Malware analysis /attachments/1335321974917959744/1375600934620762173/startup.exe Malicious activity

Add for printing

download:	/attachments/1335321974917959744/1375600934620762173/startup.exe
Full analysis:	https://app.any.run/tasks/668adeb0-589b-4628-944d-07b27335948c
Verdict:	Malicious activity
Analysis date:	May 25, 2025, 09:08:08
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	CE6E94896BEF15F84C065BF27694411A
SHA1:	B630DF40A9C26C942DC1433C2A3A97A763A73061
SHA256:	58B7FB5F03F01710C956BBA199555C8C197B01E4FA5A8242D9FA40FD7BEBA43B
SSDEEP:	98304:FJ70OtKM6o5PJecdpC+ZCY82yq/OjzNrE4gy0b685ggYSBgzCYryem+ROMFAeJs8:6EKxM+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Registers / Runs the DLL via REGSVR32.EXE
  - msiexec.exe (PID: 896)
- Antivirus name has been found in the command line (generic signature)
  - avp.exe (PID: 840)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - setup_ui.exe (PID: 5048)
  - startup.exe (PID: 2316)
  - setup_ui.exe (PID: 1240)
  - startup.exe (PID: 4408)
- Executable content was dropped or overwritten
  - startup.exe (PID: 2316)
  - startup.exe (PID: 4756)
  - startup.exe (PID: 4408)
  - drvinst.exe (PID: 6980)
  - upgrade.exe (PID: 7304)
  - avp.exe (PID: 840)
- There is functionality for taking screenshot (YARA)
  - setup_ui.exe (PID: 5048)
  - setup_ui.exe (PID: 1240)
- Application launched itself
  - startup.exe (PID: 2316)
  - msiexec.exe (PID: 4180)
  - avp.exe (PID: 840)
  - startup.exe (PID: 4408)
- Starts itself from another location
  - startup.exe (PID: 4756)
- The process verifies whether the antivirus software is installed
  - startup.exe (PID: 4408)
  - msiexec.exe (PID: 1628)
  - msiexec.exe (PID: 896)
  - msiexec.exe (PID: 4180)
- Adds/modifies Windows certificates
  - msiexec.exe (PID: 4180)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 4180)
- Drops a system driver (possible attempt to evade defenses)
  - msiexec.exe (PID: 7100)
  - msiexec.exe (PID: 4180)
  - msiexec.exe (PID: 1628)
  - drvinst.exe (PID: 6980)
  - msiexec.exe (PID: 896)
  - avp.exe (PID: 840)
- Creates files in the driver directory
  - msiexec.exe (PID: 7100)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 1628)
  - msiexec.exe (PID: 896)
- Process drops legitimate windows executable
  - msiexec.exe (PID: 896)
  - msiexec.exe (PID: 1628)
- Executes as Windows Service
  - avp.exe (PID: 840)
- The process creates files with name similar to system file names
  - msiexec.exe (PID: 1628)
INFO
- Reads the computer name
  - startup.exe (PID: 2316)
  - setup_ui.exe (PID: 5048)
  - startup.exe (PID: 4756)
  - startup.exe (PID: 4408)
  - msiexec.exe (PID: 4180)
  - msiexec.exe (PID: 1628)
  - msiexec.exe (PID: 7100)
  - msiexec.exe (PID: 896)
  - setup_ui.exe (PID: 1240)
