Malware analysis recoverit_setup_full4280.exe Malicious activity

Add for printing

File name:	recoverit_setup_full4280.exe
Full analysis:	https://app.any.run/tasks/f26530ef-164a-4f01-9627-b1b8137a4486
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	August 22, 2024, 06:37:06
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	53D6B59F3E552E08AC845A5BF110D957
SHA1:	5040D7F56EE5E47E50A788DD83BA692D6A4181F7
SHA256:	A81645AB83F2825F0869901462F9064C2579737E1694EA58BFD38DD7DCD09C66
SSDEEP:	98304:XufRsK6MOagwNYrOoOBJJS/B5B8EgCVPuquN:C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Scans artifacts that could help determine the target
  - recoverit_setup_full4280.exe (PID: 6692)
SUSPICIOUS
- Drops the executable file immediately after the start
  - recoverit_setup_full4280.exe (PID: 6692)
  - recoverit_64bit_full4280.exe (PID: 6516)
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - Wondershare NativePush_14416_64bit.exe (PID: 2032)
  - Wondershare NativePush_14416_64bit.tmp (PID: 1964)
  - recoverit.exe (PID: 2384)
  - processprotect.exe (PID: 6152)
- Reads security settings of Internet Explorer
  - recoverit_setup_full4280.exe (PID: 6692)
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - recoverit.exe (PID: 2384)
  - cbscustomizedclient.exe (PID: 7160)
  - cbscustomizedclient.exe (PID: 6360)
- Reads Microsoft Outlook installation path
  - recoverit_setup_full4280.exe (PID: 6692)
- Reads Internet Explorer settings
  - recoverit_setup_full4280.exe (PID: 6692)
- Executable content was dropped or overwritten
  - recoverit_setup_full4280.exe (PID: 6692)
  - recoverit_64bit_full4280.exe (PID: 6516)
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - Wondershare NativePush_14416_64bit.exe (PID: 2032)
  - Wondershare NativePush_14416_64bit.tmp (PID: 1964)
  - recoverit.exe (PID: 2384)
  - processprotect.exe (PID: 6152)
- Likely accesses (executes) a file from the Public directory
  - NFWCHK.exe (PID: 6836)
  - recoverit_64bit_full4280.exe (PID: 6516)
  - recoverit_64bit_full4280.tmp (PID: 6864)
- Checks Windows Trust Settings
  - recoverit_setup_full4280.exe (PID: 6692)
- Potential Corporate Privacy Violation
  - recoverit_setup_full4280.exe (PID: 6692)
- Connects to unusual port
  - recoverit_setup_full4280.exe (PID: 6692)
  - WsToastNotification.exe (PID: 6636)
  - recoverit.exe (PID: 2384)
  - processprotect.exe (PID: 6152)
- Reads the date of Windows installation
  - recoverit_setup_full4280.exe (PID: 6692)
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - recoverit.exe (PID: 2384)
- Process drops SQLite DLL files
  - recoverit_64bit_full4280.tmp (PID: 6864)
- Reads the Windows owner or organization settings
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - Wondershare NativePush_14416_64bit.tmp (PID: 1964)
- Process requests binary or script from the Internet
  - recoverit_setup_full4280.exe (PID: 6692)
- Process drops legitimate windows executable
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - recoverit.exe (PID: 2384)
- The process drops C-runtime libraries
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - recoverit.exe (PID: 2384)
- Drops 7-zip archiver for unpacking
  - recoverit_64bit_full4280.tmp (PID: 6864)
- Process drops python dynamic module
  - recoverit_64bit_full4280.tmp (PID: 6864)
- Executing commands from a ".bat" file
  - recoverit_64bit_full4280.tmp (PID: 6864)
- Executes as Windows Service
  - WsNativePushService.exe (PID: 5708)
- Starts CMD.EXE for commands execution
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - recoverit.exe (PID: 2384)
  - processprotect.exe (PID: 6152)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 4880)
- Reads the BIOS version
  - recoverit.exe (PID: 2384)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 4160)
- Connects to SMTP port
  - diskfeedback.exe (PID: 6516)
- Searches for installed software
  - recoverit.exe (PID: 2384)
- The executable file from the user directory is run by the CMD process
  - ossutil64.exe (PID: 376)
INFO
- Create files in a temporary directory
  - recoverit_setup_full4280.exe (PID: 6692)
  - recoverit_64bit_full4280.exe (PID: 6516)
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - Wondershare NativePush_14416_64bit.exe (PID: 2032)
  - Wondershare NativePush_14416_64bit.tmp (PID: 1964)
  - WsNativePushService.exe (PID: 4672)
  - WsToastNotification.exe (PID: 6636)
  - recoverit.exe (PID: 2384)
  - processprotect.exe (PID: 6152)
- Checks supported languages
  - recoverit_setup_full4280.exe (PID: 6692)
  - NFWCHK.exe (PID: 6836)
  - recoverit_64bit_full4280.exe (PID: 6516)
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - Wondershare NativePush_14416_64bit.exe (PID: 2032)
  - Wondershare NativePush_14416_64bit.tmp (PID: 1964)
  - _setup64.tmp (PID: 2580)
  - WsNativePushService.exe (PID: 5708)
  - WsNativePushService.exe (PID: 5492)
  - WsToastNotification.exe (PID: 6636)
  - WsNativePushService.exe (PID: 4672)
  - recoverit.exe (PID: 2384)
  - drrs.exe (PID: 6232)
  - diskfeedback.exe (PID: 6516)
  - AddRecycleAndFolderIcon.exe (PID: 6400)
  - redis-cli.exe (PID: 6108)
  - drengsrv.exe (PID: 7088)
  - drss.exe (PID: 1928)
  - cbscustomizedclient.exe (PID: 6360)
  - wget.exe (PID: 7084)
  - cbscustomizedclient.exe (PID: 7160)
  - requestconfigure_uploadworkercache.exe (PID: 3568)
  - requestconfigure.exe (PID: 7076)
  - messagepush.exe (PID: 7084)
  - requestpushmessage.exe (PID: 6796)
  - autoupgrade.exe (PID: 3660)
  - requestconfigure.exe (PID: 6372)
  - requestconfigure_uploadworkercache.exe (PID: 1920)
  - requestconfigure_userrateworkercache.exe (PID: 4672)
  - requestconfigure.exe (PID: 1116)
  - requestconfigure_userrateworkercache.exe (PID: 6684)
  - closeprocess.exe (PID: 2892)
  - videorepairclean.exe (PID: 5160)
  - ossutil64.exe (PID: 376)
  - requestconfigure_advertisementFlagcache.exe (PID: 6372)
  - processprotect.exe (PID: 6152)
- Reads the machine GUID from the registry
  - recoverit_setup_full4280.exe (PID: 6692)
  - NFWCHK.exe (PID: 6836)
  - recoverit.exe (PID: 2384)
  - diskfeedback.exe (PID: 6516)
  - drss.exe (PID: 1928)
  - requestconfigure_uploadworkercache.exe (PID: 3568)
  - requestconfigure.exe (PID: 7076)
  - requestconfigure_userrateworkercache.exe (PID: 4672)
  - requestconfigure_uploadworkercache.exe (PID: 1920)
  - requestconfigure.exe (PID: 6372)
  - messagepush.exe (PID: 7084)
  - requestconfigure_userrateworkercache.exe (PID: 6684)
  - requestconfigure.exe (PID: 1116)
  - requestconfigure_advertisementFlagcache.exe (PID: 6372)
  - processprotect.exe (PID: 6152)
- Reads the computer name
  - recoverit_setup_full4280.exe (PID: 6692)
  - NFWCHK.exe (PID: 6836)
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - Wondershare NativePush_14416_64bit.tmp (PID: 1964)
  - WsNativePushService.exe (PID: 4672)
  - WsNativePushService.exe (PID: 5492)
  - WsNativePushService.exe (PID: 5708)
  - WsToastNotification.exe (PID: 6636)
  - recoverit.exe (PID: 2384)
  - diskfeedback.exe (PID: 6516)
  - drss.exe (PID: 1928)
  - drengsrv.exe (PID: 7088)
  - wget.exe (PID: 7084)
  - cbscustomizedclient.exe (PID: 7160)
  - cbscustomizedclient.exe (PID: 6360)
  - requestconfigure_uploadworkercache.exe (PID: 3568)
  - requestconfigure.exe (PID: 7076)
  - requestconfigure_userrateworkercache.exe (PID: 4672)
  - messagepush.exe (PID: 7084)
  - requestconfigure.exe (PID: 6372)
  - requestconfigure_uploadworkercache.exe (PID: 1920)
  - autoupgrade.exe (PID: 3660)
  - requestpushmessage.exe (PID: 6796)
  - requestconfigure_userrateworkercache.exe (PID: 6684)
  - requestconfigure.exe (PID: 1116)
  - requestconfigure_advertisementFlagcache.exe (PID: 6372)
  - ossutil64.exe (PID: 376)
  - processprotect.exe (PID: 6152)
- Checks proxy server information
  - recoverit_setup_full4280.exe (PID: 6692)
  - recoverit.exe (PID: 2384)
- Process checks Internet Explorer phishing filters
  - recoverit_setup_full4280.exe (PID: 6692)
- Creates files in the program directory
  - recoverit_setup_full4280.exe (PID: 6692)
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - recoverit.exe (PID: 2384)
  - drengsrv.exe (PID: 7088)
  - cbscustomizedclient.exe (PID: 6360)
  - wget.exe (PID: 7084)
  - requestconfigure.exe (PID: 7076)
  - messagepush.exe (PID: 7084)
  - requestconfigure_uploadworkercache.exe (PID: 3568)
  - requestconfigure_uploadworkercache.exe (PID: 1920)
  - requestconfigure.exe (PID: 6372)
  - requestpushmessage.exe (PID: 6796)
  - autoupgrade.exe (PID: 3660)
  - requestconfigure_userrateworkercache.exe (PID: 4672)
  - requestconfigure.exe (PID: 1116)
  - requestconfigure_userrateworkercache.exe (PID: 6684)
  - requestconfigure_advertisementFlagcache.exe (PID: 6372)
  - processprotect.exe (PID: 6152)
- Creates files or folders in the user directory
  - recoverit_setup_full4280.exe (PID: 6692)
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - Wondershare NativePush_14416_64bit.tmp (PID: 1964)
  - WsToastNotification.exe (PID: 6636)
  - recoverit.exe (PID: 2384)
- Reads the software policy settings
  - recoverit_setup_full4280.exe (PID: 6692)
  - recoverit_64bit_full4280.tmp (PID: 6864)
- Process checks computer location settings
  - recoverit_setup_full4280.exe (PID: 6692)
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - recoverit.exe (PID: 2384)
- Dropped object may contain TOR URL's
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - recoverit.exe (PID: 2384)
- Creates a software uninstall entry
  - recoverit_64bit_full4280.tmp (PID: 6864)
  - Wondershare NativePush_14416_64bit.tmp (PID: 1964)
- Process checks whether UAC notifications are on
  - recoverit.exe (PID: 2384)
- Application launched itself
  - chrome.exe (PID: 6400)
- Reads Microsoft Office registry keys
  - chrome.exe (PID: 6400)
- The process uses the downloaded file
  - chrome.exe (PID: 6296)
  - chrome.exe (PID: 4692)
  - chrome.exe (PID: 3660)
  - chrome.exe (PID: 2368)
  - chrome.exe (PID: 1116)
  - chrome.exe (PID: 4056)
  - chrome.exe (PID: 6876)
  - chrome.exe (PID: 1432)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (16.3)
.exe	\|	Win64 Executable (generic) (14.5)
.dll	\|	Win32 Dynamic Link Library (generic) (3.4)
.exe	\|	Win32 Executable (generic) (2.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:02:01 09:17:35+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	12
CodeSize:	1278976
InitializedDataSize:	706560
UninitializedDataSize:	-
EntryPoint:	0x106970
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	4.0.4.19
ProductVersionNumber:	4.0.4.19
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	recoverit_setup_full4280.exe
FileVersion:	4.0.4.19
LegalCopyright:	Copyright©2023 Wondershare. All rights reserved.
ProductName:	Recoverit
ProductVersion:	12.0.13

