recover.exe

• File Path: C:\Windows\system32\recover.exe
• Description: Recover Files Utility

Hashes

Type	Hash
MD5	B86B2EABEDC1FC6980C802F75FB9C408
SHA1	F906C8F84C5E9C96766B9F02A17B7312ED658D66
SHA256	B6EC80D55C7BA99165767D74E219D9393E81CA0B7CC1B65E6A697E84E62B9DFD
SHA384	AEE2FE41FAAF2A2457FC9DC1F4BDB1E87361631FCC608C20D3320890615E058C5611FC334ADCBAD0A878EDBBE3916A9A
SHA512	C0566422314622CF27D761765CA16AA404686B226496885F5691DDCF3F57D057F01FF8D78347F13B563FDE188AD4B090ED8FE3AF9AF02B3DE3A958B035E6CCF5
SSDEEP	192:E8nsoUysmXLBrQQ/Ao1mzY1RDfN09BpUZTj6qZ2G08lTSm2TWPnWnh:xn5XL51oo1mEPDm9XUZv12jW2TWPnW
IMP	15EC0ACE85D3228ADCC66943670EF7D8
PESHA1	2F1F2690104C9D62A1A45C1C045BDD361E9B133F
PE256	1944910EED648E72F490AEE459D2155A0B7FF21D8B405938BD3D17C5407A582A

Runtime Data

Usage (stdout):

Recovers readable information from a bad or defective disk.

RECOVER [drive:][path]filename
Consult the online Command Reference in Windows Help
before using the RECOVER command.

Child Processes:

conhost.exe

Open Handles:

Path	Type
(R-D) C:\Windows\System32\en-US\ulib.dll.mui	File
(RW-) C:\Users\user	File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db	Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db	Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro	Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section

Loaded Modules:

Path
C:\Windows\System32\advapi32.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\combase.dll
C:\Windows\system32\DEVOBJ.dll
C:\Windows\SYSTEM32\fsutilext.dll
C:\Windows\system32\IfsUtil.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\recover.exe
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\ulib.dll
C:\Windows\system32\UNTFS.DLL

Signature

• Status: Signature verified.
• Serial: 33000001C422B2F79B793DACB20000000001C4
• Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
• Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
• Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

• Original Filename: Recover.Exe.MUI
• Product Name: Microsoft Windows Operating System
• Company Name: Microsoft Corporation
• File Version: 10.0.17763.1 (WinBuild.160101.0800)
• Product Version: 10.0.17763.1
• Language: English (United States)
• Legal Copyright: Microsoft Corporation. All rights reserved.
• Machine Type: 64-bit

File Scan

• VirusTotal Detections: 0/69
• VirusTotal Link: https://www.virustotal.com/gui/file/b6ec80d55c7ba99165767d74e219d9393e81ca0b7cc1b65e6a697e84e62b9dfd/detection/

File Similarity (ssdeep match)

File	Score
C:\Windows\SysWOW64\recover.exe	35

Possible Misuse

The following table contains possible examples of recover.exe being misused. While recover.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	azure_keyvault_key_modified_or_deleted.yml	- MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION	DRL 1.0
sigma	azure_keyvault_secrets_modified_or_deleted.yml	- MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION	DRL 1.0
sigma	proc_creation_win_sqlcmd_veeam_dump.yml	- https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html	DRL 1.0
atomic-red-team	T1048.003.md	3. Once the data is received, use the below command to recover the data.	MIT License. © 2018 Red Canary
atomic-red-team	T1110.002.md	<blockquote>Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping is used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.</blockquote>	MIT License. © 2018 Red Canary
atomic-red-team	T1485.md	RansomEXX malware removes all deleted files using windows built-in cipher.exe to prevent forensic recover.	MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

---

recover

Recovers readable information from a bad or defective disk. This command reads a file, sector-by-sector, and recovers data from the good sectors. Data in bad sectors is lost. Because all data in bad sectors is lost when you recover a file, you should recover only one file at a time.

Bad sectors reported by the chkdsk command were marked as bad when your disk was prepared for operation. They pose no danger, and recover does not affect them.

Syntax

recover [<drive>:][<path>]<filename>

Parameters

Parameter	Description
[<drive>:][<path>]<filename>	Specifies the file name (and the location of the file if it is not in the current directory) you want to recover. Filename is required and wildcards aren’t supported.
/?	Displays help at the command prompt.

Examples

To recover the file story.txt in the \fiction directory on drive D, type:

recover d:\fiction\story.txt

Additional References

• Command-Line Syntax Key

---

MIT License. Copyright (c) 2020-2021 Strontic.