- Checks supported languages
  - startup.exe (PID: 2316)
  - setup_ui.exe (PID: 5048)
  - startup.exe (PID: 4756)
  - startup.exe (PID: 4408)
  - setup_ui.exe (PID: 1240)
  - msiexec.exe (PID: 4180)
  - msiexec.exe (PID: 1628)
  - msiexec.exe (PID: 896)
  - msiexec.exe (PID: 7100)
- The sample compiled with english language support
  - startup.exe (PID: 2316)
  - startup.exe (PID: 4756)
  - startup.exe (PID: 4408)
  - msiexec.exe (PID: 1628)
  - msiexec.exe (PID: 4180)
  - msiexec.exe (PID: 7100)
  - msiexec.exe (PID: 896)
  - drvinst.exe (PID: 6980)
  - upgrade.exe (PID: 7304)
  - avp.exe (PID: 840)
- Create files in a temporary directory
  - startup.exe (PID: 2316)
  - startup.exe (PID: 4408)
  - msiexec.exe (PID: 1628)
- Reads the machine GUID from the registry
  - setup_ui.exe (PID: 5048)
  - startup.exe (PID: 2316)
  - startup.exe (PID: 4408)
  - setup_ui.exe (PID: 1240)
  - msiexec.exe (PID: 4180)
  - msiexec.exe (PID: 7100)
- Checks proxy server information
  - startup.exe (PID: 2316)
  - startup.exe (PID: 4408)
  - slui.exe (PID: 3132)
- Reads the software policy settings
  - startup.exe (PID: 2316)
  - slui.exe (PID: 5968)
  - startup.exe (PID: 4408)
  - msiexec.exe (PID: 4180)
  - msiexec.exe (PID: 7100)
  - slui.exe (PID: 3132)
- Checks for the presence of KasperskyLab
  - startup.exe (PID: 2316)
  - startup.exe (PID: 4408)
- Creates files or folders in the user directory
  - startup.exe (PID: 2316)
  - startup.exe (PID: 4408)
  - msiexec.exe (PID: 4180)
- Process checks whether UAC notifications are on
  - startup.exe (PID: 2316)
  - startup.exe (PID: 4408)
- Creates files in the program directory
  - startup.exe (PID: 2316)
  - startup.exe (PID: 4408)
- Process checks computer location settings
  - startup.exe (PID: 2316)
- Reads Environment values
  - startup.exe (PID: 4408)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 4180)
  - msiexec.exe (PID: 1628)
  - msiexec.exe (PID: 7100)
  - msiexec.exe (PID: 896)
- Creates or modifies Windows services
  - msiexec.exe (PID: 7100)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:04:16 07:20:24+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	255488
InitializedDataSize:	4487680
UninitializedDataSize:	-
EntryPoint:	0x3b10
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	21.21.7.384
ProductVersionNumber:	21.21.7.384
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Kaspersky
FileDescription:	Kaspersky [21.21.7.384.0.138.0]
FileVersion:	21.21.7.384
LegalCopyright:	© 2025 AO Kaspersky Lab
LegalTrademarks:	Registrerade varumärken och tjänstemärken är respektive innehavares egendom
ProductName:	Kaspersky
ProductVersion:	21.21.7.384
InternalName:	Setup
OriginalFileName:	Setup.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

168

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

840

"C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.21\avp.exe" -r

C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.21\avp.exe

services.exe

User:

SYSTEM

Company:

AO Kaspersky Lab

Integrity Level:

SYSTEM

Description:

Kaspersky Lab launcher

Version:

21.22.0.1

Modules

Images
c:\program files (x86)\kaspersky lab\kaspersky 21.21\avp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll

896

C:\Windows\syswow64\MsiExec.exe -Embedding 54960E366BCF252DDECBF488173EC405 E Global\MSI0000

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1184

"C:\WINDOWS\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.21\kpm_integration.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

—

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1240

"C:\Users\admin\AppData\Local\Temp\BD9EC0FD74930F114BDE817F87F669EE\setup_ui.exe" -cp=objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAABPRzC1Sr4aMnK/NZ8jzcoIAugAADgR//8fcALdt0r8oDgAIgAHAEQARQBTAEsAVABPAFAALQBKAEcATABMAEoATABEAAAABwAxADkAMgAuADEANgA4AC4AMQAwADAALgAxADAAAAAAAAkA//8AAB4A//8AABAA//8AAAoA//8AABYA//8AAB8A//8AAA4A//8AAAAA:

C:\Users\admin\AppData\Local\Temp\BD9EC0FD74930F114BDE817F87F669EE\setup_ui.exe

—

startup.exe

User:

admin

Company:

Kaspersky

Integrity Level:

MEDIUM

Description:

Kaspersky [21.21.7.384.0.138.0]

Exit code:

Version:

21.21.7.384

Modules

Images
c:\users\admin\appdata\local\temp\bd9ec0fd74930f114bde817f87f669ee\setup_ui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\version.dll

1388

"C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.21\plugins-setup.exe" --install --browser=firefox --config="C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.21\skin\resources\neutral\locs\plugins_config.lt"

C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.21\plugins-setup.exe

—

msiexec.exe

User:

SYSTEM

Company:

AO Kaspersky Lab

Integrity Level:

SYSTEM

Description:

Light Plugin Extension Registrar

Exit code:

Version:

21.21.7.384

Modules

Images
c:\program files (x86)\kaspersky lab\kaspersky 21.21\plugins-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\sspicli.dll

1452

"C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.21\plugins-setup.exe" --install --browser=edge-new --config="C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.21\skin\resources\neutral\locs\plugins_config.lt"

C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.21\plugins-setup.exe

—

msiexec.exe

User:

SYSTEM

Company:

AO Kaspersky Lab

Integrity Level:

SYSTEM

Description:

Light Plugin Extension Registrar

Exit code:

Version:

21.21.7.384

Modules

Images
c:\program files (x86)\kaspersky lab\kaspersky 21.21\plugins-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\sspicli.dll

1628

C:\Windows\syswow64\MsiExec.exe -Embedding FC79EF88343CF063B85AF970D2B87303

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

2236

"C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.21\avpui.exe" -hideuntilnavigate

C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.21\avpui.exe

—

avp.exe

User:

admin

Company:

AO Kaspersky Lab

Integrity Level:

MEDIUM

Description:

Kaspersky

Version:

21.21.7.384

Modules

Images
c:\program files (x86)\kaspersky lab\kaspersky 21.21\avpui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\program files (x86)\kaspersky lab\kaspersky 21.21\msvcp140.dll
c:\windows\syswow64\ucrtbase.dll

2316

"C:\Users\admin\AppData\Local\Temp\startup.exe"

C:\Users\admin\AppData\Local\Temp\startup.exe

explorer.exe

User:

admin

Company:

Kaspersky

Integrity Level:

MEDIUM

Description:

Kaspersky [21.21.7.384.0.138.0]

Exit code:

Version:

21.21.7.384

Modules

Images
c:\users\admin\appdata\local\temp\startup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\version.dll

2408

"C:\WINDOWS\Sysnative\bcdedit.exe" -set {globalsettings} integrityservices enable

C:\Windows\System32\bcdedit.exe

—

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Boot Configuration Data Editor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptsp.dll

Add for printing

Total events

66 488

Read events

57 744

Write events

8 625

Delete events

119

Modification events


(PID) Process:	(2316) startup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.21.7.384.0.138.0\volatile
Operation:	write	Name:	cp_storedResolvedType
Value: -1
(PID) Process:	(2316) startup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.21.7.384.0.138.0\volatile
Operation:	write	Name:	cp_storedResolvedProductTier
Value: 0
(PID) Process:	(2316) startup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.21.7.384.0.138.0\volatile
Operation:	write	Name:	cp_storedResolvedStartupScenario
Value:
(PID) Process:	(2316) startup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.21.7.384.0.138.0\volatile
Operation:	write	Name:	cp_storedResolvedType
Value: 4
(PID) Process:	(2316) startup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.21.7.384.0.138.0\volatile
Operation:	write	Name:	cp_storedResolvedProductTier
Value: 230
(PID) Process:	(2316) startup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.21.7.384.0.138.0\volatile
Operation:	write	Name:	cp_storedResolvedStartupScenario
Value: Free
(PID) Process:	(2316) startup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.21.7.384.0.138.0\volatile
Operation:	write	Name:	PreferredUI
Value: 0
(PID) Process:	(2316) startup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.21.7.384.0.138.0\volatile
Operation:	write	Name:	PreferredUI
Value: 1
(PID) Process:	(2316) startup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.21.7.384.0.138.0
Operation:	write	Name:	TrashFiles
Value: C:\Users\admin\AppData\Local\Temp\discovery.cfg
(PID) Process:	(2316) startup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.21.7.384.0.138.0
Operation:	write	Name:	TrashFiles
Value: C:\Users\admin\AppData\Local\Temp\discovery.cfg C:\ProgramData\Kaspersky Lab Setup Files\KFA21.21.7.384.0.138.0

