Malware Analysis Report

2025-01-06 07:47

Sample ID: 240530-p3g8xshc3s
Target: kav21.3.10.391en_26074.exe
SHA256: 2718dbeb8322435219fedc9e55ef236052c9e8f1e85429a3c98d963ad733b9b6
Tags: bootkit evasion persistence trojan
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 8/10
SHA256: 2718dbeb8322435219fedc9e55ef236052c9e8f1e85429a3c98d963ad733b9b6
Threat Level: Likely malicious

The file kav21.3.10.391en_26074.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: bootkit evasion persistence trojan

Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks for any installed AV software in registry
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-30 12:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-30 12:51
Reported: 2024-05-30 12:54
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe"

Signatures

Downloads MZ/PE file

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Viewport | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\RtfConverterFlags | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Expand Alt Text | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\CSS_Compat | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Disable Script Debugger | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Enable AutoImageResize | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\CSS_Compat | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Play_Background_Sounds | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\DOMStorage | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Anchor Underline | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Display Inline Images | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Enable AutoImageResize | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Display Inline Images | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\SmoothScroll | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\UseSWRender = "1" | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Expand Alt Text | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\DOMStorage | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International\Scripts\3 | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Play_Animations | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Print_Background | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\XDomainRequest | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International\Scripts | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Text Scaling | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Q300829 | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Print_Background | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\AdvancedOptions\DISAMBIGUATION | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\XMLHTTP | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\RtfConverterFlags | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Show image placeholders | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Play_Animations | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\DisableScriptDebuggerIE | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no" | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no" | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International\Scripts\4 | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\DisableScriptDebuggerIE | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International\Scripts | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Disable Script Debugger | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\UseHR | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Styles | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Larger Hit Test | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\MenuExt | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International\Scripts\3 | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Play_Background_Sounds | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Cleanup HTCs | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\XDomainRequest | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Styles | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Larger Hit Test | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
File opened (read-only) | \??\VBoxMiniRdrDN | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\installer | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A

Modifies system certificate store

Tags: evasion spyware trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A
N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1956 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe
PID 1956 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe
PID 1956 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe
PID 1956 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe
PID 1956 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe
PID 1956 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe
PID 1956 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe
PID 1956 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
PID 1956 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
PID 1956 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
PID 1956 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
PID 1956 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
PID 1956 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
PID 1956 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
PID 1564 wrote to memory of 2904 | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | C:\Users\Admin\AppData\Local\Temp\6B916330-1E83-11EF-A9A6-4658C477BD5D\TEST_WPF.EXE
PID 1564 wrote to memory of 2904 | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | C:\Users\Admin\AppData\Local\Temp\6B916330-1E83-11EF-A9A6-4658C477BD5D\TEST_WPF.EXE
PID 1564 wrote to memory of 2904 | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | C:\Users\Admin\AppData\Local\Temp\6B916330-1E83-11EF-A9A6-4658C477BD5D\TEST_WPF.EXE
PID 1564 wrote to memory of 2904 | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | C:\Users\Admin\AppData\Local\Temp\6B916330-1E83-11EF-A9A6-4658C477BD5D\TEST_WPF.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
    "C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe"

C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe
    "C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe" -auto_update_mode="C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe" /-self_remove -l=en -xpos=450 -ypos=95 -prevsetupver=21.3.10.391.0.21.0

C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
    "C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe" -cleanup="C:\Users\Admin\AppData\Local\Temp\0B373CD538E1FE119A6A64854C77DBD5;1956"

C:\Users\Admin\AppData\Local\Temp\6B916330-1E83-11EF-A9A6-4658C477BD5D\TEST_WPF.EXE
    "C:\Users\Admin\AppData\Local\Temp\6B916330-1E83-11EF-A9A6-4658C477BD5D\TEST_WPF.EXE" "C:\Users\Admin\AppData\Local\Temp\0324711638E1FE119A6A64854C77DBD5\setup.dll"

