SHA256: ce08151ead515c2f0b4ff9bf542033d8fd72155dbc149faaf617ba1616c22e7b
File name: mklif.sys_X64_NT602
Detection ratio: 0 / 46
Analysis date: 2013-05-20 07:15:05 UTC ( 5 years ago )
Antivirus Result Update (the Result column is empty for every engine: none of the 46 returned a detection)
Yandex 20130519
AhnLab-V3 20130520
AntiVir 20130519
Antiy-AVL 20130519
Avast 20130520
AVG 20130520
BitDefender 20130520
ByteHero 20130517
CAT-QuickHeal 20130520
ClamAV 20130520
Commtouch 20130520
Comodo 20130520
DrWeb 20130520
Emsisoft 20130520
eSafe 20130516
ESET-NOD32 20130519
F-Prot 20130520
F-Secure 20130520
Fortinet 20130520
GData 20130520
Ikarus 20130520
Jiangmin 20130520
K7AntiVirus 20130517
K7GW 20130517
Kaspersky 20130520
Kingsoft 20130506
Malwarebytes 20130520
McAfee 20130520
McAfee-GW-Edition 20130519
Microsoft 20130520
eScan 20130520
NANO-Antivirus 20130520
Norman 20130520
nProtect 20130520
Panda 20130519
PCTools 20130520
Rising 20130517
Sophos AV 20130520
SUPERAntiSpyware 20130519
Symantec 20130520
TheHacker 20130519
TotalDefense 20130519
TrendMicro 20130520
TrendMicro-HouseCall 20130520
VBA32 20130518
VIPRE 20130520
ViRobot 20130520
The file being studied is a Portable Executable (PE32+) image built for the Native subsystem and the x64 architecture. Although labelled "Win32 EXE" in the file-type fields below, it is a kernel-mode driver (klif.sys, the Kaspersky Lab KLIF file-system mini-filter), not a user-mode executable.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright © Kaspersky Lab ZAO 1996-2013.

Publisher Kaspersky Lab
Product Kaspersky® Anti-Virus
Version 8.11.0.171
Original name KLIF
Internal name KLIF
File version 8.11.0.171
Description Klif Mini-Filter [fre_win8_x64]
Signature verification Signed file, verified signature
Signing date 4:12 PM 3/26/2013
Signers
[+] Kaspersky Lab
Status Valid
Issuer None
Valid from 1:00 AM 2/22/2013
Valid to 1:00 PM 4/28/2015
Valid usage Code Signing
Algorithm SHA1
Thumbprint 5698BCFAB92B567BDDFBB5B71AE1B35E2BC73571
Serial number 02 26 E6 BD A7 6D AE 71 1E 3D B2 32 1E 3B 53 08
[+] DigiCert High Assurance Code Signing CA-1
Status Valid
Issuer None
Valid from 1:00 PM 2/11/2011
Valid to 1:00 PM 2/10/2026
Valid usage Code Signing
Algorithm SHA1
Thumbprint E308F829DC77E80AF15EDD4151EA47C59399AB46
Serial number 02 C4 D1 E5 8A 4A 68 0C 56 8D A3 04 7E 7E 4D 5F
[+] DigiCert High Assurance EV Root CA
Status Valid
Issuer None
Valid from 8:20 PM 1/13/2010
Valid to 7:19 PM 9/30/2015
Valid usage All
Algorithm SHA1
Thumbprint 6751188F0E5563593233300564359411585B0C33
Serial number 07 27 58 3D
[+] GTE CyberTrust Global Root
Status Valid
Issuer None
Valid from 1:29 AM 8/13/1998
Valid to 12:59 AM 8/14/2018
Valid usage Email Protection, Client Auth, Server Auth, Code Signing
Algorithm MD5
Thumbprint 97817950D81C9670CC34D809CF794431367EF474
Serial number 01 A5
Counter signers
[+] COMODO Time Stamping Signer
Status Valid
Issuer None
Valid from 1:00 AM 5/10/2010
Valid to 12:59 AM 5/11/2015
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint 3DBB6DB5085C6DD5A1CA7F9CF84ECB1A3910CAC8
Serial number 47 8A 8E FB 59 E1 D8 3F 0C E1 42 D2 A2 87 07 BE
[+] UTN-USERFirst-Object
Status Valid
Issuer None
Valid from 9:09 AM 6/7/2005
Valid to 11:48 AM 5/30/2020
Valid usage All
Algorithm SHA1
Thumbprint 8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA
Serial number 42 1A F2 94 09 84 19 1F 52 0A 4B C6 24 26 A7 4B
[+] USERTrust
Status Valid
Issuer None
Valid from 11:48 AM 5/30/2000
Valid to 11:48 AM 5/30/2020
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm SHA1
Thumbprint 02FAF3E291435468607857694DF5E45B68851868
Serial number 01
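The "Valid" status shown for each certificate above is only meaningful relative to a point in time. The leaf certificate (Kaspersky Lab) expired on 4/28/2015 and the DigiCert EV root on 9/30/2015, yet the signature still verifies years later because the COMODO countersignature fixes the signing time, and Authenticode evaluates the signer chain at that trusted timestamp rather than at verification time. The following is an added example, not code from the report or from Kaspersky Lab, that models this rule with the validity windows printed above. It is a simplified model: it ignores revocation, the lifetime-signing EKU and time zones (the report does not state one), and the "view time" of 2018 is an assumption taken from the report's "5 years ago" annotations.

```python
from datetime import datetime

FMT = "%I:%M %p %m/%d/%Y"  # the date format used in the report

def cert(name, valid_from, valid_to, usage):
    """Validity window and usage copied from the signature block above."""
    return {"name": name, "from": datetime.strptime(valid_from, FMT),
            "to": datetime.strptime(valid_to, FMT), "usage": usage}

SIGNER_CHAIN = [
    cert("Kaspersky Lab", "1:00 AM 2/22/2013", "1:00 PM 4/28/2015", "Code Signing"),
    cert("DigiCert High Assurance Code Signing CA-1", "1:00 PM 2/11/2011", "1:00 PM 2/10/2026", "Code Signing"),
    cert("DigiCert High Assurance EV Root CA", "8:20 PM 1/13/2010", "7:19 PM 9/30/2015", "All"),
    cert("GTE CyberTrust Global Root", "1:29 AM 8/13/1998", "12:59 AM 8/14/2018", "Code Signing"),
]
TIMESTAMP_CHAIN = [
    cert("COMODO Time Stamping Signer", "1:00 AM 5/10/2010", "12:59 AM 5/11/2015", "Timestamp Signing"),
    cert("UTN-USERFirst-Object", "9:09 AM 6/7/2005", "11:48 AM 5/30/2020", "All"),
    cert("USERTrust", "11:48 AM 5/30/2000", "11:48 AM 5/30/2020", "Timestamp Signing"),
]
SIGNING_TIME = datetime.strptime("4:12 PM 3/26/2013", FMT)
REPORT_VIEW_TIME = datetime(2018, 6, 1)  # assumed: when the "5 years ago" labels were rendered

def chain_valid_at(chain, when):
    """Every certificate in the chain must cover the instant `when`."""
    return all(c["from"] <= when <= c["to"] for c in chain)

def leaf_allows(chain, purpose):
    """The end-entity certificate must carry the purpose being asserted."""
    return chain[0]["usage"] in (purpose, "All")

def signature_status(signing_time, signer_chain, timestamp_chain, now):
    """Simplified Authenticode rule: with a countersignature whose chain was
    valid at the signing time, the signer chain is judged at that time; without
    one, it is judged at `now`, so an expired signer certificate fails."""
    if timestamp_chain and chain_valid_at(timestamp_chain, signing_time) \
            and leaf_allows(timestamp_chain, "Timestamp Signing"):
        effective, basis = signing_time, "timestamp"
    else:
        effective, basis = now, "current time"
    ok = chain_valid_at(signer_chain, effective) and leaf_allows(signer_chain, "Code Signing")
    return {"valid": ok, "evaluated_at": basis}

if __name__ == "__main__":
    print(signature_status(SIGNING_TIME, SIGNER_CHAIN, TIMESTAMP_CHAIN, REPORT_VIEW_TIME))
    print(signature_status(SIGNING_TIME, SIGNER_CHAIN, [], REPORT_VIEW_TIME))
```

Run as written, the first call reports the signature valid (evaluated at the 2013 timestamp) while the second, with the countersignature removed, reports it invalid because three certificates in the signer chain had expired by 2018. The MD5 algorithm shown for the GTE CyberTrust Global Root is not a weakness of this chain: a root is trusted by its presence in the store, not by verifying its self-signature.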
PE header basic information
Target machine x64
Compilation timestamp 2013-03-26 15:05:41
Entry Point 0x0009D18C
Number of sections 9
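The fields above, and the LinkerVersion, OSVersion, SubsystemVersion, CodeSize and InitializedDataSize values in the ExifTool metadata further down, all come straight from the COFF and PE32+ optional headers. The following is an added example, not code from the report, showing how they are read and how the two data directories that matter for triage are checked: the security directory (present when an Authenticode blob is attached) and the CLR header (present only for managed code, which a native driver never has). The header bytes are constructed inline to echo the report's values; the real klif.sys is not embedded, and the security-directory offset and size used in the sample are placeholders.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
SUBSYSTEM_NAMES = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
DIR_SECURITY = 4         # Authenticode blob (value is a file offset, not an RVA)
DIR_COM_DESCRIPTOR = 14  # CLR header; non-zero only for managed (.NET) images

def build_pe32plus_header(machine, timestamp, nsections, entry, subsystem,
                          linker=(10, 0), osver=(6, 2), imgver=(6, 2),
                          subsysver=(6, 2), size_code=0, size_idata=0,
                          size_udata=0, security=(0, 0), clr=(0, 0)):
    """Constructed for this example: DOS header, PE signature, COFF header and
    a 240-byte PE32+ optional header with 16 data directories. No section
    table or code follows, so it parses but could never be loaded."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", machine, nsections, timestamp, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIIII", PE32PLUS_MAGIC, *linker, size_code, size_idata,
                      size_udata, entry, 0x1000)                  # ..., BaseOfCode
    opt += struct.pack("<QIIHHHHHHI", 0x140000000, 0x1000, 0x200, *osver, *imgver,
                       *subsysver, 0)                              # ..., Win32VersionValue
    opt += struct.pack("<IIIHHQQQQII", 0, 0, 0, subsystem, 0x4160,
                       0x40000, 0x1000, 0x100000, 0x1000, 0, 16)   # ..., NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[DIR_SECURITY], dirs[DIR_COM_DESCRIPTOR] = security, clr
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    assert len(opt) == 240
    return dos + b"PE\0\0" + coff + opt

def parse_pe_header(data):
    """Recover the header fields a triage report prints, from raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = pe + 4
    machine, nsections, ts, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lmaj, lmin, size_code, size_idata, size_udata, entry = \
        struct.unpack_from("<HBBIIII", data, opt)
    if magic != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ is handled here")
    osmaj, osmin, imaj, imin, ssmaj, ssmin = struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]

    def dir_present(i):
        return i < len(dirs) and dirs[i][1] != 0

    return {
        "target_machine": "x64" if machine == IMAGE_FILE_MACHINE_AMD64 else f"0x{machine:04X}",
        "pe_type": "PE32+",
        # TimeDateStamp is seconds since the Unix epoch in UTC; the ExifTool
        # line 2013:03:26 16:05:41+01:00 is the same instant in a local zone.
        "compilation_timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": f"0x{entry:08X}",
        "number_of_sections": nsections,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "linker_version": f"{lmaj}.{lmin}",
        "os_version": f"{osmaj}.{osmin}",
        "image_version": f"{imaj}.{imin}",
        "subsystem_version": f"{ssmaj}.{ssmin}",
        "code_size": size_code,
        "initialized_data_size": size_idata,
        "uninitialized_data_size": size_udata,
        "has_authenticode": dir_present(DIR_SECURITY),
        "has_clr_header": dir_present(DIR_COM_DESCRIPTOR),
    }

# Constructed sample echoing the report's values (security dir is a placeholder).
SAMPLE = build_pe32plus_header(
    machine=IMAGE_FILE_MACHINE_AMD64, timestamp=1364310341,  # 2013-03-26 15:05:41 UTC
    nsections=9, entry=0x9D18C, subsystem=1,
    size_code=519680, size_idata=129024, security=(0x96000, 0x2000))

if __name__ == "__main__":
    for k, v in parse_pe_header(SAMPLE).items():
        print(f"{k}: {v}")
```

Two caveats when reading these fields on a real sample: the compilation timestamp is written by the linker and is trivially forged, so the countersigned signing time in the Authenticode block is the only time value worth trusting; and an empty CLR data directory, as here, is the authoritative answer on whether an image is managed, regardless of what a file-type heuristic prints.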
PE sections
PE imports
FltParseFileNameInformation
FltCloseCommunicationPort
FltCreateSectionForDataScan
FltCreateFile
FltSetCallbackDataDirty
FltReadFile
FltGetVolumeProperties
FltClose
FltIsVolumeWritable
FltQueryInformationFile
FltBuildDefaultSecurityDescriptor
FltGetStreamContext
FltGetSectionContext
FltIsDirectory
FltAllocateContext
FltInitializePushLock
FltGetDestinationFileNameInformation
FltRegisterFilter
FltStartFiltering
FltCreateFileEx
FltDetachVolume
FltSetInformationFile
FltGetFileNameInformation
FltIsEcpFromUserMode
FltSetVolumeContext
FltSetInstanceContext
FltGetFileNameInformationUnsafe
FltIs32bitProcess
FltWriteFile
FltGetInstanceContext
FltUnregisterFilter
FltFreeCallbackData
FltEnumerateInstances
FltGetVolumeGuidName
FltObjectDereference
FltGetRequestorProcessIdEx
FltSetStreamContext
FltGetVolumeContext
FltReleaseFileNameInformation
FltCloseClientPort
FltAllocateCallbackData
FltCancelFileOpen
FltGetEcpListFromCallbackData
FltGetRequestorProcessId
FltObjectReference
FltGetVolumeFromInstance
FltEnumerateVolumes
FltReferenceFileNameInformation
FltSetStreamHandleContext
FltClearCallbackDataDirty
FltDeletePushLock
FltAllocatePoolAlignedWithTag
FltAcquirePushLockExclusive
FltGetVolumeName
FltFsControlFile
FltDeleteVolumeContext
FltFlushBuffers
FltGetRequestorProcess
FltCloseSectionForDataScan
FltGetVolumeFromFileObject
FltParseFileName
FltLockUserBuffer
FltGetRoutineAddress
FltRegisterForDataScan
FltReleaseContext
FltCreateCommunicationPort
FltGetStreamHandleContext
FltSendMessage
FltGetDiskDeviceObject
FltFreePoolAlignedWithTag
FltFreeSecurityDescriptor
FltReferenceContext
FltAcquirePushLockShared
FltCreateSystemVolumeInformationFolder
FltFindExtraCreateParameter
FltEnumerateVolumeInformation
FltReleasePushLock
FltPerformSynchronousIo
FltReuseCallbackData
KeQueryPerformanceCounter
FreeMibTable
GetUnicastIpAddressTable
EvAddRemoveItemsCollection
PstEnumProcesses
EfGetProcessFlags
PstSetImagePathProcess
EvGetTimeoutFilter
EvRegisterClient
PstGetFlagsProcess
EvClearCollection
EvRegisterCollectionClient
EvAttachInclusiveProcessListFilter
EvDisableFilterClient
EvSetOfflineLogStatusClient
EvFilterEventWithSet
PstUpdateFlagsProcess
EvGetVerdictFilter
PstLookupByPidProcess
KlGetStringRef
EvRegisterFilterClient
EfRemoveThread
EvCreateFilter
EvOpenFilterClient
PstReferenceProcess
PstGetUidProcess
EvAttachExclusiveProcessListFilter
TmngGetData
TmngFinishLog
TmngReset
EvFilterEventSetUsingParameter
EvUnregisterClientConnection
EvOpenClient
DlWaitForDataLog
DlResetLog
ComrUnregisterClient
EvGetIdClient
EfGetThreadCounter
EvUnregisterPermanentFiltersClient
EvGetPredicateFilter
EvProcessEventWithSet
EfReleaseThreadCounter
EvGetFlagsCollection
EfClearTrusted
EvGetContentUniformCollection
EvMatchCollection
EvSetOfflineQueueTimeoutClient
PstGetCommandLineProcess
EfForceReleaseThreadCounter
EvRemoveItemCollection
EvReleaseQueuedFilterIndication
EvAttachPredicateFilter
EvRegisterClientConnection
EvAttachPermanentIdFilter
ComrAttachClient
EvCalcEventParamsSize
DlReleaseLog
gTmngControl
PstReferenceImagePathProcess
EvGetFlagsClient
DlSetMaxSizeLog
EvGetEventsLostClient
EvGetOfflineQueueClient
EvGetTypeCollection
EfAddProcessCounter
EvGetIdCollection
EvSuspendClient
EvUpdateCollection
EvUnregisterFilterClient
FntProcessRenameOperation
PstGetStartingCurrentDirectoryProcess
EfReleaseProcessCounter
PstDereferenceProcess
EvProcessEventEx
EvUnregisterCollectionClient
EvProcessEventExAtDpcLevel
EvUnregisterClient
EvClearFilterSet
EvSaveClient
EvCalcFilterPredicateSize
EfGetThreadFlags
ComrRegisterClient
PstUnregisterFilter
PstGetContextProcess
EvRegisterCollection
PstGetStartTimeProcess
EvUnregisterCollection
DlPublishDataWithCallbackLog
EvAddItemCollection
EvAttachScheduleFilter
EvCreateConnection
EvDereferenceObject
EvFilterByEventId
KlDereferenceStringRef
EvOpenClientConnection
PstGetParentPidProcess
EvGetContentCollection
EvEnableFilterClient
EfAddThreadCounter
TmngFinishLogRestart
PstGetPidProcess
EvSaveCollection
DlShutdownLog
EvGetEventIdFilter
EvOpenCollection
EfRemoveProcess
EvFilterEventSetUsingProcessId
EvCheckForFacility
EvSetOfflineReadyStatusClient
DlGetMaxDataLengthLog
EvGetFlagsFilter
EvInitializeFilterSet
PstReferenceObjectProcess
EvUpdateUniformCollection
EvGetPermanentIdCollection
EvGetScheduleFilter
EvGetIdFilter
EvUnregisterAllFiltersClient
EvOpenCollectionClient
EvCreateClient
EvCreateExVerdict
EfGet2ProcessCounters
PstRegisterFilter
EvOpenPermanentFilterClient
DlCreateLog
EvGetPermanentIdFilter
EvSetMaxQueueDepthClient
EvCreateCollection
EvAddRemoveItemsUniformCollection
PstGetStartingUserSidProcess
TmngSetType
EvAttachVerdictFilter
EvResumeClient
LsaGetLogonSessionData
FsRtlIsNameInExpression
PsGetProcessWin32WindowStation
PsGetCurrentProcessWow64Process
ZwOpenKey
rand
RtlAppendUnicodeStringToString
ExRundownCompleted
PsRemoveCreateThreadNotifyRoutine
RtlInitializeSid
RtlUpcaseUnicodeString
RtlSubAuthoritySid
IoRegisterPlugPlayNotification
ZwSaveKey
KeInitializeApc
IoDriverObjectType
IoGetAttachedDevice
KeUnstackDetachProcess
FsRtlAreVolumeStartupApplicationsComplete
RtlIpv6StringToAddressW
ExReleaseRundownProtection
SeExports
PsLookupThreadByThreadId
NlsMbOemCodePageTag
SeCreateClientSecurity
ExRundownCompletedCacheAware
PsProcessType
SeRegisterLogonSessionTerminatedRoutine
FsRtlCreateSectionForDataScan
InitializeSListHead
ZwQueryInformationThread
IoGetTopLevelIrp
RtlInsertElementGenericTable
PsGetVersion
KeRemoveQueue
IoWMIRegistrationControl
KeInsertQueueApc
RtlCopySid
PsTerminateSystemThread
IoGetCurrentProcess
RtlIntegerToUnicodeString
KeWaitForSingleObject
IoUnregisterShutdownNotification
RtlInitUnicodeString
CmGetCallbackVersion
SeQueryInformationToken
ExEventObjectType
KeSetEvent
ProbeForRead
RtlNtStatusToDosError
PsGetThreadProcessId
IoGetDeviceProperty
KeStackAttachProcess
RtlLookupElementGenericTableAvl
SeReleaseSubjectContext
ZwQueryInformationProcess
MmGetSystemRoutineAddress
KeAreApcsDisabled
RtlAppendUnicodeToString
ExInitializePagedLookasideList
PsGetProcessImageFileName
IoGetRelatedDeviceObject
IoThreadToProcess
MmUnmapViewInSystemSpace
MmSecureVirtualMemory
MmQuerySystemSize
PsGetThreadWin32Thread
LsaFreeReturnBuffer
MmIsThisAnNtAsSystem
PsReferenceProcessFilePointer
IoCreateFileSpecifyDeviceObjectHint
ZwSetInformationProcess
ExAllocateCacheAwareRundownProtection
ObfReferenceObject
strncmp
ZwReadFile
PsLookupProcessByProcessId
IoCreateFile
MmMapLockedPagesSpecifyCache
IoBuildSynchronousFsdRequest
IoGetDeviceObjectPointer
ExReleaseRundownProtectionCacheAware
_stricmp
PsGetProcessPeb
RtlGetElementGenericTableAvl
IoQueueThreadIrp
PsGetProcessWin32Process
KeSetPriorityThread
ZwOpenProcess
RtlEnumerateGenericTableWithoutSplayingAvl
ExReleaseFastMutexUnsafe
IoCreateDevice
ExReInitializeRundownProtection
ObReferenceObjectByName
IoGetStackLimits
IoDeleteDevice
strncpy
ZwDeleteKey
RtlLookupElementGenericTable
RtlInsertElementGenericTableAvl
RtlGetVersion
ExDeleteNPagedLookasideList
ZwNotifyChangeKey
MmMapViewOfSection
SeQueryAuthenticationIdToken
MmHighestUserAddress
ZwQuerySystemInformation
SeUnregisterLogonSessionTerminatedRoutine
_strnicmp
RtlNumberGenericTableElementsAvl
RtlIpv4StringToAddressW
RtlInitializeGenericTableAvl
KeLeaveCriticalRegion
RtlQueryRegistryValues
KeEnterCriticalRegion
ZwQueryValueKey
IoAllocateMdl
srand
IoGetDeviceAttachmentBaseRef
KeReleaseInStackQueuedSpinLock
ObOpenObjectByPointer
KeReadStateQueue
ZwOpenFile
KeAcquireInStackQueuedSpinLockAtDpcLevel
ZwSetEvent
PsCreateSystemThread
IoDeviceObjectType
IoGetBaseFileSystemDeviceObject
KeInsertQueue
ZwSetValueKey
ZwFlushVirtualMemory
ExFreeCacheAwareRundownProtection
ZwCreateSection
ObReferenceObjectByPointer
MmCreateSection
SeLocateProcessImageName
RtlCompareMemory
NtQueryInformationAtom
ExUuidCreate
RtlDowncaseUnicodeString
PsGetProcessInheritedFromUniqueProcessId
ExQueryDepthSList
CmUnRegisterCallback
RtlImageNtHeader
ExpInterlockedFlushSList
RtlWalkFrameChain
IoAllocateIrp
ExpInterlockedPopEntrySList
ZwQueryKey
KeInitializeEvent
KeReleaseInStackQueuedSpinLockFromDpcLevel
ZwTerminateProcess
RtlDeleteElementGenericTableAvl
PsSetLoadImageNotifyRoutine
KeAcquireInStackQueuedSpinLock
_vsnwprintf
ObOpenObjectByName
PsInitialSystemProcess
ObQueryNameString
ExInitializeNPagedLookasideList
__C_specific_handler
RtlUpcaseUnicodeChar
PsRemoveLoadImageNotifyRoutine
KeSetBasePriorityThread
MmProbeAndLockPages
ExDeletePagedLookasideList
KeWaitForMultipleObjects
IoBuildDeviceIoControlRequest
ExAcquireRundownProtection
RtlHashUnicodeString
KeClearEvent
ExAcquireFastMutexUnsafe
ExGetPreviousMode
PsGetThreadTeb
ExWaitForRundownProtectionRelease
IoIs32bitProcess
PsSetCreateThreadNotifyRoutine
ExInitializeRundownProtection
ZwFreeVirtualMemory
ZwQueryInformationFile
PsDereferenceImpersonationToken
RtlNtStatusToDosErrorNoTeb
ZwReplaceKey
ZwEnumerateValueKey
IoFileObjectType
ExAcquireRundownProtectionCacheAware
RtlLookupFunctionEntry
KeInitializeSpinLock
ObfDereferenceObject
ExDeleteLookasideListEx
PsReferencePrimaryToken
ZwAllocateVirtualMemory
RtlLengthSid
PsGetCurrentThreadId
MmUserProbeAddress
PsGetThreadId
IoCreateSymbolicLink
KeIsAttachedProcess
ZwRestoreKey
PsRevertToSelf
ExAllocatePoolWithTag
PsGetProcessId
IoOpenDeviceRegistryKey
swprintf
PsGetProcessSectionBaseAddress
PsDereferencePrimaryToken
ZwWaitForSingleObject
ZwCreateEvent
MmUnlockPages
ZwDeleteValueKey
MmUnmapViewOfSection
MmMapViewInSystemSpace
KeInitializeQueue
SeTokenType
ZwCreateFile
IoSetThreadHardErrorMode
KeQueryTimeIncrement
RtlAnsiStringToUnicodeString
ZwEnumerateKey
ExpInterlockedPushEntrySList
RtlCopyUnicodeString
KeAddSystemServiceTable
RtlIsGenericTableEmptyAvl
IoUnregisterPlugPlayNotification
ExSemaphoreObjectType
RtlDeleteElementGenericTable
RtlEnumerateGenericTable
SeImpersonateClientEx
ZwCreateKey
ZwMapViewOfSection
SeCaptureSubjectContext
IoRegisterShutdownNotification
InitSafeBootMode
RtlPrefixUnicodeString
IoDeleteSymbolicLink
ZwWaitForMultipleObjects
PsThreadType
MmUnmapLockedPages
KeBugCheckEx
KeRundownQueue
IofCompleteRequest
RtlEqualUnicodeString
FsRtlGetFileSize
NtBuildNumber
SeTokenObjectType
ProbeForWrite
PsGetContextThread
wcsstr
IoIsSystemThread
ExInitializeLookasideListEx
RtlRandomEx
ExFreePoolWithTag
ZwYieldExecution
SeMarkLogonSessionForTerminationNotification
PsGetProcessWow64Process
ZwUnmapViewOfSection
PsIsThreadTerminating
RtlxAnsiStringToUnicodeSize
MmUnsecureVirtualMemory
RtlCompareUnicodeString
IoGetAttachedDeviceReference
ExWaitForRundownProtectionReleaseCacheAware
ZwQueryVirtualMemory
PsGetCurrentProcessId
ObReferenceObjectByHandle
PsReferenceImpersonationToken
CmRegisterCallbackEx
MmIsAddressValid
KeDelayExecutionThread
ZwDuplicateObject
IofCallDriver
MmSystemRangeStart
RtlEnumerateGenericTableAvl
ZwClose
IoFreeMdl
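The import list above is printed without the exporting module, but the names alone already describe the driver's reach: Filter Manager registration and a user-mode communication port, file data-scan sections, thread-creation, image-load, registry and logon-session callbacks, APC queueing, and KeAddSystemServiceTable. The following is an added example, not code from the report or from Kaspersky Lab, of the capability triage a reviewer does over such a list: each tag fires only when every routine in its set is imported, so a single ubiquitous routine (ZwAllocateVirtualMemory on its own) produces no noise. The embedded list is a subset copied from the report; the tag names are this example's own wording, while the routine purposes are as documented for the Windows kernel and Filter Manager.

```python
# Subset of the import names listed above, copied from the report.
REPORTED_IMPORTS = [
    "FltRegisterFilter", "FltStartFiltering", "FltCreateCommunicationPort",
    "FltSendMessage", "FltRegisterForDataScan", "FltCreateSectionForDataScan",
    "PsSetCreateThreadNotifyRoutine", "PsSetLoadImageNotifyRoutine",
    "CmRegisterCallbackEx", "IoRegisterPlugPlayNotification",
    "SeRegisterLogonSessionTerminatedRoutine", "KeAddSystemServiceTable",
    "KeStackAttachProcess", "KeInitializeApc", "KeInsertQueueApc",
    "ZwOpenProcess", "ZwTerminateProcess", "ZwAllocateVirtualMemory",
    "MmGetSystemRoutineAddress", "FltGetRoutineAddress",
    "ZwSetValueKey", "ZwDeleteKey", "ExAllocatePoolWithTag", "RtlInitUnicodeString",
]

# A tag fires only when ALL routines in its set are present (conjunctive).
CAPABILITIES = {
    "fs-minifilter":               {"FltRegisterFilter", "FltStartFiltering"},
    "usermode-comm-port":          {"FltCreateCommunicationPort", "FltSendMessage"},
    "file-content-scan":           {"FltRegisterForDataScan", "FltCreateSectionForDataScan"},
    "thread-create-callback":      {"PsSetCreateThreadNotifyRoutine"},
    "image-load-callback":         {"PsSetLoadImageNotifyRoutine"},
    "registry-callback":           {"CmRegisterCallbackEx"},
    "pnp-notification":            {"IoRegisterPlugPlayNotification"},
    "logon-session-callback":      {"SeRegisterLogonSessionTerminatedRoutine"},
    "extra-syscall-table":         {"KeAddSystemServiceTable"},
    "cross-process-attach":        {"KeStackAttachProcess"},
    "process-memory-manipulation": {"ZwOpenProcess", "ZwAllocateVirtualMemory"},
    "apc-queueing":                {"KeInitializeApc", "KeInsertQueueApc"},
    "process-termination":         {"ZwOpenProcess", "ZwTerminateProcess"},
    "dynamic-api-resolution":      {"MmGetSystemRoutineAddress", "FltGetRoutineAddress"},
}

# Tags worth a close look even in a signed security product: they let the
# driver run code in other thread contexts or extend the system-call table.
REVIEW_FIRST = {"extra-syscall-table", "apc-queueing", "process-memory-manipulation"}

def triage_imports(imports):
    """Map an import-name list to {tag: [routines that triggered it]}."""
    present = set(imports)
    return {tag: sorted(req) for tag, req in CAPABILITIES.items() if req <= present}

def review_first(hits):
    """Tags from `hits` that a reviewer should examine before the rest."""
    return sorted(t for t in hits if t in REVIEW_FIRST)

def summarize(imports):
    hits = triage_imports(imports)
    lines = [f"{tag}: {', '.join(routines)}" for tag, routines in sorted(hits.items())]
    flagged = review_first(hits)
    if flagged:
        lines.append("review first: " + ", ".join(flagged))
    return "\n".join(lines)

if __name__ == "__main__":
    print(summarize(REPORTED_IMPORTS))
```

For a security product every one of these tags is expected; the same output from an unsigned driver with a generic version block would be a different matter. The check is about the combination and the signer, never the routine names alone.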
Number of PE resources by type
RT_VERSION 1
Number of PE resources by language
ENGLISH US 1
PE resources
ExifTool file metadata
SubsystemVersion
6.2

LinkerVersion
10.0

ImageVersion
6.2

FileSubtype
7

FileVersionNumber
8.11.0.171

UninitializedDataSize
0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

CharacterSet
Unicode

InitializedDataSize
129024

FileOS
Windows NT 32-bit

MIMEType
application/octet-stream

LegalCopyright
Copyright Kaspersky Lab ZAO 1996-2013.

FileVersion
8.11.0.171

TimeStamp
2013:03:26 16:05:41+01:00

FileType
Win64 EXE

PEType
PE32+

InternalName
KLIF

FileAccessDate
2013:05:20 08:15:23+01:00

ProductVersion
8.11.0.171

FileDescription
Klif Mini-Filter [fre_win8_x64]

OSVersion
6.2

FileCreateDate
2013:05:20 08:15:23+01:00

OriginalFilename
KLIF

Subsystem
Native

MachineType
AMD AMD64

CompanyName
Kaspersky Lab ZAO

CodeSize
519680

ProductName
Kaspersky Anti-Virus

ProductVersionNumber
8.11.0.171

EntryPoint
0x9d18c

ObjectFileType
Driver

File identification
MD5 1c1c504316f52184d2e6272f143035a3
SHA1 07e8e7bc9904869fee1139dd3f237cb05a73ff34
SHA256 ce08151ead515c2f0b4ff9bf542033d8fd72155dbc149faaf617ba1616c22e7b
ssdeep
12288:EXbKS3htCLWGOxUsyqxyysKvrswlbrOxebqHMJ1zo9U:wbJRtCLqnIAPrseGsJ1QU

File size 605.1 KB ( 619616 bytes )
File type Win32 EXE
Magic literal
PE32+ executable for MS Windows (native) Mono/.Net assembly (the "Mono/.Net assembly" part is a known libmagic misidentification of PE32+ images, which read the data directories at the PE32 offsets; a native kernel driver has no CLR header, and the "assembly" tag below most likely inherits the same error)

TrID Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
Tags
64bits peexe assembly signed native

VirusTotal metadata
First submission 2013-04-22 17:05:38 UTC ( 5 years, 1 month ago )
Last submission 2013-05-20 07:15:05 UTC ( 5 years ago )
File names klif.sys
vt-upload-tZpzV
klif.sys
KLIF
mklif.sys_X64_NT602
klif.sys
vt-upload-obMHUi
klif.sys
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight (a prevalence-based reputation verdict returned for files Symantec has seen on few machines, not a signature match; it does not contradict the 0/46 result above)