ateraagent | hxxps://www[.]dropbox[.]com/scl/fi/nerdrsan8par66e96iid8/ListaLaudoVisitaBombeirosPdf[.]msi?rlkey=9ry3e9o3psul1iozbhjvdjafk&st=plrqve9d&dl=1

Analysis

max time kernel
46s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/nerdrsan8par66e96iid8/ListaLaudoVisitaBombeirosPdf.msi?rlkey=9ry3e9o3psul1iozbhjvdjafk&st=plrqve9d&dl=1

Score

10^/10

ateraagent discovery rat

Malware Config

Signatures

AteraAgent
AteraAgent is a remote monitoring and management tool.
rat ateraagent
Ateraagent family
ateraagent

Detects AteraAgent 1 IoCs

resource	yara_rule
behavioral1/files/0x0044000000020166-35.dat	family_ateraagent

Blocklisted process makes network request 3 IoCs

flow	pid	Process
39	3728	msiexec.exe
59	3056	rundll32.exe
67	1212	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
348	AteraAgent.exe
2040	AteraAgent.exe

Loads dropped DLL 31 IoCs

pid	Process
724	MsiExec.exe
4460	rundll32.exe
4460	rundll32.exe
4460	rundll32.exe
4460	rundll32.exe
4460	rundll32.exe
724	MsiExec.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
724	MsiExec.exe
4460	rundll32.exe
4460	rundll32.exe
4460	rundll32.exe
4460	rundll32.exe
4460	rundll32.exe
724	MsiExec.exe
2876	MsiExec.exe
2876	MsiExec.exe
724	MsiExec.exe
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState	AteraAgent.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI6AC2.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI6AC2.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI6AC2.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5639.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5639.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI58F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58F9.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI6AC2.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58F9.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5FE0.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5639.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI6AC2.tmp	msiexec.exe
File created	C:\Windows\Installer\e5855af.msi	msiexec.exe
File created	C:\Windows\Installer\e5855ad.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5639.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI58F9.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5FE0.tmp-\System.Management.dll	rundll32.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5855ad.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5639.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5FE0.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5FE0.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5639.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI6177.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6236.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58F9.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5FE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FE0.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58F9.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI6178.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI61B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6AC2.tmp-\System.Management.dll	rundll32.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3908	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaskKill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000cbf0f937af84f3350000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000cbf0f9370000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900cbf0f937000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dcbf0f937000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000cbf0f93700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2608	TaskKill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AteraAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133831550868361918"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	AteraAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854\INSTALLFOLDER_files_Feature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Version = "17301511"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\PackageName = "ListaLaudoVisitaBombeirosPdf.msi"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media	msiexec.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe
3512	msiexec.exe
3512	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3728	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3728	msiexec.exe
Token: SeSecurityPrivilege	3512	msiexec.exe
Token: SeCreateTokenPrivilege	3728	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3728	msiexec.exe
Token: SeLockMemoryPrivilege	3728	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3728	msiexec.exe
Token: SeMachineAccountPrivilege	3728	msiexec.exe
Token: SeTcbPrivilege	3728	msiexec.exe
Token: SeSecurityPrivilege	3728	msiexec.exe
Token: SeTakeOwnershipPrivilege	3728	msiexec.exe
Token: SeLoadDriverPrivilege	3728	msiexec.exe
Token: SeSystemProfilePrivilege	3728	msiexec.exe
Token: SeSystemtimePrivilege	3728	msiexec.exe
Token: SeProfSingleProcessPrivilege	3728	msiexec.exe
Token: SeIncBasePriorityPrivilege	3728	msiexec.exe
Token: SeCreatePagefilePrivilege	3728	msiexec.exe
Token: SeCreatePermanentPrivilege	3728	msiexec.exe
Token: SeBackupPrivilege	3728	msiexec.exe
Token: SeRestorePrivilege	3728	msiexec.exe
Token: SeShutdownPrivilege	3728	msiexec.exe
Token: SeDebugPrivilege	3728	msiexec.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3728	msiexec.exe
3728	msiexec.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 5036	3340	chrome.exe	85
PID 3340 wrote to memory of 5036	3340	chrome.exe	85
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3540	3340	chrome.exe	86
PID 3340 wrote to memory of 3648	3340	chrome.exe	87
PID 3340 wrote to memory of 3648	3340	chrome.exe	87
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88
PID 3340 wrote to memory of 4876	3340	chrome.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.dropbox.com/scl/fi/nerdrsan8par66e96iid8/ListaLaudoVisitaBombeirosPdf.msi?rlkey=9ry3e9o3psul1iozbhjvdjafk&st=plrqve9d&dl=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffecfaecc40,0x7ffecfaecc4c,0x7ffecfaecc58
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,13672186313693495801,9514981932246414793,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1824,i,13672186313693495801,9514981932246414793,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,13672186313693495801,9514981932246414793,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,13672186313693495801,9514981932246414793,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,13672186313693495801,9514981932246414793,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4588,i,13672186313693495801,9514981932246414793,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,13672186313693495801,9514981932246414793,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:4392
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\ListaLaudoVisitaBombeirosPdf.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=208,i,13672186313693495801,9514981932246414793,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4352,i,13672186313693495801,9514981932246414793,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:5016

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1664

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1612
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0E8773221CC686E5B23EA7C420DB5AE0
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:724
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI5639.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240670515 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4460
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI58F9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240671031 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3056
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI5FE0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240672734 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4460
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI6AC2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240675546 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1212
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A939CA94428B1B903B7ADDCF50167228 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2876
- - C:\Windows\SysWOW64\NET.exe
    "NET" STOP AteraAgent
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AteraAgent
      4⤵
      System Location Discovery: System Language Discovery
      PID:1112
- - C:\Windows\SysWOW64\TaskKill.exe
    "TaskKill.exe" /f /im AteraAgent.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2608
- C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000PvztIIAR" /AgentId="ee0de3b0-dfc3-4447-be55-6235064fd428"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2988

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2040
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5855ae.rbs

Filesize
8KB

MD5
4b491e893986d97355845b0288763d03

SHA1
a2260c1291a1fd2cf92f0e382b9a68c5646ed9c6

SHA256
014f192a8f316d26ff6301d2e544a3d7c007495678bab3ed64d4fdc360edbb84

SHA512
9fe688b8daa3cc6a761392e70c3e2c409d29840fb14b4900625a761d080cd4f7c011d3dd78268716ffcad01e4b385a23de030311b7600e16839ef3ab3528ae8b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
142KB

MD5
477293f80461713d51a98a24023d45e8

SHA1
e9aa4e6c514ee951665a7cd6f0b4a4c49146241d

SHA256
a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2

SHA512
23f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

Filesize
1KB

MD5
b3bb71f9bb4de4236c26578a8fae2dcd

SHA1
1ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e

SHA256
e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2

SHA512
fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

Filesize
588KB

MD5
17d74c03b6bcbcd88b46fcc58fc79a0d

SHA1
bc0316e11c119806907c058d62513eb8ce32288c

SHA256
13774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15

SHA512
f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
727B

MD5
62f50b09757845b91a11afe304f912e7

SHA1
ca2093d46e2a9138ef71e5cb6d53d6ced356ec76

SHA256
9979dad90650f1a6d82d38cb84e4055e46b88f28bcc099b51cd5e2444cc280e9

SHA512
6b54ad0a12455914f3140a1f5341807cbd97470419109470eabab6cfa1083b703dfd19ea276caba534777bcc8265d80659e6d8db06bc03de57fb6fb3d9e68133

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
404B

MD5
c62a9df279bba31b771a5a4a018881dc

SHA1
95b96b939ab80705e5693f11397c5d35d9a35ece

SHA256
229219bd0b7880ae85fe7c34784bfaa2223b8442689245aa232b80dd8c367cdb

SHA512
e14e6eccfccf90b2961b58716a9a26a80d4d25cd1415a6231df79dbb39c263e9d0287ff28cac254298366b21c270007aac267b40db2c4bfd3c8035d4b7a517ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
cf7bb2ebeba4d009b0b1029e1a2cc68f

SHA1
7e23be33fba086e9b37713cfbc09f77475e128ec

SHA256
a25bc3a2a0774901e93337ff07d9a8c8f1c13342ac87b97ad69a8d2560ee7e5d

SHA512
463be96e93ff39d37e7a1eec24ad0e5a2b917b5a93d1c8bc1f46acd635e9b47cee757686def79f86b471a200840abf5c3db6a17122707fbafc9477deaa42a2a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
38dbe4004deb00905d0477d8904e302d

SHA1
47c3ad37d8e79308acefa1841058fa9dbf429318

SHA256
e5134f7cf442c413f0befc22c1e149f7cd4c0ad427bbd89402f017afd20a3ce7

SHA512
2526a874e0249043b57901c0d83a2e6b2215e11d6443b95b1b9f6df24e87e819ae5ebb83d3c784e5652e944c5291602db3afca56b46e56729254ef3de439dea6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
63b5f4cfaf2861eaff2fb800a988bef9

SHA1
0018f361f85d7096a67b5817fe830108eda467fa

SHA256
9ed94e1e2ea9f3a93cb5cd147dd3aa975a7218bc8f3acc3c71d4c47e17d26205

SHA512
abf7d06498dd2f100ea9bbdd53ecf11b5eb01cd3629325560ed93c26402ab18ce72dd60b3b3b0a3af137566d77d6b46a7ab9ce2319888935d894bd14475368d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4dc726b728af371264c67b6632cae20b

SHA1
dc3b15a2b98220ba7e01fdcc1fa41612d1e5b62d

SHA256
418dc3738c4d64c1759601395fe2ecaaf3c25dbf8c90f803ee52138db2157855

SHA512
5a46845d7404d2be93037bd0609f3425f1befeb5fcfd29a63d141e8b66f5e92caeea6d609a3816be03c3a8ed3173c8ddc9502b46d9b72bc93e092b657facacea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
124KB

MD5
65acc24e1ad58b8c3ab4146d3ceff05b

SHA1
fc4565d21ee2366450cce46679e5431ee92e6b10

SHA256
7b8f6d330d4bb83fa09ed013dd01e6609aff942f9c1e07f37506c4e1f829470d

SHA512
c86ac5fc067ded3b1c5f9ef44043e03154d8d8c2453b34b10bcc57da42383c9e46fa559868d62ee62dc4fb99937d60884d339ff92147c4cdaf4b32f08830bb89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
124KB

MD5
d1537427487f7d61aa50142cf2b2c64c

SHA1
d6462aeb69e9acd90d46176d9d0ae191769e8da9

SHA256
d9def9b22fcac72aadf75e92e5d5fef594ca252a5d8c8011aa5d728402f9ce91

SHA512
485e0e95be0da2a7aaa7f9b5d28f305a20d996e39978a6475d2e043d7bf618d3b1c5b324decf03796d85aa68e0ff5813cf8861198bbafc2e21d6b192b0a2850d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
125KB

MD5
152e4d098df9080d90e7c035eade5589

SHA1
f92c82acf3e3376f12e22d458184995237cefaa8

SHA256
0d46db072505f82177e914cfa62ae8a7ff5a9f3ba6e2f0aa1d7302c62835a4a2

SHA512
184bfa0a00b67fa2cfa5c49f15062235074cc0862edc71302fa35006dd8410d68bedd43b80186a97c6dc3949b6d95509acf67608d4f16458550b8e6bff367bc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Filesize
651B

MD5
9bbfe11735bac43a2ed1be18d0655fe2

SHA1
61141928bb248fd6e9cd5084a9db05a9b980fb3a

SHA256
549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74

SHA512
a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 396222.crdownload

Filesize
2.9MB

MD5
e377c21d2fb5d15a359aead359a89691

SHA1
1953037a67bb62a21c9fa2f85fa0c516ff2843f5

SHA256
d20b9295b3c7c81624f4a61e533375f4975fe7e740df1a1edf80beeb32b037d8

SHA512
de947ec6df4f861cc9e77e91780ff42f654e6a6ac8f9a95ccf9756820b1626e29b1cc6daf88b374bd3e2738d64219ba695ef8630584c263929a9daf2c7205e2e

