83ef3f1565125e92013796a4375893f6e7dffc68c4d96a7e648b32a8237e53d7

Analysis

max time kernel
149s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01/10/2024, 18:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

econnect.msi
Size

2.8MB
MD5

047ea0b83a21c9f424aefc040bd9b306
SHA1

56fc16c0ff5b429c476881dcce6357c91af27073
SHA256

83ef3f1565125e92013796a4375893f6e7dffc68c4d96a7e648b32a8237e53d7
SHA512

dd6b3d425870eaedab1971bd6e8a5084078e835e52de3b641679a55fadf55e06fdfa551ad8e227b5fc99e780a875afb26dd1e490a54be06664cdc8467ed60a0e
SSDEEP

49152:VRp2xbpUcxaDubTYjXkYyI08+qiS4bcGzzZv:VS8cxnb0fyK+y4wWl

Score

6^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Eagle eConnect Tray Monitor = "\"C:\\Program Files (x86)\\Epicor\\eConnect\\eConnectTray.exe\""	msiexec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	2820	msiexec.exe
4	2820	msiexec.exe
7	2820	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\eConnectService = "0"	msiexec.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectWorker.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectCommonLibrary.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectUpdateHelper.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Interop.WindowsInstaller.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectQueue.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectTask.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Ionic.Zip.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Renci.SshNet.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Zetup.zip	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\ZZServices.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectHelper.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\epplus.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.XmlSerializers.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectConsole.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectStorage.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\3zlib10.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Eagle.Catapult.dll	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e579bd2.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9ED3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{71BB18D2-7561-44F0-AE70-595AF380AAB6}\econnect.ico	msiexec.exe
File opened for modification	C:\Windows\3appsfwd.ini	eConnectTaskService.exe
File created	C:\Windows\Installer\e579bd4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e579bd2.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{71BB18D2-7561-44F0-AE70-595AF380AAB6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D0B.tmp	msiexec.exe
File created	C:\Windows\Installer\{71BB18D2-7561-44F0-AE70-595AF380AAB6}\econnect.ico	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3964	eConnectTaskService.exe
2876	eConnectTray.exe

