47685b74eeda5f4a0144dd9ff2efe37f1d1cce49e69ee100575fb165419f1752

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Kies3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AgentUpdate.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Kies3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AgentUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AgentUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Kies3.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Control Panel\International\Geo\Nation	Kies3Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Control Panel\International\Geo\Nation	Kies3.exe

Executes dropped EXE 7 IoCs

pid	Process
5020	ISBEW64.exe
4168	WriteDescExecuteFileName.exe
4996	WriteDescExecuteFileName.exe
596	Kies3.exe
4092	Kies3.exe
2092	Kies3.exe
4456	AgentUpdate.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Wine	Kies3.exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Wine	AgentUpdate.exe

Loads dropped DLL 59 IoCs

pid	Process
2776	Kies3Setup.exe
4904	MsiExec.exe
4904	MsiExec.exe
2776	Kies3Setup.exe
2776	Kies3Setup.exe
2776	Kies3Setup.exe
2776	Kies3Setup.exe
2776	Kies3Setup.exe
2776	Kies3Setup.exe
2776	Kies3Setup.exe
3272	MsiExec.exe
3272	MsiExec.exe
2776	Kies3Setup.exe
2776	Kies3Setup.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
4092	Kies3.exe
4092	Kies3.exe
4092	Kies3.exe
4092	Kies3.exe
4092	Kies3.exe
4092	Kies3.exe
4092	Kies3.exe
4092	Kies3.exe
4092	Kies3.exe
4092	Kies3.exe
2092	Kies3.exe
2092	Kies3.exe
2092	Kies3.exe
2092	Kies3.exe
2092	Kies3.exe
2092	Kies3.exe
2092	Kies3.exe
2092	Kies3.exe
2092	Kies3.exe
2092	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
4456	AgentUpdate.exe
4456	AgentUpdate.exe
4456	AgentUpdate.exe
4456	AgentUpdate.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/596-825-0x00000000737A0000-0x00000000737BB000-memory.dmp	upx
behavioral1/memory/596-826-0x0000000073730000-0x000000007379C000-memory.dmp	upx
behavioral1/memory/596-829-0x00000000733F0000-0x0000000073443000-memory.dmp	upx
behavioral1/memory/596-830-0x000000006E190000-0x000000006E9F6000-memory.dmp	upx
behavioral1/memory/596-847-0x00000000737A0000-0x00000000737BB000-memory.dmp	upx
behavioral1/memory/596-848-0x0000000073730000-0x000000007379C000-memory.dmp	upx
behavioral1/memory/596-851-0x00000000733F0000-0x0000000073443000-memory.dmp	upx
behavioral1/memory/596-852-0x000000006E190000-0x000000006E9F6000-memory.dmp	upx
behavioral1/memory/4456-854-0x00000000733F0000-0x0000000073443000-memory.dmp	upx
behavioral1/memory/4456-857-0x000000006E190000-0x000000006E9F6000-memory.dmp	upx
behavioral1/memory/4456-862-0x00000000733F0000-0x0000000073443000-memory.dmp	upx
behavioral1/memory/4456-864-0x00000000733F0000-0x0000000073443000-memory.dmp	upx
behavioral1/memory/4456-867-0x000000006E190000-0x000000006E9F6000-memory.dmp	upx
behavioral1/memory/4456-868-0x000000006E190000-0x000000006E9F6000-memory.dmp	upx
behavioral1/memory/4456-997-0x00000000733F0000-0x0000000073443000-memory.dmp	upx
behavioral1/memory/4456-1000-0x000000006E190000-0x000000006E9F6000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	Kies3Setup.exe
File opened (read-only)	\??\G:	Kies3Setup.exe
File opened (read-only)	\??\R:	Kies3Setup.exe
File opened (read-only)	\??\P:	Kies3Setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	Kies3Setup.exe
File opened (read-only)	\??\B:	Kies3Setup.exe
File opened (read-only)	\??\N:	Kies3Setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	Kies3Setup.exe
File opened (read-only)	\??\Q:	Kies3Setup.exe
File opened (read-only)	\??\U:	Kies3Setup.exe
File opened (read-only)	\??\W:	Kies3Setup.exe
File opened (read-only)	\??\Z:	Kies3Setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	Kies3Setup.exe
File opened (read-only)	\??\L:	Kies3Setup.exe
File opened (read-only)	\??\M:	Kies3Setup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	Kies3Setup.exe
File opened (read-only)	\??\S:	Kies3Setup.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	Kies3Setup.exe
File opened (read-only)	\??\Y:	Kies3Setup.exe
File opened (read-only)	\??\V:	Kies3Setup.exe
File opened (read-only)	\??\X:	Kies3Setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	Kies3Setup.exe
File opened (read-only)	\??\K:	Kies3Setup.exe
File opened (read-only)	\??\O:	Kies3Setup.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
596	Kies3.exe
596	Kies3.exe
4456	AgentUpdate.exe
4456	AgentUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Samsung\Kies3\SLocales.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_pl-PL.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_ro-RO.dll	msiexec.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{88547073-C566-4895-9005-EBE98EA3F7C7}\1033e72.rra	Kies3Setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{88547073-C566-4895-9005-EBE98EA3F7C7}\0x0412.ini	Kies3Setup.exe
File created	C:\Program Files (x86)\Samsung\Kies3\msvcp90.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\AgentInstaller.exe	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\NTMsg.exe	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\cximageu.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_th-TH.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\basswma.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\Microsoft.VC90.OpenMP.manifest	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_nb-NO.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_zh-CN.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\msvcp90.dll	Kies3Setup.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{88547073-C566-4895-9005-EBE98EA3F7C7}\0x0409.ini	Kies3Setup.exe
File created	C:\Program Files (x86)\Samsung\Kies3\basscd.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\Kies3.exe	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\SamsungModelDB.xml	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\Kies3PDLR.exe	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_el-GR.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\AgentModels.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\res.zip	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\SkinData	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_ko-KR.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\Kies3Version.txt	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_lv-LV.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_ms-MY.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_vi-VN.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_zh-HK.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\bassenc.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\libpng14-14.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\External\TransModules\tg_video.txt	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\AgentDialogs.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\AgentUpdate.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{88547073-C566-4895-9005-EBE98EA3F7C7}\0x0412.ini	Kies3Setup.exe
File created	C:\Program Files (x86)\Samsung\Kies3\KiesUpdateClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\AgentVer.txt	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_de-DE.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_et-EE.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{88547073-C566-4895-9005-EBE98EA3F7C7}\setup.ini	Kies3Setup.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_lt-LT.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\mfc9126a.rra	Kies3Setup.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\AdminDelegator_Kies3.exe	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\mfcm90u.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_cs-CZ.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_hr-HR.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_uk-UA.dll	msiexec.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{88547073-C566-4895-9005-EBE98EA3F7C7}\ISSetup.dll	Kies3Setup.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{88547073-C566-4895-9005-EBE98EA3F7C7}\0x04e72.rra	Kies3Setup.exe
File created	C:\Program Files (x86)\Samsung\Kies3\cairo.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\msvcr71.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\BaseUI.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\msvcr90.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_ru-RU.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_he-IL.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\bass.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\External\TransModules\TG_MOVIE.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\mfcm90.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{88547073-C566-4895-9005-EBE98EA3F7C7}\1042.mst	Kies3Setup.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_id-ID.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\Agent.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\language\Resource_zh-TW.dll	msiexec.exe
File created	C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\msvc1875.rra	Kies3Setup.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57f5e9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f5ea.mst	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{88547073-C566-4895-9005-EBE98EA3F7C7}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{88547073-C566-4895-9005-EBE98EA3F7C7}\1033.MST	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e57f5ea.mst	msiexec.exe
File created	C:\Windows\Installer\SourceHash{88547073-C566-4895-9005-EBE98EA3F7C7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{88547073-C566-4895-9005-EBE98EA3F7C7}\1033.MST	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC73.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{88547073-C566-4895-9005-EBE98EA3F7C7}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\e57f5ec.msi	msiexec.exe
File created	C:\Windows\Installer\e57f5e9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA2F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\SourceList\PackageName = "Samsung Kies3.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\37074588665C59840950BE9EE83A7F7C\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\ProductName = "Samsung Kies3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\PackageCode = "4DD9F73FBDCE1464882B8BE1AD5F4D3D"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\Transforms = "C:\\Windows\\Installer\\{88547073-C566-4895-9005-EBE98EA3F7C7}\\1033.MST"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Downloaded Installations\\{F37F9DD4-ECDB-4641-88B2-B81EDAF5D4D3}\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\37074588665C59840950BE9EE83A7F7C	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\Version = "50410287"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\687BD84E93C6D9C42BCAF424648B800B\37074588665C59840950BE9EE83A7F7C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\ProductIcon = "C:\\Windows\\Installer\\{88547073-C566-4895-9005-EBE98EA3F7C7}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\687BD84E93C6D9C42BCAF424648B800B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\37074588665C59840950BE9EE83A7F7C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Downloaded Installations\\{F37F9DD4-ECDB-4641-88B2-B81EDAF5D4D3}\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4168	WriteDescExecuteFileName.exe
4168	WriteDescExecuteFileName.exe
1312	msiexec.exe
1312	msiexec.exe
4996	WriteDescExecuteFileName.exe
4996	WriteDescExecuteFileName.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
4456	AgentUpdate.exe
4456	AgentUpdate.exe
4456	AgentUpdate.exe
4456	AgentUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1312	msiexec.exe
Token: SeCreateTokenPrivilege	2776	Kies3Setup.exe
Token: SeAssignPrimaryTokenPrivilege	2776	Kies3Setup.exe
Token: SeLockMemoryPrivilege	2776	Kies3Setup.exe
Token: SeIncreaseQuotaPrivilege	2776	Kies3Setup.exe
Token: SeMachineAccountPrivilege	2776	Kies3Setup.exe
Token: SeTcbPrivilege	2776	Kies3Setup.exe
Token: SeSecurityPrivilege	2776	Kies3Setup.exe
Token: SeTakeOwnershipPrivilege	2776	Kies3Setup.exe
Token: SeLoadDriverPrivilege	2776	Kies3Setup.exe
Token: SeSystemProfilePrivilege	2776	Kies3Setup.exe
Token: SeSystemtimePrivilege	2776	Kies3Setup.exe
Token: SeProfSingleProcessPrivilege	2776	Kies3Setup.exe
Token: SeIncBasePriorityPrivilege	2776	Kies3Setup.exe
Token: SeCreatePagefilePrivilege	2776	Kies3Setup.exe
Token: SeCreatePermanentPrivilege	2776	Kies3Setup.exe
Token: SeBackupPrivilege	2776	Kies3Setup.exe
Token: SeRestorePrivilege	2776	Kies3Setup.exe
Token: SeShutdownPrivilege	2776	Kies3Setup.exe
Token: SeDebugPrivilege	2776	Kies3Setup.exe
Token: SeAuditPrivilege	2776	Kies3Setup.exe
Token: SeSystemEnvironmentPrivilege	2776	Kies3Setup.exe
Token: SeChangeNotifyPrivilege	2776	Kies3Setup.exe
Token: SeRemoteShutdownPrivilege	2776	Kies3Setup.exe
Token: SeUndockPrivilege	2776	Kies3Setup.exe
Token: SeSyncAgentPrivilege	2776	Kies3Setup.exe
Token: SeEnableDelegationPrivilege	2776	Kies3Setup.exe
Token: SeManageVolumePrivilege	2776	Kies3Setup.exe
Token: SeImpersonatePrivilege	2776	Kies3Setup.exe
Token: SeCreateGlobalPrivilege	2776	Kies3Setup.exe
Token: SeCreateTokenPrivilege	2776	Kies3Setup.exe
Token: SeAssignPrimaryTokenPrivilege	2776	Kies3Setup.exe
Token: SeLockMemoryPrivilege	2776	Kies3Setup.exe
Token: SeIncreaseQuotaPrivilege	2776	Kies3Setup.exe
Token: SeMachineAccountPrivilege	2776	Kies3Setup.exe
Token: SeTcbPrivilege	2776	Kies3Setup.exe
Token: SeSecurityPrivilege	2776	Kies3Setup.exe
Token: SeTakeOwnershipPrivilege	2776	Kies3Setup.exe
Token: SeLoadDriverPrivilege	2776	Kies3Setup.exe
Token: SeSystemProfilePrivilege	2776	Kies3Setup.exe
Token: SeSystemtimePrivilege	2776	Kies3Setup.exe
Token: SeProfSingleProcessPrivilege	2776	Kies3Setup.exe
Token: SeIncBasePriorityPrivilege	2776	Kies3Setup.exe
Token: SeCreatePagefilePrivilege	2776	Kies3Setup.exe
Token: SeCreatePermanentPrivilege	2776	Kies3Setup.exe
Token: SeBackupPrivilege	2776	Kies3Setup.exe
Token: SeRestorePrivilege	2776	Kies3Setup.exe
Token: SeShutdownPrivilege	2776	Kies3Setup.exe
Token: SeDebugPrivilege	2776	Kies3Setup.exe
Token: SeAuditPrivilege	2776	Kies3Setup.exe
Token: SeSystemEnvironmentPrivilege	2776	Kies3Setup.exe
Token: SeChangeNotifyPrivilege	2776	Kies3Setup.exe
Token: SeRemoteShutdownPrivilege	2776	Kies3Setup.exe
Token: SeUndockPrivilege	2776	Kies3Setup.exe
Token: SeSyncAgentPrivilege	2776	Kies3Setup.exe
Token: SeEnableDelegationPrivilege	2776	Kies3Setup.exe
Token: SeManageVolumePrivilege	2776	Kies3Setup.exe
Token: SeImpersonatePrivilege	2776	Kies3Setup.exe
Token: SeCreateGlobalPrivilege	2776	Kies3Setup.exe
Token: SeCreateTokenPrivilege	2776	Kies3Setup.exe
Token: SeAssignPrimaryTokenPrivilege	2776	Kies3Setup.exe
Token: SeLockMemoryPrivilege	2776	Kies3Setup.exe
Token: SeIncreaseQuotaPrivilege	2776	Kies3Setup.exe
Token: SeMachineAccountPrivilege	2776	Kies3Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2776	Kies3Setup.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2776	Kies3Setup.exe
2776	Kies3Setup.exe
2776	Kies3Setup.exe
2776	Kies3Setup.exe
2776	Kies3Setup.exe
2776	Kies3Setup.exe
2776	Kies3Setup.exe
596	Kies3.exe
4092	Kies3.exe
2092	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
596	Kies3.exe
4456	AgentUpdate.exe
4456	AgentUpdate.exe
596	Kies3.exe
4456	AgentUpdate.exe
4456	AgentUpdate.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 4904	1312	msiexec.exe	68
PID 1312 wrote to memory of 4904	1312	msiexec.exe	68
PID 1312 wrote to memory of 4904	1312	msiexec.exe	68
PID 2776 wrote to memory of 5020	2776	Kies3Setup.exe	69
PID 2776 wrote to memory of 5020	2776	Kies3Setup.exe	69
PID 2776 wrote to memory of 4168	2776	Kies3Setup.exe	70
PID 2776 wrote to memory of 4168	2776	Kies3Setup.exe	70
PID 2776 wrote to memory of 4168	2776	Kies3Setup.exe	70
PID 1312 wrote to memory of 3272	1312	msiexec.exe	77
PID 1312 wrote to memory of 3272	1312	msiexec.exe	77
PID 1312 wrote to memory of 3272	1312	msiexec.exe	77
PID 2776 wrote to memory of 4996	2776	Kies3Setup.exe	78
PID 2776 wrote to memory of 4996	2776	Kies3Setup.exe	78
PID 2776 wrote to memory of 4996	2776	Kies3Setup.exe	78
PID 596 wrote to memory of 4456	596	Kies3.exe	85
PID 596 wrote to memory of 4456	596	Kies3.exe	85
PID 596 wrote to memory of 4456	596	Kies3.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Kies3Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Kies3Setup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\{860C75F3-0C5E-4689-8EBE-A2898AAC3E7B}\ISBEW64.exe
  C:\Users\Admin\AppData\Local\Temp\{860C75F3-0C5E-4689-8EBE-A2898AAC3E7B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{48F05FDD-19B4-47FF-AB7D-E27ADACA88A8}
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\{860C75F3-0C5E-4689-8EBE-A2898AAC3E7B}\WriteDescExecuteFileName.exe
  C:\Users\Admin\AppData\Local\Temp\{860C75F3-0C5E-4689-8EBE-A2898AAC3E7B}\WriteDescExecuteFileName.exe Software\Samsung\KIESSETUP "Samsung Kies Installer 3.0"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4168
- C:\Users\Admin\AppData\Local\Temp\{860C75F3-0C5E-4689-8EBE-A2898AAC3E7B}\WriteDescExecuteFileName.exe
  C:\Users\Admin\AppData\Local\Temp\{860C75F3-0C5E-4689-8EBE-A2898AAC3E7B}\WriteDescExecuteFileName.exe Software\Samsung\KIESSETUP "Samsung Kies Installer 3.0"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4996
- C:\Program Files (x86)\Samsung\Kies3\Kies3.exe
  "C:\Program Files (x86)\Samsung\Kies3\Kies3.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\AgentUpdate.exe
    "C:\Program Files (x86)\Samsung\Kies3\FirmwareUpdate\AgentUpdate.exe" RunByAgent_3
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4456

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 02EEDEF74C80429AE9765F59831EFB6F C
  2⤵
  - Loads dropped DLL
  PID:4904
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5861D88CC3358DD4CD7AFDCCF7085ED6
  2⤵
  - Loads dropped DLL
  PID:3272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4420

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:2528

C:\Program Files (x86)\Samsung\Kies3\Kies3.exe
"C:\Program Files (x86)\Samsung\Kies3\Kies3.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4092

C:\Program Files (x86)\Samsung\Kies3\Kies3.exe
"C:\Program Files (x86)\Samsung\Kies3\Kies3.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion