recover.exe
- File Path:
C:\Windows\SysWOW64\recover.exe - Description: Recover Files Utility
Hashes
| Type | Hash |
|---|---|
| MD5 | 2B90F99E5723A85A1E2F4E321500C451 |
| SHA1 | D1E49EE7B38B25BA94DC216DB9959040D475FE25 |
| SHA256 | 29F48C967EFD519B84C8FF518BF7F6CAFA13BB34D8FA9AF893C05A10197F3A34 |
| SHA384 | E8148A0A936094245E2315DFC79AC1C444E7713F119145CBA67D31AC7820145B4C66A9EFA92ACD4FF684C83D4D2B5EFD |
| SHA512 | 3065FE4F4FAAF223048B4961DA07BDFEB840FC49350BF634D5AC6D24ECAEB9CF8BF1BA5E6122646DD8830AC26DEB9DF1CCE9754C48F8BBB94D47E06C1C93F479 |
| SSDEEP | 192:P94R+sms/RBGk4NFOp+DWt2SHsk2TWPnWnhIBw9Go:+RYCR8kiFOpb2q2TWPnWhIi0o |
| IMP | CD8185705936323067B6715FDC1BF798 |
| PESHA1 | D79DA7D46E82B7DAAE37A34BAF6A859174F511F8 |
| PE256 | 4DBE05B38E4521574AF13F8935D56B3603A7D68465540FA7B3302A7493D1ACCB |
Runtime Data
Usage (stdout):
Recovers readable information from a bad or defective disk.
RECOVER [drive:][path]filename
Consult the online Command Reference in Windows Help
before using the RECOVER command.
Child Processes:
conhost.exe
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\System32\en-US\ulib.dll.mui | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\recover.exe |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4 - Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: Recover.Exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/70
- VirusTotal Link: https://www.virustotal.com/gui/file/29f48c967efd519b84c8ff518bf7f6cafa13bb34d8fa9af893c05a10197f3a34/detection/
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\system32\recover.exe | 35 |
Possible Misuse
The following table contains possible examples of recover.exe being misused. While recover.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | azure_keyvault_key_modified_or_deleted.yml | - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION |
DRL 1.0 |
| sigma | azure_keyvault_secrets_modified_or_deleted.yml | - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION |
DRL 1.0 |
| sigma | proc_creation_win_sqlcmd_veeam_dump.yml | - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html |
DRL 1.0 |
| atomic-red-team | T1048.003.md | 3. Once the data is received, use the below command to recover the data. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1110.002.md | <blockquote>Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping is used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.</blockquote> | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | RansomEXX malware removes all deleted files using windows built-in cipher.exe to prevent forensic recover. | MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
recover
Recovers readable information from a bad or defective disk. This command reads a file, sector-by-sector, and recovers data from the good sectors. Data in bad sectors is lost. Because all data in bad sectors is lost when you recover a file, you should recover only one file at a time.
Bad sectors reported by the chkdsk command were marked as bad when your disk was prepared for operation. They pose no danger, and recover does not affect them.
Syntax
recover [<drive>:][<path>]<filename>
Parameters
| Parameter | Description |
|---|---|
[<drive>:][<path>]<filename> |
Specifies the file name (and the location of the file if it is not in the current directory) you want to recover. Filename is required and wildcards aren’t supported. |
| /? | Displays help at the command prompt. |
Examples
To recover the file story.txt in the \fiction directory on drive D, type:
recover d:\fiction\story.txt
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.