Analysis Overview
SHA256
2718dbeb8322435219fedc9e55ef236052c9e8f1e85429a3c98d963ad733b9b6
Threat Level: Likely malicious
The file kav21.3.10.391en_26074.exe was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks for any installed AV software in registry
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 12:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 12:51
Reported
2024-05-30 12:54
Platform
win7-20240508-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6B916330-1E83-11EF-A9A6-4658C477BD5D\TEST_WPF.EXE | N/A |
Loads dropped DLL
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Viewport | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\RtfConverterFlags | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Expand Alt Text | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\CSS_Compat | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Disable Script Debugger | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Enable AutoImageResize | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\CSS_Compat | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Play_Background_Sounds | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\DOMStorage | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Anchor Underline | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Display Inline Images | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Enable AutoImageResize | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Display Inline Images | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\SmoothScroll | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\UseSWRender = "1" | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Expand Alt Text | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\DOMStorage | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International\Scripts\3 | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Play_Animations | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Print_Background | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\XDomainRequest | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International\Scripts | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Text Scaling | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Q300829 | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Print_Background | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\AdvancedOptions\DISAMBIGUATION | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\XMLHTTP | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\RtfConverterFlags | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Show image placeholders | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Play_Animations | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\DisableScriptDebuggerIE | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no" | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no" | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International\Scripts\4 | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\DisableScriptDebuggerIE | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International\Scripts | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Disable Script Debugger | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\UseHR | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Styles | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Larger Hit Test | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\MenuExt | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International\Scripts\3 | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Play_Background_Sounds | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Cleanup HTCs | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\International | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main\XDomainRequest | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Styles | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Larger Hit Test | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\KasperskyLab\IEOverride\Main | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\installer | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
"C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe"
C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe
"C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\au_setup_5DC373B2-1E83-11EF-A9A6-4658C477BD5D\startup.exe" -auto_update_mode="C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe" /-self_remove -l=en -xpos=450 -ypos=95 -prevsetupver=21.3.10.391.0.21.0
C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
"C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe" -cleanup="C:\Users\Admin\AppData\Local\Temp\0B373CD538E1FE119A6A64854C77DBD5;1956"
C:\Users\Admin\AppData\Local\Temp\6B916330-1E83-11EF-A9A6-4658C477BD5D\TEST_WPF.EXE
"C:\Users\Admin\AppData\Local\Temp\6B916330-1E83-11EF-A9A6-4658C477BD5D\TEST_WPF.EXE" "C:\Users\Admin\AppData\Local\Temp\0324711638E1FE119A6A64854C77DBD5\setup.dll"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240508_141741285-MSI_netfx_Full_x64.msi.txt
C:\Users\Admin\AppData\Local\Temp\ose00000.exe
"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | dm.s.kaspersky-labs.com | udp |
| FR | 80.231.123.135:443 | dm.s.kaspersky-labs.com | tcp |
| FR | 80.231.123.135:443 | dm.s.kaspersky-labs.com | tcp |
| US | 8.8.8.8:53 | redirect.kaspersky.com | udp |
| DE | 81.19.104.200:443 | redirect.kaspersky.com | tcp |
| DE | 81.19.104.200:80 | redirect.kaspersky.com | tcp |
| US | 8.8.8.8:53 | www.not.existing.kaspersky.com | udp |
| DE | 185.85.15.34:443 | www.not.existing.kaspersky.com | tcp |
| DE | 185.85.15.34:443 | www.not.existing.kaspersky.com | tcp |
| DE | 185.85.15.34:443 | www.not.existing.kaspersky.com | tcp |
| DE | 185.85.15.34:443 | www.not.existing.kaspersky.com | tcp |
| DE | 185.85.15.34:443 | www.not.existing.kaspersky.com | tcp |
| DE | 185.85.15.34:443 | www.not.existing.kaspersky.com | tcp |
| DE | 185.85.15.34:443 | www.not.existing.kaspersky.com | tcp |
| DE | 185.85.15.34:443 | www.not.existing.kaspersky.com | tcp |
| DE | 185.85.15.34:443 | www.not.existing.kaspersky.com | tcp |
| DE | 185.85.15.34:443 | www.not.existing.kaspersky.com | tcp |
| DE | 185.85.15.34:443 | www.not.existing.kaspersky.com | tcp |
| DE | 185.85.15.34:443 | www.not.existing.kaspersky.com | tcp |
| FR | 80.231.123.135:443 | dm.s.kaspersky-labs.com | tcp |
Files
| SHA256 | 16082956bc9dc994c093542d2d7148c31d950beeeedee2ba499aa09d843039d2 |
| SHA512 | ae4c7ab6a399433eda880a702f8a0b4f1e82fa3bd1d6da1db9bc90b4acaad80dc9bc85655211d3aad8dd496096267122420ce049a99b6c5cddedfe826f176bdc |
C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\progress_page.html
| MD5 | 4420b72ebf4e4adccb24495cb1ea2ae3 |
| SHA1 | f1a568f03c4427631698f4b5b898910a5cccd1a2 |
| SHA256 | e6dc758016bdf87714eb1d3033d1618e6f8301b91e21c31c57b830ef056d7805 |
| SHA512 | b4fec7907069a1d73ccf8ae3796bb29d510826f4ec97a30495313aafa35b7a0dc022eb3576f87dde60d3b5320e6d936067f8f2c6f2f6dc0d9492a9c4d7b8fefb |
C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\default_slide.html
| MD5 | f56557132c620da7a847248386f1651d |
| SHA1 | 3663505e61c38ea40a6675090d7d20893beac69b |
| SHA256 | a0f3b6ba8cfc5513a7a812630fa941c9586f61851e0b387ff53538e31c58e62a |
| SHA512 | 981bda6eedb3a8171de8cd2a681036ab0ea39299423ff397f7027fbb611e5a24f5130eae28e1646fd86a8de997804c056a0eb651b37e194f740565a04e5b519f |
\Users\Admin\AppData\Local\Temp\6B916330-1E83-11EF-A9A6-4658C477BD5D\TEST_WPF.EXE
| MD5 | ff5a0f886248cf3a78fad8d2059f6ecb |
| SHA1 | 1dd9929259e6ef818482bc775936a57e2e1edfbf |
| SHA256 | f9e1bf7cb669adcb4c0ff1096376d27c6e1729fd253990078f721961cbcce794 |
| SHA512 | c8b8b12f3351980346fd3ed017233a93816f7cd505077d7403627330c7080f17b691bd69fb81061018685ca32f0b8dc6352beba6bd312a32e65c98e74aebfb07 |
C:\Users\Admin\AppData\Local\Temp\6B916330-1E83-11EF-A9A6-4658C477BD5D\TEST_WPF.EXE.config
| MD5 | 291d5cf5b0752c78eaefa2c1d099cdd6 |
| SHA1 | 39d2c6a4ac22c219de3bf7e44733e4d02e4a08d8 |
| SHA256 | 8a09e9d24204a2e4dcbb2ace67e06e7a04934fa7b1741579aa2ccddc3eeb7a8d |
| SHA512 | 0b10053abfdbc49a35191ad7e8e73bee0550ef50fb1cd5fe368e3e21260e948d91521e74e6a7ad31547aa4ab3d157ce8a17ad60632e0e27c82436bcb0da15c34 |
memory/2904-314-0x0000000004640000-0x0000000004BA2000-memory.dmp
memory/2904-316-0x0000000000B80000-0x0000000000B88000-memory.dmp
memory/2904-338-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-375-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-374-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-373-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-429-0x00000000051C0000-0x00000000052FC000-memory.dmp
memory/2904-431-0x0000000005900000-0x0000000005C64000-memory.dmp
memory/2904-430-0x0000000005300000-0x00000000058F4000-memory.dmp
memory/2904-428-0x0000000004E40000-0x00000000051B7000-memory.dmp
memory/2904-372-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-370-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-369-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-368-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-367-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-366-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-432-0x0000000005C70000-0x0000000005D0C000-memory.dmp
memory/2904-365-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-364-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-363-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-362-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-361-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-360-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-359-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-358-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-357-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-356-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-355-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-353-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-352-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-351-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-350-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-349-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-348-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-347-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-346-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-345-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-344-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-343-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-342-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-341-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-337-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-336-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-335-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-333-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-332-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-331-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-330-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-329-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-328-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-327-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-326-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-325-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-324-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-323-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-322-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-321-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-320-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-319-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-371-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-354-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-340-0x0000000077C40000-0x0000000077C50000-memory.dmp
memory/2904-433-0x0000000006160000-0x00000000061C4000-memory.dmp
memory/2904-434-0x00000000061D0000-0x000000000645C000-memory.dmp
memory/2904-435-0x0000000006520000-0x0000000006558000-memory.dmp
memory/2904-437-0x0000000006A80000-0x0000000006A8A000-memory.dmp
memory/2904-436-0x0000000006A80000-0x0000000006A8A000-memory.dmp
memory/2904-438-0x0000000006C80000-0x0000000006CC0000-memory.dmp
memory/2904-439-0x0000000007870000-0x0000000007878000-memory.dmp
memory/2904-440-0x0000000007900000-0x000000000790E000-memory.dmp
memory/2904-443-0x0000000006A80000-0x0000000006A8A000-memory.dmp
C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\product.msi
| MD5 | 944ee200ab1e4b8119bd9bfa3d943c4a |
| SHA1 | 00e65ed5c285d9beb7a9777fdb82f8102ab3e665 |
| SHA256 | 5e09be4742167c7608711167894b2e63413224905033e47454385024fbe24716 |
| SHA512 | b66268401d701ce0dae228080c607e4dfca69f8f39fc30bcc7aad6c99f2e3a7d647f6a1b9649f26ae5853ca4a2037213485b980be1d8b33312c9b0814ec9b8d6 |
C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\kleaner.cab
| MD5 | ee0fb0d0a82fbca7b0efdf541379e167 |
| SHA1 | d7532546ece77ebb4c3318cc3e4181e6502fcfe4 |
| SHA256 | e3740fb3f8e06d58dd664bddf0c679416c5c103970620a49102a6e7778d6deb3 |
| SHA512 | 5278ff84cdb2488540b051fcfaf699a9966ffdadf5b237f963f3d8531d207088fd8b635027bd526b9d484796dcc72882729bd9d5585dd4dd923e7bab490d3622 |
\Users\Admin\AppData\Local\Temp\6B916331-1E83-11EF-A9A6-4658C477BD5D\Cleaner\cleanapi.dll
| MD5 | c8708ca7e9de4b73b909271db2cfae8b |
| SHA1 | 671feefffb3af2d8a35624129f5c38a94de1b7ab |
| SHA256 | e2d0561db4a1897a628f58887f9f44cdb3d481f7b599c21076252d763a6a32ba |
| SHA512 | e41bc7fa9c8c86e6e4f62e7b436dbfe443f18e66136d56f381ec974290de0e35703db52e38c5ccef17d573e59db8e966ef15863096dba9d89a6cb0e51360fbb4 |
C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\ksde.msi
| MD5 | 0d222d6ce6dd61cc1040f9c5763a438d |
| SHA1 | 2dfae934feb75a15d7f93af8f66cf119b681d2d9 |
| SHA256 | 3c336401c1d46eba815c78cf84bbbec09b9776066b980dbf0b21233066841a6a |
| SHA512 | 38eace84a09d454d756ec91ff9fd3ded164313e577644bf7110dbaefcc02e65f2802b5292f51b6c77335bab30a9a34d1e34ac58be6f5bb51dd42e4917f1e28c9 |
C:\Users\Admin\AppData\Local\Temp\TarCC76.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\ksde_corebases.cab
| MD5 | 593d70d26d93dec45bc0c46843b20f52 |
| SHA1 | 65d7916bd0572af8df57e921126803857b55690d |
| SHA256 | ff98c8d273d54c9de5b2071137c474a684224e913e89fb53ec6871e74aec8792 |
| SHA512 | fd6b82a5da6a07e15aa637648438aa48289876f5270750d2768f762b34f013a782ed4dbf46671a927113f6952a12d4a5e989f3a7ce00c705ce07986c30d82469 |
C:\ProgramData\Kaspersky Lab Setup Files\KAV21.3.10.391.0.2091.0\rdp_en.txt
| MD5 | 3f41dc7cbb36b874d23f3aefce76e038 |
| SHA1 | 502c7d9b61420c47a45ab8c3ebad7255d12ea288 |
| SHA256 | 3a13dc28ae92135614eebb1f1f77b53608c9ee3cf232ef18859ed303d4feeeee |
| SHA512 | 88d5029dc2679a658e9332da39f3ed28b217020611cfcdd11aa0cc4131b5bae4402401403b844c94baac4baea23ab4018e28f5772f49acfec36bdbdedb1aa3fc |
memory/2680-647-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2680-648-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\B55D4B50-1E83-11EF-A9A6-4658C477BD5D\cbi.dll
| MD5 | 0a7526c1967e42c5b26233d8ec653f26 |
| SHA1 | 3857be1bc4e0b3afa4175a8e8e2d919362a38cb6 |
| SHA256 | aa5f803cde91726745fafa49edf3ebcc35d0faa4cffdbced53da384a4d659801 |
| SHA512 | 1865afc644bc4c23f77f1a5a2b8c967cc0f600ba0cb4205720966c74c0a65c8392a5dc41ad632400c30df5b204af4ffc23962afc35c0c96072f08ad2c6a28a49 |
C:\Users\Admin\AppData\Local\Temp\61174231-1E83-11EF-A9A6-4658C477BD5D\install_error_retry_page.html
| MD5 | 0c23860aa3297764fc7860662e6d5786 |
| SHA1 | 7fa4cbf4b48945095272af0843238c46b0bc2bde |
| SHA256 | c4bb8e2950bc6ebe5eff29ddb3eab60119d1b59e6b355f154b229affb10accdc |
| SHA512 | cebfc8dbb92848de26f87861f9bf07dc16e2ca839cb13c41716d180a8b806c172ea7e3def9a283f824d47ee5fdb4b376c5afe3819d3282440dc875cfe07f417f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 12:51
Reported
2024-05-30 12:54
Platform
win10v2004-20240426-en
Max time kernel
91s
Max time network
98s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable AutoImageResize | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no" | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Images | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseHR | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Q300829 | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DOMStorage | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\KasperskyLab\IEOverride\Main | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Anchor Underline | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\CSS_Compat | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Styles | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Viewport | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Expand Alt Text | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Settings | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseSWRender = "1" | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XDomainRequest | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DisableScriptDebuggerIE | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Move System Caret | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\AdvancedOptions\DISAMBIGUATION | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts\3 | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Background_Sounds | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Animations | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Show image placeholders | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Print_Background | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XMLHTTP | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\KasperskyLab\IEOverride | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\RtfConverterFlags | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Videos | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Cleanup HTCs | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\International | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Text Scaling | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Larger Hit Test | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\MenuExt | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\SmoothScroll | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Script Debugger | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
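The two tables above are the sandbox's raw registry trace, and most of the rows are reads of Internet Explorer rendering settings (Display Inline Images, SmoothScroll, DisableScriptDebuggerIE and so on) under a KasperskyLab\IEOverride key; only two rows actually write anything. The Python below is an added example, not part of this report or of Kaspersky's installer: it parses rows in the report's table shape, maps the kernel-style \REGISTRY\USER\<SID> and \REGISTRY\MACHINE prefixes to HKCU and HKLM (assuming the SID is the detonating user's own hive, which is how a single-user sandbox run reads), separates values written from keys merely opened or queried, and tallies operations. The sample rows are copied from the two tables above; nothing else is assumed.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Constructed sample: rows copied from the registry signature tables above,
# in the report's "| operation | indicator | process | target |" shape.
SAMPLE_ROWS = r"""
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable AutoImageResize | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no" | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\KasperskyLab\IEOverride\Main | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseSWRender = "1" | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
"""


class RegOp(NamedTuple):
    operation: str        # "Key value queried", "Set value (str)", ...
    path: str             # hive-normalized, e.g. HKCU\SOFTWARE\KasperskyLab\...
    value: Optional[str]  # only present for "Set value" rows
    process: str


# \REGISTRY\USER\<SID>\... is the detonating user's hive (assumption: the
# sandbox runs the sample as that single user), so it is shown as HKCU.
_USER_HIVE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
_MACHINE_HIVE = re.compile(r"^\\REGISTRY\\MACHINE\\", re.IGNORECASE)
# "Set value" rows carry the written data as:  <path> = "<value>"
_ASSIGNMENT = re.compile(r'^(?P<path>.+?) = "(?P<value>.*)"$')


def normalize_path(native: str) -> str:
    """Rewrite the kernel-style \\REGISTRY\\... prefix to HKCU\\ or HKLM\\."""
    native = _USER_HIVE.sub(r"HKCU\\", native)
    return _MACHINE_HIVE.sub(r"HKLM\\", native)


def parse_rows(table: str) -> List[RegOp]:
    ops: List[RegOp] = []
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("| Description"):
            continue  # blank lines and the header row
        cells = [c.strip() for c in line.strip("|").split(" | ")]
        if len(cells) != 4:
            continue
        operation, indicator, process, _target = cells
        value = None
        m = _ASSIGNMENT.match(indicator)
        if m:
            indicator, value = m.group("path"), m.group("value")
        ops.append(RegOp(operation, normalize_path(indicator), value, process))
    return ops


def values_written(ops: List[RegOp]) -> dict:
    """Only the rows that changed the registry: path -> value written."""
    return {op.path: op.value for op in ops if op.operation.startswith("Set value")}


def operation_counts(ops: List[RegOp]) -> Counter:
    return Counter(op.operation for op in ops)


def keys_under(ops: List[RegOp], prefix: str) -> List[str]:
    """Distinct paths touched below prefix (case-insensitive, first-seen order)."""
    seen: List[str] = []
    for op in ops:
        if op.path.lower().startswith(prefix.lower()) and op.path not in seen:
            seen.append(op.path)
    return seen


if __name__ == "__main__":
    ops = parse_rows(SAMPLE_ROWS)
    print(operation_counts(ops))
    for path, value in values_written(ops).items():
        print(f"WROTE {path} = {value!r}")
    print(keys_under(ops, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"))
```

Run against the full table, the write list is what to compare with the vendor's documented installer behaviour; a "Key value queried" row such as EnableLUA is a read and by itself proves nothing about intent.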
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
"C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
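Every row in the Network table is a reverse-lookup (PTR) query sent to 8.8.8.8, so the addresses the process was actually interested in are encoded in the query names with the octets in reverse order. The Python below is an added example, not part of this report: it parses rows in the table's shape, inverts full in-addr.arpa and ip6.arpa names back to addresses, rejects partial or malformed names by round-tripping through the standard library's reverse_pointer, and lists the distinct addresses behind the queries. The first three sample rows are copied from the table; the ip6.arpa row (for the documentation address 2001:db8::1) and the forward-lookup row are constructed here to exercise the other branches.

```python
import ipaddress
from typing import Dict, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample in the report's Network table shape. Rows 1-3 are copied
# from the table above; the ip6.arpa and forward-name rows are made up here.
_IP6_PTR = "1." + "0." * 23 + "8.b.d.0.1.0.0.2.ip6.arpa"  # PTR name for 2001:db8::1
SAMPLE_NETWORK = f"""\
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | {_IP6_PTR} | udp |
| US | 8.8.8.8:53 | updates.example.invalid | udp |
"""


def ptr_to_ip(name: str) -> Optional[IPAddr]:
    """Invert a full PTR query name to the address it asks about.

    Returns None for forward names, partial (classless) PTR names and anything
    that does not round-trip through the stdlib's reverse_pointer.
    """
    name = name.rstrip(".").lower()
    labels = name.split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            ip: IPAddr = ipaddress.IPv4Address(".".join(labels[:4][::-1]))
        elif labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(labels[:32][::-1])
            ip = ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
        else:
            return None
    except ValueError:  # octet > 255, non-hex nibble, leading zeros, ...
        return None
    # Round-trip check guards against labels that merely look like a PTR name.
    return ip if ip.reverse_pointer == name else None


def parse_network(table: str) -> List[Dict[str, object]]:
    rows: List[Dict[str, object]] = []
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("| Country"):
            continue  # blank lines and the header row
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, destination, domain, proto = cells
        ip = ptr_to_ip(domain)
        rows.append({
            "country": country,
            "resolver": destination,  # where the query went, not its subject
            "query": domain,
            "proto": proto,
            "kind": "ptr" if ip is not None else "forward",
            "ip": str(ip) if ip is not None else None,
            "global": ip.is_global if ip is not None else None,
        })
    return rows


def resolved_ips(rows: List[Dict[str, object]]) -> List[str]:
    """Distinct addresses the PTR queries were about, in first-seen order."""
    seen: List[str] = []
    for r in rows:
        ip = r["ip"]
        if isinstance(ip, str) and ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    rows = parse_network(SAMPLE_NETWORK)
    for r in rows:
        print(f'{r["kind"]:7} {r["query"]:<74} -> {r["ip"]}')
    print("PTR subjects:", resolved_ips(rows))
```

The inverted addresses are what to enrich (WHOIS, passive DNS, your own proxy logs); the `global` flag separates routable targets from private or documentation ranges before you spend time on them. Note that a PTR query only shows the process asked who owns an address; the report's table does not by itself show a connection to it.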
Files
memory/4664-2-0x0000000077EA0000-0x0000000077EB0000-memory.dmp
memory/4664-3-0x0000000077D32000-0x0000000077D33000-memory.dmp
memory/4664-1-0x0000000077EA0000-0x0000000077EB0000-memory.dmp
memory/4664-0-0x0000000077EA0000-0x0000000077EB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\35E1851638E1FE112A1D642887CF0FE8\setup.dll
| MD5 | 7c0418acfb24086ede591a7e1d3df7ac |
| SHA1 | 9bee27188d04bf44fa2e95a8fcb575497396f2b0 |
| SHA256 | d7b6905661d364be51bdb7e8e2ef9832ed0c33f056c4f40368f9ae6c1b4e608a |
| SHA512 | e2c45aad07d5db230c9758fde258ab5589160d81a8723a5d246fe3287fca1a192b162c33f35144a44d16dd655e4a86694acd55c9279a15b795777ede2b14f71c |
C:\Users\Admin\AppData\Local\Temp\61581E54-1E83-11EF-A2D1-468278FCF08E\check_new_version.html
| MD5 | b79ab8145423e4714f4d3623a7913eef |
| SHA1 | 0f17053bd76724cb244866c537de47ea6124331a |
| SHA256 | 59a439debcea1f039382e258a337031f9878450afbce19a2a52a37783009fafe |
| SHA512 | 239663617d89722d8c4187804901436c456444b92655ade83c1fbf04231467693869efdc689123724dcc58d63665efb5dbb2a835fe49144facbea361c8ae9151 |