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

286

Monitored processes

144

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

188

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2344 --field-trial-handle=1972,i,13995065343461172030,10166707661784955615,262144 --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

232

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

drss.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

368

netsh advfirewall firewall add rule name="RecoveritUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=57210

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

376

ossutil64.exe -i LTAI4GJduMz5KumGNLa4B7Et -k BScaTX5vEqMnp8PFNgnmcxQROlZt9L -e oss-us-west-1.aliyuncs.com cp {6e03edd8-081e-4946-964d-d7ba03a34937G}_20240822064031.db3 oss://eus-recoverit-data-collect/recoverit/20240822/

C:\Users\admin\AppData\Local\Temp\Wondershare_Recoverit_Processprotect\UploadDB\ossutil64.exe

cmd.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\wondershare_recoverit_processprotect\uploaddb\ossutil64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

448

netsh advfirewall firewall add rule name="RecoveritRSTCPAccessInboundRule" dir=in action=allow protocol=TCP localport=23007

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

568

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

drengsrv.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

788

netsh advfirewall firewall add rule name="RecoveritRSUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=33009

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

812

netsh advfirewall firewall add rule name="RecoveritRSUDPAccessInboundRule" dir=in action=allow protocol=UDP localport=50053

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1116

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1116

"C:\Program Files\Wondershare\Recoverit\requestconfigure.exe" "C:/Program Files/Wondershare/Recoverit/netrequestJson/moveurlsourceJson_06_40_37_997_json" "C:/Program Files/Wondershare/Recoverit/netrequestJson/moveurldestJson_06_40_37_997_json"

C:\Program Files\Wondershare\Recoverit\requestconfigure.exe

recoverit.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\program files\wondershare\recoverit\requestconfigure.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\crypt32.dll

Add for printing

Total events

58 185

Read events

57 935

Write events

226

Delete events

Modification events


(PID) Process:	(6692) recoverit_setup_full4280.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WafCX
Operation:	write	Name:	4280
Value: sku-ween
(PID) Process:	(6692) recoverit_setup_full4280.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\Wondershare Helper Compact
Operation:	write	Name:	ClientSign
Value: {6e03edd8-081e-4946-964d-d7ba03a34937G}
(PID) Process:	(6692) recoverit_setup_full4280.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF
Operation:	write	Name:	ClientSign
Value: {6e03edd8-081e-4946-964d-d7ba03a34937G}
(PID) Process:	(6692) recoverit_setup_full4280.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6692) recoverit_setup_full4280.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6692) recoverit_setup_full4280.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6692) recoverit_setup_full4280.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6692) recoverit_setup_full4280.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6692) recoverit_setup_full4280.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6692) recoverit_setup_full4280.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

654

Suspicious files

286

Text files

465

Unknown types

Dropped files

PID	Process	Filename		Type
6692	recoverit_setup_full4280.exe	C:\Users\Public\Documents\Wondershare\recoverit_64bit_full4280.exe.~P2S		—
		MD5:—	SHA256:—
6692	recoverit_setup_full4280.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\NotoSansSC-Regular[1].otf		—
		MD5:—	SHA256:—
6692	recoverit_setup_full4280.exe	C:\Users\Public\Documents\Wondershare\recoverit_64bit_full4280.exe		—
		MD5:—	SHA256:—
6692	recoverit_setup_full4280.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57		der
		MD5:5A09DFF8558C06F7E932924B3EE4F2F8	SHA256:6496816A994C3B703FE0CCE04A607CB89890DEC11F3A20DB4594E6F45DD49858
6692	recoverit_setup_full4280.exe	C:\Users\admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log		text
		MD5:FDD24956704CE5D7CB7C6A099257122B	SHA256:00AC9A2ECD7126FA1ABA573D8E7FFBF8BAD08E96546FE5932C8584CEF52C5928
6692	recoverit_setup_full4280.exe	C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config		xml
		MD5:5BABF2A106C883A8E216F768DB99AD51	SHA256:9E676A617EB0D0535AC05A67C0AE0C0E12D4E998AB55AC786A031BFC25E28300
6692	recoverit_setup_full4280.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14561BF7422BB6F70A9CB14F5AA8A7DA_6D5FC9FD3617659722A64D73A114DFF7		der
		MD5:1296F740502A5AC304BB556801AFB84A	SHA256:7EF3290B70C6EEF234CA2727010C13B1956B04807AC2E2D9BE764B08729055D1
6692	recoverit_setup_full4280.exe	C:\Users\admin\AppData\Local\Temp\wsduilib.log		text
		MD5:3B6D6F499418E0FC44EADDDBC9F5976A	SHA256:F8278768B6EDBCE66FF43CEDDB6AC8476BE4A55663666775BE0B43791C4F9D74
6692	recoverit_setup_full4280.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14561BF7422BB6F70A9CB14F5AA8A7DA_6D5FC9FD3617659722A64D73A114DFF7		binary
		MD5:5B9F5E47B85E5245DFF39C9DE5BE5521	SHA256:B00BEC0A1D6321D882BCD528B8F22B28BA293A8E1C9FFB519A65917167A02BD1
6692	recoverit_setup_full4280.exe	C:\Users\Public\Documents\Wondershare\WAE_DOWNTASK_4280.xml		xml
		MD5:C15E9FD55D1ABC9C58726BCF1510494E	SHA256:4805296C89D1249BE3478986F2E8829545D373C97ADE9CA7C1BDCB48540DE140

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

189

DNS requests

168

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6692	recoverit_setup_full4280.exe	GET	—	8.209.73.211:80	http://platform.wondershare.cc/rest/v2/downloader/runtime/?client_sign={6e03edd8-081e-4946-964d-d7ba03a34937G}&product_id=4280&wae=4.0.4&platform=win_x64	unknown	—	—	whitelisted
6692	recoverit_setup_full4280.exe	HEAD	200	2.19.126.135:80	http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe	unknown	—	—	whitelisted
6692	recoverit_setup_full4280.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQlOydjtpho0%2Bholo77zGjGxETUEQQU8JyF%2FaKffY%2FJaLvV1IlNHb7TkP8CEA3EQd5SLWy5mr7JXcu5TKw%3D	unknown	—	—	whitelisted
6692	recoverit_setup_full4280.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAoFmyX1Sz2HlMxmMUd1OKM%3D	unknown	—	—	whitelisted
6692	recoverit_setup_full4280.exe	HEAD	200	2.19.126.135:80	http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe	unknown	—	—	whitelisted
6692	recoverit_setup_full4280.exe	HEAD	200	2.19.126.140:80	http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe	unknown	—	—	whitelisted
6692	recoverit_setup_full4280.exe	GET	—	2.19.126.135:80	http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe	unknown	—	—	whitelisted
6692	recoverit_setup_full4280.exe	GET	206	2.19.126.140:80	http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe	unknown	—	—	whitelisted
6692	recoverit_setup_full4280.exe	GET	206	2.19.126.140:80	http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe	unknown	—	—	whitelisted
6692	recoverit_setup_full4280.exe	GET	206	2.19.126.140:80	http://download.wondershare.com/cbs_down/recoverit_64bit_full4280.exe	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1128	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5624	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6692	recoverit_setup_full4280.exe	8.209.72.213:443	pc-api.wondershare.cc	Alibaba US Technology Co., Ltd.	DE	unknown
6692	recoverit_setup_full4280.exe	8.209.73.211:80	platform.wondershare.cc	Alibaba US Technology Co., Ltd.	DE	unknown
6692	recoverit_setup_full4280.exe	47.91.89.51:443	prod-web.wondershare.cc	Alibaba US Technology Co., Ltd.	DE	unknown
6692	recoverit_setup_full4280.exe	2.19.126.135:80	download.wondershare.com	Akamai International B.V.	DE	unknown
6692	recoverit_setup_full4280.exe	47.91.90.244:8106	analytics.wondershare.cc	Alibaba US Technology Co., Ltd.	DE	unknown
6692	recoverit_setup_full4280.exe	163.181.92.231:443	wae.wondershare.cc	Zhejiang Taobao Network Co.,Ltd	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146 51.104.136.2	whitelisted
google.com	142.250.186.78	whitelisted
pc-api.wondershare.cc	8.209.72.213	malicious
platform.wondershare.cc	8.209.73.211	malicious
prod-web.wondershare.cc	47.91.89.51	malicious
download.wondershare.com	2.19.126.135 2.19.126.140	whitelisted
analytics.wondershare.cc	47.91.90.244	malicious
wae.wondershare.cc	163.181.92.231 163.181.92.230 163.181.92.232 163.181.92.229 163.181.92.228 163.181.92.235 163.181.92.234 163.181.92.233	malicious
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
2256	svchost.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
2256	svchost.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
2256	svchost.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
2256	svchost.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
6692	recoverit_setup_full4280.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
6692	recoverit_setup_full4280.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2256	svchost.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
2256	svchost.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
6580	chrome.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

recoverit_setup_full4280.exe

53D6B59F3E552E08AC845A5BF110D957

5040D7F56EE5E47E50A788DD83BA692D6A4181F7

A81645AB83F2825F0869901462F9064C2579737E1694EA58BFD38DD7DCD09C66

98304:XufRsK6MOagwNYrOoOBJJS/B5B8EgCVPuquN:C

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Scans artifacts that could help determine the target

SUSPICIOUS

Drops the executable file immediately after the start

Reads security settings of Internet Explorer

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Executable content was dropped or overwritten

Likely accesses (executes) a file from the Public directory

Checks Windows Trust Settings

Potential Corporate Privacy Violation

Connects to unusual port

Reads the date of Windows installation

Process drops SQLite DLL files

Reads the Windows owner or organization settings

Process requests binary or script from the Internet

Process drops legitimate windows executable

The process drops C-runtime libraries

Drops 7-zip archiver for unpacking

Process drops python dynamic module

Executing commands from a ".bat" file

Executes as Windows Service

Starts CMD.EXE for commands execution

Uses NETSH.EXE to add a firewall rule or allowed programs

Reads the BIOS version

Using 'findstr.exe' to search for text patterns in files and output

Connects to SMTP port

Searches for installed software

The executable file from the user directory is run by the CMD process

INFO

Create files in a temporary directory

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Checks proxy server information

Process checks Internet Explorer phishing filters

Creates files in the program directory

Creates files or folders in the user directory

Reads the software policy settings

Process checks computer location settings

Dropped object may contain TOR URL's

Creates a software uninstall entry

Process checks whether UAC notifications are on

Application launched itself

Reads Microsoft Office registry keys

The process uses the downloaded file

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information