C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"

C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240508_141741285-MSI_netfx_Full_x64.msi.txt

C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    "C:\Users\Admin\AppData\Local\Temp\ose00000.exe"

C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 dm.s.kaspersky-labs.com udp
FR 80.231.123.135:443 dm.s.kaspersky-labs.com tcp
US 8.8.8.8:53 redirect.kaspersky.com udp
DE 81.19.104.200:443 redirect.kaspersky.com tcp
DE 81.19.104.200:80 redirect.kaspersky.com tcp
US 8.8.8.8:53 www.not.existing.kaspersky.com udp
DE 185.85.15.34:443 www.not.existing.kaspersky.com tcp

Files

\Users\Admin\AppData\Local\Temp\0B373CD538E1FE119A6A64854C77DBD5\setup.dll

C:\Users\Admin\AppData\Local\Temp\5DC373B1-1E83-11EF-A9A6-4658C477BD5D\check_new_version.html

C:\Users\Admin\AppData\Local\Temp\Cab346B.tmp

C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe

\Users\Admin\AppData\Local\Temp\0324711638E1FE119A6A64854C77DBD5\setup.dll

C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\static.ini

C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\dynamic.ini

C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\kis-style.css

C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\kis-print.css

C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\jquery-1.12.4.min.js

C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\kis-script.js

C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\jquery.custom_select.min.js

C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\kis-script-lte-ie8.js

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q08BRRYD.txt

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\kdscrl.rdb.z

C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\welcome_page_kavkis.html

C:\Users\Admin\AppData\Local\Temp\5DC373B1-1E83-11EF-A9A6-4658C477BD5D\kis-logo.png

C:\Users\Admin\AppData\Local\Temp\5DC373B1-1E83-11EF-A9A6-4658C477BD5D\kis-loading.gif

C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\welcome_page_ready_for_install.html

C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\progress_page.html

C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\default_slide.html

\Users\Admin\AppData\Local\Temp\6B916330-1E83-11EF-A9A6-4658C477BD5D\TEST_WPF.EXE

C:\Users\Admin\AppData\Local\Temp\6B916330-1E83-11EF-A9A6-4658C477BD5D\TEST_WPF.EXE.config

C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\product.msi

C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\kleaner.cab

\Users\Admin\AppData\Local\Temp\6B916331-1E83-11EF-A9A6-4658C477BD5D\Cleaner\cleanapi.dll

C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\ksde.msi

C:\Users\Admin\AppData\Local\Temp\TarCC76.tmp

C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\ksde_corebases.cab

C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\rdp_en.txt

\Users\Admin\AppData\Local\Temp\B55D4B50-1E83-11EF-A9A6-4658C477BD5D\cbi.dll

C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\install_error_retry_page.html

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 12:51

Reported

2024-05-30 12:54

Platform

win10v2004-20240426-en

Max time kernel

91s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable AutoImageResize C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no" C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Images C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseHR C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Q300829 C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DOMStorage C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\KasperskyLab\IEOverride\Main C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Anchor Underline C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\CSS_Compat C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Styles C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Viewport C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Expand Alt Text C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Settings C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseSWRender = "1" C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XDomainRequest C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DisableScriptDebuggerIE C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Move System Caret C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\AdvancedOptions\DISAMBIGUATION C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts\3 C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Background_Sounds C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Animations C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Show image placeholders C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Print_Background C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XMLHTTP C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\KasperskyLab\IEOverride C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\RtfConverterFlags C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Videos C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Cleanup HTCs C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\International C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Text Scaling C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Larger Hit Test C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\MenuExt C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\SmoothScroll C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Script Debugger C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe

"C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\35E1851638E1FE112A1D642887CF0FE8\setup.dll

C:\Users\Admin\AppData\Local\Temp\61581E54-1E83-11EF-A2D1-468278FCF08E\check_new_version.html
