83ef3f1565125e92013796a4375893f6e7dffc68c4d96a7e648b32a8237e53d7

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

econnect.msi
Size

2.8MB
MD5

047ea0b83a21c9f424aefc040bd9b306
SHA1

56fc16c0ff5b429c476881dcce6357c91af27073
SHA256

83ef3f1565125e92013796a4375893f6e7dffc68c4d96a7e648b32a8237e53d7
SHA512

dd6b3d425870eaedab1971bd6e8a5084078e835e52de3b641679a55fadf55e06fdfa551ad8e227b5fc99e780a875afb26dd1e490a54be06664cdc8467ed60a0e
SSDEEP

49152:VRp2xbpUcxaDubTYjXkYyI08+qiS4bcGzzZv:VS8cxnb0fyK+y4wWl

Score

6^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Eagle eConnect Tray Monitor = "\"C:\\Program Files (x86)\\Epicor\\eConnect\\eConnectTray.exe\""	msiexec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2820	msiexec.exe
5	2820	msiexec.exe
7	2820	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\eConnectService = "0"	msiexec.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Epicor\eConnect\epplus.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Interop.WindowsInstaller.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Renci.SshNet.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\ZZServices.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Eagle.Catapult.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.XmlSerializers.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectCommonLibrary.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectTask.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectWorker.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectConsole.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectHelper.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectUpdateHelper.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Zetup.zip	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\3zlib10.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectQueue.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectStorage.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Ionic.Zip.dll	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f7744cd.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7744cd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI45E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{71BB18D2-7561-44F0-AE70-595AF380AAB6}\econnect.ico	msiexec.exe
File created	C:\Windows\Installer\f7744ce.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI46F4.tmp	msiexec.exe
File created	C:\Windows\Installer\{71BB18D2-7561-44F0-AE70-595AF380AAB6}\econnect.ico	msiexec.exe
File created	C:\Windows\Installer\f7744d0.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4618.tmp	msiexec.exe
File opened for modification	C:\Windows\3appsfwd.ini	eConnectTaskService.exe
File opened for modification	C:\Windows\Installer\f7744ce.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	eConnectTaskService.exe
1688	eConnectTray.exe

