recover.exe

  • File Path: C:\windows\system32\recover.exe
  • Description: Recover Files Utility

Hashes

Type Hash
MD5 C0CC9E1A8AA53A2E7BBEA3BEB0ED5281
SHA1 188421022518C3B21350C98042F897AA45929DCC
SHA256 525BC408B5DA791F7EB751BA5FA34343AD3719D6F8EE64A90F122C069E4C9F47
SHA384 18CA9AE1480521A4DC104D7DBF96834C602DE6FEEC9070F15E5C80B8CAD794FF22D103358F94440FCDC20660EA1B91F8
SHA512 7CEDF76D10DDFD34959582A932A64D8BEABD8334F5909A04C7D0171D7CC6019F15F719E841A9B287539EA160C50B22D7D638D9737F67343F8BD41437493E1553
SSDEEP 192:bsseIpJBGdP/2YhEvxepqkK/IT38Rny8MeAGkzCOFum2TWCnWa:bssdpJBSTUxfC3+ype8zz2TWCnWa

Signature

  • Status: The file C:\windows\system32\recover.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: Recover.Exe.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\windows\SysWOW64\recover.exe 41

Possible Misuse

The following table contains possible examples of recover.exe being misused. While recover.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma azure_keyvault_key_modified_or_deleted.yml - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION DRL 1.0
sigma azure_keyvault_secrets_modified_or_deleted.yml - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION DRL 1.0
sigma proc_creation_win_sqlcmd_veeam_dump.yml - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html DRL 1.0
atomic-red-team T1048.003.md 3. Once the data is received, use the below command to recover the data. MIT License. © 2018 Red Canary
atomic-red-team T1110.002.md <blockquote>Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping is used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1485.md RansomEXX malware removes all deleted files using windows built-in cipher.exe to prevent forensic recover. MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


recover

Recovers readable information from a bad or defective disk. This command reads a file, sector-by-sector, and recovers data from the good sectors. Data in bad sectors is lost. Because all data in bad sectors is lost when you recover a file, you should recover only one file at a time.

Bad sectors reported by the chkdsk command were marked as bad when your disk was prepared for operation. They pose no danger, and recover does not affect them.

Syntax

recover [<drive>:][<path>]<filename>

Parameters

Parameter Description
[<drive>:][<path>]<filename> Specifies the file name (and the location of the file if it is not in the current directory) you want to recover. Filename is required and wildcards aren’t supported.
/? Displays help at the command prompt.

Examples

To recover the file story.txt in the \fiction directory on drive D, type:

recover d:\fiction\story.txt

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.