)
      • processprotect.exe (PID: 6152)

    • Reads Microsoft Outlook installation path

      • recoverit_setup_full4280.exe (PID: 6692)

    • Reads security settings of Internet Explorer

      • recoverit_setup_full4280.exe (PID: 6692)
      • recoverit_64bit_full4280.tmp (PID: 6864)
      • recoverit.exe (PID: 2384)
      • cbscustomizedclient.exe (PID: 7160)
      • cbscustomizedclient.exe (PID: 6360)

    • Reads Internet Explorer settings

      • recoverit_setup_full4280.exe (PID: 6692)

    • Executable content was dropped or overwritten

      • recoverit_setup_full4280.exe (PID: 6692)
      • recoverit_64bit_full4280.exe (PID: 6516)
      • recoverit_64bit_full4280.tmp (PID: 6864)
      • Wondershare NativePush_14416_64bit.exe (PID: 2032)
      • Wondershare NativePush_14416_64bit.tmp (PID: 1964)
      • recoverit.exe (PID: 2384)
      • processprotect.exe (PID: 6152)

    • Likely accesses (executes) a file from the Public directory

      • NFWCHK.exe (PID: 6836)
      • recoverit_64bit_full4280.exe (PID: 6516)
      • recoverit_64bit_full4280.tmp (PID: 6864)

    • Checks Windows Trust Settings

      • recoverit_setup_full4280.exe (PID: 6692)

    • Connects to unusual port

      • recoverit_setup_full4280.exe (PID: 6692)
      • WsToastNotification.exe (PID: 6636)
      • recoverit.exe (PID: 2384)
      • processprotect.exe (PID: 6152)

    • Process requests binary or script from the Internet

      • recoverit_setup_full4280.exe (PID: 6692)

    • Reads the date of Windows installation

      • recoverit_setup_full4280.exe (PID: 6692)
      • recoverit_64bit_full4280.tmp (PID: 6864)
      • recoverit.exe (PID: 2384)

    • Potential Corporate Privacy Violation

      • recoverit_setup_full4280.exe (PID: 6692)

    • Reads the Windows owner or organization settings

      • recoverit_64bit_full4280.tmp (PID: 6864)
      • Wondershare NativePush_14416_64bit.tmp (PID: 1964)

    • Process drops legitimate windows executable

      • recoverit_64bit_full4280.tmp (PID: 6864)
      • recoverit.exe (PID: 2384)

    • Process drops SQLite DLL files

      • recoverit_64bit_full4280.tmp (PID: 6864)

    • Drops 7-zip archiver for unpacking

      • recoverit_64bit_full4280.tmp (PID: 6864)

    • Process drops python dynamic module

      • recoverit_64bit_full4280.tmp (PID: 6864)

    • The process drops C-runtime libraries

      • recoverit_64bit_full4280.tmp (PID: 6864)
      • recoverit.exe (PID: 2384)

    • Executing commands from a ".bat" file

      • recoverit_64bit_full4280.tmp (PID: 6864)

    • Starts CMD.EXE for commands execution

      • recoverit_64bit_full4280.tmp (PID: 6864)
      • recoverit.exe (PID: 2384)
      • processprotect.exe (PID: 6152)

    • Executes as Windows Service

      • WsNativePushService.exe (PID: 5708)

    • Reads the BIOS version

      • recoverit.exe (PID: 2384)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 4880)

    • Connects to SMTP port

      • diskfeedback.exe (PID: 6516)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 4160)

    • Searches for installed software

      • recoverit.exe (PID: 2384)

    • The executable file from the user directory is run by the CMD process

      • ossutil64.exe (PID: 376)

  • INFO

    • Reads the machine GUID from the registry

      • recoverit_setup_full4280.exe (PID: 6692)
      • NFWCHK.exe (PID: 6836)
      • recoverit.exe (PID: 2384)
      • drss.exe (PID: 1928)
      • diskfeedback.exe (PID: 6516)
      • requestconfigure_uploadworkercache.exe (PID: 3568)
      • requestconfigure.exe (PID: 7076)
      • requestconfigure_uploadworkercache.exe (PID: 1920)
      • requestconfigure_userrateworkercache.exe (PID: 4672)
      • requestconfigure.exe (PID: 6372)
      • requestconfigure.exe (PID: 1116)
      • requestconfigure_userrateworkercache.exe (PID: 6684)
      • messagepush.exe (PID: 7084)
      • processprotect.exe (PID: 6152)
      • requestconfigure_advertisementFlagcache.exe (PID: 6372)

    • Checks proxy server information

      • recoverit_setup_full4280.exe (PID: 6692)
      • recoverit.exe (PID: 2384)

