Malware analysis kaspersky4win202121.18.5.438aen_46538.exe Malicious activity

Add for printing

File name:	kaspersky4win202121.18.5.438aen_46538.exe
Full analysis:	https://app.any.run/tasks/f46fd851-52a8-43cb-9bd8-49586b74a059
Verdict:	Malicious activity
Analysis date:	September 15, 2024, 17:52:45
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	antivm kaspersky safe
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	58E0821A78ED09A3E4FF8E28709B3575
SHA1:	06B5644AF0C59350D77B6A61A590445FD0A1FCC9
SHA256:	ABD71FAA64AE306F30912522ED7D5CC01A1BA97498376D24A0AB496E171B48C6
SSDEEP:	98304:Ca7U4cWF/Yp9GKoym6Vl9aKFFsbRcAZOk5qHPP13JApJCJPMt1o3ma2fwTT+Dj91:EMVBrN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Registers / Runs the DLL via REGSVR32.EXE
  - msiexec.exe (PID: 6992)
- Antivirus name has been found in the command line (generic signature)
  - avp.exe (PID: 6788)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - setup_ui.exe (PID: 4092)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - setup_ui.exe (PID: 1964)
  - avp.exe (PID: 6788)
  - avpui.exe (PID: 5556)
- Executable content was dropped or overwritten
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6644)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - drvinst.exe (PID: 3328)
  - avp.exe (PID: 6788)
  - upgrade_launcher.exe (PID: 6868)
- Checks Windows Trust Settings
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - msiexec.exe (PID: 5904)
  - msiexec.exe (PID: 232)
  - drvinst.exe (PID: 3328)
  - avp.exe (PID: 6788)
- Starts itself from another location
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6644)
- Application launched itself
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - avp.exe (PID: 6788)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 5904)
- Adds/modifies Windows certificates
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - avp.exe (PID: 6788)
- The process verifies whether the antivirus software is installed
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - msiexec.exe (PID: 6992)
  - msiexec.exe (PID: 5904)
  - drvinst.exe (PID: 3328)
  - bcdedit.exe (PID: 5484)
  - conhost.exe (PID: 5984)
  - regsvr32.exe (PID: 2368)
  - plugins-setup.exe (PID: 4604)
  - plugins-setup.exe (PID: 300)
  - msiexec.exe (PID: 232)
  - regsvr32.exe (PID: 4688)
  - regsvr32.exe (PID: 6784)
  - plugins-setup.exe (PID: 4976)
  - plugins-setup.exe (PID: 5656)
  - avp.exe (PID: 6788)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - avpui.exe (PID: 6244)
  - msiexec.exe (PID: 6664)
  - avp.exe (PID: 1948)
  - avpui.exe (PID: 5556)
- Creates files in the driver directory
  - msiexec.exe (PID: 232)
  - drvinst.exe (PID: 3328)
  - msiexec.exe (PID: 6992)
  - avp.exe (PID: 6788)
- The process creates files with name similar to system file names
  - msiexec.exe (PID: 6992)
  - msiexec.exe (PID: 6664)
- Drops a system driver (possible attempt to evade defenses)
  - msiexec.exe (PID: 5904)
  - msiexec.exe (PID: 6664)
  - msiexec.exe (PID: 232)
  - msiexec.exe (PID: 6992)
  - drvinst.exe (PID: 3328)
  - avp.exe (PID: 6788)
- Creates/Modifies COM task schedule object
  - msiexec.exe (PID: 5904)
  - regsvr32.exe (PID: 2368)
  - regsvr32.exe (PID: 6784)
  - regsvr32.exe (PID: 4688)
- Executes as Windows Service
  - avp.exe (PID: 6788)
- Creates or modifies Windows services
  - avp.exe (PID: 6788)
- There is functionality for VM detection (antiVM strings)
  - avp.exe (PID: 1948)
INFO
- Checks supported languages
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - setup_ui.exe (PID: 4092)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6644)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - setup_ui.exe (PID: 1964)
  - msiexec.exe (PID: 5904)
  - msiexec.exe (PID: 6664)
  - msiexec.exe (PID: 6992)
  - msiexec.exe (PID: 232)
  - drvinst.exe (PID: 3328)
  - plugins-setup.exe (PID: 300)
  - plugins-setup.exe (PID: 4976)
  - plugins-setup.exe (PID: 5656)
  - plugins-setup.exe (PID: 4604)
  - avp.exe (PID: 6788)
  - avpui.exe (PID: 5556)
  - avpui.exe (PID: 6244)
  - avp.exe (PID: 1948)
  - upgrade_launcher.exe (PID: 6868)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 3272)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6752)
- The process uses the downloaded file
  - setup_ui.exe (PID: 4092)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - setup_ui.exe (PID: 1964)
- Reads the computer name
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - setup_ui.exe (PID: 4092)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6644)
  - setup_ui.exe (PID: 1964)
  - msiexec.exe (PID: 5904)
  - msiexec.exe (PID: 6664)
  - msiexec.exe (PID: 232)
  - msiexec.exe (PID: 6992)
  - drvinst.exe (PID: 3328)
  - plugins-setup.exe (PID: 300)
  - avp.exe (PID: 6788)
  - avpui.exe (PID: 5556)
  - avpui.exe (PID: 6244)
  - upgrade_launcher.exe (PID: 6868)
  - avp.exe (PID: 1948)
- Checks for the presence of KasperskyLab
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - avpui.exe (PID: 5556)
- Checks proxy server information
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - slui.exe (PID: 7020)
- Create files in a temporary directory
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - msiexec.exe (PID: 6664)
- Reads the machine GUID from the registry
  - setup_ui.exe (PID: 4092)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - setup_ui.exe (PID: 1964)
  - msiexec.exe (PID: 5904)
  - msiexec.exe (PID: 232)
  - drvinst.exe (PID: 3328)
  - msiexec.exe (PID: 6992)
  - plugins-setup.exe (PID: 5656)
  - plugins-setup.exe (PID: 4604)
  - plugins-setup.exe (PID: 300)
  - avp.exe (PID: 6788)
  - avp.exe (PID: 1948)
  - avpui.exe (PID: 5556)
- Reads the software policy settings
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - slui.exe (PID: 5724)
  - slui.exe (PID: 7020)
  - msiexec.exe (PID: 5904)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - msiexec.exe (PID: 232)
  - drvinst.exe (PID: 3328)
  - avp.exe (PID: 6788)
- Process checks computer location settings
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - avp.exe (PID: 6788)
  - avpui.exe (PID: 5556)
- Process checks whether UAC notifications are on
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
- Creates files in the program directory
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - plugins-setup.exe (PID: 5656)
  - plugins-setup.exe (PID: 4604)
  - plugins-setup.exe (PID: 300)
  - avp.exe (PID: 6788)
  - upgrade_launcher.exe (PID: 6868)
- Sends debugging messages
  - setup_ui.exe (PID: 4092)
  - setup_ui.exe (PID: 1964)
  - avpui.exe (PID: 5556)
  - avp.exe (PID: 6788)
  - avp.exe (PID: 1948)
  - avpui.exe (PID: 6244)
- Creates files or folders in the user directory
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6296)
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - msiexec.exe (PID: 5904)
- Reads Environment values
  - kaspersky4win202121.18.5.438aen_46538.exe (PID: 6204)
  - avp.exe (PID: 6788)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 5904)
  - msiexec.exe (PID: 6664)
  - msiexec.exe (PID: 232)
  - msiexec.exe (PID: 6992)
- Application launched itself
  - msiexec.exe (PID: 5904)
- Creates or modifies Windows services
  - msiexec.exe (PID: 232)
  - msiexec.exe (PID: 6992)
- Reads Microsoft Office registry keys
  - msiexec.exe (PID: 5904)
- Creates a software uninstall entry
  - msiexec.exe (PID: 5904)
- Reads the time zone
  - avp.exe (PID: 6788)
- Reads CPU info
  - avp.exe (PID: 6788)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2000:04:01 13:47:06+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	248832
InitializedDataSize:	4413952
UninitializedDataSize:	-
EntryPoint:	0x4260
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	21.18.5.438
ProductVersionNumber:	21.18.5.438
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Kaspersky
FileDescription:	Kaspersky [21.18.5.438.0.301.0 (a)]
FileVersion:	21.18.5.438
LegalCopyright:	© 2024 AO Kaspersky Lab
LegalTrademarks:	Registered trademarks and service marks are the property of their respective owners
ProductName:	Kaspersky
ProductVersion:	21.18.5.438
InternalName:	Setup
OriginalFileName:	Setup.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

165

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

232

C:\Windows\System32\MsiExec.exe -Embedding 60156DE1044A2E58B20A3707EE671DA3 E Global\MSI0000

C:\Windows\System32\msiexec.exe

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

300

"C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.18\plugins-setup.exe" --install --browser=edge-new --config="C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.18\skin\resources\neutral\locs\plugins_config.lt"

C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.18\plugins-setup.exe

—

msiexec.exe

User:

SYSTEM

Company:

AO Kaspersky Lab

Integrity Level:

SYSTEM

Description:

Light Plugin Extension Registrar

Exit code:

Version:

30.1719.0.1660

Modules

Images
c:\program files (x86)\kaspersky lab\kaspersky 21.18\plugins-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\sspicli.dll

1948

-host -hostId=2484719374 -securityCookie=6788 -initParameters=

C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.18\avp.exe

avp.exe

User:

SYSTEM

Company:

AO Kaspersky Lab

Integrity Level:

SYSTEM

Description:

Kaspersky Lab launcher

Version:

21.4.0.0

Modules

Images
c:\program files (x86)\kaspersky lab\kaspersky 21.18\avp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

1964

"C:\Users\admin\AppData\Local\Temp\6418B685B837FE114B3E817F87F669EE\setup_ui.exe" -cp=objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAACQmoIlG0a1J6VkMTQEh5x2AggAADwY///iege865dLdTkAIwAHAEQARQBTAEsAVABPAFAALQBKAEcATABMAEoATABEAAAABwAxADkAMgAuADEANgA4AC4AMQAwADAALgAxADgAMAAAAAAACQD//wAAHgD//wAAEAD//wAACgD//wAAFgD//wAAHwD//wAADgD//wAAAAA=:

C:\Users\admin\AppData\Local\Temp\6418B685B837FE114B3E817F87F669EE\setup_ui.exe

kaspersky4win202121.18.5.438aen_46538.exe

User:

admin

Company:

Kaspersky

Integrity Level:

MEDIUM

Description:

Kaspersky [21.18.5.438.0.301.0 (a)]

Exit code:

Version:

21.18.5.438

Modules

Images
c:\users\admin\appdata\local\temp\6418b685b837fe114b3e817f87f669ee\setup_ui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\version.dll

2368

"C:\WINDOWS\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.18\shellex.dll" /s /i:"C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.18\ kiskavpure"

C:\Windows\SysWOW64\regsvr32.exe

—

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

3272

"C:\Users\admin\Desktop\kaspersky4win202121.18.5.438aen_46538.exe" -cleanup="C:\Users\admin\AppData\Local\Temp\16EA4E25B837FE114B3E817F87F669EE;6296"

C:\Users\admin\Desktop\kaspersky4win202121.18.5.438aen_46538.exe

—

kaspersky4win202121.18.5.438aen_46538.exe

User:

admin

Company:

Kaspersky

Integrity Level:

MEDIUM

Description:

Kaspersky [21.18.5.438.0.301.0 (a)]

Exit code:

Version:

21.18.5.438

Modules

Images
c:\users\admin\desktop\kaspersky4win202121.18.5.438aen_46538.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\version.dll

3328

DrvInst.exe "4" "1" "C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.18\klimx64\klim6.inf" "9" "4750a1b23" "00000000000001CC" "WinSta0\Default" "00000000000001DC" "208" "C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.18\klimx64"

C:\Windows\System32\drvinst.exe

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll

4092

"C:\Users\admin\AppData\Local\Temp\16EA4E25B837FE114B3E817F87F669EE\setup_ui.exe" -cp=objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAAbfTw4U5Bs0soxUsAmVSlgAmwAAJgY//9sOvSnvkGkKDkAIwAHAEQARQBTAEsAVABPAFAALQBKAEcATABMAEoATABEAAAABwAxADkAMgAuADEANgA4AC4AMQAwADAALgAxADgAMAAAAAAACQD//wAAHgD//wAAEAD//wAACgD//wAAFgD//wAAHwD//wAADgD//wAAAAA=:

C:\Users\admin\AppData\Local\Temp\16EA4E25B837FE114B3E817F87F669EE\setup_ui.exe

kaspersky4win202121.18.5.438aen_46538.exe

User:

admin

Company:

Kaspersky

Integrity Level:

MEDIUM

Description:

Kaspersky [21.18.5.438.0.301.0 (a)]

Exit code:

Version:

21.18.5.438

Modules

Images
c:\users\admin\appdata\local\temp\16ea4e25b837fe114b3e817f87f669ee\setup_ui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\version.dll

4604

"C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.18\plugins-setup.exe" --install --browser=chrome --config="C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.18\skin\resources\neutral\locs\plugins_config.lt"

C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.18\plugins-setup.exe

—

msiexec.exe

User:

SYSTEM

Company:

AO Kaspersky Lab

Integrity Level:

SYSTEM

Description:

Light Plugin Extension Registrar

Exit code:

Version:

30.1719.0.1660

Modules

Images
c:\program files (x86)\kaspersky lab\kaspersky 21.18\plugins-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\sspicli.dll

4688

"C:\WINDOWS\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.18\kpm_integration.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

—

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

Add for printing

Total events

65 899

Read events

57 864

Write events

7 925

Delete events

110

Modification events


(PID) Process:	(6296) kaspersky4win202121.18.5.438aen_46538.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.18.5.438.0.301.0\volatile
Operation:	write	Name:	cp_storedResolvedType
Value: -1
(PID) Process:	(6296) kaspersky4win202121.18.5.438aen_46538.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.18.5.438.0.301.0\volatile
Operation:	write	Name:	cp_storedResolvedProductTier
Value: 0
(PID) Process:	(6296) kaspersky4win202121.18.5.438aen_46538.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.18.5.438.0.301.0\volatile
Operation:	write	Name:	cp_storedResolvedStartupScenario
Value:
(PID) Process:	(6296) kaspersky4win202121.18.5.438aen_46538.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.18.5.438.0.301.0\volatile
Operation:	write	Name:	cp_storedResolvedType
Value: 4
(PID) Process:	(6296) kaspersky4win202121.18.5.438aen_46538.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.18.5.438.0.301.0\volatile
Operation:	write	Name:	cp_storedResolvedProductTier
Value: 230
(PID) Process:	(6296) kaspersky4win202121.18.5.438aen_46538.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.18.5.438.0.301.0\volatile
Operation:	write	Name:	cp_storedResolvedStartupScenario
Value: Free
(PID) Process:	(6296) kaspersky4win202121.18.5.438aen_46538.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.18.5.438.0.301.0\volatile
Operation:	write	Name:	PreferredUI
Value: 0
(PID) Process:	(6296) kaspersky4win202121.18.5.438aen_46538.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.18.5.438.0.301.0\volatile
Operation:	write	Name:	PreferredUI
Value: 1
(PID) Process:	(6296) kaspersky4win202121.18.5.438aen_46538.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.18.5.438.0.301.0
Operation:	write	Name:	TrashFiles
Value: C:\Users\admin\AppData\Local\Temp\discovery.cfg
(PID) Process:	(6296) kaspersky4win202121.18.5.438aen_46538.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.18.5.438.0.301.0
Operation:	write	Name:	TrashFiles
Value: C:\Users\admin\AppData\Local\Temp\discovery.cfg C:\ProgramData\Kaspersky Lab Setup Files\KFA21.18.5.438.0.301.0

Add for printing

Executable files

1 144

Suspicious files

839

Text files

634

Unknown types

Dropped files

PID	Process	Filename		Type
6296	kaspersky4win202121.18.5.438aen_46538.exe	C:\Users\admin\AppData\Local\Temp\52E4AE62-738B-11EF-B4E3-18F7786F96EE\downloader_neutral_KFA.ini		text
		MD5:2E10B2D4181D2F07D2DD305BD4285BD5	SHA256:CBB72CDC1E461226C7D0E49E7EF955F77DFEEF4F7FE12D0D8A8D0CF9658EDC78
6296	kaspersky4win202121.18.5.438aen_46538.exe	C:\Users\admin\AppData\Local\Temp\16EA4E25B837FE114B3E817F87F669EE\sharpvectorcore.dll		executable
		MD5:9620B9B61A710C8A2178747A74D066AC	SHA256:3929EF5D1C09611BDE783054CDAA6F19E07A9F22C7E9C85EDF9510D13C7C423E
6296	kaspersky4win202121.18.5.438aen_46538.exe	C:\Users\admin\AppData\Local\Temp\16EA4E25B837FE114B3E817F87F669EE\setup.dll		executable
		MD5:147AAECC3BAD71192F6333A866794400	SHA256:C0946716F91EC37F9C30E3A27293D66F75466B2C1D0C03053992D3132BAB0611
6296	kaspersky4win202121.18.5.438aen_46538.exe	C:\Users\admin\AppData\Local\Temp\16EA4E25B837FE114B3E817F87F669EE\sharpvectorcss.dll		executable
		MD5:3249C9313D6902A72EF8F971C26F5082	SHA256:393D5AC9B4F30928496F39120AD300B7A81CD7533133ADC8C935CE3D1CCACF60
6296	kaspersky4win202121.18.5.438aen_46538.exe	C:\Users\admin\AppData\Local\Temp\16EA4E25B837FE114B3E817F87F669EE\setup_ui.exe		executable
		MD5:43E870E61765A8B5B208F633AB9351F8	SHA256:251DC9804BFB37B50897594F508BCD629D4A45D5C749AAAFB4B5E84D195F68AE
6296	kaspersky4win202121.18.5.438aen_46538.exe	C:\Users\admin\AppData\Local\Temp\16EA4E25B837FE114B3E817F87F669EE\sharpvectordom.dll		executable
		MD5:46F91941E61609973979D8E5BF321A31	SHA256:21675B87BE651E4A2E7CE2AF5A62D9E10A1A04DC2C58E1751B304089A7D5A070
6296	kaspersky4win202121.18.5.438aen_46538.exe	C:\Users\admin\AppData\Local\Temp\16EA4E25B837FE114B3E817F87F669EE\kl.setup.ui.dll		executable
		MD5:3C7D941E01763DB131F05CD5E17909D0	SHA256:A985540C3DEDAB11D80FAA0537FFC3E91F3F778DA28F7D60DFF3CCBBEC97DE74
6296	kaspersky4win202121.18.5.438aen_46538.exe	C:\Users\admin\AppData\Local\Temp\52E4AE62-738B-11EF-B4E3-18F7786F96EE\GuiStrings.loc		html
		MD5:09C4E9F41C4B8BFDB6BF8916AF730ECD	SHA256:57BF969D3C10D5BE0A4B31B8E530C1E005622C8DC809EE4FBD4C214F3B3E9A37
6296	kaspersky4win202121.18.5.438aen_46538.exe	C:\Users\admin\AppData\Local\Temp\52E4AE62-738B-11EF-B4E3-18F7786F96EE\GuiStrings_KFA.loc		text
		MD5:ECAA88F7FA0BF610A5A26CF545DCD3AA	SHA256:F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5
6296	kaspersky4win202121.18.5.438aen_46538.exe	C:\Users\admin\AppData\Local\Temp\52E4AE62-738B-11EF-B4E3-18F7786F96EE\downloader_neutral.ini		text
		MD5:635000D027160A52E2320AD7D4B0A857	SHA256:8E6025B49C9D1F8B3134357125D01B71EBD69258E7F90E97C0B3BF8D3886D1C6

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6296	kaspersky4win202121.18.5.438aen_46538.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	unknown	—	—	whitelisted
360	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1280	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
360	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6516	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6204	kaspersky4win202121.18.5.438aen_46538.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D	unknown	—	—	whitelisted
5904	msiexec.exe	GET	200	104.18.21.226:80	http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGEJFcIpBz28BuO60qVQ%3D	unknown	—	—	whitelisted
5904	msiexec.exe	GET	200	104.18.21.226:80	http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D	unknown	—	—	whitelisted
5904	msiexec.exe	GET	200	104.18.21.226:80	http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDBO%2F8SXGUNfFoIIgjw%3D%3D	unknown	—	—	whitelisted
6788	avp.exe	GET	200	212.73.221.196:80	http://crl.kaspersky.com/cdp/KSNGlobalRootCAECC.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6516	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6232	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6296	kaspersky4win202121.18.5.438aen_46538.exe	62.67.238.151:443	ds.kaspersky.com	LEVEL3	GB	whitelisted
6296	kaspersky4win202121.18.5.438aen_46538.exe	46.8.206.115:443	dm.s.kaspersky-labs.com	Solucions Valencianes i Noves Tecnologies SL	ES	whitelisted
6296	kaspersky4win202121.18.5.438aen_46538.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
6516	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6204	kaspersky4win202121.18.5.438aen_46538.exe	62.67.238.151:443	ds.kaspersky.com	LEVEL3	GB	whitelisted
6204	kaspersky4win202121.18.5.438aen_46538.exe	46.8.206.115:443	dm.s.kaspersky-labs.com	Solucions Valencianes i Noves Tecnologies SL	ES	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208 4.231.128.59	whitelisted
google.com	142.250.185.206	whitelisted
ds.kaspersky.com	62.67.238.151 82.202.184.184 62.67.238.152 81.19.104.172 82.202.185.148 46.8.206.90 82.202.184.193	whitelisted
dm.s.kaspersky-labs.com	46.8.206.115 195.122.169.10 80.239.174.35	unknown
ocsp.digicert.com	192.229.221.95	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
login.live.com	40.126.32.140 40.126.32.68 20.190.160.14 40.126.32.134 40.126.32.72 40.126.32.136 40.126.32.76 20.190.160.20	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted
fe3cr.delivery.mp.microsoft.com	20.166.126.56	whitelisted

Threats

No threats detected

Add for printing

Process	Message
setup_ui.exe	setup_ui.exe Information: 0 :
setup_ui.exe	LocalizationEngine Making localization parameters
setup_ui.exe	setup_ui.exe Information: 0 :
setup_ui.exe	Core DisplayCulture = en-US DisplayCulture.FullLocalization = en FormatCulture = en-US
setup_ui.exe	setup_ui.exe Information: 0 :
setup_ui.exe	TextScaleService SystemScaleFactor '1' provided from Registry.
setup_ui.exe	setup_ui.exe Information: 0 :
setup_ui.exe	Core OS: Major=10, Minor=0, Build=19045, Type=Workstation
setup_ui.exe	setup_ui.exe Information: 0 :
setup_ui.exe	Core OS: Major=10, Minor=0, Build=19045, Type=Workstation

General Info

kaspersky4win202121.18.5.438aen_46538.exe

58E0821A78ED09A3E4FF8E28709B3575

06B5644AF0C59350D77B6A61A590445FD0A1FCC9

ABD71FAA64AE306F30912522ED7D5CC01A1BA97498376D24A0AB496E171B48C6

98304:Ca7U4cWF/Yp9GKoym6Vl9aKFFsbRcAZOk5qHPP13JApJCJPMt1o3ma2fwTT+Dj91:EMVBrN

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

Antivirus name has been found in the command line (generic signature)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Checks Windows Trust Settings

Starts itself from another location

Application launched itself

Reads the Windows owner or organization settings

Adds/modifies Windows certificates

The process verifies whether the antivirus software is installed

Creates files in the driver directory

The process creates files with name similar to system file names

Drops a system driver (possible attempt to evade defenses)

Creates/Modifies COM task schedule object

Executes as Windows Service

Creates or modifies Windows services

There is functionality for VM detection (antiVM strings)

INFO

Checks supported languages

The process uses the downloaded file

Reads the computer name

Checks for the presence of KasperskyLab

Checks proxy server information

Create files in a temporary directory

Reads the machine GUID from the registry

Reads the software policy settings

Process checks computer location settings

Process checks whether UAC notifications are on

Creates files in the program directory

Sends debugging messages

Creates files or folders in the user directory

Reads Environment values

Executable content was dropped or overwritten

Application launched itself

Creates or modifies Windows services

Reads Microsoft Office registry keys

Creates a software uninstall entry

Reads the time zone

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules