Kaspersky removal tool OS credential dumping

[fabiodanzetta]

Hello everyone,
I launched kaspersky removal tool on a windows machine with crowdstrike installed which at a certain point after 10 minutes from the start of the Kaspersky scan killed the kaspersky removal tool and triggered a critical detection with this wording: "A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree."
The killed process is identified as numeric.exe and in my case as "418ecc20.exe" which refers to Kaspersky Virus Removal Tool and which is located in Users\username\AppData\Local\Temp\{060a28d3-7b79-4b97-bfcb-6c1693af6922}
Can you please explain to me on a technical level why this happened?

Thanks everyone

[harlan4096]

Welcome to Kaspersky Community.

 

This is clearly a false positive of CrowdStrike...

 

Every time You run KVRT, a new random exe name is created, to avoid a possible malware in memory recognizes and kill it, for example.

[fabiodanzetta]

Hi Harlan,
I had imagined this but I wanted to understand why kaspersky removal tool needs to dump credentials.

Thanks

[Yury N.]

Hello.

KVRT opens processes for query loaded libraries list. May be this triggers CrowdStrike. You should ask CrowdStrike what causes this alert.

[fabiodanzetta]

@Yury N. thank you very mutch for your explanation.