    • Reads the computer name

      • NFWCHK.exe (PID: 6836)
      • recoverit_setup_full4280.exe (PID: 6692)
      • recoverit_64bit_full4280.tmp (PID: 6864)
      • Wondershare NativePush_14416_64bit.tmp (PID: 1964)
      • WsNativePushService.exe (PID: 4672)
      • WsNativePushService.exe (PID: 5492)
      • WsNativePushService.exe (PID: 5708)
      • recoverit.exe (PID: 2384)
      • WsToastNotification.exe (PID: 6636)
      • wget.exe (PID: 7084)
      • cbscustomizedclient.exe (PID: 7160)
      • drengsrv.exe (PID: 7088)
      • drss.exe (PID: 1928)
      • diskfeedback.exe (PID: 6516)
      • cbscustomizedclient.exe (PID: 6360)
      • requestconfigure.exe (PID: 7076)
      • requestconfigure_uploadworkercache.exe (PID: 1920)
      • requestconfigure_uploadworkercache.exe (PID: 3568)
      • requestconfigure_userrateworkercache.exe (PID: 4672)
      • messagepush.exe (PID: 7084)
      • autoupgrade.exe (PID: 3660)
      • requestpushmessage.exe (PID: 6796)
      • requestconfigure.exe (PID: 6372)
      • requestconfigure.exe (PID: 1116)
      • requestconfigure_userrateworkercache.exe (PID: 6684)
      • processprotect.exe (PID: 6152)
      • ossutil64.exe (PID: 376)
      • requestconfigure_advertisementFlagcache.exe (PID: 6372)

    • Process checks Internet Explorer phishing filters

      • recoverit_setup_full4280.exe (PID: 6692)

    • Checks supported languages

      • NFWCHK.exe (PID: 6836)
      • recoverit_64bit_full4280.tmp (PID: 6864)
      • recoverit_64bit_full4280.exe (PID: 6516)
      • Wondershare NativePush_14416_64bit.exe (PID: 2032)
      • Wondershare NativePush_14416_64bit.tmp (PID: 1964)
      • _setup64.tmp (PID: 2580)
      • WsNativePushService.exe (PID: 4672)
      • WsNativePushService.exe (PID: 5708)
      • WsNativePushService.exe (PID: 5492)
      • WsToastNotification.exe (PID: 6636)
      • recoverit.exe (PID: 2384)
      • AddRecycleAndFolderIcon.exe (PID: 6400)
      • recoverit_setup_full4280.exe (PID: 6692)
      • drrs.exe (PID: 6232)
      • diskfeedback.exe (PID: 6516)
      • redis-cli.exe (PID: 6108)
      • wget.exe (PID: 7084)
      • drengsrv.exe (PID: 7088)
      • drss.exe (PID: 1928)
      • cbscustomizedclient.exe (PID: 7160)
      • cbscustomizedclient.exe (PID: 6360)
      • requestconfigure_uploadworkercache.exe (PID: 3568)
      • requestconfigure.exe (PID: 7076)
      • requestconfigure_uploadworkercache.exe (PID: 1920)
      • messagepush.exe (PID: 7084)
      • requestconfigure_userrateworkercache.exe (PID: 4672)
      • requestpushmessage.exe (PID: 6796)
      • autoupgrade.exe (PID: 3660)
      • requestconfigure.exe (PID: 6372)
      • requestconfigure.exe (PID: 1116)
      • requestconfigure_userrateworkercache.exe (PID: 6684)
      • requestconfigure_advertisementFlagcache.exe (PID: 6372)
      • videorepairclean.exe (PID: 5160)
      • closeprocess.exe (PID: 2892)
      • processprotect.exe (PID: 6152)
      • ossutil64.exe (PID: 376)

    • Reads the software policy settings

      • recoverit_setup_full4280.exe (PID: 6692)
      • recoverit_64bit_full4280.tmp (PID: 6864)

    • Creates files in the program directory

      • recoverit_setup_full4280.exe (PID: 6692)
      • recoverit_64bit_full4280.tmp (PID: 6864)
      • recoverit.exe (PID: 2384)
      • drengsrv.exe (PID: 7088)
      • wget.exe (PID: 7084)
      • requestconfigure_uploadworkercache.exe (PID: 3568)
      • requestconfigure.exe (PID: 7076)
      • requestconfigure_uploadworkercache.exe (PID: 1920)
      • cbscustomizedclient.exe (PID: 6360)
      • requestconfigure.exe (PID: 6372)
      • messagepush.exe (PID: 7084)
      • requestpushmessage.exe (PID: 6796)
      • requestconfigure_userrateworkercache.exe (PID: 4672)
      • requestconfigure.exe (PID: 1116)
      • requestconfigure_userrateworkercache.exe (PID: 6684)
      • autoupgrade.exe (PID: 3660)
      • requestconfigure_advertisementFlagcache.exe (PID: 6372)
      • processprotect.exe (PID: 6152)

    • Creates files or folders in the user directory

      • recoverit_setup_full4280.exe (PID: 6692)
      • recoverit_64bit_full4280.tmp (PID: 6864)
      • Wondershare NativePush_14416_64bit.tmp (PID: 1964)
      • WsToastNotification.exe (PID: 6636)
      • recoverit.exe (PID: 2384)

    • Create files in a temporary directory

      • recoverit_64bit_full4280.tmp (PID: 6864)
      • recoverit_64bit_full4280.exe (PID: 6516)
      • Wondershare NativePush_14416_64bit.exe (PID: 2032)
      • Wondershare NativePush_14416_64bit.tmp (PID: 1964)
      • WsNativePushService.exe (PID: 4672)
      • WsToastNotification.exe (PID: 6636)
      • recoverit_setup_full4280.exe (PID: 6692)
      • recoverit.exe (PID: 2384)
      • processprotect.exe (PID: 6152)

    • Dropped object may contain TOR URL's

      • recoverit_64bit_full4280.tmp (PID: 6864)
      • recoverit.exe (PID: 2384)

    • Process checks computer location settings

      • recoverit_setup_full4280.exe (PID: 6692)
      • recoverit_64bit_full4280.tmp (PID: 6864)
      • recoverit.exe (PID: 2384)

    • Creates a software uninstall entry

      • recoverit_64bit_full4280.tmp (PID: 6864)
      • Wondershare NativePush_14416_64bit.tmp (PID: 1964)

    • Process checks whether UAC notifications are on

      • recoverit.exe (PID: 2384)

    • Application launched itself

      • chrome.exe (PID: 6400)

    • Reads Microsoft Office registry keys

      • chrome.exe (PID: 6400)

    • The process uses the downloaded file

      • chrome.exe (PID: 6296)
      • chrome.exe (PID: 4692)
      • chrome.exe (PID: 3660)
      • chrome.exe (PID: 2368)
      • chrome.exe (PID: 1116)
      • chrome.exe (PID: 4056)
      • chrome.exe (PID: 6876)
      • chrome.exe (PID: 1432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (16.3)
.exe | Win64 Executable (generic) (14.5)
.dll | Win32 Dynamic Link Library (generic) (3.4)
.exe | Win32 Executable (generic) (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:02:01 09:17:35+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1278976
InitializedDataSize: 706560
UninitializedDataSize: -
EntryPoint: 0x106970
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.0.4.19
ProductVersionNumber: 4.0.4.19
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: recoverit_setup_full4280.exe
FileVersion: 4.0.4.19
LegalCopyright: Copyright©2023 Wondershare. All rights reserved.
ProductName: Recoverit
ProductVersion: 12.0.13
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
286
Monitored processes
144
Malicious processes
7
Suspicious processes
6

Behavior graph

Click at the process to see the details
start recoverit_setup_full4280.exe svchost.exe nfwchk.exe no specs conhost.exe no specs recoverit_64bit_full4280.exe recoverit_64bit_full4280.tmp wondershare nativepush_14416_64bit.exe wondershare nativepush_14416_64bit.tmp _setup64.tmp no specs conhost.exe no specs wsnativepushservice.exe no specs conhost.exe no specs wsnativepushservice.exe no specs conhost.exe no specs cmd.exe no specs wsnativepushservice.exe no specs conhost.exe no specs wstoastnotification.exe conhost.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs addrecycleandfoldericon.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs recoverit.exe chrome.exe chrome.exe no specs diskfeedback.exe cmd.exe no specs conhost.exe no specs conhost.exe no specs drrs.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs cmd.exe no specs conhost.exe no specs redis-cli.exe no specs cmd.exe no specs chrome.exe no specs chrome.exe no specs conhost.exe no specs netstat.exe no specs findstr.exe no specs drengsrv.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs drss.exe no specs conhost.exe no specs wget.exe conhost.exe no specs cbscustomizedclient.exe no specs conhost.exe no specs cbscustomizedclient.exe no specs conhost.exe no specs chrome.exe no specs requestconfigure_uploadworkercache.exe conhost.exe no specs requestconfigure.exe conhost.exe no specs requestconfigure_uploadworkercache.exe conhost.exe no specs requestconfigure.exe conhost.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs requestconfigure_userrateworkercache.exe conhost.exe no specs messagepush.exe requestpushmessage.exe no specs autoupgrade.exe conhost.exe no specs conhost.exe no specs requestconfigure.exe conhost.exe no specs requestconfigure_userrateworkercache.exe conhost.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs requestconfigure_advertisementflagcache.exe conhost.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs closeprocess.exe no specs conhost.exe no specs videorepairclean.exe no specs conhost.exe no specs processprotect.exe conhost.exe no specs cmd.exe no specs ossutil64.exe recoverit_setup_full4280.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
188"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2344 --field-trial-handle=1972,i,13995065343461172030,10166707661784955615,262144 --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
232\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exedrss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
368netsh advfirewall firewall add rule name="RecoveritUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=57210C:\Windows\SysWOW64\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
376ossutil64.exe -i LTAI4GJduMz5KumGNLa4B7Et -k BScaTX5vEqMnp8PFNgnmcxQROlZt9L -e oss-us-west-1.aliyuncs.com cp {6e03edd8-081e-4946-964d-d7ba03a34937G}_20240822064031.db3 oss://eus-recoverit-data-collect/recoverit/20240822/C:\Users\admin\AppData\Local\Temp\Wondershare_Recoverit_Processprotect\UploadDB\ossutil64.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\wondershare_recoverit_processprotect\uploaddb\ossutil64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
448netsh advfirewall firewall add rule name="RecoveritRSTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=23007C:\Windows\SysWOW64\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
568\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exedrengsrv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
788netsh advfirewall firewall add rule name="RecoveritRSUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=33009C:\Windows\SysWOW64\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
812netsh advfirewall firewall add rule name="RecoveritRSUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=50053C:\Windows\SysWOW64\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1116\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1116"C:\Program Files\Wondershare\Recoverit\requestconfigure.exe" "C:/Program Files/Wondershare/Recoverit/netrequestJson/moveurlsourceJson_06_40_37_997_json" "C:/Program Files/Wondershare/Recoverit/netrequestJson/moveurldestJson_06_40_37_997_json"C:\Program Files\Wondershare\Recoverit\requestconfigure.exe
recoverit.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\wondershare\recoverit\requestconfigure.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\crypt32.dll
Total events
58 185
Read events
57 935
Write events
226
Delete events
24

Modification events

(PID) Process:(6692) recoverit_setup_full4280.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WafCX
Operation:writeName:4280
Value:
sku-ween
(PID) Process:(6692) recoverit_setup_full4280.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\Wondershare Helper Compact
Operation:writeName:ClientSign
Value:
{6e03edd8-081e-4946-964d-d7ba03a34937G}
(PID) Process:(6692) recoverit_setup_full4280.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF
Operation:writeName:ClientSign
Value:
{6e03edd8-081e-4946-964d-d7ba03a34937G}
(PID) Process:(6692) recoverit_setup_full4280.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6692) recoverit_setup_full4280.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6692) recoverit_setup_full4280.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6692) recoverit_setup_full4280.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6692) recoverit_setup_full4280.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6692) recoverit_setup_full4280.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6692) recoverit_setup_full4280.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
654
Suspicious files
286
Text files
465
Unknown types
2

Dropped files

PID
Process
Filename
Type
6692recoverit_setup_full4280.exeC:\Users\Public\Documents\Wondershare\recoverit_64bit_full4280.exe.~P2S
MD5:
SHA256:
6692recoverit_setup_full4280.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\NotoSansSC-Regular[1].otf
MD5:
SHA256:
6692recoverit_setup_full4280.exeC:\Users\Public\Documents\Wondershare\recoverit_64bit_full4280.exe
MD5:
SHA256:
6692recoverit_setup_full4280.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57der
MD5:5A09DFF8558C06F7E932924B3EE4F2F8
SHA256:6496816A994C3B703FE0CCE04A607CB89890DEC11F3A20DB4594E6F45DD49858
6692recoverit_setup_full4280.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\json2[1].jstext
MD5:E78199FE40036021717F4A18BCDB91CE
SHA256:9DD0F1D3CECD1368D46CD881FF6F6529485F0414BC40F35D2A4D2C08769517F0
6692recoverit_setup_full4280.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\3[1].pngimage
MD5:372B65E4E4DB5F8D577FDAB2562571EC
SHA256:6F0B3D3BD005C2EC33CDB3639BAFDC86EFF8847043FB3A0100EB7760499E5B78
6692recoverit_setup_full4280.exeC:\Users\Public\Documents\Wondershare\NFWCHK.exeexecutable
MD5:27CFB3990872CAA5930FA69D57AEFE7B
SHA256:43881549228975C7506B050BCE4D9B671412D3CDC08C7516C9DBBB7F50C25146
6692recoverit_setup_full4280.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14561BF7422BB6F70A9CB14F5AA8A7DA_6D5FC9FD3617659722A64D73A114DFF7der
MD5:1296F740502A5AC304BB556801AFB84A
SHA256:7EF3290B70C6EEF234CA2727010C13B1956B04807AC2E2D9BE764B08729055D1
6692recoverit_setup_full4280.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\2[1].pngimage
MD5:E53723595415D18AE412E68D7EEA212F
SHA256:DD9D2E79297A7C51FBD5BA603CB02ABA6CB4436509B8583899D3D4307287B17E
6692recoverit_setup_full4280.exeC:\Users\Public\Documents\Wondershare\NFWCHK.exe.configxml
MD5:5BABF2A106C883A8E216F768DB99AD51
SHA256:9E676A617EB0D0535AC05A67C0AE0C0E12D4E998AB55AC786A031BFC25E28300
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
30
TCP/UDP connections
189
DNS requests
168
Threats
35