Loads dropped DLL 26 IoCs

pid	Process
760	MsiExec.exe
632	MsiExec.exe
2200	MsiExec.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
1688	eConnectTray.exe
1688	eConnectTray.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2820	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eConnectTaskService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eConnectTray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9C6511B682858514E9B85E40CDF87729\2D81BB1716570F44EA0795A53F08AA6B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\PackageName = "econnect.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\ProductName = "Eagle eConnect 04.0429.001"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\ProductIcon = "C:\\Windows\\Installer\\{71BB18D2-7561-44F0-AE70-595AF380AAB6}\\econnect.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2D81BB1716570F44EA0795A53F08AA6B\CompleteInstall	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\PackageCode = "6424221403AD1D14DA3CF9EE6774DB7F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9C6511B682858514E9B85E40CDF87729	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2D81BB1716570F44EA0795A53F08AA6B	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Version = "40429001"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2808	msiexec.exe
2808	msiexec.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe
2896	eConnectTaskService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2820	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeSecurityPrivilege	2808	msiexec.exe
Token: SeCreateTokenPrivilege	2820	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2820	msiexec.exe
Token: SeLockMemoryPrivilege	2820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2820	msiexec.exe
Token: SeMachineAccountPrivilege	2820	msiexec.exe
Token: SeTcbPrivilege	2820	msiexec.exe
Token: SeSecurityPrivilege	2820	msiexec.exe
Token: SeTakeOwnershipPrivilege	2820	msiexec.exe
Token: SeLoadDriverPrivilege	2820	msiexec.exe
Token: SeSystemProfilePrivilege	2820	msiexec.exe
Token: SeSystemtimePrivilege	2820	msiexec.exe
Token: SeProfSingleProcessPrivilege	2820	msiexec.exe
Token: SeIncBasePriorityPrivilege	2820	msiexec.exe
Token: SeCreatePagefilePrivilege	2820	msiexec.exe
Token: SeCreatePermanentPrivilege	2820	msiexec.exe
Token: SeBackupPrivilege	2820	msiexec.exe
Token: SeRestorePrivilege	2820	msiexec.exe
Token: SeShutdownPrivilege	2820	msiexec.exe
Token: SeDebugPrivilege	2820	msiexec.exe
Token: SeAuditPrivilege	2820	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2820	msiexec.exe
Token: SeChangeNotifyPrivilege	2820	msiexec.exe
Token: SeRemoteShutdownPrivilege	2820	msiexec.exe
Token: SeUndockPrivilege	2820	msiexec.exe
Token: SeSyncAgentPrivilege	2820	msiexec.exe
Token: SeEnableDelegationPrivilege	2820	msiexec.exe
Token: SeManageVolumePrivilege	2820	msiexec.exe
Token: SeImpersonatePrivilege	2820	msiexec.exe
Token: SeCreateGlobalPrivilege	2820	msiexec.exe
Token: SeCreateTokenPrivilege	2820	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2820	msiexec.exe
Token: SeLockMemoryPrivilege	2820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2820	msiexec.exe
Token: SeMachineAccountPrivilege	2820	msiexec.exe
Token: SeTcbPrivilege	2820	msiexec.exe
Token: SeSecurityPrivilege	2820	msiexec.exe
Token: SeTakeOwnershipPrivilege	2820	msiexec.exe
Token: SeLoadDriverPrivilege	2820	msiexec.exe
Token: SeSystemProfilePrivilege	2820	msiexec.exe
Token: SeSystemtimePrivilege	2820	msiexec.exe
Token: SeProfSingleProcessPrivilege	2820	msiexec.exe
Token: SeIncBasePriorityPrivilege	2820	msiexec.exe
Token: SeCreatePagefilePrivilege	2820	msiexec.exe
Token: SeCreatePermanentPrivilege	2820	msiexec.exe
Token: SeBackupPrivilege	2820	msiexec.exe
Token: SeRestorePrivilege	2820	msiexec.exe
Token: SeShutdownPrivilege	2820	msiexec.exe
Token: SeDebugPrivilege	2820	msiexec.exe
Token: SeAuditPrivilege	2820	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2820	msiexec.exe
Token: SeChangeNotifyPrivilege	2820	msiexec.exe
Token: SeRemoteShutdownPrivilege	2820	msiexec.exe
Token: SeUndockPrivilege	2820	msiexec.exe
Token: SeSyncAgentPrivilege	2820	msiexec.exe
Token: SeEnableDelegationPrivilege	2820	msiexec.exe
Token: SeManageVolumePrivilege	2820	msiexec.exe
Token: SeImpersonatePrivilege	2820	msiexec.exe
Token: SeCreateGlobalPrivilege	2820	msiexec.exe
Token: SeCreateTokenPrivilege	2820	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2820	msiexec.exe
2820	msiexec.exe
1688	eConnectTray.exe
1688	eConnectTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1688	eConnectTray.exe
1688	eConnectTray.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 760	2808	msiexec.exe	31
PID 2808 wrote to memory of 760	2808	msiexec.exe	31
PID 2808 wrote to memory of 760	2808	msiexec.exe	31
PID 2808 wrote to memory of 760	2808	msiexec.exe	31
PID 2808 wrote to memory of 760	2808	msiexec.exe	31
PID 2808 wrote to memory of 760	2808	msiexec.exe	31
PID 2808 wrote to memory of 760	2808	msiexec.exe	31
PID 2808 wrote to memory of 632	2808	msiexec.exe	35
PID 2808 wrote to memory of 632	2808	msiexec.exe	35
PID 2808 wrote to memory of 632	2808	msiexec.exe	35
PID 2808 wrote to memory of 632	2808	msiexec.exe	35
PID 2808 wrote to memory of 632	2808	msiexec.exe	35
PID 2808 wrote to memory of 632	2808	msiexec.exe	35
PID 2808 wrote to memory of 632	2808	msiexec.exe	35
PID 2808 wrote to memory of 2200	2808	msiexec.exe	36
PID 2808 wrote to memory of 2200	2808	msiexec.exe	36
PID 2808 wrote to memory of 2200	2808	msiexec.exe	36
PID 2808 wrote to memory of 2200	2808	msiexec.exe	36
PID 2808 wrote to memory of 2200	2808	msiexec.exe	36
PID 2808 wrote to memory of 2200	2808	msiexec.exe	36
PID 2808 wrote to memory of 2200	2808	msiexec.exe	36
PID 2896 wrote to memory of 1688	2896	eConnectTaskService.exe	40
PID 2896 wrote to memory of 1688	2896	eConnectTaskService.exe	40
PID 2896 wrote to memory of 1688	2896	eConnectTaskService.exe	40
PID 2896 wrote to memory of 1688	2896	eConnectTaskService.exe	40

