File name: kav21.3.10.391abcdefghijklen_26157.exe

Full analysis: https://app.any.run/tasks/40838c6a-1028-4723-94ff-0f0365f30e97
Verdict: Malicious activity
Threats:

Stealers are malicious programs built to gain unauthorized access to a user's data and send it to the attacker. The category covers programs that each target a particular kind of data (files, passwords, cryptocurrency wallets), and many also spy on the victim by logging keystrokes and taking screenshots. Stealers are distributed mainly through phishing campaigns. This text is the generic description attached to the "stealer" tag; for this sample the tag rests on the behavioral signatures listed below ("Steals credentials from Web Browsers", "Actions look like stealing of personal data"), all of which fired on avp.exe, the service the installer sets up, while the file's own version resource identifies it as a Kaspersky Anti-Virus 21.3 setup executable. Confirm the verdict against that evidence rather than taking the tag at face value.

Analysis date: April 08, 2025, 16:28:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 69DD39AAD54AB8646E9FC520CEC1DD01
SHA1: 0723D4FE16B5DF6589CE60F3EF44E09F1B10B3F6
SHA256: F367025F71C510F9A71DC57F104E92B57D3614FC6FE221CFF4202AFE091DE1A3
SSDEEP: 98304:SKBwrBZbYrniSos+jMPSyK88tXmgeYXRlPdjE48/V1otBbQEIHoEdni8RJwjhvdI:cIv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
Signatures:
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • msiexec.exe (PID: 7692)
    • Antivirus name has been found in the command line (generic signature)

      • avp.exe (PID: 4448)
    • Actions look like stealing of personal data

      • avp.exe (PID: 4448)
    • Steals credentials from Web Browsers

      • avp.exe (PID: 4448)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • drvinst.exe (PID: 7948)
      • avp.exe (PID: 4448)
      • upgrade_launcher.exe (PID: 8004)
      • kpm.exe (PID: 3820)
      • drvinst.exe (PID: 5380)
      • {B4411535-005D-4FFE-A062-8900C1B6BB91}.exe (PID: 7804)
    • Reads security settings of Internet Explorer

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • avp.exe (PID: 4448)
      • avpui.exe (PID: 4208)
    • Application launched itself

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
    • Reads Microsoft Outlook installation path

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • regsvr32.exe (PID: 3992)
    • The process verifies whether the antivirus software is installed

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • msiexec.exe (PID: 7692)
      • drvinst.exe (PID: 7948)
      • bcdedit.exe (PID: 5504)
      • regsvr32.exe (PID: 8120)
      • conhost.exe (PID: 4436)
      • regsvr32.exe (PID: 7968)
      • regsvr32.exe (PID: 7928)
      • regsvr32.exe (PID: 6676)
      • regsvr32.exe (PID: 7532)
      • regsvr32.exe (PID: 6512)
      • msiexec.exe (PID: 8112)
      • msiexec.exe (PID: 4688)
      • regsvr32.exe (PID: 632)
      • regsvr32.exe (PID: 8068)
      • plugins-setup.exe (PID: 3008)
      • plugins-setup.exe (PID: 736)
      • regsvr32.exe (PID: 2552)
      • regsvr32.exe (PID: 5260)
      • regsvr32.exe (PID: 4188)
      • plugins-setup.exe (PID: 5936)
      • plugins-setup.exe (PID: 7104)
      • regsvr32.exe (PID: 3992)
      • regsvr32.exe (PID: 3012)
      • regsvr32.exe (PID: 2092)
      • msiexec.exe (PID: 7576)
      • msiexec.exe (PID: 6080)
      • avp.exe (PID: 4448)
      • drvinst.exe (PID: 5380)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • avpui.exe (PID: 4208)
      • msiexec.exe (PID: 1116)
      • avpui.exe (PID: 2408)
      • msiexec.exe (PID: 7872)
    • Adds/modifies Windows certificates

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • avp.exe (PID: 4448)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7872)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 8112)
      • msiexec.exe (PID: 7872)
      • msiexec.exe (PID: 4688)
      • drvinst.exe (PID: 7948)
      • avp.exe (PID: 4448)
      • drvinst.exe (PID: 5380)
    • Creates files in the driver directory

      • msiexec.exe (PID: 4688)
      • drvinst.exe (PID: 7948)
      • avp.exe (PID: 4448)
      • drvinst.exe (PID: 5380)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 8112)
      • msiexec.exe (PID: 1116)
      • {B4411535-005D-4FFE-A062-8900C1B6BB91}.exe (PID: 7804)
      • msiexec.exe (PID: 7872)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 8112)
      • msiexec.exe (PID: 1116)
      • {B4411535-005D-4FFE-A062-8900C1B6BB91}.exe (PID: 7804)
      • msiexec.exe (PID: 7872)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 8112)
      • msiexec.exe (PID: 1116)
      • {B4411535-005D-4FFE-A062-8900C1B6BB91}.exe (PID: 7804)
    • There is functionality for taking screenshot (YARA)

      • msiexec.exe (PID: 8112)
      • msiexec.exe (PID: 7692)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 7968)
      • regsvr32.exe (PID: 8120)
      • regsvr32.exe (PID: 8068)
      • regsvr32.exe (PID: 7532)
      • regsvr32.exe (PID: 632)
      • regsvr32.exe (PID: 5260)
      • regsvr32.exe (PID: 6512)
      • regsvr32.exe (PID: 2552)
      • regsvr32.exe (PID: 3992)
      • regsvr32.exe (PID: 2092)
    • Executes as Windows Service

      • avp.exe (PID: 4448)
    • Creates or modifies Windows services

      • avp.exe (PID: 4448)
    • Process checks Powershell history file

      • avp.exe (PID: 4448)
  • INFO

    • The sample was compiled with English language support

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • msiexec.exe (PID: 7872)
      • msiexec.exe (PID: 8112)
      • msiexec.exe (PID: 4688)
      • msiexec.exe (PID: 7692)
      • drvinst.exe (PID: 7948)
      • avp.exe (PID: 4448)
      • msiexec.exe (PID: 1116)
      • drvinst.exe (PID: 5380)
      • {B4411535-005D-4FFE-A062-8900C1B6BB91}.exe (PID: 7804)
    • Reads the computer name

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • TEST_WPF.EXE (PID: 1324)
      • msiexec.exe (PID: 8112)
      • msiexec.exe (PID: 7872)
      • msiexec.exe (PID: 7692)
      • msiexec.exe (PID: 4688)
      • drvinst.exe (PID: 7948)
      • plugins-setup.exe (PID: 7104)
      • avpui.exe (PID: 4208)
      • msiexec.exe (PID: 1116)
      • avp.exe (PID: 4448)
      • msiexec.exe (PID: 6080)
      • msiexec.exe (PID: 7576)
      • upgrade_launcher.exe (PID: 8004)
      • {B4411535-005D-4FFE-A062-8900C1B6BB91}.exe (PID: 7804)
      • avpui.exe (PID: 2408)
      • msiexec.exe (PID: 4024)
    • Checks proxy server information

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • slui.exe (PID: 8004)
    • Reads the machine GUID from the registry

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • TEST_WPF.EXE (PID: 1324)
      • msiexec.exe (PID: 7872)
      • msiexec.exe (PID: 4688)
      • drvinst.exe (PID: 7948)
      • plugins-setup.exe (PID: 5936)
      • plugins-setup.exe (PID: 736)
      • plugins-setup.exe (PID: 7104)
      • avp.exe (PID: 4448)
      • avpui.exe (PID: 4208)
      • msiexec.exe (PID: 7576)
      • drvinst.exe (PID: 5380)
      • {B4411535-005D-4FFE-A062-8900C1B6BB91}.exe (PID: 7804)
    • Creates files in a temporary directory

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • msiexec.exe (PID: 8112)
      • msiexec.exe (PID: 1116)
    • Creates files in the program directory

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • plugins-setup.exe (PID: 5936)
      • plugins-setup.exe (PID: 736)
      • regsvr32.exe (PID: 3992)
      • plugins-setup.exe (PID: 7104)
      • avp.exe (PID: 4448)
      • upgrade_launcher.exe (PID: 8004)
      • {B4411535-005D-4FFE-A062-8900C1B6BB91}.exe (PID: 7804)
    • Process checks computer location settings

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • avp.exe (PID: 4448)
    • Checks supported languages

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • TEST_WPF.EXE (PID: 1324)
      • msiexec.exe (PID: 8112)
      • msiexec.exe (PID: 7872)
      • msiexec.exe (PID: 7692)
      • msiexec.exe (PID: 4688)
      • drvinst.exe (PID: 7948)
      • plugins-setup.exe (PID: 736)
      • plugins-setup.exe (PID: 7104)
      • plugins-setup.exe (PID: 3008)
      • plugins-setup.exe (PID: 5936)
      • avp.exe (PID: 4448)
      • avpui.exe (PID: 4208)
      • msiexec.exe (PID: 1116)
      • msiexec.exe (PID: 6080)
      • msiexec.exe (PID: 7576)
      • drvinst.exe (PID: 7524)
      • kpm.exe (PID: 3820)
      • drvinst.exe (PID: 5380)
      • upgrade_launcher.exe (PID: 8004)
      • {B4411535-005D-4FFE-A062-8900C1B6BB91}.exe (PID: 7804)
      • msiexec.exe (PID: 4024)
      • avpui.exe (PID: 2408)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 4276)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 6904)
    • Process checks whether UAC notifications are on

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
    • Reads the software policy settings

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • msiexec.exe (PID: 7872)
      • msiexec.exe (PID: 4688)
      • drvinst.exe (PID: 7948)
      • slui.exe (PID: 8004)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • msiexec.exe (PID: 7576)
      • drvinst.exe (PID: 5380)
      • avp.exe (PID: 4448)
      • {B4411535-005D-4FFE-A062-8900C1B6BB91}.exe (PID: 7804)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 7872)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • avp.exe (PID: 4448)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7872)
      • msiexec.exe (PID: 8112)
      • msiexec.exe (PID: 4688)
      • msiexec.exe (PID: 7692)
      • msiexec.exe (PID: 1116)
    • Checks for the presence of KasperskyLab

      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7608)
      • kav21.3.10.391abcdefghijklen_26157.exe (PID: 7356)
      • msiexec.exe (PID: 7872)
      • avpui.exe (PID: 4208)
    • Application launched itself

      • msiexec.exe (PID: 7872)
    • Creates or modifies Windows services

      • msiexec.exe (PID: 4688)
      • msiexec.exe (PID: 7692)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 7872)
    • Reads CPU info

      • avp.exe (PID: 4448)
    • Reads Environment values

      • avp.exe (PID: 4448)
    • Reads the time zone

      • avp.exe (PID: 4448)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1972:01:30 11:30:30+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 302080
InitializedDataSize: 2372096
UninitializedDataSize: -
EntryPoint: 0x24c0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 21.3.10.391
ProductVersionNumber: 21.3.10.391
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Kaspersky
FileDescription: Kaspersky Anti-Virus [21.3.10.391.0.2472.0 (a.b.c.d.e.f.g.h.i.j.k.l)]
FileVersion: 21.3.10.391
LegalCopyright: © 2021 AO Kaspersky Lab
LegalTrademarks: Registered trademarks and service marks are the property of their respective owners
ProductName: Kaspersky Anti-Virus
ProductVersion: 21.3.10.391
InternalName: Setup
OriginalFileName: Setup.exe
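The EXIF block above is a rendering of PE header fields: MachineType, TimeStamp, the Executable/32-bit characteristics and the section count come from the COFF file header, and LinkerVersion, CodeSize, InitializedDataSize, EntryPoint, OSVersion, SubsystemVersion and Subsystem from the optional header. A TimeStamp of 1972-01-30 predates the PE format itself; with an MSVC 14.16 linker (Visual Studio 2017) that is usually the effect of a reproducible build (the /Brepro option stores a hash of the image in TimeDateStamp instead of the link time), so an implausible timestamp on its own is not evidence of tampering, though it does mean the field cannot be used to date the build. The following Python is an added example, not part of the ANY.RUN report or of Kaspersky's tooling: it reads those fields from a PE image and flags an implausible timestamp. The image bytes are constructed inline with the header values shown in this report (a header-only PE32, not the real installer), so the script runs offline; the values for BaseOfCode, ImageBase, alignments and SizeOfImage are assumed placeholders.

```python
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
PE_FORMAT_INTRODUCED = datetime(1993, 1, 1, tzinfo=timezone.utc)  # PE shipped with Windows NT 3.1


def parse_pe_headers(data: bytes) -> dict:
    """Extract the COFF and optional-header fields that EXIF-style tools print for a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, tstamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                               # optional header follows the 20-byte COFF header
    magic, lnk_major, lnk_minor, code_sz, idata_sz, udata_sz, entry = struct.unpack_from("<HBBIIII", data, opt)
    os_major, os_minor, _img_major, _img_minor, ss_major, ss_minor = struct.unpack_from("<6H", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "MachineType": MACHINE_NAMES.get(machine, hex(machine)),
        "TimeStamp": datetime.fromtimestamp(tstamp, timezone.utc),
        "TimeDateStampRaw": tstamp,
        "Sections": nsections,
        "Executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "32bit": bool(chars & IMAGE_FILE_32BIT_MACHINE),
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "LinkerVersion": f"{lnk_major}.{lnk_minor}",
        "CodeSize": code_sz,
        "InitializedDataSize": idata_sz,
        "UninitializedDataSize": udata_sz,
        "EntryPoint": entry,
        "OSVersion": f"{os_major}.{os_minor}",
        "SubsystemVersion": f"{ss_major}.{ss_minor}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def timestamp_is_plausible(ts: datetime, now=None) -> bool:
    """False when the recorded link time predates the PE format or lies in the future.
    Both reproducible builds (/Brepro hash) and deliberate timestomping produce such values."""
    now = now or datetime.now(timezone.utc)
    return PE_FORMAT_INTRODUCED <= ts <= now


def build_sample_image() -> bytes:
    """Constructed header-only PE32 carrying the values from this report's EXIF block (not the real file).
    65619030 is 1972-01-30 11:30:30 UTC as a Unix timestamp."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 6, 65619030, 0, 0, 224,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    # Magic, linker 14.16, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint,
    # then assumed placeholders: BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment,
    # OS 6.0, image 0.0, subsystem 6.0, Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum, Subsystem GUI, DllCharacteristics
    opt = struct.pack("<HBB9I6H4I2H", 0x10B, 14, 16, 302080, 2372096, 0, 0x24C0,
                      0x1000, 0x4B000, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0,
                      0, 0x290000, 0x400, 0,
                      2, 0x8140).ljust(224, b"\0")
    return bytes(dos) + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    hdr = parse_pe_headers(build_sample_image())
    for key, value in hdr.items():
        print(f"{key}: {value}")
    print("timestamp plausible:", timestamp_is_plausible(hdr["TimeStamp"]))
```

Run it against a real file by replacing build_sample_image() with open(path, "rb").read(); only the first few hundred bytes are needed. For a file whose timestamp fails the check, compare the raw TimeDateStamp with the debug directory and resource timestamps before concluding anything about timestomping.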
All screenshots are available in the full report
Total processes: 194
Monitored processes: 45
Malicious processes: 22
Suspicious processes: 7

Behavior graph (process chain in launch order; "no specs" marks processes that triggered no signatures):

start kav21.3.10.391abcdefghijklen_26157.exe kav21.3.10.391abcdefghijklen_26157.exe test_wpf.exe no specs slui.exe msiexec.exe msiexec.exe msiexec.exe msiexec.exe drvinst.exe bcdedit.exe no specs conhost.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs plugins-setup.exe no specs plugins-setup.exe no specs plugins-setup.exe no specs plugins-setup.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs avp.exe avpui.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe no specs drvinst.exe drvinst.exe no specs upgrade_launcher.exe kpm.exe {b4411535-005d-4ffe-a062-8900c1b6bb91}.exe avpui.exe no specs kav21.3.10.391abcdefghijklen_26157.exe no specs kav21.3.10.391abcdefghijklen_26157.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs

Process information

Columns: PID | CMD | Path | Parent process

PID: 632
CMD: "C:\WINDOWS\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\kpm_integration.dll" /s
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 736
CMD: "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\plugins-setup.exe" --install --browser=firefox --config="C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\skin\resources\neutral\locs\plugins_config.lt"
Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\plugins-setup.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
AO Kaspersky Lab
Integrity Level:
SYSTEM
Description:
Light Plugin Extension Registrar
Exit code:
0
Version:
30.587.0.1060
Modules
Images
c:\program files (x86)\kaspersky lab\kaspersky anti-virus 21.3\plugins-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID: 1116
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding E9CDB36E210B67EE9FB4BB07FEDD13BC
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1324
CMD: "C:\Users\admin\AppData\Local\Temp\9AE85F7F-1496-11F0-B4ED-18F7786F96EE\TEST_WPF.EXE" "C:\Users\admin\AppData\Local\Temp\D7F58EA969410F114BDE817F87F669EE\setup.dll"
Path: C:\Users\admin\AppData\Local\Temp\9AE85F7F-1496-11F0-B4ED-18F7786F96EE\TEST_WPF.EXE
Parent process: kav21.3.10.391abcdefghijklen_26157.exe
User:
admin
Integrity Level:
HIGH
Description:
test_wpf
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\9ae85f7f-1496-11f0-b4ed-18f7786f96ee\test_wpf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2092
CMD: "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\x64\mcou.dll" /s (the image name is absent from the captured command line)
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2408
CMD: "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\avpui.exe"
Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\avpui.exe
Parent process: kav21.3.10.391abcdefghijklen_26157.exe
User:
admin
Company:
AO Kaspersky Lab
Integrity Level:
MEDIUM
Description:
Kaspersky Anti-Virus
Exit code:
0
Version:
21.3.12.434
Modules
Images
c:\program files (x86)\kaspersky lab\kaspersky anti-virus 21.3\avpui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2552
CMD: "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\x64\antimalware_provider.dll" /s (the image name is absent from the captured command line)
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2852
CMD: "C:\WINDOWS\system32\msiexec.exe" /p "C:\WINDOWS\TEMP\{45C00643-5A34-4CFC-96B4-754E4E08AC09}\kpmwin25.0.0.225.0.7.0\KPM10_0_patch.msp" /qn
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: {B4411535-005D-4FFE-A062-8900C1B6BB91}.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
1642 (ERROR_PATCH_TARGET_NOT_FOUND: the .msp did not apply to the installed product version)
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\common files\kaspersky lab\klhk\klhk_x64\klhkum.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 3008
CMD: "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\plugins-setup.exe" --install --browser=common --config="C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\skin\resources\neutral\locs\plugins_config.lt"
Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\plugins-setup.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
AO Kaspersky Lab
Integrity Level:
SYSTEM
Description:
Light Plugin Extension Registrar
Exit code:
1
Version:
30.587.0.1060
Modules
Images
c:\program files (x86)\kaspersky lab\kaspersky anti-virus 21.3\plugins-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 3012
CMD: "C:\WINDOWS\System32\regsvr32.exe" "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\x64\mcou.dll" /s
Path: C:\Windows\SysWOW64\regsvr32.exe (the 32-bit parent's System32 reference was redirected to SysWOW64 by WOW64; this 32-bit regsvr32 then launched the native 64-bit regsvr32, PID 2092, for the x64 DLL)
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
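The "Registers / Runs the DLL via REGSVR32.EXE" signature and the regsvr32/msiexec rows above are where a triage analyst has to separate installer behaviour from LOLBin abuse: regsvr32 registering a vendor DLL under Program Files on behalf of msiexec is the normal MSI custom-action path (and the 32-bit regsvr32 relaunching the 64-bit one for an x64 module is how regsvr32 behaves), whereas regsvr32 loading a module from a user-writable directory, spawned by an Office application, or pulling a remote scriptlet with /i: is the pattern worth escalating. The Python below is an added example, not part of the ANY.RUN report, that encodes those distinctions as rules over process records. The records are transcribed from the process table above; the winword.exe record is constructed for contrast and does not occur in this analysis.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str      # path of the executable as recorded by the sandbox
    cmdline: str
    parent: str     # parent image name
    user: str


# Transcribed from the process table above.
REPORT_PROCS = {
    632: Proc(632, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'"C:\WINDOWS\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\kpm_integration.dll" /s',
              "msiexec.exe", "SYSTEM"),
    1324: Proc(1324, r"C:\Users\admin\AppData\Local\Temp\9AE85F7F-1496-11F0-B4ED-18F7786F96EE\TEST_WPF.EXE",
               r'"C:\Users\admin\AppData\Local\Temp\9AE85F7F-1496-11F0-B4ED-18F7786F96EE\TEST_WPF.EXE" "C:\Users\admin\AppData\Local\Temp\D7F58EA969410F114BDE817F87F669EE\setup.dll"',
               "kav21.3.10.391abcdefghijklen_26157.exe", "admin"),
    2092: Proc(2092, r"C:\Windows\System32\regsvr32.exe",
               r' "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 21.3\x64\mcou.dll" /s',
               "regsvr32.exe", "SYSTEM"),
    2852: Proc(2852, r"C:\Windows\SysWOW64\msiexec.exe",
               r'"C:\WINDOWS\system32\msiexec.exe" /p "C:\WINDOWS\TEMP\{45C00643-5A34-4CFC-96B4-754E4E08AC09}\kpmwin25.0.0.225.0.7.0\KPM10_0_patch.msp" /qn',
               "{B4411535-005D-4FFE-A062-8900C1B6BB91}.exe", "SYSTEM"),
}
# Constructed contrast case, not from the report: regsvr32 loading a DLL from %TEMP% under Word.
CONSTRUCTED_PROC = Proc(9999, r"C:\Windows\System32\regsvr32.exe",
                        r'regsvr32.exe /s C:\Users\admin\AppData\Local\Temp\upd.dll', "winword.exe", "admin")

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\public\\")
VENDOR_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
INSTALLERS = {"msiexec.exe", "setup.exe"}
REG_CHAIN = INSTALLERS | {"regsvr32.exe"}   # WOW64 regsvr32 relaunches the native one for 64-bit modules
INITIAL_ACCESS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                  "mshta.exe", "wscript.exe"}


def argv(cmdline: str) -> list:
    """Split a Windows command line into arguments: quoted strings or whitespace-separated tokens."""
    return [q if q else t for q, t in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def _vendor_dir(path: str) -> bool:
    return path.lower().startswith(VENDOR_DIRS)


def triage(p: Proc):
    """Classify one process record; returns (severity, reason), severity in {"high", "medium", "info", None}."""
    name, parent, args = _base(p.image), p.parent.lower(), argv(p.cmdline)
    # Some captures omit argv[0] (PID 2092 above); only skip it when it really is the image itself.
    rest = args[1:] if args and _base(args[0]) == name else args
    if name == "regsvr32.exe":
        modules = [a for a in rest if not a.startswith("/")]
        if parent in INITIAL_ACCESS or any(a.lower().startswith("/i:http") for a in rest):
            return "high", "regsvr32 spawned by an Office/browser/script host or loading a remote scriptlet"
        if any(_user_writable(m) for m in modules):
            return "high", "regsvr32 registering a module from a user-writable directory"
        if parent in REG_CHAIN and modules and all(_vendor_dir(m) for m in modules):
            return "info", "installer chain registering a vendor DLL under Program Files"
        return "medium", "regsvr32 outside a recognised installer chain"
    if name == "msiexec.exe":
        packages = [a for a in rest if a.lower().endswith((".msi", ".msp"))]
        # C:\Windows\Temp is not user-writable, so a package staged there stays informational
        if any(_user_writable(x) and "\\windows\\temp\\" not in x.lower() for x in packages):
            return "medium", "msiexec installing a package from a user-writable directory"
        return "info", "msiexec in installer context"
    if _user_writable(p.image) and not _vendor_dir(p.image):
        if parent in INITIAL_ACCESS:
            return "high", "executable in a user-writable directory spawned by an Office/browser/script host"
        return "medium", "executable running from a user-writable directory (installer helper or dropped payload)"
    return None, "no rule matched"


def triage_all(procs=None) -> dict:
    """Apply triage() to every record; keyed by PID."""
    return {p.pid: triage(p) for p in (procs or list(REPORT_PROCS.values()) + [CONSTRUCTED_PROC])}


if __name__ == "__main__":
    for pid, (severity, reason) in triage_all().items():
        print(f"{pid:>5} {severity or '-':<6} {reason}")
```

The point of the "info" branch is context, not a whitelist: the same regsvr32 command line scored "high" when its parent is winword.exe, and the module path is checked rather than the process name. In a SIEM the parent and module-path conditions map directly onto Sysmon event 1 fields (ParentImage, CommandLine).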
Total events: 185 677
Read events: 173 463
Write events: 11 073
Delete events: 1 141

Modification events

(PID 7608) kav21.3.10.391abcdefghijklen_26157.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.3.10.391.0.2472.0
Operation: write; Name: TrashFiles
Value: C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0 C:\ProgramData\Kaspersky Lab Setup Files C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\index2.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\index-bases-x64-2.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\index-kleaner-2.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\kdscrl.rdb.z C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\kdscrl.rdb C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\eula_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\eula_gdpr_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksn_antispam_en.txt

(PID 7608) kav21.3.10.391abcdefghijklen_26157.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.3.10.391.0.2472.0
Operation: write; Name: TrashFiles
Value: C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0 C:\ProgramData\Kaspersky Lab Setup Files C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\index2.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\index-bases-x64-2.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\index-kleaner-2.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\kdscrl.rdb.z C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\kdscrl.rdb C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\eula_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\eula_gdpr_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksn_antispam_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksn_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksn_ep_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksn_marketing_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksde_eula_en.txt

(PID 7608) kav21.3.10.391abcdefghijklen_26157.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.3.10.391.0.2472.0
Operation: write; Name: TrashFiles
Value: C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0 C:\ProgramData\Kaspersky Lab Setup Files C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\index2.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\index-bases-x64-2.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\index-kleaner-2.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\kdscrl.rdb.z C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\kdscrl.rdb C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\eula_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\eula_gdpr_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksn_antispam_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksn_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksn_ep_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksn_marketing_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksde_eula_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksde_eula_gdpr_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksde_ksn_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksde_ksn_ep_en.txt

(PID 7608) kav21.3.10.391abcdefghijklen_26157.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.3.10.391.0.2472.0
Operation: write; Name: TrashFiles
Value: C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0 C:\ProgramData\Kaspersky Lab Setup Files C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\index2.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\index-bases-x64-2.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\index-kleaner-2.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\kdscrl.rdb.z C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\kdscrl.rdb C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\eula_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\eula_gdpr_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksn_antispam_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksn_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksn_ep_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksn_marketing_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksde_eula_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksde_eula_gdpr_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksde_ksn_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksde_ksn_ep_en.txt C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0\ksde_ksn_marketing_en.txt

(PID 7608) kav21.3.10.391abcdefghijklen_26157.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLab\IEOverride\Main
Operation: write; Name: Enable Browser Extensions
Value: no

(PID 7608) kav21.3.10.391abcdefghijklen_26157.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLab\IEOverride\Main
Operation: write; Name: UseSWRender
Value: 1

(PID 7608) kav21.3.10.391abcdefghijklen_26157.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.3.10.391.0.2472.0
Operation: write; Name: TrashFiles
Value: C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0

(PID 7608) kav21.3.10.391abcdefghijklen_26157.exe
Key: HKEY_CURRENT_USER\SOFTWARE\KasperskyLabSetup\Setup21.3.10.391.0.2472.0
Operation: write; Name: TrashFiles
Value: C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2472.0 C:\ProgramData\Kaspersky Lab Setup Files

(PID 7608) kav21.3.10.391abcdefghijklen_26157.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write; Name: CachePrefix
Value: (empty)

(PID 7608) kav21.3.10.391abcdefghijklen_26157.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write; Name: CachePrefix
Value: Cookie:
Executable files: 1 344
Suspicious files: 635
Text files: 2 211
Unknown types: 2

Dropped files

Columns: PID | Process | Filename | Type | MD5 | SHA256

7608 kav21.3.10.391abcdefghijklen_26157.exe
  C:\Users\admin\AppData\Local\Temp\94068F86-1496-11F0-B4ED-18F7786F96EE\check_new_version.html (html)
  MD5: B79AB8145423E4714F4D3623A7913EEF
  SHA256: 59A439DEBCEA1F039382E258A337031F9878450AFBCE19A2A52A37783009FAFE
7608 kav21.3.10.391abcdefghijklen_26157.exe
  C:\Users\admin\AppData\Local\Temp\kl-setup-2025-04-08-16-29-02_KAV.21.3.10.391.log (binary)
  MD5: 9651233CC26A16DFEAFDB7DA858DFC88
  SHA256: 1B6B60EFF9E3069E6C031E937BF1E824F1EACFF5A90E41555C5F417485526722
7608 kav21.3.10.391abcdefghijklen_26157.exe
  C:\Users\admin\AppData\Local\Temp\94068F86-1496-11F0-B4ED-18F7786F96EE\kis-print.css (text)
  MD5: 1304724DD5001B2600FC5BD80C098F1E
  SHA256: 2481B34B48FD96B194405DA621E8E5F19142DCB55744F9C9A93591705CB697FD
7608 kav21.3.10.391abcdefghijklen_26157.exe
  C:\Users\admin\AppData\Local\Temp\94068F86-1496-11F0-B4ED-18F7786F96EE\jquery-1.12.4.min.js (binary)
  MD5: 4F252523D4AF0B478C810C2547A63E19
  SHA256: 668B046D12DB350CCBA6728890476B3EFEE53B2F42DBB84743E5E9F1AE0CC404
7608 kav21.3.10.391abcdefghijklen_26157.exe
  C:\Users\admin\AppData\Local\Temp\58F8604969410F114BDE817F87F669EE\setup.dll (executable)
  MD5: 53179D48DF3A37E67EFFE6E88A95371D
  SHA256: 47C734C75EB998A776480E6396613B4E910D19D2702AC3F888ABDBEAE2B6C927
7608 kav21.3.10.391abcdefghijklen_26157.exe
  C:\Users\admin\AppData\Local\Temp\94068F86-1496-11F0-B4ED-18F7786F96EE\kis-style.css (text)
  MD5: 2B4BD0AFD0E9DD5C90FB8C3BB4A5D619
  SHA256: F9963B403E053F6BFA7C87CAD3C10DD55CF1F94FEFE00C6380921440E28B48D2
7608 kav21.3.10.391abcdefghijklen_26157.exe
  C:\Users\admin\AppData\Local\Temp\94068F86-1496-11F0-B4ED-18F7786F96EE\kis-script.js (binary)
  MD5: 026425CCBF4417EEFA444285707132EF
  SHA256: 97E5F342227EA23C27C1B660F111847FCDD9D7B23C1D248C733A36F983FD7F04
7608 kav21.3.10.391abcdefghijklen_26157.exe
  C:\Users\admin\AppData\Local\Temp\94068F86-1496-11F0-B4ED-18F7786F96EE\jquery.custom_select.min.js (binary)
  MD5: D2C620C462B75696EEA1FB22FB23602A
  SHA256: DD678D32073078552E0E2C35EED78F16CC8D6E8662D4734518561A1B183F775C
7608 kav21.3.10.391abcdefghijklen_26157.exe
  C:\Users\admin\AppData\Local\Temp\94068F86-1496-11F0-B4ED-18F7786F96EE\kis-loading.gif (image)
  MD5: 69D4B9B309BFA6A87F7620647BAFD2D0
  SHA256: F056164CF99799234C90E2318E90AB5D83D0FD855118224286FF0680EE455734
7608 kav21.3.10.391abcdefghijklen_26157.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 (binary)
  MD5: 92C567321378C7CC0275650B5BAE00A6
  SHA256: 7F495ABCC27881523DB72ACDA4B4AF8219F1349324A37D17950D4DD3F07A1942
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 22
TCP/UDP connections: 74
DNS requests: 108
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN/Type | Reputation
(the extracted rows carry a single "unknown" for the CN, Type and Size columns)

6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7608 | kav21.3.10.391abcdefghijklen_26157.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | whitelisted
7356 | kav21.3.10.391abcdefghijklen_26157.exe | GET | 301 | 80.239.170.149:80 | http://redirect.kaspersky.com/slideshow_default | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7356 | kav21.3.10.391abcdefghijklen_26157.exe | GET | 301 | 80.239.170.149:80 | http://redirect.kaspersky.com/slideshow_default | unknown | whitelisted
7312 | SIHClient.exe | GET | 200 | 2.23.9.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7872 | msiexec.exe | GET | 200 | 151.101.66.133:80 | http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGEJFcIpBz28BuO60qVQ%3D | unknown | whitelisted
7312 | SIHClient.exe | GET | 200 | 2.23.9.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7356 | kav21.3.10.391abcdefghijklen_26157.exe | GET | 301 | 80.239.170.149:80 | http://redirect.kaspersky.com/slideshow_default | unknown | whitelisted
7872 | msiexec.exe | GET | 200 | 151.101.66.133:80 | http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D | unknown | whitelisted
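The OCSP URLs in this table are not opaque. RFC 6960 allows an OCSP request to be sent as an HTTP GET whose path is the DER-encoded OCSPRequest, base64-encoded and URL-escaped, so the URL itself names the certificate being checked: a hash of the issuer's name, a hash of the issuer's public key, and the serial number. Decoding them tells you whether a lookup belongs to code-signing validation (the installer and msiexec asking DigiCert and GlobalSign responders about signing chains is what Authenticode verification of signed installer components looks like) or to something else. The Python below is an added example, not part of the ANY.RUN report; the DER walker is a minimal purpose-written helper, not a library API, and the two DigiCert URLs are copied from the table above. The two requests share issuer hashes and differ only in serial, i.e. two certificates from the same issuing CA were checked.

```python
import base64
from urllib.parse import unquote, urlsplit

# The two DigiCert OCSP GET URLs from the HTTP requests table above (copied from the report).
REPORT_OCSP_URLS = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D",
]
HASH_ALGS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
SEQUENCE = 0x30


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes) -> list:
    """Decode a constructed DER value into its list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def decode_ocsp_get(url: str) -> list:
    """Return the CertIDs carried by an OCSP GET URL (RFC 6960 A.1: base64(DER OCSPRequest) as the path).

    OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] EXPLICIT ... OPTIONAL }
    TBSRequest  ::= SEQUENCE { version [0] OPTIONAL, requestorName [1] OPTIONAL, requestList SEQUENCE OF Request, ... }
    Request     ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] OPTIONAL }
    CertID      ::= SEQUENCE { hashAlgorithm, issuerNameHash OCTET STRING, issuerKeyHash OCTET STRING, serialNumber INTEGER }
    """
    der = base64.b64decode(unquote(urlsplit(url).path.lstrip("/")))
    (_, ocsp_request), = _children(der)
    tbs = next(v for t, v in _children(ocsp_request) if t == SEQUENCE)   # skip the [0]-tagged signature if present
    request_list = next(v for t, v in _children(tbs) if t == SEQUENCE)   # skip [0] version / [1] requestorName
    cert_ids = []
    for _, request in _children(request_list):
        _, cert_id = _children(request)[0]
        (_, alg), (_, name_hash), (_, key_hash), (_, serial) = _children(cert_id)
        oid = _oid(_children(alg)[0][1])                                 # AlgorithmIdentifier ::= SEQUENCE { OID, params }
        cert_ids.append({
            "hash_alg": HASH_ALGS.get(oid, oid),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": serial.hex(),
        })
    return cert_ids


def same_issuer(a: dict, b: dict) -> bool:
    """True when two CertIDs name the same issuing CA (same name and key hashes under the same hash algorithm)."""
    return (a["hash_alg"], a["issuer_name_hash"], a["issuer_key_hash"]) == \
           (b["hash_alg"], b["issuer_name_hash"], b["issuer_key_hash"])


if __name__ == "__main__":
    for url in REPORT_OCSP_URLS:
        for cid in decode_ocsp_get(url):
            print(f"{urlsplit(url).netloc}: {cid['hash_alg']} issuerKeyHash={cid['issuer_key_hash']} serial={cid['serial']}")
```

To turn a decoded serial into a certificate name, match issuerKeyHash against the SHA-1 of the subjectPublicKey of the CA certificates in the installer's Authenticode chain (signtool /v or Get-AuthenticodeSignature shows the chain); the same decoder works on the GlobalSign URLs in the table.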

Connections

Columns: PID | Process | IP:port | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | (NetBIOS broadcast, no domain) | | | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6700 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(PID/process not captured) | | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | (NetBIOS broadcast, no domain) | | | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7608 | kav21.3.10.391abcdefghijklen_26157.exe | 80.239.174.35:443 | dm.s.kaspersky-labs.com | Telia Company AB | SE | whitelisted
7608 | kav21.3.10.391abcdefghijklen_26157.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 23.216.77.8
  • 23.216.77.36
  • 23.216.77.42
  • 23.216.77.22
  • 23.216.77.38
  • 23.216.77.30
  • 23.216.77.41
  • 23.216.77.37
  • 23.216.77.35
  • 23.216.77.18
  • 23.216.77.31
  • 23.216.77.21
whitelisted
dm.s.kaspersky-labs.com
  • 80.239.174.35
  • 46.8.206.115
  • 80.231.123.135
  • 109.248.196.5
  • 212.73.221.196
unknown
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.73
  • 40.126.31.2
  • 40.126.31.3
  • 20.190.159.71
  • 20.190.159.130
  • 20.190.159.0
  • 40.126.31.130
whitelisted
redirect.kaspersky.com
  • 80.239.170.149
  • 81.19.104.200
whitelisted
www.not.existing.kaspersky.com
  • 77.74.178.24
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

No threats detected
Debug output (Process: Message; rows with an empty message omitted)
avp.exe: rmt Name resolution: register property PR_REMOTE_MANAGER_PROP
avp.exe: rmt Name resolution: find property PR_REMOTE_MANAGER_PROP, 12582912
avp.exe: rmt Name resolution: register property cpnPRAGUE_REMOTE_API
avp.exe: rmt Name resolution: find property cpnPRAGUE_REMOTE_API, 12582912
avp.exe: rmt Name resolution: property registered successfully, id 1355802410