File name: kav21.3.10.391abes_25651.exe

Full analysis: https://app.any.run/tasks/96fd7f04-dcc8-4b4c-81a2-26999399f4c8
Verdict: Malicious activity
Analysis date: June 17, 2024, 20:28:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 29CC578F3AB364892D97757A39D82911
SHA1: E4072FE61EADD6560636E7189ED8848ADD48EA3A
SHA256: 92F6B32F05F75984D21884F57EF393A39C80571F53DB9E0E4713382E2D8B8E55
SSDEEP: 98304:j5FfOW7bYrniSos+y5ujqRp52z5/aCP7LUDOyRu9RYZLTbDVfivcu51c/5/M4zx+:75ILR2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
    • Reads the Internet Settings

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
    • Reads security settings of Internet Explorer

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
    • Executable content was dropped or overwritten

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
    • Checks Windows Trust Settings

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
    • Reads settings of System Certificates

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
    • Application launched itself

      • startup.exe (PID: 1588)
      • kav21.3.10.391abes_25651.exe (PID: 3992)
  • INFO

    • Reads the computer name

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • wmpnscfg.exe (PID: 1592)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
      • TEST_WPF.EXE (PID: 2792)
    • Checks supported languages

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • wmpnscfg.exe (PID: 1592)
      • startup.exe (PID: 1588)
      • kav21.3.10.391abes_25651.exe (PID: 1612)
      • startup.exe (PID: 2372)
      • TEST_WPF.EXE (PID: 2792)
    • Create files in a temporary directory

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
    • Process checks whether UAC notifications are on

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
    • Checks proxy server information

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
    • Creates files in the program directory

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
    • Reads the machine GUID from the registry

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
      • TEST_WPF.EXE (PID: 2792)
    • Creates files or folders in the user directory

      • kav21.3.10.391abes_25651.exe (PID: 3992)
    • Reads the software policy settings

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1592)
    • Checks for the presence of KasperskyLab

      • kav21.3.10.391abes_25651.exe (PID: 3992)
      • startup.exe (PID: 1588)
      • startup.exe (PID: 2372)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2005:02:23 07:48:47+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 302080
InitializedDataSize: 2444288
UninitializedDataSize: -
EntryPoint: 0x24c0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 21.3.10.391
ProductVersionNumber: 21.3.10.391
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Kaspersky
FileDescription: Kaspersky Anti-Virus [21.3.10.391.0.577.0 (a.b)]
FileVersion: 21.3.10.391
LegalCopyright: © 2021 AO Kaspersky Lab
LegalTrademarks: Las marcas registradas y las marcas de servicio son propiedad de sus respectivos dueños
ProductName: Kaspersky Anti-Virus
ProductVersion: 21.3.10.391
InternalName: Setup
OriginalFileName: Setup.exe
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

  • start
  • kav21.3.10.391abes_25651.exe
  • wmpnscfg.exe (no specs)
  • startup.exe
  • kav21.3.10.391abes_25651.exe (no specs)
  • startup.exe
  • test_wpf.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1588
CMD: "C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2041.0\au_setup_2B56F08E-2CE8-11EF-9E36-12A9866C77DE\startup.exe" -auto_update_mode="C:\Users\admin\AppData\Local\Temp\kav21.3.10.391abes_25651.exe" /-self_remove -l=es-ES -xpos=351 -ypos=84 -prevsetupver=21.3.10.391.0.577.0 -prevsetuppatch=b
Path: C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2041.0\au_setup_2B56F08E-2CE8-11EF-9E36-12A9866C77DE\startup.exe
Parent process: kav21.3.10.391abes_25651.exe
User: admin
Company: Kaspersky
Integrity Level: MEDIUM
Description: Kaspersky Anti-Virus [21.3.10.391.0.2041.0 (a.b.c.d.e.f.g.h.i.j)]
Version: 21.3.10.391
Modules
Images
c:\programdata\kaspersky lab setup files\kav21.3.10.391.0.2041.0\au_setup_2b56f08e-2ce8-11ef-9e36-12a9866c77de\startup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\users\admin\appdata\local\temp\83d8fbe28ec2fe11e963219a68c677ed\setup.dll
c:\windows\system32\user32.dll
PID: 1592
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1612
CMD: "C:\Users\admin\AppData\Local\Temp\kav21.3.10.391abes_25651.exe" -cleanup="C:\Users\admin\AppData\Local\Temp\C80F65B28EC2FE11E963219A68C677ED;3992"
Path: C:\Users\admin\AppData\Local\Temp\kav21.3.10.391abes_25651.exe
Parent process: kav21.3.10.391abes_25651.exe
User: admin
Company: Kaspersky
Integrity Level: MEDIUM
Description: Kaspersky Anti-Virus [21.3.10.391.0.577.0 (a.b)]
Exit code: 0
Version: 21.3.10.391
Modules
Images
c:\users\admin\appdata\local\temp\kav21.3.10.391abes_25651.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
PID: 2372
CMD: "C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2041.0\au_setup_2B56F08E-2CE8-11EF-9E36-12A9866C77DE\startup.exe" /-elevated=
Path: C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2041.0\au_setup_2B56F08E-2CE8-11EF-9E36-12A9866C77DE\startup.exe
Parent process: startup.exe
User: admin
Company: Kaspersky
Integrity Level: HIGH
Description: Kaspersky Anti-Virus [21.3.10.391.0.2041.0 (a.b.c.d.e.f.g.h.i.j)]
Version: 21.3.10.391
Modules
Images
c:\programdata\kaspersky lab setup files\kav21.3.10.391.0.2041.0\au_setup_2b56f08e-2ce8-11ef-9e36-12a9866c77de\startup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\users\admin\appdata\local\temp\2692e8858ec2fe11e963219a68c677ed\setup.dll
c:\windows\system32\user32.dll
PID: 2792
CMD: "C:\Users\admin\AppData\Local\Temp\588E2964-2CE8-11EF-9E36-12A9866C77DE\TEST_WPF.EXE" "C:\Users\admin\AppData\Local\Temp\2692E8858EC2FE11E963219A68C677ED\setup.dll"
Path: C:\Users\admin\AppData\Local\Temp\588E2964-2CE8-11EF-9E36-12A9866C77DE\TEST_WPF.EXE
Parent process: startup.exe
User: admin
Integrity Level: HIGH
Description: test_wpf
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\588e2964-2ce8-11ef-9e36-12a9866c77de\test_wpf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3992
CMD: "C:\Users\admin\AppData\Local\Temp\kav21.3.10.391abes_25651.exe"
Path: C:\Users\admin\AppData\Local\Temp\kav21.3.10.391abes_25651.exe
Parent process: explorer.exe
User: admin
Company: Kaspersky
Integrity Level: MEDIUM
Description: Kaspersky Anti-Virus [21.3.10.391.0.577.0 (a.b)]
Exit code: 0
Version: 21.3.10.391
Modules
Images
c:\users\admin\appdata\local\temp\kav21.3.10.391abes_25651.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\users\admin\appdata\local\temp\c80f65b28ec2fe11e963219a68c677ed\setup.dll
c:\windows\system32\user32.dll
Total events: 18 334
Read events: 17 931
Write events: 368
Delete events: 35

Modification events

(3992) kav21.3.10.391abes_25651.exe | Key: HKEY_CURRENT_USER\Software\KasperskyLab\IEOverride\Main | Operation: write | Name: Enable Browser Extensions | Value: no
(3992) kav21.3.10.391abes_25651.exe | Key: HKEY_CURRENT_USER\Software\KasperskyLab\IEOverride\Main | Operation: write | Name: UseSWRender | Value: 1
(3992) kav21.3.10.391abes_25651.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(3992) kav21.3.10.391abes_25651.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
(3992) kav21.3.10.391abes_25651.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
(3992) kav21.3.10.391abes_25651.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
(3992) kav21.3.10.391abes_25651.exe | Key: HKEY_CURRENT_USER\Software\KasperskyLabSetup\Setup21.3.10.391.0.577.0 | Operation: write | Name: TrashFiles | Value: C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.577.0
(3992) kav21.3.10.391abes_25651.exe | Key: HKEY_CURRENT_USER\Software\KasperskyLabSetup\Setup21.3.10.391.0.577.0 | Operation: write | Name: TrashFiles | Value: C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.577.0 C:\ProgramData\Kaspersky Lab Setup Files
(3992) kav21.3.10.391abes_25651.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
(3992) kav21.3.10.391abes_25651.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
Executable files: 5
Suspicious files: 41
Text files: 76
Unknown types: 5

Dropped files

PID | Process | Filename | Type
3992 | kav21.3.10.391abes_25651.exe | C:\Users\admin\AppData\Local\Temp\C80F65B28EC2FE11E963219A68C677ED\setup.dll | executable
MD5: 502C5B7402B14C57740B25CD96236DBF
SHA256: 5F3331EFEEE1E96A429B4C769801316D55B1F1D90485CF0901B4AA2CF4E89E95
3992 | kav21.3.10.391abes_25651.exe | C:\Users\admin\AppData\Local\Temp\2B56F08D-2CE8-11EF-9E36-12A9866C77DE\kis-script.js | binary
MD5: 026425CCBF4417EEFA444285707132EF
SHA256: 97E5F342227EA23C27C1B660F111847FCDD9D7B23C1D248C733A36F983FD7F04
3992 | kav21.3.10.391abes_25651.exe | C:\Users\admin\AppData\Local\Temp\2B56F08D-2CE8-11EF-9E36-12A9866C77DE\kis-script-lte-ie8.js | txt
MD5: 5134186180074C51639D7A514919ED23
SHA256: 33E84B33FF911257E3A6A303C08A2CC178827DADB7DFD7C951E096866E02AD5E
3992 | kav21.3.10.391abes_25651.exe | C:\Users\admin\AppData\Local\Temp\2B56F08D-2CE8-11EF-9E36-12A9866C77DE\kis-logo.png | image
MD5: 18F81892DAA926FEC1D30324B4CD9367
SHA256: 681A96B96B5E0425FC74BE929D29164528BF0BC0A84AC97952C011E407E23D9B
3992 | kav21.3.10.391abes_25651.exe | C:\Users\admin\AppData\Local\Temp\2B56F08D-2CE8-11EF-9E36-12A9866C77DE\jquery.custom_select.min.js | binary
MD5: D2C620C462B75696EEA1FB22FB23602A
SHA256: DD678D32073078552E0E2C35EED78F16CC8D6E8662D4734518561A1B183F775C
3992 | kav21.3.10.391abes_25651.exe | C:\Users\admin\AppData\Local\Temp\2B56F08D-2CE8-11EF-9E36-12A9866C77DE\jquery-1.12.4.min.js | s
MD5: 618538B4AB9639D444E962729A927F15
SHA256: 27D92130C0321DAD5A03760FD5AC98A3D04ED4C94D88418FE6D50DA1F7FC5CBE
3992 | kav21.3.10.391abes_25651.exe | C:\Users\admin\AppData\Local\Temp\2B56F08D-2CE8-11EF-9E36-12A9866C77DE\kis-loading.gif | image
MD5: 69D4B9B309BFA6A87F7620647BAFD2D0
SHA256: F056164CF99799234C90E2318E90AB5D83D0FD855118224286FF0680EE455734
3992 | kav21.3.10.391abes_25651.exe | C:\Users\admin\AppData\Local\Temp\2B56F08D-2CE8-11EF-9E36-12A9866C77DE\kis-print.css | text
MD5: 1304724DD5001B2600FC5BD80C098F1E
SHA256: 2481B34B48FD96B194405DA621E8E5F19142DCB55744F9C9A93591705CB697FD
3992 | kav21.3.10.391abes_25651.exe | C:\Users\admin\AppData\Local\Temp\2B56F08D-2CE8-11EF-9E36-12A9866C77DE\kis-style.css | text
MD5: 2B4BD0AFD0E9DD5C90FB8C3BB4A5D619
SHA256: F9963B403E053F6BFA7C87CAD3C10DD55CF1F94FEFE00C6380921440E28B48D2
3992 | kav21.3.10.391abes_25651.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5: 245F6651FEAEC6DDE88DB5417C043A35
SHA256: 605F96EC13DC1EADB60286C7FA928629F4055FEA64435F5532B666DE62611695
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 22
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3992 | kav21.3.10.391abes_25651.exe | GET | 304 | 80.239.138.112:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7e30843a0e5f72a7 | unknown | unknown
3992 | kav21.3.10.391abes_25651.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | unknown
1088 | svchost.exe | GET | 304 | 80.239.138.112:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?cf4d0ada8a8d9c72 | unknown | unknown
2372 | startup.exe | GET | 301 | 130.117.190.203:80 | http://redirect.kaspersky.com/slideshow_default | unknown | unknown
2372 | startup.exe | GET | 301 | 130.117.190.203:80 | http://redirect.kaspersky.com/slideshow_default | unknown | unknown
2372 | startup.exe | GET | 301 | 130.117.190.203:80 | http://redirect.kaspersky.com/slideshow_default | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
3992 | kav21.3.10.391abes_25651.exe | 195.122.169.10:443 | dm.s.kaspersky-labs.com | LEVEL3 | DE | unknown
1088 | svchost.exe | 224.0.0.252:5355 | unknown
3992 | kav21.3.10.391abes_25651.exe | 80.239.138.112:80 | ctldl.windowsupdate.com | Telia Company AB | DE | unknown
3992 | kav21.3.10.391abes_25651.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1588 | startup.exe | 195.122.169.10:443 | dm.s.kaspersky-labs.com | LEVEL3 | DE | unknown
1088 | svchost.exe | 80.239.138.112:80 | ctldl.windowsupdate.com | Telia Company AB | DE | unknown
2372 | startup.exe | 130.117.190.203:443 | redirect.kaspersky.com | COGENT-174 | DE | unknown
2372 | startup.exe | 80.239.169.147:443 | dm.s.kaspersky-labs.com | Telia Company AB | SE | unknown

DNS requests

Domain
IP
Reputation
dm.s.kaspersky-labs.com
  • 195.122.169.10
  • 130.117.190.147
  • 195.27.253.3
  • 80.239.169.147
  • 212.73.221.196
unknown
ctldl.windowsupdate.com
  • 80.239.138.112
  • 80.239.138.97
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
redirect.kaspersky.com
  • 130.117.190.203
unknown
www.not.existing.kaspersky.com
  • 185.85.15.34
unknown

Threats

No threats detected
No debug info