hxxps://www[.]upload[.]ee/files/15753410/BLTools_v2[.]4[.]zip[.]html

Analysis

max time kernel
59s
max time network
64s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
02/10/2023, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/files/15753410/BLTools_v2.4.zip.html

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4488	BL Tools.exe
4904	SecurityHealth.exe
4088	SecurityHealths.exe
2972	BLTools.exe

Loads dropped DLL 2 IoCs

pid	Process
2972	BLTools.exe
2972	BLTools.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\ProgramData\\SecurityHealth.exe"	BL Tools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealths = "C:\\ProgramData\\SecurityHealths.exe"	BL Tools.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133407189384230469"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4520	chrome.exe
4520	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeRestorePrivilege	4836	7zG.exe
Token: 35	4836	7zG.exe
Token: SeSecurityPrivilege	4836	7zG.exe
Token: SeSecurityPrivilege	4836	7zG.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe
Token: SeShutdownPrivilege	4520	chrome.exe
Token: SeCreatePagefilePrivilege	4520	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4836	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe
4520	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 4068	4520	chrome.exe	70
PID 4520 wrote to memory of 4068	4520	chrome.exe	70
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 3704	4520	chrome.exe	73
PID 4520 wrote to memory of 1096	4520	chrome.exe	72
PID 4520 wrote to memory of 1096	4520	chrome.exe	72
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74
PID 4520 wrote to memory of 2384	4520	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.upload.ee/files/15753410/BLTools_v2.4.zip.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb467f9758,0x7ffb467f9768,0x7ffb467f9778
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=232 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:2
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3672 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4732 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3020 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2972 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5220 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4780 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5956 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6112 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5764 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:1
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5956 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5504 --field-trial-handle=1764,i,1101703328266700852,1095087025761202833,131072 /prefetch:1
  2⤵
  PID:5104

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3216

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BLTools_v2.4\" -spe -an -ai#7zMap19634:86:7zEvent28054
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4836

C:\Users\Admin\Downloads\BLTools_v2.4\BLTools v2.4\BL Tools.exe
"C:\Users\Admin\Downloads\BLTools_v2.4\BLTools v2.4\BL Tools.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4488
- C:\ProgramData\SecurityHealth.exe
  "C:\ProgramData\SecurityHealth.exe"
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\ProgramData\SecurityHealths.exe
  "C:\ProgramData\SecurityHealths.exe"
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Users\Admin\Downloads\BLTools_v2.4\BLTools v2.4\BLTools.exe
  "C:\Users\Admin\Downloads\BLTools_v2.4\BLTools v2.4\BLTools.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SecurityHealth.exe

Filesize
234KB

MD5
25fbd64645f4ed44e64e4cd5c3817a53

SHA1
f0579645e9e7f729aa9372e0455748a7aee5dc49

SHA256
adce7ca3bbea5346603783d5d97829b9279a1516389f4a94c4498fdb9a68f188

SHA512
09d56f031d762d7bef0d74ff2ff015f4fc3d12dcf865aee48e2202275d294a05e9e288efefeb8d70f851d29021c9e35d88efd9591d724ca3e5c65c83a3853b55

Download Submit
C:\ProgramData\SecurityHealth.exe

Filesize
234KB

MD5
25fbd64645f4ed44e64e4cd5c3817a53

SHA1
f0579645e9e7f729aa9372e0455748a7aee5dc49

SHA256
adce7ca3bbea5346603783d5d97829b9279a1516389f4a94c4498fdb9a68f188

SHA512
09d56f031d762d7bef0d74ff2ff015f4fc3d12dcf865aee48e2202275d294a05e9e288efefeb8d70f851d29021c9e35d88efd9591d724ca3e5c65c83a3853b55

Download Submit
C:\ProgramData\SecurityHealths.exe

Filesize
228KB

MD5
364b7b10f968ae17b31499f6b08a6139

SHA1
550fbe7e8e356cd945ccd1be0e250c7d70538009

SHA256
b9155f0676dac46541de618bdf1171ea5e5490cc44d3b95e9a364cf3e624814b

SHA512
accf988465b72c92575ec4ad45ec923b20dbca76fc199de02e704d249303ee0a57861f2d0cea57ee4bbee7bc9d262d23370cb71e63a044d4297d365690f7a3e4

Download Submit
C:\ProgramData\SecurityHealths.exe

Filesize
228KB

MD5
364b7b10f968ae17b31499f6b08a6139

SHA1
550fbe7e8e356cd945ccd1be0e250c7d70538009

SHA256
b9155f0676dac46541de618bdf1171ea5e5490cc44d3b95e9a364cf3e624814b

SHA512
accf988465b72c92575ec4ad45ec923b20dbca76fc199de02e704d249303ee0a57861f2d0cea57ee4bbee7bc9d262d23370cb71e63a044d4297d365690f7a3e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
586afb1b213abbe6d2f83a58ef7a6cbe

SHA1
03c4922e6f8b4d567c313c05f4ca3cbbd5e07528

SHA256
93b18192fd9e96291c68e0df72fb169a97a47eb1b36902cbfd631eeaa24ab80a

SHA512
df345cc414cc426fa09f57c1f7ed8848e21e916182d42bbf0f90e0c36693495626e69081472ef79d846ee8e4c11af934e681641de7587f04fcf304829a320f50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5d746e5f441d0a748f87eb7e4dfad2d0

SHA1
d61d56e5a6b629c5075083d79fccc92dc6d78922

SHA256
2513340431bea1720a474107599e7c7c80b3b8af4d65da21d7150285a3fd1317

SHA512
4d3c248d68e294fe2786e23299500ec08ee62a05e5c047592b13cf0ebb0e1788cf787fba3ce9dc2e8918d11c23d00284cc315845bd87fe82dda7d27a406a2b3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b87abff2dee1d918ace6102c2e0f4d11

SHA1
04a8a21ff81e4d7b473db3b117e020029ae7e8ae

SHA256
b89a0a2f7df29592c8779cb325a63a827e105d81b7afb694737eb62eb2e541ef

SHA512
df4245bc5ffa2853ea09a43e954b88dc2503ae2a3574dd4b64da91c4e2e18f39e5a01079e16a9f815c64f086376ae404e74c5ee8e4663186fc37e783dde8b8e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bb01d544801b6898421d98fdc05d5cc5

SHA1
ac881756c190662936f0594c94bdabe8df433cf8

SHA256
96625c954181c0b65c3a3558a758b974faf5507a9586b1872aeb1a7591e95d60

SHA512
297598b5d54772561b95a750f4134a3d322a7e3086e7e31121e4066d311ac053816b6fc4e3f3775b4e7117e2e760c1b8ef0587daaf0466198759401f592bba44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a1b30a4c5162d6ffaca1a9cae89eb671

SHA1
dac613cd27a7a8a650b67907d3a00b9e98be3d4c

SHA256
9016eb04db62fd7fded5f74411b65cabf52342528d0b3d41a8bfa7cd3f71c68c

SHA512
1edeeac1b577b20ba358d20cd25b42cd69ea2c2017fb732f3130267e14df8c87d17e6d51286a2c0d51562f31640126bf5afd9c960af204ddb0f27acd5d683f07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
dd8125106190ad2d88b0bb377fd1f9a8

SHA1
99f994ed2a381a8aa64bb3829c7c6c95fca02c4b

SHA256
0e58c96c5ccaaab4cce49d18c6acfc04f784ba9f8dea5df625926087080a0bc2

SHA512
e5f28dde2d9d341be2b02e9cec751bb26189786112e98da50b885d725a61c3f899e6683d6204150e722cd278ea4328a07bb424aea1c0614c8d4c56cf2927ad2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
8959b55277cf75a2890d3bd25a304099

SHA1
2adaf68d215f97f3e861690c3bf314376288f884

SHA256
9ffd38ca40a28bfc57e2d51da2d304a7c4346013bbe596be05a9557c35a95f27

SHA512
cfba6850b75939a9940ecf640e37060ce7a1b86cc9921545919914c206957a9b36d37d32bfcb6dbc3dae7c5e5353da5413fa2ed5e95d5d8a963e099c0cffd1ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
3e637c93bd34e39660287d6adf7820fd

SHA1
66ce80ca14bbf5657b829120105ab2ae75a7c0d1

SHA256
4b75d8c4bf65e56f0c66bc73f497f4c5af42374401a0177f574e27f9c89f8dbc

SHA512
b50a9bfddb27aff41fbea81264c9633f783929c2e043366544837dfe35c8f0b73eb1b7b551ec2d8ceeef33ec595f4220f362ccd3fc7891d116b0dca833cea1c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe586481.TMP

Filesize
100KB

MD5
3ad9481161b79b46adedba7087b31e5b

SHA1
3fa2f5cc7a4dc8af663164d4ef55085f87abb934

SHA256
29f122996f32f44ce3af4b8ca63691685895e88601e5a829cd892e15045ff265

SHA512
7110613a0ff57013134c2210b1998aa088f69c7ef7281290e18b9c5915e30af54bbf03de33b75acc3f1f46c2e46c4e3ad2a1794a4fde1f9914d4e786dfd9c796

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\BLTools_v2.4.zip

Filesize
2.9MB

MD5
3860f910ce2f28f881c2303d8a35b1d2

SHA1
247a08cee7efc934af7423e2132f55cb8eec6e35

SHA256
6a9d054b3a14fcac39d9924fb0d5cadbee373059a61aa1e49d368b02c3f9ed7b

SHA512
6544bf1aecdfd44729a074707f6b90c4b63e00727066a2601442d9da7b74e7548bac3287e413051b8118fcf10d62cca3e564f57c3133b8372ccfcff9f424a635