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\econnect.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2820

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1A7A8E11C42B2DC59DB76D7AE85D934 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:760
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B6AD2917DCA1F17100C9D0E9EB51BE52
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:632
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADA547965E1543A7F86E4F7160A3534F M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2644

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E0" "0000000000000390"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1948

C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe
"C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe"
1⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe
  "C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1688

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3apps\3apps.ini

Filesize
105B

MD5
d8c3fc6f377b19cc6da9553049aac266

SHA1
0731f87a9c9004273b654d0a78841aad260ab551

SHA256
a300ce31df5a2bc6007af9fdb791d30152812f65450c7dfc00146c538e684d13

SHA512
ee959c0579723ccd0a09e7045599e5a2e030e6c60d402de37f40fa26ee2cdd06a0c56b770335a24cdb83c15d2639b5fc1f58dd4653938728dde48ea9ad17796a

Download Submit
C:\3apps\3log.log

Filesize
210B

MD5
aaa40dd2c8648d4aea29d0e5f6f9f428

SHA1
b69feb643c32ddd813b9b57ad4dce1b96182b26a

SHA256
cee8c33f79514d5d25ace7dc2084403afc19e7980fe6b3fc663431c8d407704d

SHA512
30297c8e92d20069c192d81b335813462bb0d924f4f1d9268c94a9dc1ed54d012c99df3c35bb26c2082105c0f97e1ad9b9296b16569396e82cebb99f8e21fee5

Download Submit
C:\Config.Msi\f7744cf.rbs

Filesize
12KB

MD5
640558186070d74a0ef3b78226b87647

SHA1
3a74ab781a436a77de5b09c459130cdea670e1ab

SHA256
356a942d7372fd754e9f4bcec9a165e5ff4a4ba9c51bc24e1511cf6af77858a8

SHA512
51e2739d3318f1784baf20367525bd2ffb8675afef747a783874767f36ff7b3f4f7d69efa200de4d6748ad441b4e3257885d04136cfb1595fce985cd4eb5235a

Download Submit
C:\Program Files (x86)\Epicor\eConnect\ZZServices.dll

Filesize
75KB

MD5
c58558855135ff6ca6ab856ff2fd27d4

SHA1
bbe3b3e1de5afe7e065750f8eacfc47dce9cbd04

SHA256
faace1fd378b8a02bbf6c19c50b72c862714aa3ee40db681586ee7314c169bda

SHA512
a1526bf23c94c305872b408ac9e26439ca30b197295577b37c875a4c877bb7bf61ad27b0d471f92d4b4c0b8ef1b4d4d61e1b222b3d069f3d8ef3895f951a3095

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.XmlSerializers.dll

Filesize
230KB

MD5
0926a4f1614ed17d531e4199b01a9f15

SHA1
d67fe509b16f74312cbd1679b347832c8aebba14

SHA256
0d480df689d0faf163aae168ae82f8dcee55de746e1b016ccccc1dc5c6947732

SHA512
e0579a2f1ad352738cab41a7f050635ff6f06a5119c89dca78835ee950ee4fcbcddf0a477cf7cbec0eadee6d8b318906079552534464fdca08682791e4dd106c

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectCommonLibrary.dll

Filesize
47KB

MD5
049d71fe85fcbdaf810e44629540b564

SHA1
d7bf06567da7c7cbd059d68f96bda1fe76788bf1

SHA256
5f92acdbbc0e522d143417d91c4eab7a7b82c799548dd5f341c1070736284e0a

SHA512
26c518ad2dea989ba5f909c7f5aa7dd4a554ec20d5f2f477d6000054dc53b5d08d82c5ba136700c73fd00af7a1c247876b967a9ace86c0e0f1fb986b333c8421

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectHelper.dll

Filesize
152KB

MD5
dc8eda0c7df119fd7d011ebdf1773cab

SHA1
e8b3e9c6459ada4f0d3c735c5f205c92ac96158d

SHA256
80f85a538a379a8b7613d6fa256f50efda9b6dc55a7e0576d9e93126f1dd6301

SHA512
37017b2897c4be97383f336490e4667cede6314659ea3009d557cd208d84fcecab515f805970be8badfc952ebb0735a0941dda9574327d795f7b1a2b27fbbc0f

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectTask.dll

Filesize
71KB

MD5
694b21817f1e425ab3ea9a912037dc0e

SHA1
12af125ec0cad9f9047b8c40cfb36a76521835f3

SHA256
5d34ef352a57a8452f1c18adf0c5ea241378da0a51aa3282c785795f50fefbe1

SHA512
e9ff5211da0c3507f74b54cd8042953d1d99f4d39356cf5097b1edd6ad81b4bb651c97c750f7dc24716bb6244d4405567ab82a6647f73b4787014836c26a49c8

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe

Filesize
363KB

MD5
3bedc71df767e2462931f01031d278e4

SHA1
634e0805987e9ef5fe021a7c97cb0f8b67aa4b0c

SHA256
a58147c5c8514228ae260bc2c8c4e97ed45fb4f62674f684286a99c45ad7ef1b

SHA512
447a78fcab0d676e6cac29221976c4d5f28f9afb24106a8846ea75878c6e02f1a3ef7a2d61f387a37d43bc5b9cf3606057e0284647700766eaec19884eb0be24

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe

Filesize
1.4MB

MD5
24b4a2e8983426e801eacea68857282c

SHA1
8422af784d3ec94b11b8e77b1608fe62e1e81797

SHA256
cff0aa74931201d1bd9bddcf02aae5cf4fd8454b12532f4907e49f41baac7f3f

SHA512
7ee38dc652cf4a4ae4a308e6ca7acdb0d8c3eae37850d1ebd7708e76ec31061b4427243d80bdf51ab85a59635db37c7fec7a7d6e499af361665afa1d6cd6d9f9

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectWorker.dll

Filesize
45KB

MD5
fdd963e0e2ab2610c91d31fee97a3530

SHA1
71ef21c1d79bd8876928757c4a7eda46587e55c6

SHA256
c03c5bd73ec0edef58202567612188f92747e94de1e51f140781d1445dae2af3

SHA512
69b899c1489519ee6f756eef84e3e76b86e4bf4850f34055882bd02d752e5061022678a3b84a721b43b7b0b25eb799471e8abd9891da751f74e6dd3420f7c28d

Download Submit
C:\ProgramData\Epicor\eConnect\Data\ComputerId.txt

Filesize
36B

MD5
ee28b6ec55eb0950bf92f80fe6665912

SHA1
383dd509cc4c2f40962b2176dce741febf6a45d2

SHA256
c3cadc4bf7a31f1404cfbcc98cbea99453d7b44f6b59a5b0aaf37afad1e1a27a

SHA512
8930ea30e08dd4a71eefdeb5ac8951ae9a2e0eb5f8d2e63c944200c74792eed0205cc80cb7f2b20c5967c48e10ee978f3c01444c53215e1882959d0401df4807

Download Submit
C:\ProgramData\Epicor\eConnect\Data\ec4audit_20241001.log

Filesize
162B

MD5
b72af2c9ca291ab7a18c080e7d6226c3

SHA1
58924adfcbae6f1977587c6a104d267a403112db

SHA256
b80bcaf247917ab447bd0accb46516fc5ada37179cd4d322f5373641a3cb8a10

SHA512
0ff6f4507e3e92d88a6482ab6184f22322a77086c9b68675855628cddcfff3bd3ce37ee554352d1e6622f97c8f5736d47b9829db16e84fdec166c5ddd4f451a5

Download Submit
C:\ProgramData\Epicor\eConnect\Data\ec4audit_20241001.log

Filesize
335B

MD5
32ec3dd0b66d77d629aa275ed61ad5da

SHA1
c0b57c09013c34957515acdc2ff57b6c41b14097

SHA256
dd8a35fd3fb07cf5aeea500e018f6adb50f0b1adfaca7261a3a2844ba9415621

SHA512
188a4eec37d74fe6e02f2d98d5ff57751bda9e330a2ec3d13ba3a5d75968427464d707e092c2a1b160249217e7fe7cafd83b529891712d729ef47d4b93540f77

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\5ajdn1rk.x2v

Filesize
11KB

MD5
c4a3b3c4a711fb640ec932bd5cbcb7ca

SHA1
03595ae6a120af501c63ab279381c3016efdc604

SHA256
62f363c05f8bbc8cbf5adfbfef5360151414a0137814e4aa1c1bfea2e03d2df9

SHA512
d96fdf709a3de39fa2508b422f1680833606db694a37023ec7d33d732bf80981378b789763b51b7058638507d64017fbcdb2562a6fd15d33821d2deaa54ebad3

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\afyt5xsq.nrs

Filesize
5KB

MD5
d8719d5ea2adc76e449741fafbe7c217

SHA1
7d5d72adc383593c3508e272f6646d116120d046

SHA256
13b8b1399428b41c6d882cc3ba001e9664d54c68a16f5bcb2f120b84f9ffeaa4

SHA512
f911e3e5ad92fad8d0603edfe6ef4c60de0a3997e9163f2a95b181e5dd3ff04c03a8dfa6dd5a57bedd14686cbf92b80675c09e8002ddb4ecbbf3d165974cab94

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\broqutzq.yf0

Filesize
3KB

MD5
f5d92ffb8bc26adeb33f36986ed116a8

SHA1
29f877aeb5018eb57d6082a2b16c49668dbbdb59

SHA256
aebfd48b1e1dd5d65e86b5c7348419c4d0276086d58f5703df635ce531f7945f

SHA512
2bb691cc3822dbf1a9b9366d66967be57829471b9eb0280f3544f44343348bfb8eff19a25fc7151e2753e03fc20ea34b64dfcc7ba712bdcd729331cfc74b1d73

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\ch4cn3tp.tce

Filesize
11KB

MD5
6043574900451eb61c1e4ebb66ab5a69

SHA1
3161f2c1c2d9d5b808de424e21f84c8ede845d9b

SHA256
92fd6d33fc71f518db01d88dcaf9b98fc458da34cbae5e8cfcf737ac3c1940aa

SHA512
709f089857e6862d8acee6fb24d309f0a306b034567972325b81e7042219d4a796c487d06006a993889980c261ae6e14a6c85e9bbfd627aae35d14454d37a515

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\zmxtqtfi.urk

Filesize
11KB

MD5
02d28a9eeea3640f9f39278c323c1de8

SHA1
b955743951c46c15ed2c05e689636ceca4d45905

SHA256
131e2357afccd2999fdf555fdccc0a972d7b2d074aea2130d1040fdd5797f2a4

SHA512
89f77f2319e1ccc3692598ae5cf332eeff4e3b703a9a166184b9442f6e001995bb67ce73360794a723e206644aaacdab063ade5b73577323c010f027ff0ffe78

Download Submit
C:\ProgramData\Epicor\eConnect\client\client-f1dc8aee-702e-4539-a3d7-419cd6f3f82c\boTaskList.xml

Filesize
190B

MD5
6400fcabd1229302efff128568dd3e03

SHA1
28c801b391075f0f90555a1d7ef1304cdf6c29ff

SHA256
0e5ad37e4542e5527e82af9d211bac8be6155825b82e6f1d24775a9bc6f43622

SHA512
278479a57d344b586bf177d91fd0195795f0cac2e9aa15db6bdee034fa7ed20b67d587de65d5a1caff8c54f657b94bf58d762b7860abb8e00de6f2ddf4c6a174

Download Submit
C:\ProgramData\Epicor\eConnect\config.xml

Filesize
85B

MD5
aefab7a3ff05fad6631ee5b24d19ca16

SHA1
663ec986f63c9ac7ab29cd31741eb1a94dbbe2dd

SHA256
5d8423ba131b1f2397b016d8c9c54753eafe63439fcc11c143f30c78b49da212

SHA512
70e5d6599b28075ef43a9a95bf6270d1c87419b3344db0819cc8b49a46fdc2fc7e37bc1e6a4c79fac00d6fda5c1ed76837139173b091617242777cb0595604ae