Loads dropped DLL 23 IoCs

pid	Process
2456	MsiExec.exe
4296	MsiExec.exe
2996	MsiExec.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
2876	eConnectTray.exe
2876	eConnectTray.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2820	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eConnectTaskService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eConnectTray.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\ProductName = "Eagle eConnect 04.0429.001"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2D81BB1716570F44EA0795A53F08AA6B	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\ProductIcon = "C:\\Windows\\Installer\\{71BB18D2-7561-44F0-AE70-595AF380AAB6}\\econnect.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\PackageName = "econnect.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\PackageCode = "6424221403AD1D14DA3CF9EE6774DB7F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Version = "40429001"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2D81BB1716570F44EA0795A53F08AA6B\CompleteInstall	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9C6511B682858514E9B85E40CDF87729	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9C6511B682858514E9B85E40CDF87729\2D81BB1716570F44EA0795A53F08AA6B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Language = "1033"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
2240	msiexec.exe
2240	msiexec.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe
3964	eConnectTaskService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2820	msiexec.exe
Token: SeSecurityPrivilege	2240	msiexec.exe
Token: SeCreateTokenPrivilege	2820	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2820	msiexec.exe
Token: SeLockMemoryPrivilege	2820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2820	msiexec.exe
Token: SeMachineAccountPrivilege	2820	msiexec.exe
Token: SeTcbPrivilege	2820	msiexec.exe
Token: SeSecurityPrivilege	2820	msiexec.exe
Token: SeTakeOwnershipPrivilege	2820	msiexec.exe
Token: SeLoadDriverPrivilege	2820	msiexec.exe
Token: SeSystemProfilePrivilege	2820	msiexec.exe
Token: SeSystemtimePrivilege	2820	msiexec.exe
Token: SeProfSingleProcessPrivilege	2820	msiexec.exe
Token: SeIncBasePriorityPrivilege	2820	msiexec.exe
Token: SeCreatePagefilePrivilege	2820	msiexec.exe
Token: SeCreatePermanentPrivilege	2820	msiexec.exe
Token: SeBackupPrivilege	2820	msiexec.exe
Token: SeRestorePrivilege	2820	msiexec.exe
Token: SeShutdownPrivilege	2820	msiexec.exe
Token: SeDebugPrivilege	2820	msiexec.exe
Token: SeAuditPrivilege	2820	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2820	msiexec.exe
Token: SeChangeNotifyPrivilege	2820	msiexec.exe
Token: SeRemoteShutdownPrivilege	2820	msiexec.exe
Token: SeUndockPrivilege	2820	msiexec.exe
Token: SeSyncAgentPrivilege	2820	msiexec.exe
Token: SeEnableDelegationPrivilege	2820	msiexec.exe
Token: SeManageVolumePrivilege	2820	msiexec.exe
Token: SeImpersonatePrivilege	2820	msiexec.exe
Token: SeCreateGlobalPrivilege	2820	msiexec.exe
Token: SeCreateTokenPrivilege	2820	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2820	msiexec.exe
Token: SeLockMemoryPrivilege	2820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2820	msiexec.exe
Token: SeMachineAccountPrivilege	2820	msiexec.exe
Token: SeTcbPrivilege	2820	msiexec.exe
Token: SeSecurityPrivilege	2820	msiexec.exe
Token: SeTakeOwnershipPrivilege	2820	msiexec.exe
Token: SeLoadDriverPrivilege	2820	msiexec.exe
Token: SeSystemProfilePrivilege	2820	msiexec.exe
Token: SeSystemtimePrivilege	2820	msiexec.exe
Token: SeProfSingleProcessPrivilege	2820	msiexec.exe
Token: SeIncBasePriorityPrivilege	2820	msiexec.exe
Token: SeCreatePagefilePrivilege	2820	msiexec.exe
Token: SeCreatePermanentPrivilege	2820	msiexec.exe
Token: SeBackupPrivilege	2820	msiexec.exe
Token: SeRestorePrivilege	2820	msiexec.exe
Token: SeShutdownPrivilege	2820	msiexec.exe
Token: SeDebugPrivilege	2820	msiexec.exe
Token: SeAuditPrivilege	2820	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2820	msiexec.exe
Token: SeChangeNotifyPrivilege	2820	msiexec.exe
Token: SeRemoteShutdownPrivilege	2820	msiexec.exe
Token: SeUndockPrivilege	2820	msiexec.exe
Token: SeSyncAgentPrivilege	2820	msiexec.exe
Token: SeEnableDelegationPrivilege	2820	msiexec.exe
Token: SeManageVolumePrivilege	2820	msiexec.exe
Token: SeImpersonatePrivilege	2820	msiexec.exe
Token: SeCreateGlobalPrivilege	2820	msiexec.exe
Token: SeCreateTokenPrivilege	2820	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2820	msiexec.exe
Token: SeLockMemoryPrivilege	2820	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2820	msiexec.exe
2876	eConnectTray.exe
2820	msiexec.exe
2876	eConnectTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2876	eConnectTray.exe
2876	eConnectTray.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2456	2240	msiexec.exe	76
PID 2240 wrote to memory of 2456	2240	msiexec.exe	76
PID 2240 wrote to memory of 2456	2240	msiexec.exe	76
PID 2240 wrote to memory of 2424	2240	msiexec.exe	80
PID 2240 wrote to memory of 2424	2240	msiexec.exe	80
PID 2240 wrote to memory of 4296	2240	msiexec.exe	82
PID 2240 wrote to memory of 4296	2240	msiexec.exe	82
PID 2240 wrote to memory of 4296	2240	msiexec.exe	82
PID 2240 wrote to memory of 2996	2240	msiexec.exe	83
PID 2240 wrote to memory of 2996	2240	msiexec.exe	83
PID 2240 wrote to memory of 2996	2240	msiexec.exe	83
PID 3964 wrote to memory of 2876	3964	eConnectTaskService.exe	86
PID 3964 wrote to memory of 2876	3964	eConnectTaskService.exe	86
PID 3964 wrote to memory of 2876	3964	eConnectTaskService.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\econnect.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2820

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8012F8138C0012EDDCFB9034AC39333D C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2424
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6771CB9B4C833E130E19965A530B1541
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4296
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C33D4E510017F2901A9B027846D4586 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5092

C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe
"C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe"
1⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe
  "C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2876

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3apps\3apps.ini

Filesize
73B

MD5
e84aa005b0563e9be5cfb7ebaaea1db5

SHA1
48b14d3fdbc32e11b634fb2fc6c14c72d2b01732

SHA256
b3676c489942d55d5f994f47d891ee7e61cc7e8e678e81e77704d31f15e39032

SHA512
7e10e49a9eb2f23e70282ba3f93cb17efdf97fb4b390597efbb7ee3cd4c45b21710f054677735112c58a3009d6906bd6f1b0f965f9f8c3f7872d9f7c8648d769

Download Submit
C:\3apps\3apps.ini

Filesize
105B

MD5
954cb1afa3d44836574adc951bc10726

SHA1
7eab5c490374cbf4c7b648de964a0a871c814642

SHA256
ca5ffc6d9a7c08092eb7ba2d6ed064370ab4ab627ef9b122681fa3ed4e436b02

SHA512
93fa91537b95e2785e468a2b3486b70301b581f264079ffa33f16c72431b0669390d6cccf78c505bc828d371d43823ac5f3c778593cf87bbe977092d13fe6bd5

Download Submit
C:\3apps\3apps.ini

Filesize
105B

MD5
4963e10960e0ad7197c2959b2624554d

SHA1
762ceb025202c0a06ba1952958ddf15896768656

SHA256
fd6675138e928c36546083c45b20fcb07520623f78d78766a42a8e9f44807395

SHA512
258f3f2eaeb550793efd2582c729377a330df43bc720c95ca5bc62b55c450bfdf7bc2bcb751f2a5bf5153c44bc7f06851419ebdcf6929e738c74f1dd5edd3bfb

Download Submit
C:\3apps\3log.log

Filesize
210B

MD5
aaa40dd2c8648d4aea29d0e5f6f9f428

SHA1
b69feb643c32ddd813b9b57ad4dce1b96182b26a

SHA256
cee8c33f79514d5d25ace7dc2084403afc19e7980fe6b3fc663431c8d407704d

SHA512
30297c8e92d20069c192d81b335813462bb0d924f4f1d9268c94a9dc1ed54d012c99df3c35bb26c2082105c0f97e1ad9b9296b16569396e82cebb99f8e21fee5

Download Submit
C:\Config.Msi\e579bd3.rbs

Filesize
12KB

MD5
f9f3074580932b9760e85ff688db7dcf

SHA1
2e1831e44bad8c660bcf61c8204c02f65660f75b

SHA256
5a02b96910762065cb9158e87f562b9fc8a208082d3048532afa62f40b2cb75a

SHA512
323bc98810b3fc08b656b6aa488879b2eb7d516cb7799e7722b8c93fc7ad80a5a142ec241ae39a84d2e17b3cb40fa6da7e195f790f96fb5bc48011e7c481fd13

Download Submit
C:\Program Files (x86)\Epicor\eConnect\Eagle.Catapult.dll

Filesize
38KB

MD5
20cbe496a7e355c51c46a0baf7256e29

SHA1
92b41f313da4934178c7f11aa003ccd97c8531a7

SHA256
cb085113e8022a55b380c234395b757c1d8ab92632173519a76b48a9b2b8d895

SHA512
9bb87124908746480c969c79bba90b25d4eba59578c9c12329a8d2677fd61aba7f71f416cc4a173180a03308b452062fef95ba8623d8374578d858db86ace3ab

Download Submit
C:\Program Files (x86)\Epicor\eConnect\ZZServices.dll

Filesize
75KB

MD5
c58558855135ff6ca6ab856ff2fd27d4

SHA1
bbe3b3e1de5afe7e065750f8eacfc47dce9cbd04

SHA256
faace1fd378b8a02bbf6c19c50b72c862714aa3ee40db681586ee7314c169bda

SHA512
a1526bf23c94c305872b408ac9e26439ca30b197295577b37c875a4c877bb7bf61ad27b0d471f92d4b4c0b8ef1b4d4d61e1b222b3d069f3d8ef3895f951a3095

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.XmlSerializers.dll

Filesize
230KB

MD5
0926a4f1614ed17d531e4199b01a9f15

SHA1
d67fe509b16f74312cbd1679b347832c8aebba14

SHA256
0d480df689d0faf163aae168ae82f8dcee55de746e1b016ccccc1dc5c6947732

SHA512
e0579a2f1ad352738cab41a7f050635ff6f06a5119c89dca78835ee950ee4fcbcddf0a477cf7cbec0eadee6d8b318906079552534464fdca08682791e4dd106c

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.dll

Filesize
99KB

MD5
c406253c0e479ee4df435ce16fe2c13b

SHA1
1d2a3129105e186a5cae946e99ca364074034c7d

SHA256
e7932ce6424233a7d8bde290bbb2945db2d8c17c0dd925c058981975097e9968

SHA512
527f3bd707728f9bbc340aaf707df2b79fe7a8c51fbe641397abc5124b290e10412a6e652535b5851717feed242f8ac6c654d412b16ddfba441c99d9491c9b2e

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectCommonLibrary.dll

Filesize
47KB

MD5
049d71fe85fcbdaf810e44629540b564

SHA1
d7bf06567da7c7cbd059d68f96bda1fe76788bf1

SHA256
5f92acdbbc0e522d143417d91c4eab7a7b82c799548dd5f341c1070736284e0a

SHA512
26c518ad2dea989ba5f909c7f5aa7dd4a554ec20d5f2f477d6000054dc53b5d08d82c5ba136700c73fd00af7a1c247876b967a9ace86c0e0f1fb986b333c8421

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectHelper.dll

Filesize
152KB

MD5
dc8eda0c7df119fd7d011ebdf1773cab

SHA1
e8b3e9c6459ada4f0d3c735c5f205c92ac96158d

SHA256
80f85a538a379a8b7613d6fa256f50efda9b6dc55a7e0576d9e93126f1dd6301

SHA512
37017b2897c4be97383f336490e4667cede6314659ea3009d557cd208d84fcecab515f805970be8badfc952ebb0735a0941dda9574327d795f7b1a2b27fbbc0f

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectTask.dll

Filesize
71KB

MD5
694b21817f1e425ab3ea9a912037dc0e

SHA1
12af125ec0cad9f9047b8c40cfb36a76521835f3

SHA256
5d34ef352a57a8452f1c18adf0c5ea241378da0a51aa3282c785795f50fefbe1

SHA512
e9ff5211da0c3507f74b54cd8042953d1d99f4d39356cf5097b1edd6ad81b4bb651c97c750f7dc24716bb6244d4405567ab82a6647f73b4787014836c26a49c8

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe

Filesize
363KB

MD5
3bedc71df767e2462931f01031d278e4

SHA1
634e0805987e9ef5fe021a7c97cb0f8b67aa4b0c

SHA256
a58147c5c8514228ae260bc2c8c4e97ed45fb4f62674f684286a99c45ad7ef1b

SHA512
447a78fcab0d676e6cac29221976c4d5f28f9afb24106a8846ea75878c6e02f1a3ef7a2d61f387a37d43bc5b9cf3606057e0284647700766eaec19884eb0be24

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe

Filesize
1.4MB

MD5
24b4a2e8983426e801eacea68857282c

SHA1
8422af784d3ec94b11b8e77b1608fe62e1e81797

SHA256
cff0aa74931201d1bd9bddcf02aae5cf4fd8454b12532f4907e49f41baac7f3f

SHA512
7ee38dc652cf4a4ae4a308e6ca7acdb0d8c3eae37850d1ebd7708e76ec31061b4427243d80bdf51ab85a59635db37c7fec7a7d6e499af361665afa1d6cd6d9f9

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectWorker.dll

Filesize
45KB

MD5
fdd963e0e2ab2610c91d31fee97a3530

SHA1
71ef21c1d79bd8876928757c4a7eda46587e55c6

SHA256
c03c5bd73ec0edef58202567612188f92747e94de1e51f140781d1445dae2af3

SHA512
69b899c1489519ee6f756eef84e3e76b86e4bf4850f34055882bd02d752e5061022678a3b84a721b43b7b0b25eb799471e8abd9891da751f74e6dd3420f7c28d

Download Submit
C:\ProgramData\Epicor\eConnect\Data\ComputerId.txt

Filesize
36B

MD5
df84a4ece91f930235b1176a8d7cc90d

SHA1
0a5e0278188b8cb1ed026656b3aec85832662c72

SHA256
480d9358feceac032351ce812a14b3faac340d3b67909b98c3f314c3037bb2ab

SHA512
712e7669a348e45fd0415a42360864ad6b06cbe3c22126de4c6b1a79190e8f629831c5fdecb3c42dfceff42b26cc2b01844cb7259b416d13016c01eaffc1135e

Download Submit
C:\ProgramData\Epicor\eConnect\Data\ec4audit_20241001.log

Filesize
162B

MD5
a5b182dce57d14454282101e7362211c

SHA1
8398236aedb020e0c5245a3dc420036409f6d4aa

SHA256
283aaa8a73a61591383d47ebf6fe85c2086c2d37f54d9a86da2a999080e01423

SHA512
fe325e9545c79c212e9c19729affcc1c5a09c07ceeb341964c8e5a3acfe0f9c6b35d94da090780e21b8da6895b551f830ca690b09541d334cb3d26511fe25625

Download Submit
C:\ProgramData\Epicor\eConnect\Data\ec4audit_20241001.log

Filesize
406B

MD5
cf1d9a3c7b0dd39ed91c046d73777579

SHA1
e807ab9bcf4cb803b3a7e7a5a1d62d3ca40a3731

SHA256
d57056731e2e5d4d36af2dc18e96ac73eacbfe3f10ecd2dc198431ad18311067

SHA512
44a560dbeb264572732ca9f0acca0036586dfccc5f7c46763907e2c5da6f38dd0237e414e4b1d53333f71ed57ad10e485748b285a350c16905a0137b8ca6de0c

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\0yzs5v5y.pae

Filesize
11KB

MD5
0bf4dd49947b3a49dd83c1f00b407fec

SHA1
399b067e4022b2d4569eeebbce7c630832994c13

SHA256
47c1f85ca4b947f26c4d3ca2ea7a8e3c9831b2f92388cacb210505af98d35642

SHA512
b4e5aee3dacefcad6ebb6006dc4f5ede26af6b46e04ada01b6888a3ada45495457bcd8292e1691b96d02e3597b9be99415dc2d7ef2efc8b3b9373b3dbac46b39

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\r41mkjky.lvm

Filesize
190B

MD5
aa9424dfe0060eea43aff1c02c695a8c

SHA1
66d2358c51f475c6e7b4eb62ef865a7930c60a20

SHA256
d680c41b5584197b08573b7995995e1fad2f7c5bacac5d4439a26c648d0aea07

SHA512
27bd1832a1459ef67df963519dcd120dc7e8bced912ff469e380ffcf15598294b9cc55fcf9b260fd311be193076fe6922708bacd8c56b42f1fbdf708afb01626

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\x0liypyy.2cn

Filesize
11KB

MD5
4d4b11d3f9a79d0b6ab78967001d71fa

SHA1
12bfc46eecc8facc6f2b41c1887d7d05cb6f1a57

SHA256
6f79eae22b17e99c6e94351bb879645c90eb397a027bf52f7b521de8ccd90f4e

SHA512
a7d9eba12ebfb2d67645947cf9af4a95d468496a4a11b6128c2cafb3ec10ea1fb5ce904e5ad4ad804975287c4ff452a33459769c2ac7e9447f36eee9d8b4eafb

Download Submit
C:\ProgramData\Epicor\eConnect\client\client-a99395c5-672a-4a4a-ade5-8401c241d6a6\boTaskList.xml

Filesize
3KB

MD5
f685f22fe36a344ae06a060a3757bf00

SHA1
56273e2894a97f942a1be96dcb9456d232fdfaf5

SHA256
51f7561c54572efda8fa1e0b9804660d0d9f6590fa7b4574dc587a985c6cb605

SHA512
e5a505607585ae4cb3885c3ba5761ccbea23bc26d486d63dbfd76867b7298aa6109f26fd85a3bd752d83ca1103a0e2d0549e76ee52b09d4c0da0402657741bd2

Download Submit
C:\ProgramData\Epicor\eConnect\client\client-a99395c5-672a-4a4a-ade5-8401c241d6a6\boTaskList.xml

Filesize
5KB

MD5
be7cca675f14ec89d9a694ccca577fee

SHA1
22d94ab2374af0e8c5403538209928dbe6061e50

SHA256
95be55efaedbf27f2d457ce52ba075ae7dc43f0def027118c3cd736b5635c85f

SHA512
54ccb8d7a9b89835e38fde6b5f0c3b18b0af75f8f201598b2c70797c935f52534268ddfdde8e5d7b07cc5b868316b228e9339eb479fc43bd533d80daa27aeb93

Download Submit
C:\ProgramData\Epicor\eConnect\client\client-a99395c5-672a-4a4a-ade5-8401c241d6a6\boTaskList.xml

Filesize
11KB

MD5
6eb7e8f9f4625ca64e0e505bb1e8cd29

SHA1
09a6e45334f69b101411ba4cdf6b88b552f9e883

SHA256
b11304ea9b1b89af33f09c982ef6b938f5ee8a69aeae8f1af6f39ade39aff7e5

SHA512
e549d7558d394b544c3907b34129e4cee932fcd2b78ad98b3a1d6ff031a2133678317039147fe86db92f35ac8b9666d5c00d5578f4061241b5018a836f1681b7

Download Submit
C:\ProgramData\Epicor\eConnect\config.xml

Filesize
85B

MD5
aefab7a3ff05fad6631ee5b24d19ca16

SHA1
663ec986f63c9ac7ab29cd31741eb1a94dbbe2dd

SHA256
5d8423ba131b1f2397b016d8c9c54753eafe63439fcc11c143f30c78b49da212

SHA512
70e5d6599b28075ef43a9a95bf6270d1c87419b3344db0819cc8b49a46fdc2fc7e37bc1e6a4c79fac00d6fda5c1ed76837139173b091617242777cb0595604ae

Download Submit
C:\ProgramData\Epicor\eConnect\config.xml

Filesize
132B

MD5
1d7731a55c5d92b0f6b8e73f6ec5e1d9

SHA1
cb75f3b98c03121621059e4e888ab771f074791d

SHA256
5fad4dc5ce68e00fbd5e9838c03f2d0064c04a761832c71bdaec543d19c36f9a

SHA512
420decccff46e6749482078a6e81b52889fb65af025caabb1d6508462bb4863d899435715fe871a1be783fad5e17c50b743b5f6442519eba8903d5017d783aef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7

Filesize
2KB

MD5
9d2275717648f432e6c9753a145ae891

SHA1
ccc2a163c58f4fdb32c89c4a19eb1a0a2e61b526

SHA256
e89bec8fe3435a944a0ab9762174502601fa20e466448cfb23b2c93b6e9e87c0

SHA512
36a4ac0cfd93d748f897f99db1f883b96426d2cc8552fa781d0f46c003a3b69f83b1094c0a0616460cad1c81e3cd060e7afff0a49db9ec09751146750d658bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
1KB

MD5
e8d445d52350d53eff1318548a5cda34

SHA1
30649484b5613e5bd3e717759c119768d8f4c0d7

SHA256
87f89299821f8dc5cd2ea388c245c104a7f09e523e4532207a6f7ec06ccb5b4e

SHA512
8f0aee76f11b34c7f89d86eda6826ab233602bea531ec482c7e75aa64851c75e0bb432c778ced889f2d8baedcee367c838d5ec6355ef5ad88a5525cd28c1f848

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_344D88508365255339C24128F5456393

Filesize
510B

MD5
d10e1a288cc780e9872e35364c33e014

SHA1
ece570343744d2c40402c45d5085d75b26c54682

SHA256
1aefffc054fff876007a623afc260fa9ed1f0dc98814cffaad72f45e27c11d52

SHA512
3613bec8b0cb124bd5b2844924d2ad779cb22d793142a1940bdd12b86d11d40d2961caa9c91bc26953c31db5097d6fe5acd50fca63a080bdb67dd2f307682af9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7

Filesize
490B

MD5
ce7e40762ed38ffcb9bba2cf2c7828fb

SHA1
a79b3b61d81729024b448a8a099e5d76a837eef6

SHA256
db37ad204c3990efdcbf3b43f9eb8c3da4191f935cd4c943cbcc790f20cdaedb

SHA512
db62a00430dfe6be6672124e06a3ea2b1e12c618d00dad5958be5a400f441cc9e518aa17ace43946b592989141bc63ab08905be6211088c4949f36e1e7386aab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
486B

MD5
9a936a29319659f3b940acdf5c0e8f3c

SHA1
8e779d091f7a76adce22663d436526c64057dc30

SHA256
a972ec3817153ede2146a68606a9d6cecc95cd8374ccc994a13c7dc8176020f7

SHA512
233a70183860c66975335a2c847428b45e51873492836f9f5214f8db341485a1b4cda18d1fc5d10dce411aef6dafc5036d90706745ce66ceb29e84893ce5f291

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_344D88508365255339C24128F5456393

Filesize
494B

MD5
fd95a39fc8574875ebd2757d43dea236

SHA1
cced278c331b1a001caf5e3bf2e04cd6fd54615c

SHA256
9f02d86b02cfb33cac40d921f712a3c839b52534f599a6fe2977cae644b43260

SHA512
31ad8dca0ebf21aafe62f65074cd99df4f4a3f4e8f07f6ad091bddd40fb5bf8a3e48401eb0e1f643c07dad30782a927b58941d700a57d343b948a06e4bea7320

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5C97.tmp

Filesize
199KB

MD5
3a4e61909500d677745ef2ab508f3f3b

SHA1
ee398e1a153ca96c2592816eb8e8b2b7bb845e1e

SHA256
fb7a6eb19d1d1042d3bd8b3add9271116b8b6db3714dfcc0b6fee8e088d4a2cc

SHA512
feba07bba5007a20e0a1e2ca8c9050ae8624e8fbb0f24aada5dc7c2bde3be561b844453a573cab2a24c3769a8dba401db4eeef0d22ef86e2109b67e54392ee45

Download Submit
C:\Windows\3appsfwd.ini

Filesize
44B

MD5
8995ec38303f42c6eeccb48237f4c2c5

SHA1
470a9afe67f4b96356d9725ce02e77955b26a5c0

SHA256
85530286099e1ec98e8baf8e044733fdef9e455155e92a327140ec2f381831d8

SHA512
42afc5f46244d94c8762326f544a2f51b0a29f9d6b1949c6c7ec9dd3cfbca1eb96a02af3397b80ef0e3b21c780a4d018b10f5aedf102bb210d4741d39ba8b66a

Download Submit
C:\Windows\Installer\e579bd2.msi

Filesize
2.8MB

MD5
047ea0b83a21c9f424aefc040bd9b306

SHA1
56fc16c0ff5b429c476881dcce6357c91af27073

SHA256
83ef3f1565125e92013796a4375893f6e7dffc68c4d96a7e648b32a8237e53d7

SHA512
dd6b3d425870eaedab1971bd6e8a5084078e835e52de3b641679a55fadf55e06fdfa551ad8e227b5fc99e780a875afb26dd1e490a54be06664cdc8467ed60a0e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
26.0MB

MD5
6a00fc4ef1a18fafdfaf5410698dbf93

SHA1
f6459622c9970889e8471a214dc8a9f317fd9c12

SHA256
968efd249e9a6ee9e0b5854de1586a1fbf0b05e28329afbfb9c61f3e35b7b301

SHA512
1f4481f950bc910f8eca06b56374709111ce64b5c1772295e5a90a07d9f77d8794fe5cdd70ead3255a94388d624003293f17977c8a987fe73f9b80dd7db9666d

Download Submit
\??\Volume{38fc5f00-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{80b2aa6a-bb5b-47d5-b0e1-1e7043e061f3}_OnDiskSnapshotProp

Filesize
5KB

MD5
0598d8298b8f39a759897c7dbad97d0f

SHA1
5d47b3797d71c274d916a67b7377a6b8ce8271ee

SHA256
016dec26ff9d0e014ff369686f5d5a04b07b9d89e00c306453833e92665c08cf

SHA512
7deb7b8d9aef0bdb1c7d819173da0821397fbbff223c5e7b4fc111f5022b6e954c69c811a9a7c984bb9b63daaa54da654d5c074b0e07c5924a9efacdcb9fd9c6

Download Submit
memory/2876-273-0x0000000000130000-0x0000000000294000-memory.dmp

Filesize
1.4MB

Download
memory/2876-281-0x00000000052D0000-0x00000000052DA000-memory.dmp

Filesize
40KB

Download
memory/3964-95-0x0000000001360000-0x0000000001372000-memory.dmp

Filesize
72KB

Download
memory/3964-170-0x0000000004DA0000-0x0000000004DB8000-memory.dmp

Filesize
96KB

Download
memory/3964-149-0x0000000004B00000-0x0000000004B18000-memory.dmp

Filesize
96KB

Download
memory/3964-139-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/3964-138-0x00000000043A0000-0x0000000004406000-memory.dmp

Filesize
408KB

Download
memory/3964-129-0x0000000003A60000-0x0000000003AA0000-memory.dmp

Filesize
256KB

Download
memory/3964-286-0x0000000003AB0000-0x0000000003AC0000-memory.dmp

Filesize
64KB

Download
memory/3964-124-0x0000000003900000-0x000000000391E000-memory.dmp

Filesize
120KB

Download
memory/3964-290-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/3964-98-0x0000000003980000-0x0000000003A12000-memory.dmp

Filesize
584KB

Download
memory/3964-97-0x0000000003DA0000-0x000000000429E000-memory.dmp

Filesize
5.0MB

Download
memory/3964-296-0x0000000005330000-0x0000000005396000-memory.dmp

Filesize
408KB

Download
memory/3964-96-0x0000000003830000-0x0000000003852000-memory.dmp

Filesize
136KB

Download
memory/3964-91-0x00000000037D0000-0x00000000037FC000-memory.dmp

Filesize
176KB

Download
memory/3964-87-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download