Download Submit
C:\Windows\Installer\MSI5639.tmp

Filesize
509KB

MD5
88d29734f37bdcffd202eafcdd082f9d

SHA1
823b40d05a1cab06b857ed87451bf683fdd56a5e

SHA256
87c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf

SHA512
1343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0

Download Submit
C:\Windows\Installer\MSI5639.tmp-\AlphaControlAgentInstallation.dll

Filesize
25KB

MD5
aa1b9c5c685173fad2dabebeb3171f01

SHA1
ed756b1760e563ce888276ff248c734b7dd851fb

SHA256
e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7

SHA512
d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334

Download Submit
C:\Windows\Installer\MSI5639.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
179KB

MD5
1a5caea6734fdd07caa514c3f3fb75da

SHA1
f070ac0d91bd337d7952abd1ddf19a737b94510c

SHA256
cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

SHA512
a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

Download Submit
C:\Windows\Installer\MSI58F9.tmp-\CustomAction.config

Filesize
1KB

MD5
bc17e956cde8dd5425f2b2a68ed919f8

SHA1
5e3736331e9e2f6bf851e3355f31006ccd8caa99

SHA256
e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5

SHA512
02090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940

Download Submit
C:\Windows\Installer\MSI58F9.tmp-\Newtonsoft.Json.dll

Filesize
695KB

MD5
715a1fbee4665e99e859eda667fe8034

SHA1
e13c6e4210043c4976dcdc447ea2b32854f70cc6

SHA256
c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

SHA512
bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

Download Submit
C:\Windows\Installer\MSI6178.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
7d74c25b7ea56c6e10ca59a74441305d

SHA1
48771c08c1d0cec7e00247162c5d45cbbfeae4e2

SHA256
9141eb7e54a9bc6fdd1f896cc8dc012c9352c1bd2cfb1f804da84bf789ce7490

SHA512
dfe565b3ef65fa50243cec12e6ca1575b814fe68ab06b5613aaa68c35aa8279124868c1baee695a498fe069bfac2f195bb52c539869163db67be34e2660f5000

Download Submit
\??\Volume{37f9f0cb-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a5dcb716-2af4-4495-8774-72243fc14390}_OnDiskSnapshotProp

Filesize
6KB

MD5
65646362242384b4f6d563fa78a44318

SHA1
3f6871b2d3f2af4b845c38304a3c9711ebf42b25

SHA256
b52a2c76c332c059fd4839f5f69cc55ce70465a4edbec7d2c2fd4d32fb39274b

SHA512
a6b7e11523ddeb8d46ce77baea6c3fc0ba15912a62514d2a22bec13ef9475b73e660f7f94912ec0f6728ba1861ee3efc5c4672901b48bdb3c3c8eb37fc6258d5

Download Submit
memory/348-211-0x000001AE47960000-0x000001AE47988000-memory.dmp

Filesize
160KB

Download
memory/348-228-0x000001AE49570000-0x000001AE495AC000-memory.dmp

Filesize
240KB

Download
memory/348-223-0x000001AE61FE0000-0x000001AE62078000-memory.dmp

Filesize
608KB

Download
memory/348-227-0x000001AE49500000-0x000001AE49512000-memory.dmp

Filesize
72KB

Download
memory/3056-141-0x0000000003170000-0x0000000003192000-memory.dmp

Filesize
136KB

Download
memory/3056-142-0x00000000056F0000-0x0000000005A44000-memory.dmp

Filesize
3.3MB

Download
memory/3056-138-0x0000000005630000-0x00000000056E2000-memory.dmp

Filesize
712KB

Download
memory/4460-173-0x00000000024E0000-0x0000000002546000-memory.dmp

Filesize
408KB

Download
memory/4460-105-0x0000000002E80000-0x0000000002E8C000-memory.dmp

Filesize
48KB

Download
memory/4460-101-0x0000000002E40000-0x0000000002E6E000-memory.dmp

Filesize
184KB

Download