Download Submit
C:\ProgramData\Epicor\eConnect\config.xml

Filesize
132B

MD5
1d7731a55c5d92b0f6b8e73f6ec5e1d9

SHA1
cb75f3b98c03121621059e4e888ab771f074791d

SHA256
5fad4dc5ce68e00fbd5e9838c03f2d0064c04a761832c71bdaec543d19c36f9a

SHA512
420decccff46e6749482078a6e81b52889fb65af025caabb1d6508462bb4863d899435715fe871a1be783fad5e17c50b743b5f6442519eba8903d5017d783aef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7

Filesize
2KB

MD5
9d2275717648f432e6c9753a145ae891

SHA1
ccc2a163c58f4fdb32c89c4a19eb1a0a2e61b526

SHA256
e89bec8fe3435a944a0ab9762174502601fa20e466448cfb23b2c93b6e9e87c0

SHA512
36a4ac0cfd93d748f897f99db1f883b96426d2cc8552fa781d0f46c003a3b69f83b1094c0a0616460cad1c81e3cd060e7afff0a49db9ec09751146750d658bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
1KB

MD5
e8d445d52350d53eff1318548a5cda34

SHA1
30649484b5613e5bd3e717759c119768d8f4c0d7

SHA256
87f89299821f8dc5cd2ea388c245c104a7f09e523e4532207a6f7ec06ccb5b4e

SHA512
8f0aee76f11b34c7f89d86eda6826ab233602bea531ec482c7e75aa64851c75e0bb432c778ced889f2d8baedcee367c838d5ec6355ef5ad88a5525cd28c1f848

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_344D88508365255339C24128F5456393

Filesize
510B

MD5
d10e1a288cc780e9872e35364c33e014

SHA1
ece570343744d2c40402c45d5085d75b26c54682

SHA256
1aefffc054fff876007a623afc260fa9ed1f0dc98814cffaad72f45e27c11d52

SHA512
3613bec8b0cb124bd5b2844924d2ad779cb22d793142a1940bdd12b86d11d40d2961caa9c91bc26953c31db5097d6fe5acd50fca63a080bdb67dd2f307682af9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7

Filesize
490B

MD5
7493da9b6092af614b06fcb64ed03f88

SHA1
e51c1cce011d0162046fc357cbf0eea142f85961

SHA256
4760b6339421aebdfed3eac976cc94e0108e52f14d8760b068440dd7a25fab20

SHA512
e30007a7a309c04b91fcb453df11b5ad95a5b57e306b5d5c8b70b7c7ba1d2e37848ac66916f0882f48512e95cf2e55a80cdb027ac0db314589562fd816083354

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a44079efecd10d2db516b045f67e9dac

SHA1
af1ea42e88aa0f4623761ac941856bdd7542e0a4

SHA256
db702c4b101e287e5b32b3a0805649ebc1c81f0f9b6cc0ec4044183b0f8cdcda

SHA512
fac11f01c4cca9edc7a8fdffebb09a80b5e26612765b4309f49fab3e49b4d92f7760384d0f5664c5d3b0f658279bd80234d20b04d2ac66e0baef137628f87eb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
486B

MD5
c816b9db6e5cf30ab2265b54e45aced1

SHA1
749afe70fd50eeac279fb2e5cdf56c89e86440c6

SHA256
c45cc960a802fcdb69075989ae73ffa1738437c58f8103328597050dc4eceb2c

SHA512
f96adfff5fd889607bd1994b9ad220cf9e3d77b2e9da91da55b3bb3ebc011e8f2b087fdd2fa2e25a6fd861394036700957c72ed38e177c74dd2e89196088a29e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_344D88508365255339C24128F5456393

Filesize
494B

MD5
0558e5a4802482160839aa8bdc6eadab

SHA1
dab2e4c0bc8b1102ab4865541d4927b2879b0c91

SHA256
d1033d816ce106524a33e76946cd968f38953969ce5951c1dbaecd94f0b16876

SHA512
11c328e368721768638f6c04d22f01eafbae1021f6ebb8668ec3025b578abc6b6e338ff1af1af04e50fc723e27d1591bf98c1163121bc14b3153ad5ed6d3c929

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab84C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar85F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\3appsfwd.ini

Filesize
44B

MD5
8995ec38303f42c6eeccb48237f4c2c5

SHA1
470a9afe67f4b96356d9725ce02e77955b26a5c0

SHA256
85530286099e1ec98e8baf8e044733fdef9e455155e92a327140ec2f381831d8

SHA512
42afc5f46244d94c8762326f544a2f51b0a29f9d6b1949c6c7ec9dd3cfbca1eb96a02af3397b80ef0e3b21c780a4d018b10f5aedf102bb210d4741d39ba8b66a

Download Submit
C:\Windows\Installer\f7744cd.msi

Filesize
2.8MB

MD5
047ea0b83a21c9f424aefc040bd9b306

SHA1
56fc16c0ff5b429c476881dcce6357c91af27073

SHA256
83ef3f1565125e92013796a4375893f6e7dffc68c4d96a7e648b32a8237e53d7

SHA512
dd6b3d425870eaedab1971bd6e8a5084078e835e52de3b641679a55fadf55e06fdfa551ad8e227b5fc99e780a875afb26dd1e490a54be06664cdc8467ed60a0e

Download Submit
\Program Files (x86)\Epicor\eConnect\Eagle.Catapult.dll

Filesize
38KB

MD5
20cbe496a7e355c51c46a0baf7256e29

SHA1
92b41f313da4934178c7f11aa003ccd97c8531a7

SHA256
cb085113e8022a55b380c234395b757c1d8ab92632173519a76b48a9b2b8d895

SHA512
9bb87124908746480c969c79bba90b25d4eba59578c9c12329a8d2677fd61aba7f71f416cc4a173180a03308b452062fef95ba8623d8374578d858db86ace3ab

Download Submit
\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.dll

Filesize
99KB

MD5
c406253c0e479ee4df435ce16fe2c13b

SHA1
1d2a3129105e186a5cae946e99ca364074034c7d

SHA256
e7932ce6424233a7d8bde290bbb2945db2d8c17c0dd925c058981975097e9968

SHA512
527f3bd707728f9bbc340aaf707df2b79fe7a8c51fbe641397abc5124b290e10412a6e652535b5851717feed242f8ac6c654d412b16ddfba441c99d9491c9b2e

Download Submit
\Users\Admin\AppData\Local\Temp\MSIACC.tmp

Filesize
199KB

MD5
3a4e61909500d677745ef2ab508f3f3b

SHA1
ee398e1a153ca96c2592816eb8e8b2b7bb845e1e

SHA256
fb7a6eb19d1d1042d3bd8b3add9271116b8b6db3714dfcc0b6fee8e088d4a2cc

SHA512
feba07bba5007a20e0a1e2ca8c9050ae8624e8fbb0f24aada5dc7c2bde3be561b844453a573cab2a24c3769a8dba401db4eeef0d22ef86e2109b67e54392ee45

Download Submit
memory/1688-328-0x0000000000BF0000-0x0000000000D54000-memory.dmp

Filesize
1.4MB

Download
memory/2896-213-0x0000000000E30000-0x0000000000E48000-memory.dmp

Filesize
96KB

Download
memory/2896-190-0x0000000000A40000-0x0000000000A5E000-memory.dmp

Filesize
120KB

Download
memory/2896-164-0x0000000000470000-0x000000000049C000-memory.dmp

Filesize
176KB

Download
memory/2896-160-0x0000000000F30000-0x0000000000F90000-memory.dmp

Filesize
384KB

Download
memory/2896-340-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/2896-195-0x00000000032C0000-0x0000000003300000-memory.dmp

Filesize
256KB

Download
memory/2896-344-0x0000000000F00000-0x0000000000F12000-memory.dmp

Filesize
72KB

Download
memory/2896-198-0x00000000032C0000-0x0000000003300000-memory.dmp

Filesize
256KB

Download
memory/2896-234-0x0000000000EA0000-0x0000000000EB8000-memory.dmp

Filesize
96KB

Download
memory/2896-168-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download