do_application_start.exe

Kpi Media Group

The application do_application_start.exe has been flagged as a potentially unwanted program by 3 anti-malware scanners. It is a setup program used to install the advertised application, but it also installs potentially unwanted software on the PC alongside the software the user intended to install, without adequate consent. The file has been observed being downloaded from intva6.routinetrends.com and multiple other hosts.
Publisher:
Kpi Media Group

Product:
Kpi Media Group

Version:
83.0.1.1579

MD5:
51100901c0122d3ac434e97372167a88

SHA-1:
eabdd93c490987a0baa1497880fe16bf516c2db2

SHA-256:
3896f1cc62145cb1fa6b61e23aa5b9b7863bcc6e1666c1551c5bd7ff1413cfa6

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
11/15/2024 12:32:18 AM UTC

Scan engine   Detection                                               Engine version
avast!        Win32:Malware-gen                                       160327-1
ESET NOD32    Win32/DownloadAdmin.Q potentially unwanted application  7.0.302.0
Norman        Gen:Variant.Application.Bundler.DownloadAdmin.9         02.04.2016 17:35:19

File size:
887.3 KB (908,544 bytes)

Product version:
83.0.1.1579

Copyright:
Copyright (C) 2015

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\do_application_start.exe

File PE Metadata
Compilation timestamp:
5/2/2015 5:03:31 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:gHmnzD+eEyfguQPCAyerl1Fl39+LaentsG4+CjeeCvDneHslu84M+/nZsSHszYiL:gkwoQr/ztEfeCLyslu8V+/nZPHscFCp

Entry address:
0x4E16

Entry point:
E8, A5, 93, 00, 00, E9, A7, 8C, 00, 00, FF, 25, 08, 63, 4C, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 44, 24, 0C, 8A, 4C, 24, 04, 56, 8B, 74, 24, 0C, 88, 0C, 06, 8A, 0E, 40, 80, F9, 0D, 0F, 84, BA, 00, 00, 00, 80, F9, 3D, 74, 3C, 80, F9, 09, 74, 12, 80, F9, 1F, 0F, 86, C2, 00, 00, 00, 80, F9, 7F, 0F, 83, B9, 00, 00, 00, 57, 8B, 7C, 24, 18, 8D, 97, 0C, 02, 00, 00, 39, 17, 72, 09, 57, E8, 33, E5, FF, FF, 83, C4, 04, 8B, 07, 8A, 0E, 88, 08, FF, 07, 5F, 33, C0, 5E, C3, 83, F8, 03, 0F, 82, 8D, 00, 00, 00...

Entropy:
7.9654

Packer / compiler:
PEQuake V0.06

Code size:
56.5 KB (57,856 bytes)

The file do_application_start.exe has been seen being distributed by the following 3 URLs.

http://intva6.routinetrends.com/dl-pure?&usefilename=true&hashstring=jb42016&signature_id=0&_action_=getbin&filename=kmplayer-setup-100191043.exe&checksum=116938

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-52-72-109-137.compute-1.amazonaws.com (52.72.109.137:80)

Remove do_application_start.exe - Powered by Reason Core Security