Kaspersky removal tool OS credential dumping


Go to solution Solved by Yury N.,

Recommended Posts

fabiodanzetta
Posted

Hello everyone,
I launched Kaspersky Removal Tool on a Windows machine with CrowdStrike installed. At a certain point, about 10 minutes after the Kaspersky scan started, CrowdStrike killed the Kaspersky Removal Tool and triggered a critical detection with this wording: "A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree."
The killed process is identified as a numeric .exe, in my case "418ecc20.exe", which refers to Kaspersky Virus Removal Tool and is located in Users\username\AppData\Local\Temp\{060a28d3-7b79-4b97-bfcb-6c1693af6922}
Can you please explain to me on a technical level why this happened?

Thanks everyone

harlan4096
Posted

Welcome to Kaspersky Community.

This is clearly a false positive of CrowdStrike...

Every time you run KVRT, a new random exe name is created, to avoid possible malware in memory recognizing and killing it, for example.

  • Like 3
fabiodanzetta
Posted

Hi Harlan,
I had imagined this, but I wanted to understand why Kaspersky Removal Tool needs to dump credentials.

Thanks

  • Solution
Yury N.
Posted

Hello.

KVRT opens processes to query the list of loaded libraries. Maybe this triggers CrowdStrike. You should ask CrowdStrike what causes this alert.

  • Like 2
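To show why a module-enumeration sweep can look like credential access, here is an added triage example (not code from this thread, from Kaspersky or from CrowdStrike). It decodes the Windows process-access mask and groups access events per source process: reading another process's loaded-module list through APIs such as EnumProcessModules needs PROCESS_QUERY_INFORMATION plus PROCESS_VM_READ, and PROCESS_VM_READ on lsass.exe is exactly the right a memory dump would also need. The events are constructed in the shape of Sysmon Event ID 10 fields (SourceImage, TargetImage, GrantedAccess); the "many targets" threshold and the verdict labels are assumptions for illustration.

```python
"""Triage 'credential dumping' style process-access alerts.

Added example, not from the forum thread or from Kaspersky/CrowdStrike.
Input events mimic Sysmon Event ID 10 (ProcessAccess) fields; the sample
events at the bottom are constructed, not captured from a real host.
"""
from collections import defaultdict

# Process access rights from winnt.h (documented Windows constants).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}

# Enumerating another process's loaded modules needs QUERY_INFORMATION and
# VM_READ (0x0410). A scanner walking every process therefore opens lsass.exe
# with VM_READ too, which is what a credential-dumping rule keys on.
MODULE_ENUM_MASK = 0x0410
# Rights that module enumeration never needs; seeing them on lsass.exe is
# not explained by a scanner reading the module list.
WRITE_OR_INJECT = 0x0001 | 0x0002 | 0x0008 | 0x0020 | 0x0800

# Assumed heuristic: a read-only sweep of at least this many distinct
# processes looks like a scanner, not a targeted LSASS read.
SWEEP_THRESHOLD = 5


def decode_access(mask):
    """Return the names of the rights set in a GrantedAccess mask."""
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]


def triage(events):
    """Map each SourceImage to a verdict label (assumed labels)."""
    per_source = defaultdict(lambda: {"targets": set(),
                                      "lsass_read": False,
                                      "write_or_inject": False})
    for ev in events:
        mask = int(ev["GrantedAccess"], 16)
        src = per_source[ev["SourceImage"]]
        target = ev["TargetImage"].lower()
        src["targets"].add(target)
        if target.endswith("\\lsass.exe") and mask & 0x0010:
            src["lsass_read"] = True
        if target.endswith("\\lsass.exe") and mask & WRITE_OR_INJECT:
            src["write_or_inject"] = True

    verdicts = {}
    for source, s in per_source.items():
        if s["write_or_inject"]:
            verdicts[source] = "escalate"            # beyond module enumeration
        elif s["lsass_read"] and len(s["targets"]) >= SWEEP_THRESHOLD:
            verdicts[source] = "likely_scanner_sweep"  # still verify signer/hash
        elif s["lsass_read"]:
            verdicts[source] = "suspicious_lsass_read"  # focused on LSASS only
        else:
            verdicts[source] = "no_lsass_read"
    return verdicts


# Constructed sample: a randomly named scanner in Temp (name pattern from the
# thread) reads the module list of six processes, a second process reads only
# lsass.exe, and a third opens lsass.exe with full access.
SCANNER = "C:\\Users\\user\\AppData\\Local\\Temp\\{guid}\\418ecc20.exe"
SAMPLE_EVENTS = [
    {"SourceImage": SCANNER, "TargetImage": f"C:\\Windows\\System32\\{t}",
     "GrantedAccess": "0x1410"}
    for t in ("svchost.exe", "lsass.exe", "winlogon.exe", "spoolsv.exe",
              "services.exe", "explorer.exe")
] + [
    {"SourceImage": "C:\\Temp\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": "C:\\Temp\\other.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    print(decode_access(MODULE_ENUM_MASK))
    for source, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{verdict:24} {source}")
```

The point of the grouping is that the access mask alone cannot separate a scanner from a dumper, since both need PROCESS_VM_READ on lsass.exe; what does separate them in this example is breadth (every process versus only LSASS) and the absence of write or thread-creation rights, and the "likely scanner" verdict is still only a reason to check the binary's signature and hash rather than to close the alert.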
  • 2 weeks later...
fabiodanzetta
Posted

@Yury N. thank you very much for your explanation.