Download Submit
C:\Users\Admin\Downloads\BLTools_v2.4\BLTools v2.4\BL Tools.exe

Filesize
1.4MB

MD5
337d279e0b15254b30bea078706e6a86

SHA1
a21d747f743aca044ee8e90ef58a2f6f950eb0cf

SHA256
12c61522f095fc5e4d9eab66f82ae3328b3df29ae4ad9153a1a9ed48a7b08100

SHA512
692e3850f818d0e0ae0d6440624133cd46194467f761b561be08a423050d1d04ba75fedbeb7ebbd1f4cba427a0acfa6d5913efa825fc0ca3ac276f57721d49d3

Download Submit
C:\Users\Admin\Downloads\BLTools_v2.4\BLTools v2.4\BL Tools.exe

Filesize
1.4MB

MD5
337d279e0b15254b30bea078706e6a86

SHA1
a21d747f743aca044ee8e90ef58a2f6f950eb0cf

SHA256
12c61522f095fc5e4d9eab66f82ae3328b3df29ae4ad9153a1a9ed48a7b08100

SHA512
692e3850f818d0e0ae0d6440624133cd46194467f761b561be08a423050d1d04ba75fedbeb7ebbd1f4cba427a0acfa6d5913efa825fc0ca3ac276f57721d49d3

Download Submit
C:\Users\Admin\Downloads\BLTools_v2.4\BLTools v2.4\BLTools.exe

Filesize
4.0MB

MD5
65ecc99b0c162d11b0094e56a1ea38f3

SHA1
629a89a0cbcb36b5fb0a0d5e5f3b6f32df3858aa

SHA256
55edf9a8e5d3fd3f647f26f593ab39e511cac2abf0e444ef82c309b5c78067fe

SHA512
478d91b811969543fc752139b0d7a4bbf3eb74162cf05bc8121add3f3f5e64e3b8bdddea3aa30c851f1522c5db29470c0cfa9f69c0b07795585b92a6370ebb74

Download Submit
\Users\Admin\Downloads\BLTools_v2.4\BLTools v2.4\AlphaFS.dll

Filesize
359KB

MD5
f2f6f6798d306d6d7df4267434b5c5f9

SHA1
23be62c4f33fc89563defa20e43453b7cdfc9d28

SHA256
837f2ceab6bbd9bc4bf076f1cb90b3158191888c3055dd2b78a1e23f1c3aafdd

SHA512
1f0c52e1d6e27382599c91ebd5e58df387c6f759d755533e36688b402417101c0eb1d6812e523d23048e0d03548fd0985a3fd7f96c66625c6299b1537c872211

Download Submit
\Users\Admin\Downloads\BLTools_v2.4\BLTools v2.4\AlphaFS.dll

Filesize
359KB

MD5
f2f6f6798d306d6d7df4267434b5c5f9

SHA1
23be62c4f33fc89563defa20e43453b7cdfc9d28

SHA256
837f2ceab6bbd9bc4bf076f1cb90b3158191888c3055dd2b78a1e23f1c3aafdd

SHA512
1f0c52e1d6e27382599c91ebd5e58df387c6f759d755533e36688b402417101c0eb1d6812e523d23048e0d03548fd0985a3fd7f96c66625c6299b1537c872211

Download Submit
memory/2972-258-0x000000006CED0000-0x000000006CEE7000-memory.dmp

Filesize
92KB

Download
memory/2972-255-0x0000000001560000-0x000000000160E000-memory.dmp

Filesize
696KB

Download
memory/4088-248-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

Filesize
64KB

Download
memory/4088-254-0x00007FFB310C0000-0x00007FFB31AAC000-memory.dmp

Filesize
9.9MB

Download
memory/4088-243-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/4088-241-0x00007FFB310C0000-0x00007FFB31AAC000-memory.dmp

Filesize
9.9MB

Download
memory/4088-260-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

Filesize
64KB

Download
memory/4088-239-0x0000000000C60000-0x0000000000CA0000-memory.dmp

Filesize
256KB

Download
memory/4488-221-0x00007FFB310C0000-0x00007FFB31AAC000-memory.dmp

Filesize
9.9MB

Download
memory/4488-223-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/4488-220-0x00000000002C0000-0x000000000042E000-memory.dmp

Filesize
1.4MB

Download
memory/4488-252-0x00007FFB310C0000-0x00007FFB31AAC000-memory.dmp

Filesize
9.9MB

Download
memory/4488-222-0x000000001B0A0000-0x000000001B0B0000-memory.dmp

Filesize
64KB

Download
memory/4904-238-0x0000000000DA0000-0x0000000000DE2000-memory.dmp

Filesize
264KB

Download
memory/4904-253-0x00007FFB310C0000-0x00007FFB31AAC000-memory.dmp

Filesize
9.9MB

Download
memory/4904-249-0x000000001BB80000-0x000000001BB90000-memory.dmp

Filesize
64KB

Download
memory/4904-240-0x00007FFB310C0000-0x00007FFB31AAC000-memory.dmp

Filesize
9.9MB

Download
memory/4904-259-0x000000001BB80000-0x000000001BB90000-memory.dmp

Filesize
64KB

Download
memory/4904-244-0x0000000001570000-0x0000000001571000-memory.dmp

Filesize
4KB

Download