Add for printing

Executable files

1 106

Suspicious files

830

Text files

577

Unknown types

Dropped files

PID	Process	Filename		Type
2316	startup.exe	C:\Users\admin\AppData\Local\Temp\CA48B99A-3947-11F0-B4ED-18F7786F96EE\downloader_neutral_KFA.ini		text
		MD5:2E10B2D4181D2F07D2DD305BD4285BD5	SHA256:CBB72CDC1E461226C7D0E49E7EF955F77DFEEF4F7FE12D0D8A8D0CF9658EDC78
2316	startup.exe	C:\Users\admin\AppData\Local\Temp\CA48B99A-3947-11F0-B4ED-18F7786F96EE\downloader_neutral.ini		text
		MD5:63727C1ECDD902A455CCB1ED3A5702C5	SHA256:725DDFCE3AAB347D28F8D8A4EB844DC8AD0BA7D53596AA9F118AD83F6A6075F5
2316	startup.exe	C:\Users\admin\AppData\Local\Temp\999B84AC74930F114BDE817F87F669EE\setup.dll		executable
		MD5:319D58F6DFFEC86B1D4FCFC319766B60	SHA256:974098714A3196C98ABF1E2CBB5C70B19568A0FB7B5DCD455F1EA7D7C94C3D29
2316	startup.exe	C:\Users\admin\AppData\Local\Temp\CA48B99A-3947-11F0-B4ED-18F7786F96EE\GuiStrings_KFA.loc		text
		MD5:ECAA88F7FA0BF610A5A26CF545DCD3AA	SHA256:F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5
2316	startup.exe	C:\Users\admin\AppData\Local\Temp\CA48B99A-3947-11F0-B4ED-18F7786F96EE\GuiStrings.loc		html
		MD5:09C4E9F41C4B8BFDB6BF8916AF730ECD	SHA256:57BF969D3C10D5BE0A4B31B8E530C1E005622C8DC809EE4FBD4C214F3B3E9A37
2316	startup.exe	C:\Users\admin\AppData\Local\Temp\kl-setup-2025-05-25-09-08-16_KAV.21.21.7.384.log		text
		MD5:1F90D75EE634A5085F27B99E9E7C8534	SHA256:E35D497D27AC31E7D92A0F4AC6DC8A90CC7F9E50551B871F1C3B9C2223B8C6F0
2316	startup.exe	C:\Users\admin\AppData\Local\Temp\999B84AC74930F114BDE817F87F669EE\kl.setup.ui.visuals.dll		executable
		MD5:A1BFE362E97F94F88B7283616177E7BD	SHA256:00EA063ABC23F85DBCFAFAA5CA47A6F2DD6793F4417472B43DA48FCF20839DFD
2316	startup.exe	C:\Users\admin\AppData\Local\Temp\999B84AC74930F114BDE817F87F669EE\kl.setup.ui.core.dll		executable
		MD5:9A1F97D8B717A07492AE65C8B0F6C824	SHA256:23DE41D5D15BC3E3847326834042F54FDEEB2DB5148E238920810DBD26E00766
2316	startup.exe	C:\Users\admin\AppData\Local\Temp\kl-setup-2025-05-25-09-08-16_KFA.21.21.7.384.log		text
		MD5:1F90D75EE634A5085F27B99E9E7C8534	SHA256:E35D497D27AC31E7D92A0F4AC6DC8A90CC7F9E50551B871F1C3B9C2223B8C6F0
2316	startup.exe	C:\Users\admin\AppData\Local\Temp\999B84AC74930F114BDE817F87F669EE\kl.setup.ui.dll		executable
		MD5:35464B0B8281A7A6F6577436A3042312	SHA256:9366179168B998AD9929E6BF3C610CB9EBE809C9B1C34D1D1BDAF2B34044B742

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2316	startup.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	unknown	—	—	whitelisted
632	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
632	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4408	startup.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D	unknown	—	—	whitelisted
4180	msiexec.exe	GET	200	151.101.194.133:80	http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D	unknown	—	—	whitelisted
4180	msiexec.exe	GET	200	151.101.194.133:80	http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGEJFcIpBz28BuO60qVQ%3D	unknown	—	—	whitelisted
4180	msiexec.exe	GET	200	151.101.194.133:80	http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDBO%2F8SXGUNfFoIIgjw%3D%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2316	startup.exe	82.202.184.193:443	ds.kaspersky.com	Kaspersky Lab Switzerland GmbH	CH	whitelisted
6544	svchost.exe	20.190.159.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
2316	startup.exe	212.73.221.196:443	dm.s.kaspersky-labs.com	LEVEL3	FR	suspicious

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59 51.124.78.146	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
google.com	142.250.186.46	whitelisted
ds.kaspersky.com	82.202.184.193 46.8.206.90 82.202.185.146 82.202.185.148 62.67.238.151 81.19.104.172 62.67.238.152 82.202.184.184	whitelisted
login.live.com	20.190.159.73 20.190.159.131 20.190.159.0 40.126.31.3 20.190.159.71 40.126.31.128 20.190.159.68 40.126.31.131	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
dm.s.kaspersky-labs.com	212.73.221.196 195.122.169.10 109.248.196.5	unknown
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted

Threats

No threats detected

Add for printing

Process	Message
avp.exe	rmt Name resolution: find property by id 1355283260
avp.exe	rmt Name resolution: register property cpnPRAGUE_REMOTE_API
avp.exe	rmt Name resolution: register property PR_REMOTE_MANAGER_PROP
avp.exe
avp.exe	rmt Name resolution: find property by id 1355802410
avp.exe
avp.exe	rmt Name resolution: find property cpnPRAGUE_REMOTE_API, 12582912
avp.exe	rmt Name resolution: find property PR_REMOTE_MANAGER_PROP, 12582912
avp.exe
avp.exe	rmt Name resolution: property registered successfully, id 1355283260

General Info

/attachments/1335321974917959744/1375600934620762173/startup.exe

CE6E94896BEF15F84C065BF27694411A

B630DF40A9C26C942DC1433C2A3A97A763A73061

58B7FB5F03F01710C956BBA199555C8C197B01E4FA5A8242D9FA40FD7BEBA43B

98304:FJ70OtKM6o5PJecdpC+ZCY82yq/OjzNrE4gy0b685ggYSBgzCYryem+ROMFAeJs8:6EKxM+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

Antivirus name has been found in the command line (generic signature)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

There is functionality for taking screenshot (YARA)

Application launched itself

Starts itself from another location

The process verifies whether the antivirus software is installed

Adds/modifies Windows certificates

Reads the Windows owner or organization settings

Drops a system driver (possible attempt to evade defenses)

Creates files in the driver directory

The process drops C-runtime libraries

Process drops legitimate windows executable

Executes as Windows Service

The process creates files with name similar to system file names

INFO

Reads the computer name

Checks supported languages

The sample compiled with english language support

Create files in a temporary directory

Reads the machine GUID from the registry

Checks proxy server information

Reads the software policy settings

Checks for the presence of KasperskyLab

Creates files or folders in the user directory

Process checks whether UAC notifications are on

Creates files in the program directory

Process checks computer location settings

Reads Environment values

Executable content was dropped or overwritten

Creates or modifies Windows services

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity