recover.exe

  • File Path: C:\WINDOWS\SysWOW64\recover.exe
  • Description: Recover Files Utility

Hashes

Type Hash
MD5 E353214C4C892016E9F063880720EDCE
SHA1 331B13ADDB6B86FE3261AE0666A3B134A8FAE90D
SHA256 067DDF575A5E28467605B9201967FCC8FF61759BDD058C3356C980702BC74A01
SHA384 BAEE514C67BE1AD6C83A2216D2103CB0DAF70039C8C263C5E0D3FDB1621FE9B76D9C4510790EA94D6173A1CC4E8D8530
SHA512 A1417AC81C7D5530A4FB281D127A92AB098A78F46E659BE0329A3F7BD968A7B81FE9FF7217A33314A4801176E809FE2CED56FA4844084D14700EC52C65367B03
SSDEEP 192:2wxijs+v5O6FIVR+/Ja03YgeAhYFk2DWbnW7f+:bihv5FWY/JaGei2DWbnWq
IMP CD8185705936323067B6715FDC1BF798
PESHA1 F2AC6A70B0C206FB7E391948378AE065EF9C15BC
PE256 00AB4D4C7EFF761AE1E84284791B2F48122C8A5BC4389B966C619F5C3B4C3C83

Runtime Data

Usage (stdout):

Recovers readable information from a bad or defective disk.

RECOVER [drive:][path]filename
Consult the online Command Reference in Windows Help
before using the RECOVER command.

Child Processes:

conhost.exe

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\ulib.dll.mui File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\recover.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Recover.Exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/067ddf575a5e28467605b9201967fcc8ff61759bdd058c3356c980702bc74a01/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\recover.exe 33

Possible Misuse

The following table contains possible examples of recover.exe being misused. While recover.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma azure_keyvault_key_modified_or_deleted.yml - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION DRL 1.0
sigma azure_keyvault_secrets_modified_or_deleted.yml - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION DRL 1.0
sigma proc_creation_win_sqlcmd_veeam_dump.yml - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html DRL 1.0
atomic-red-team T1048.003.md 3. Once the data is received, use the below command to recover the data. MIT License. © 2018 Red Canary
atomic-red-team T1110.002.md <blockquote>Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping is used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1485.md RansomEXX malware removes all deleted files using windows built-in cipher.exe to prevent forensic recover. MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


recover

Recovers readable information from a bad or defective disk. This command reads a file, sector-by-sector, and recovers data from the good sectors. Data in bad sectors is lost. Because all data in bad sectors is lost when you recover a file, you should recover only one file at a time.

Bad sectors reported by the chkdsk command were marked as bad when your disk was prepared for operation. They pose no danger, and recover does not affect them.

Syntax

recover [<drive>:][<path>]<filename>

Parameters

Parameter Description
[<drive>:][<path>]<filename> Specifies the file name (and the location of the file if it is not in the current directory) you want to recover. Filename is required and wildcards aren’t supported.
/? Displays help at the command prompt.

Examples

To recover the file story.txt in the \fiction directory on drive D, type:

recover d:\fiction\story.txt

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.