SHA256: 29a5b019120ec7199941f63529004394676fe5af4cd9764ab916e2f43836ba33
File name: 553784
Detection ratio: 0 / 55
Analysis date: 2016-02-08 20:01:04 UTC
Antivirus Result Update
Ad-Aware 20160208
AegisLab 20160208
Yandex 20160206
AhnLab-V3 20160208
Alibaba 20160204
ALYac 20160208
Antiy-AVL 20160208
Arcabit 20160208
Avast 20160208
AVG 20160208
Avira (no cloud) 20160208
Baidu-International 20160208
BitDefender 20160208
Bkav 20160204
ByteHero 20160208
CAT-QuickHeal 20160208
ClamAV 20160206
CMC 20160205
Comodo 20160208
Cyren 20160208
DrWeb 20160208
Emsisoft 20160208
ESET-NOD32 20160208
F-Prot 20160129
F-Secure 20160208
Fortinet 20160208
GData 20160208
Ikarus 20160208
Jiangmin 20160208
K7AntiVirus 20160208
K7GW 20160208
Kaspersky 20160208
Malwarebytes 20160208
McAfee 20160208
McAfee-GW-Edition 20160208
Microsoft 20160208
eScan 20160208
NANO-Antivirus 20160208
nProtect 20160205
Panda 20160208
Qihoo-360 20160208
Rising 20160208
Sophos AV 20160208
SUPERAntiSpyware 20160208
Symantec 20160208
Tencent 20160208
TheHacker 20160208
TotalDefense 20160208
TrendMicro 20160208
TrendMicro-HouseCall 20160208
VBA32 20160208
VIPRE 20160208
ViRobot 20160208
Zillya 20160208
Zoner 20160208
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (C) 2007-2014 Ariolic Software, Ltd.

Product Complete File Recovery
Original name CFRecovery.exe
Internal name CompleteFileRecovery
File version 1, 7, 0, 140
Description Deleted file recovery
Comments Website: http://www.CompleteFileRecovery.com
Signature verification Signed file, verified signature
Signing date 3:30 PM 9/14/2014
Signers
[+] Ariolic Software Ltd
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer COMODO Code Signing CA 2
Valid from 1:00 AM 9/17/2013
Valid to 12:59 AM 9/18/2014
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 07957B19E3B595172B43F1297B78958348E4B941
Serial number 14 B7 23 39 0C E3 C5 D4 1A 7F 66 C3 3F EE B0 DD
[+] COMODO Code Signing CA 2
Status Valid
Issuer UTN-USERFirst-Object
Valid from 1:00 AM 8/24/2011
Valid to 11:48 AM 5/30/2020
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint B64771392538D1EB7A9281998791C14AFD0C5035
Serial number 10 70 9D 4F F5 54 08 D7 30 60 01 D8 EA 91 75 BB
[+] USERTrust (Code Signing)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT Aspack
PEiD ASProtect v1.23 RC1
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-09-14 14:30:27
Entry Point 0x00001000
Number of sections 7
PE sections
Overlays
MD5 0efd9a71e69157ea12292fad16c38a25
File type data
Offset 2497024
Size 6144
Entropy 7.35
PE imports
RegDeleteValueW
ImageList_GetIconSize
GetFileTitleW
CreatePen
GdipGetImageGraphicsContext
ImmReleaseContext
GetProcAddress
GetModuleHandleA
LoadLibraryA
RaiseException
AlphaBlend
OleInitialize
AccessibleObjectFromWindow
SysStringLen
VariantChangeTypeEx
OleUIBusyW
SHGetDesktopFolder
PathFindExtensionW
ReleaseCapture
VerQueryValueW
PlaySoundW
DocumentPropertiesW
Number of PE resources by type
RT_ICON 32
RT_STRING 29
RT_BITMAP 26
RT_GROUP_ICON 26
RT_CURSOR 25
RT_GROUP_CURSOR 20
RT_HTML 18
RT_DIALOG 14
LANGUAGE 3
RT_MENU 2
XML 1
Struct(241) 1
RT_MANIFEST 1
DEF_JPG 1
AVI 1
RT_ACCELERATOR 1
RT_VERSION 1
Number of PE resources by language
NEUTRAL DEFAULT 116
ENGLISH US 78
UKRAINIAN DEFAULT 6
GERMAN 1
JAPANESE DEFAULT 1
PE resources
ExifTool file metadata
SubsystemVersion
5.1

Comments
Website: http://www.CompleteFileRecovery.com

InitializedDataSize
2481664

ImageVersion
0.0

ProductName
Complete File Recovery

FileVersionNumber
1.7.0.140

UninitializedDataSize
0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

ImageFileCharacteristics
No relocs, Executable, 32-bit

CharacterSet
Unicode

LinkerVersion
10.0

FileTypeExtension
exe

OriginalFileName
CFRecovery.exe

MIMEType
application/octet-stream

Subsystem
Windows GUI

FileVersion
1, 7, 0, 140

TimeStamp
2014:09:14 15:30:27+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
CompleteFileRecovery

ProductVersion
1, 7, 0, 140

FileDescription
Deleted file recovery

OSVersion
5.1

FileOS
Win32

LegalCopyright
Copyright (C) 2007-2014 Ariolic Software, Ltd.

MachineType
Intel 386 or later, and compatibles

CompanyName
Ariolic Software, Ltd.

CodeSize
2839040

FileSubtype
0

ProductVersionNumber
1.7.0.140

EntryPoint
0x1000

ObjectFileType
Executable application

Execution parents
File identification
MD5 e1b1f2bc66794c89904bb332dc2683d3
SHA1 d4a12064331d7530a3fa37b31c420e31763f654a
SHA256 29a5b019120ec7199941f63529004394676fe5af4cd9764ab916e2f43836ba33
ssdeep
49152:H7+QPAXxHloZlgGTgHf5S7fISLdQVWW4yOW+MoYyqkdCVjiAf:H7+dXxHmZl1gRKASHlW+MXyHCY

authentihash 7aaca28e6eea05c9974a63918195de8e88d5e8f581d2d47e49e5fc6b144465a6
imphash ee195ad9d8332ab146df7285b4d370c6
File size 2.4 MB ( 2503168 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Dynamic Link Library (generic) (38.4%)
Win32 Executable (generic) (26.3%)
OS/2 Executable (generic) (11.8%)
Generic Win/DOS Executable (11.6%)
DOS Executable Generic (11.6%)
Tags
peexe asprotect aspack signed overlay

VirusTotal metadata
First submission 2014-09-20 02:22:56 UTC ( 4 years, 6 months ago )
Last submission 2018-05-12 00:36:13 UTC ( 10 months, 2 weeks ago )
File names cfrecovery17.exe
cfrecovery17.exe
CompleteFileRecovery
29a5b019120ec7199941f63529004394676fe5af4cd9764ab916e2f43836ba33
CFRecovery.exe
cfrecovery17.exe
29A5B019120EC7199941F63529004394676FE5AF4CD9764AB916E2F43836BA33
553784
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua

Symantec reputation Suspicious.Insight
Behaviour characterization
Zemana
dll-injection

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Searched windows
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers using the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done using the SetWindowsHook Windows API function.
UDP communications