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6692
recoverit_setup_full4280.exe
GET
8.209.73.211:80
http://platform.wondershare.cc/rest/v2/downloader/runtime/?client_sign={6e03edd8-081e-4946-964d-d7ba03a34937G}&product_id=4280&wae=4.0.4&platform=win_x64
unknown
whitelisted
6692
recoverit_setup_full4280.exe
HEAD
200
2.19.126.135:80
http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe
unknown
whitelisted
6692
recoverit_setup_full4280.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQlOydjtpho0%2Bholo77zGjGxETUEQQU8JyF%2FaKffY%2FJaLvV1IlNHb7TkP8CEA3EQd5SLWy5mr7JXcu5TKw%3D
unknown
whitelisted
6692
recoverit_setup_full4280.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAoFmyX1Sz2HlMxmMUd1OKM%3D
unknown
whitelisted
6692
recoverit_setup_full4280.exe
HEAD
200
2.19.126.135:80
http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe
unknown
whitelisted
6692
recoverit_setup_full4280.exe
HEAD
200
2.19.126.140:80
http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe
unknown
whitelisted
6692
recoverit_setup_full4280.exe
GET
2.19.126.135:80
http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe
unknown
whitelisted
6692
recoverit_setup_full4280.exe
GET
206
2.19.126.140:80
http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe
unknown
whitelisted
6692
recoverit_setup_full4280.exe
GET
206
2.19.126.140:80
http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe
unknown
whitelisted
6692
recoverit_setup_full4280.exe
GET
206
2.19.126.135:80
http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1128
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5624
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6692
recoverit_setup_full4280.exe
8.209.72.213:443
pc-api.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
unknown
6692
recoverit_setup_full4280.exe
8.209.73.211:80
platform.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
unknown
6692
recoverit_setup_full4280.exe
47.91.89.51:443
prod-web.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
unknown
6692
recoverit_setup_full4280.exe
2.19.126.135:80
download.wondershare.com
Akamai International B.V.
DE
unknown
6692
recoverit_setup_full4280.exe
47.91.90.244:8106
analytics.wondershare.cc
Alibaba US Technology Co., Ltd.
DE
unknown
6692
recoverit_setup_full4280.exe
163.181.92.231:443
wae.wondershare.cc
Zhejiang Taobao Network Co.,Ltd
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.78
whitelisted
pc-api.wondershare.cc
  • 8.209.72.213
malicious
platform.wondershare.cc
  • 8.209.73.211
malicious
prod-web.wondershare.cc
  • 47.91.89.51
malicious
download.wondershare.com
  • 2.19.126.135
  • 2.19.126.140
whitelisted
analytics.wondershare.cc
  • 47.91.90.244
malicious
wae.wondershare.cc
  • 163.181.92.231
  • 163.181.92.230
  • 163.181.92.232
  • 163.181.92.229
  • 163.181.92.228
  • 163.181.92.235
  • 163.181.92.234
  • 163.181.92.233
malicious
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .cc TLD
Potentially Bad Traffic
ET DNS Query for .cc TLD
Potentially Bad Traffic
ET DNS Query for .cc TLD
Potentially Bad Traffic
ET DNS Query for .cc TLD
Potentially Bad Traffic
ET DNS Query for .cc TLD
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic
ET DNS Query for .cc TLD
Potentially Bad Traffic
ET DNS Query for .cc TLD
Potentially Bad Traffic
ET DNS Query for .cc TLD
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
recoverit_setup_full4280.exe