× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 95bbdad74c9498dc4847f6e4fbb2009107e3d0b604cd41a9805650af794982d1
File name: kvisoft-dr-trial.exe
Detection ratio: 0 / 47
Analysis date: 2013-11-18 11:09:51 UTC ( 5 months ago ) View latest
Probably harmless! There are strong indicators suggesting that this file is safe to use.
Antivirus Result Update
AVG 20131118
Agnitum 20131118
AhnLab-V3 20131118
AntiVir 20131118
Antiy-AVL 20131118
Avast 20131118
Baidu-International 20131118
BitDefender 20131118
Bkav 20131118
ByteHero 20131118
CAT-QuickHeal 20131118
ClamAV 20131118
Commtouch 20131118
Comodo 20131118
DrWeb 20131118
ESET-NOD32 20131118
Emsisoft 20131118
F-Prot 20131118
F-Secure 20131118
Fortinet 20131118
GData 20131118
Ikarus 20131118
Jiangmin 20131118
K7AntiVirus 20131118
K7GW 20131118
Kaspersky 20131118
Kingsoft 20130829
Malwarebytes 20131118
McAfee 20131118
McAfee-GW-Edition 20131117
MicroWorld-eScan 20131118
Microsoft 20131118
NANO-Antivirus 20131118
Norman 20131118
Panda 20131118
Rising 20131118
SUPERAntiSpyware 20131118
Sophos 20131118
Symantec 20131118
TheHacker 20131118
TotalDefense 20131115
TrendMicro 20131118
TrendMicro-HouseCall 20131118
VBA32 20131118
VIPRE 20131118
ViRobot 20131118
nProtect 20131118
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
Copyright

Publisher Kvisoft Co.
Product Kvisoft Data Recovery
File version 1.5.2
Description Kvisoft Data Recovery Setup
Comments This installation was built with Inno Setup.
Signature verification Signed file, verified signature
Signing date 10:14 AM 10/29/2013
Signers
[+] Kvisoft Co.
Status Valid
Valid from 1:00 AM 7/24/2012
Valid to 12:59 AM 7/25/2014
Valid usage Code Signing, 1.3.6.1.4.1.311.2.1.22
Algorithm SHA1
Thumbrint FA082EA8A954D7754DF24A931AC9F95508145F51
Serial number 0D D1 FA 9B 80 33 DD 67 5D 1E 91 3F 05 8B F0 19
[+] Thawte Code Signing CA - G2
Status Valid
Valid from 1:00 AM 2/8/2010
Valid to 12:59 AM 2/8/2020
Valid usage Client Auth, Code Signing
Algorithm SHA1
Thumbrint 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7
Serial number 47 97 4D 78 73 A5 BC AB 0D 2F B3 70 19 2F CE 5E
[+] thawte
Status Valid
Valid from 1:00 AM 11/17/2006
Valid to 12:59 AM 7/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm SHA1
Thumbrint 91C6D6EE3E8AC86384E548C299295C756C817B81
Serial number 34 4E D5 57 20 D5 ED EC 49 F4 2F CE 37 DB 2B 6D
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm SHA1
Thumbrint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm SHA1
Thumbrint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm MD5
Thumbrint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT INNO, INNO, INNO, Aspack, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO, INNO
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17
Entry Point 0x00009C40
Number of sections 8
PE sections
PE imports
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegQueryValueExA
AdjustTokenPrivileges
RegOpenKeyExA
InitCommonControls
GetSystemTime
GetLastError
GetEnvironmentVariableA
GetStdHandle
EnterCriticalSection
GetUserDefaultLangID
GetSystemInfo
GetFileAttributesA
GetExitCodeProcess
ExitProcess
CreateDirectoryA
VirtualProtect
GetVersionExA
RemoveDirectoryA
RtlUnwind
LoadLibraryA
DeleteCriticalSection
GetCurrentProcess
SizeofResource
GetLocaleInfoA
LocalAlloc
LockResource
IsDBCSLeadByte
DeleteFileA
GetWindowsDirectoryA
GetSystemDefaultLCID
SetErrorMode
MultiByteToWideChar
GetCommandLineA
GetProcAddress
FormatMessageA
SetFilePointer
RaiseException
WideCharToMultiByte
GetModuleHandleA
ReadFile
InterlockedExchange
WriteFile
CloseHandle
GetACP
GetFullPathNameA
LocalFree
CreateProcessA
GetModuleFileNameA
InitializeCriticalSection
LoadResource
VirtualQuery
VirtualFree
TlsGetValue
Sleep
GetFileType
SetEndOfFile
TlsSetValue
CreateFileA
FindResourceA
VirtualAlloc
GetFileSize
SetLastError
LeaveCriticalSection
SysStringLen
SysAllocStringLen
VariantCopyInd
VariantClear
VariantChangeTypeEx
CharPrevA
CreateWindowExA
LoadStringA
DispatchMessageA
CallWindowProcA
MessageBoxA
PeekMessageA
SetWindowLongA
MsgWaitForMultipleObjects
TranslateMessage
ExitWindowsEx
DestroyWindow
Number of PE resources by type
RT_ICON 10
RT_STRING 6
RT_MANIFEST 1
RT_RCDATA 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 13
NEUTRAL 7
ExifTool file metadata
UninitializedDataSize
0

Comments
This installation was built with Inno Setup.

LinkerVersion
2.25

ImageVersion
6.0

FileSubtype
0

FileVersionNumber
1.5.2.0

LanguageCode
Neutral

FileFlagsMask
0x003f

CharacterSet
Unicode

InitializedDataSize
518144

MIMEType
application/octet-stream

FileVersion
1.5.2

TimeStamp
1992:06:19 23:22:17+01:00

FileType
Win32 EXE

PEType
PE32

SubsystemVersion
4.0

FileAccessDate
2014:04:14 17:08:16+01:00

ProductVersion
1.5.2

FileDescription
Kvisoft Data Recovery Setup

OSVersion
1.0

FileCreateDate
2014:04:14 17:08:16+01:00

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
http://www.kvisoft.com

CodeSize
37888

ProductName
Kvisoft Data Recovery

ProductVersionNumber
1.5.2.0

EntryPoint
0x9c40

ObjectFileType
Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
File identification
MD5 ec72b3d0022482d5cc40f2eac890f2e0
SHA1 82e50e1023acb4a03f06e8b5e197f77754532e1c
SHA256 95bbdad74c9498dc4847f6e4fbb2009107e3d0b604cd41a9805650af794982d1
ssdeep
196608:fMCQc2J0vl7IYC6HNiNe9jhF/QdhqqCBFioDs55wqeE:fMdlIhIiHNiNOjhZGCiZcBE

imphash 884310b1928934402ea6fec1dbd3cf5e
File size 8.7 MB ( 9094648 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Inno Setup installer (91.1%)
Win32 Executable (generic) (3.7%)
Win16/32 Executable Delphi generic (1.7%)
Generic Win/DOS Executable (1.6%)
DOS Executable Generic (1.6%)
Tags
peexe aspack signed

VirusTotal metadata
First submission 2013-11-17 14:44:02 UTC ( 5 months ago )
Last submission 2013-12-28 12:32:58 UTC ( 3 months, 3 weeks ago )
File names kvisoft-dr-trial.exe
file-6229044_exe
kvisoft-dr-trial.exe
kvisoft-dr-trial_2.exe
kvisoft-dr-trial (2).exe
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created processes
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.