Malware analysis Kaspersky.exe Malicious activity | ANY.RUN

Add for printing

File name:	Kaspersky.exe
Full analysis:	https://app.any.run/tasks/a5c1b92f-226d-4a37-9e7e-7737bf2a4cf7
Verdict:	Malicious activity
Analysis date:	June 05, 2025, 10:17:36
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	F8DF6F7CC62A9BBA4324194E2BB97B62
SHA1:	561365F81FCB3CE2F9F7DEDC0A786F6663BE63C6
SHA256:	1F9A2DA36A805C62B001A79634D273871275AC36A325D6862E5AB286E1CD5DAA
SSDEEP:	24576:EZeSSDQls3nRjkmDw6jVYgFqSTt49Mm/wyzvyF9y/NgZuUxyDnMS/CkSxs9uYC5y:EZeSSDQs3RjkmDw6jVYgFqSTt49Mm/ws

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the login/logoff helper path in the registry
  - Kaspersky.exe (PID: 7048)
- Disables task manager
  - Kaspersky.exe (PID: 7048)
SUSPICIOUS
- Changes the desktop background image
  - Kaspersky.exe (PID: 7048)
INFO
- Reads the computer name
  - Kaspersky.exe (PID: 7048)
- Reads the machine GUID from the registry
  - Kaspersky.exe (PID: 7048)
- Reads the software policy settings
  - slui.exe (PID: 760)
- Checks supported languages
  - Kaspersky.exe (PID: 7048)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2077:02:22 16:25:04+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	760320
InitializedDataSize:	117248
UninitializedDataSize:	-
EntryPoint:	0xbb942
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	Rasomware2.0
FileVersion:	1.0.0.0
InternalName:	Kaspersky.exe
LegalCopyright:	Copyright © 2020
LegalTrademarks:	-
OriginalFileName:	Kaspersky.exe
ProductName:	Rasomware2.0
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

132

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

760

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

3140

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

5960

"C:\Users\admin\AppData\Local\Temp\Kaspersky.exe"

C:\Users\admin\AppData\Local\Temp\Kaspersky.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Rasomware2.0

Exit code:

3221226540

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\kaspersky.exe
c:\windows\system32\ntdll.dll

6584

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

7048

"C:\Users\admin\AppData\Local\Temp\Kaspersky.exe"

C:\Users\admin\AppData\Local\Temp\Kaspersky.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

Rasomware2.0

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\kaspersky.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

644

Read events

641

Write events

Delete events

Modification events


(PID) Process:	(7048) Kaspersky.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	DisableTaskMgr
Value: 1
(PID) Process:	(7048) Kaspersky.exe	Key:	HKEY_CURRENT_USER\Control Panel\Desktop
Operation:	write	Name:	Wallpaper
Value:
(PID) Process:	(7048) Kaspersky.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	Shell
Value: empty

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7048	Kaspersky.exe	C:\Users\admin\Desktop\administrationships.jpg		binary
		MD5:11A38F10F748522A7FC0D65358D3347E	SHA256:FE3A60E280211BAA27719B3800002288333AC92E6EA137710D2DA27A88357D43
7048	Kaspersky.exe	C:\Users\admin\Desktop\feedbackeither.rtf		binary
		MD5:88B8865801DABE5292A017F7608201B5	SHA256:28F434186D242114DFD45A01EC60AF8DC9A433D1EEF06913793B99C0A33AF05E
7048	Kaspersky.exe	C:\Users\admin\Desktop\coffeesite.png		binary
		MD5:CDEB9A974DE1F0065404646B49AC5F74	SHA256:2653F06D2BC83BFFCC881302288B612C5924715B8785A54B5C576AB5988883D9
7048	Kaspersky.exe	C:\Users\admin\Desktop\searchgraduate.rtf		binary
		MD5:C0B181E1353F623B4D556B4BC2FC16E7	SHA256:74ACB52AD0161DEE94893B85826EC1E136FB3906C07DC85A75205685D02443C2
7048	Kaspersky.exe	C:\Users\admin\Desktop\shegraphics.jpg		binary
		MD5:6E5BBB84A13C5C32A735AEAA4499F098	SHA256:6BDC20F074CF1446734AB38AEA9CBC2224239CBA83E36CD7CE1B4654B0C5D7DA
7048	Kaspersky.exe	C:\Users\admin\Downloads\chinacomplete.jpg		binary
		MD5:9446CA524186F67F3F226F6A56C4DF9F	SHA256:192819475DBD44DED071F6F99CE995680BB49EE4A4ED56CBCA73CB5A04FF8408
7048	Kaspersky.exe	C:\Users\admin\Downloads\blogswithout.jpg		binary
		MD5:5F23423FCFE4FCEDEF3780B6753B8E28	SHA256:390C75192D8B9A00FB3BFEEF16277FEC0E3E61C01C773E39F7DD9E34FA1033D3
7048	Kaspersky.exe	C:\Users\admin\Downloads\collectionhands.png		binary
		MD5:8081F91A7CB8A9906D2391813AC4C009	SHA256:FB3E646695B2F1B88A3E52530C7328A365D2280B9EBD6C4CF4F22B2706BF06E2
7048	Kaspersky.exe	C:\Users\admin\Desktop\sancard.rtf		binary
		MD5:9C7DCDFE9AFFA86ECA19F814D64923AE	SHA256:140300F57A76665AE8F86D0ECDEF313407C86232EDFD0702898278E959E45A4A
7048	Kaspersky.exe	C:\Users\admin\Desktop\ordersdouble.jpg		binary
		MD5:AB58F9315F71BD373CC2E8222AC84B0B	SHA256:6CA041873C67CCA22C9BA91A6FC90D3D5D9E779BF8B1C14A54CDBED10B8FF6BD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.22.98.7:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1616	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1616	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
472	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7872	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	40.126.32.138:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.22.98.7:80	ocsp.digicert.com	AKAMAI-AS	GB	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.185.78	whitelisted
crl.microsoft.com	23.32.238.107 23.32.238.112	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
login.live.com	40.126.32.138 20.190.160.4 20.190.160.128 40.126.32.133 40.126.32.134 40.126.32.136 20.190.160.2 20.190.160.66	whitelisted
ocsp.digicert.com	2.22.98.7	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Kaspersky.exe

F8DF6F7CC62A9BBA4324194E2BB97B62

561365F81FCB3CE2F9F7DEDC0A786F6663BE63C6

1F9A2DA36A805C62B001A79634D273871275AC36A325D6862E5AB286E1CD5DAA

24576:EZeSSDQls3nRjkmDw6jVYgFqSTt49Mm/wyzvyF9y/NgZuUxyDnMS/CkSxs9uYC5y:EZeSSDQs3RjkmDw6jVYgFqSTt49Mm/ws

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the login/logoff helper path in the registry

Disables task manager

SUSPICIOUS

Changes the desktop background image

INFO

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

Checks supported languages

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings