480d12d9b2f266d88a40fcf8e04118276e1ddbf43baf6ec3e2e8762757b9b17b

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ETS666 Tool.exe
Size

133.1MB
MD5

6cd28e270b4e87d09e8ce3e309ba5543
SHA1

0c92f3e1dcab59c3e4b1879dfa3cd26b41cb72c4
SHA256

b25adda4535c6f08cc6ef3756d69c6f8eee89a8c268914fb128b83bf6bf6137f
SHA512

7c367362069bf251ef0e34146d14a2b23c7e30655bdaccc328c091c0617f0b82f9379c68b8045f6c8af346f41ee0f9f648109c80af1a6ffff3d215d6e0ee4fbf
SSDEEP

786432:bdWnQaBaRvHGYJKQSXPz9T/G2nXpf/EtBfamfrpcvFBJFoF2PScuNWqW:RxTRvHF8QS/z9zGud/ET3fcCWq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	ETS666 Tool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	ETS666 Tool.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	ETS666 Tool.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	ETS666 Tool.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	ETS666 Tool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ETS666 Tool.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ETS666 Tool.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ETS666 Tool.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3244	ETS666 Tool.exe
3244	ETS666 Tool.exe
3244	ETS666 Tool.exe
3244	ETS666 Tool.exe
5044	ETS666 Tool.exe
5044	ETS666 Tool.exe
1020	ETS666 Tool.exe
1020	ETS666 Tool.exe
2960	ETS666 Tool.exe
2960	ETS666 Tool.exe
2960	ETS666 Tool.exe
2960	ETS666 Tool.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5136	3244	ETS666 Tool.exe	81
PID 3244 wrote to memory of 5044	3244	ETS666 Tool.exe	82
PID 3244 wrote to memory of 5044	3244	ETS666 Tool.exe	82
PID 3244 wrote to memory of 1020	3244	ETS666 Tool.exe	83
PID 3244 wrote to memory of 1020	3244	ETS666 Tool.exe	83
PID 3244 wrote to memory of 2960	3244	ETS666 Tool.exe	94
PID 3244 wrote to memory of 2960	3244	ETS666 Tool.exe	94

C:\Users\Admin\AppData\Local\Temp\ETS666 Tool.exe
"C:\Users\Admin\AppData\Local\Temp\ETS666 Tool.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Users\Admin\AppData\Local\Temp\ETS666 Tool.exe
  "C:\Users\Admin\AppData\Local\Temp\ETS666 Tool.exe" --type=gpu-process --field-trial-handle=1560,14049931751003551927,8392824442521963230,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\ets666" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 /prefetch:2
  2⤵
  PID:5136
- C:\Users\Admin\AppData\Local\Temp\ETS666 Tool.exe
  "C:\Users\Admin\AppData\Local\Temp\ETS666 Tool.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1560,14049931751003551927,8392824442521963230,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ets666" --mojo-platform-channel-handle=2024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\ETS666 Tool.exe
  "C:\Users\Admin\AppData\Local\Temp\ETS666 Tool.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ets666" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1560,14049931751003551927,8392824442521963230,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2240 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1020
- C:\Users\Admin\AppData\Local\Temp\ETS666 Tool.exe
  "C:\Users\Admin\AppData\Local\Temp\ETS666 Tool.exe" --type=gpu-process --field-trial-handle=1560,14049931751003551927,8392824442521963230,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ets666" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\ets666\Network Persistent State

Filesize
552B

MD5
adbb64b747cd408a54a130e4c21cbc9d

SHA1
4182cee9cd614d555d2e4c23e2e7f34102f13fc7

SHA256
3e09738fc8634782ff271d42de579b2355a7c4ca66214e2a43d90cfc0ac4a726

SHA512
f504b855a51d32f91fd7ae9017e6c47b7a86b0876cb53dd3ce51619913b0c0c4083cb0f10472bc25968ffb8bff8f20de66a6c0f85ea97b580d8d59276372d894

Download Submit
C:\Users\Admin\AppData\Roaming\ets666\Network Persistent State~RFe594c80.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\ets666\config.json

Filesize
28B

MD5
dd8824bad7974b4d74b973b86e26ab5a

SHA1
5ebcc7ef9fe2566f913a6857c38bcab4d449f34c

SHA256
63749b0008077336880c40f653d35f539046f30a342e12caf952420418ea2de0

SHA512
14636668baf3639170049792d01e32aed90b0c18e541b62697ebcf1bcf077abef91eed5baab23a896484e1fd20d15ea0ff1e112a36105ae98bb412d81c419567

Download Submit
C:\Users\Admin\AppData\Roaming\ets666\config.json

Filesize
92B

MD5
a2eb087ff1147f90e5c32cba42fdea56

SHA1
5ad22caebefef4d24e519e0161defe0f0309f9ea

SHA256
fd9bd2a6b3df78544d7b0b41e88ceec8abff5114ef4d6d721795b8bf522e63d5

SHA512
dbf159afc0a8fab9e79e00d5f4eda0ebaa61d066366976cf246acf0758251e6a0194e45bf1962d5819bbba7a635c2e89f71cf02e0d7ee9982517978fce927d34

Download Submit
C:\Users\Admin\AppData\Roaming\ets666\config.json

Filesize
119B

MD5
39ac4c5216c15a5cc8d0a40279380426

SHA1
1a2fba86d084f4ea4c773f5fed4d5a2476eece02

SHA256
528e3b08bc390aad1c016f4aa81942d68d14a417e20e705e54a50aceca48a1f8

SHA512
7ed89e854d9378c42a1ad4c765d4c91738adc00cd233d9b606ea67793c51d86aa20e2b15ec0659bf1ca3a79ccf148049fe459cf5957d53bf7a419a22f0c82b68

Download Submit
C:\Users\Admin\AppData\Roaming\ets666\config.json

Filesize
186B

MD5
791baeb1abfef61af3c9e2cc870e08f4

SHA1
29ea9a83546bf5b23d237bacf5b3835dd9aeb99a

SHA256
8364d439d08a61816fce3d8240a44af40554373607d81872cc390f7df5f82509

SHA512
f5cd4f52712648b5c34acdbe3ecbbde47c9e53172c2b5d001962e89feb4e4b4dc268d068d12c369c428dfa72fce1c4f17abe70c2d2fa728c642f966f689506eb

Download Submit
C:\Users\Admin\AppData\Roaming\ets666\config.json.tmp-7809839395d5c84f

Filesize
207B

MD5
c0a191ea2fc7c7c8668b538afe53eb29

SHA1
eaadef3269090f0ee6d93791ccdf280ee3bc1dfc

SHA256
64cb997566cbbe95c41b4d7f0d2e0b3423ca67bcde3791a411b3406f03ebda80

SHA512
7779d02a714bc2e15c5a2a47d594bf265697f189ac5f89434256837e6ed058f3a7425ae2082613d8d9cc3be2ee874ca68562f4cdb9375185d4ad8f6e53d62b2e

Download Submit
memory/2960-610-0x000001DBC65A0000-0x000001DBC65A1000-memory.dmp

Filesize
4KB

Download
memory/2960-609-0x000001DBC65A0000-0x000001DBC65A1000-memory.dmp

Filesize
4KB

Download
memory/2960-611-0x000001DBC65A0000-0x000001DBC65A1000-memory.dmp

Filesize
4KB

Download
memory/2960-615-0x000001DBC65A0000-0x000001DBC65A1000-memory.dmp

Filesize
4KB

Download
memory/2960-616-0x000001DBC65A0000-0x000001DBC65A1000-memory.dmp

Filesize
4KB

Download
memory/2960-621-0x000001DBC65A0000-0x000001DBC65A1000-memory.dmp

Filesize
4KB

Download
memory/2960-620-0x000001DBC65A0000-0x000001DBC65A1000-memory.dmp

Filesize
4KB

Download
memory/2960-619-0x000001DBC65A0000-0x000001DBC65A1000-memory.dmp

Filesize
4KB

Download
memory/2960-618-0x000001DBC65A0000-0x000001DBC65A1000-memory.dmp

Filesize
4KB

Download
memory/2960-617-0x000001DBC65A0000-0x000001DBC65A1000-memory.dmp

Filesize
4KB

Download
memory/5136-21-0x00007FFAAEB30000-0x00007FFAAEB31000-memory.dmp

Filesize
4KB

Download