mr1_staff_kl.exe

Kaspersky Security Center

Kaspersky Lab ZAO

This is a self-extracting archive and installer. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘KLPkInst_37979754-72af-4931-93d2-d2d8c152c7b4’. The file has been seen being downloaded from antivirus.utm.my.
Publisher:
Kaspersky Lab ZAO

Product:
Kaspersky Security Center

Description:
Kaspersky Security Center Self-Extracting Installation Package

Version:
10.0.3361.0

MD5:
7b2c4147f83aff8d20fc560899bb6bc1

SHA-1:
2e442908dc323dd097f5d01877ea6561dd43290d

SHA-256:
a3f1efc47bfa9f66da8187a894e06be955511726722ae75bbc4733f973d1c4df

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)

Analysis date:
11/26/2024 7:50:23 AM UTC  (today)

File size:
387.4 MB (406,174,179 bytes)

Product version:
10.0.3361.0

Copyright:
© 2013 Kaspersky Lab ZAO. All Rights Reserved.

Trademarks:
Registered trademarks and service marks are the property of their respective owners

Original file name:
KLPKINST.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\mr1_staff_kl.exe

File PE Metadata
Compilation timestamp:
1/22/2013 11:20:23 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12582912:S3y053d+rJvHgD//dbpq7M5+CMxu0CAFnzRuFk:SCo3qvHe/ltqrCMg0/FnluFk

Entry address:
0xAE23D

Entry point:
E8, F6, DD, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 56, 8B, 75, 08, 8B, 86, BC, 00, 00, 00, 33, DB, 57, 3B, C3, 74, 6F, 3D, B8, 21, 57, 00, 74, 68, 8B, 86, B0, 00, 00, 00, 3B, C3, 74, 5E, 39, 18, 75, 5A, 8B, 86, B8, 00, 00, 00, 3B, C3, 74, 17, 39, 18, 75, 13, 50, E8, 1A, B7, FF, FF, FF, B6, BC, 00, 00, 00, E8, 74, E6, 00, 00, 59, 59, 8B, 86, B4, 00, 00, 00, 3B, C3, 74, 17, 39, 18, 75, 13, 50, E8, F9, B6, FF, FF, FF, B6, BC, 00, 00, 00, E8, 44, E4, 00, 00, 59, 59, FF, B6, B0, 00, 00, 00, E8, E1...
 
[+]

Entropy:
7.9876  (probably packed)

Code size:
1.1 MB (1,191,424 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
KLPkInst_37979754-72af-4931-93d2-d2d8c152c7b4

Command:
"C:\users\{user}\downloads\mr1_staff_kl.exe" -klpi$id 37979754-72af-4931-93d2-d2d8c152c7b4 -tl 4


The file mr1_staff_kl.exe has been seen being distributed by the following URL.

Scan mr1_staff_kl.exe - Powered by Reason Core Security