staff-win7_win8_winserver.exe

Kaspersky Security Center

Kaspersky Lab ZAO

This is a setup and installation application. It is set to start automatically when a user logs into Windows, via the current user Run registry key under the display name 'KLPkInst_48903cc8-9d0e-4ffb-a426-02ec9e0f0f11'. The file has been seen being downloaded from antivirus.utm.my.
Publisher:
Kaspersky Lab ZAO

Product:
Kaspersky Security Center

Description:
Kaspersky Security Center Self-Extracting Installation Package

Version:
10.0.3361.0

MD5:
94d328230ffe5bff2075d8327fe1129c

SHA-1:
0889ac9e548934401dc3dc2d4463efe7ea58ee4e

SHA-256:
971c2349f5dbd5b5dd5d3b3a85e2dce8bf1c48c919e89c4fb20cd5c28b728db2

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)

Analysis date:
11/6/2024 3:46:21 AM UTC

File size:
387.4 MB (406,174,179 bytes)

Product version:
10.0.3361.0

Copyright:
© 2013 Kaspersky Lab ZAO. All Rights Reserved.

Trademarks:
Registered trademarks and service marks are the property of their respective owners

Original file name:
KLPKINST.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\staff-win7_win8_winserver.exe

File PE Metadata
Compilation timestamp:
1/22/2013 11:20:23 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12582912:I3y053d+rJvHgD//dbpq7M5+CMxu0CAFWuRuFk:ICo3qvHe/ltqrCMg0/FWQuFk

Entry address:
0xAE23D

Entry point:
E8, F6, DD, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 56, 8B, 75, 08, 8B, 86, BC, 00, 00, 00, 33, DB, 57, 3B, C3, 74, 6F, 3D, B8, 21, 57, 00, 74, 68, 8B, 86, B0, 00, 00, 00, 3B, C3, 74, 5E, 39, 18, 75, 5A, 8B, 86, B8, 00, 00, 00, 3B, C3, 74, 17, 39, 18, 75, 13, 50, E8, 1A, B7, FF, FF, FF, B6, BC, 00, 00, 00, E8, 74, E6, 00, 00, 59, 59, 8B, 86, B4, 00, 00, 00, 3B, C3, 74, 17, 39, 18, 75, 13, 50, E8, F9, B6, FF, FF, FF, B6, BC, 00, 00, 00, E8, 44, E4, 00, 00, 59, 59, FF, B6, B0, 00, 00, 00, E8, E1...
 

Entropy:
7.9876  (probably packed)

Code size:
1.1 MB (1,191,424 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
KLPkInst_48903cc8-9d0e-4ffb-a426-02ec9e0f0f11

Command:
"C:\users\{user}\downloads\staff-win7_win8_winserver.exe" -klpi$id 48903cc8-9d0e-4ffb-a426-02ec9e0f0f11 -tl 4


The file staff-win7_win8_winserver.exe has been seen being distributed by the following URL.
