83ef3f1565125e92013796a4375893f6e7dffc68c4d96a7e648b32a8237e53d7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

econnect.msi
Size

2.8MB
MD5

047ea0b83a21c9f424aefc040bd9b306
SHA1

56fc16c0ff5b429c476881dcce6357c91af27073
SHA256

83ef3f1565125e92013796a4375893f6e7dffc68c4d96a7e648b32a8237e53d7
SHA512

dd6b3d425870eaedab1971bd6e8a5084078e835e52de3b641679a55fadf55e06fdfa551ad8e227b5fc99e780a875afb26dd1e490a54be06664cdc8467ed60a0e
SSDEEP

49152:VRp2xbpUcxaDubTYjXkYyI08+qiS4bcGzzZv:VS8cxnb0fyK+y4wWl

Score

6^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Eagle eConnect Tray Monitor = "\"C:\\Program Files (x86)\\Epicor\\eConnect\\eConnectTray.exe\""	msiexec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	4428	msiexec.exe
7	4428	msiexec.exe
11	4428	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\eConnectService = "0"	msiexec.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Epicor\eConnect\Interop.WindowsInstaller.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\ZZServices.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectQueue.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectUpdateHelper.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectWorker.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\3zlib10.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectStorage.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Renci.SshNet.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\epplus.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Ionic.Zip.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Zetup.zip	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectCommonLibrary.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectConsole.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectHelper.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectTask.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Eagle.Catapult.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.XmlSerializers.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Newtonsoft.Json.dll	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e58406f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{71BB18D2-7561-44F0-AE70-595AF380AAB6}\econnect.ico	msiexec.exe
File created	C:\Windows\Installer\e584071.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44A7.tmp	msiexec.exe
File created	C:\Windows\Installer\{71BB18D2-7561-44F0-AE70-595AF380AAB6}\econnect.ico	msiexec.exe
File opened for modification	C:\Windows\3appsfwd.ini	eConnectTaskService.exe
File created	C:\Windows\Installer\e58406f.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{71BB18D2-7561-44F0-AE70-595AF380AAB6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4179.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41A9.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4648	eConnectTaskService.exe
1572	eConnectTray.exe

Loads dropped DLL 23 IoCs

pid	Process
1940	MsiExec.exe
2824	MsiExec.exe
2748	MsiExec.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
1572	eConnectTray.exe
1572	eConnectTray.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4428	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eConnectTaskService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eConnectTray.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000532ba7f3274a467a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000532ba7f30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900532ba7f3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d532ba7f3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000532ba7f300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	eConnectTaskService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	eConnectTaskService.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\PackageName = "econnect.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2D81BB1716570F44EA0795A53F08AA6B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\PackageCode = "6424221403AD1D14DA3CF9EE6774DB7F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2D81BB1716570F44EA0795A53F08AA6B\CompleteInstall	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9C6511B682858514E9B85E40CDF87729	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9C6511B682858514E9B85E40CDF87729\2D81BB1716570F44EA0795A53F08AA6B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\ProductIcon = "C:\\Windows\\Installer\\{71BB18D2-7561-44F0-AE70-595AF380AAB6}\\econnect.ico"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\ProductName = "Eagle eConnect 04.0429.001"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Version = "40429001"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
4216	msiexec.exe
4216	msiexec.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe
4648	eConnectTaskService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4428	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4428	msiexec.exe
Token: SeSecurityPrivilege	4216	msiexec.exe
Token: SeCreateTokenPrivilege	4428	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4428	msiexec.exe
Token: SeLockMemoryPrivilege	4428	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4428	msiexec.exe
Token: SeMachineAccountPrivilege	4428	msiexec.exe
Token: SeTcbPrivilege	4428	msiexec.exe
Token: SeSecurityPrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeLoadDriverPrivilege	4428	msiexec.exe
Token: SeSystemProfilePrivilege	4428	msiexec.exe
Token: SeSystemtimePrivilege	4428	msiexec.exe
Token: SeProfSingleProcessPrivilege	4428	msiexec.exe
Token: SeIncBasePriorityPrivilege	4428	msiexec.exe
Token: SeCreatePagefilePrivilege	4428	msiexec.exe
Token: SeCreatePermanentPrivilege	4428	msiexec.exe
Token: SeBackupPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeShutdownPrivilege	4428	msiexec.exe
Token: SeDebugPrivilege	4428	msiexec.exe
Token: SeAuditPrivilege	4428	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4428	msiexec.exe
Token: SeChangeNotifyPrivilege	4428	msiexec.exe
Token: SeRemoteShutdownPrivilege	4428	msiexec.exe
Token: SeUndockPrivilege	4428	msiexec.exe
Token: SeSyncAgentPrivilege	4428	msiexec.exe
Token: SeEnableDelegationPrivilege	4428	msiexec.exe
Token: SeManageVolumePrivilege	4428	msiexec.exe
Token: SeImpersonatePrivilege	4428	msiexec.exe
Token: SeCreateGlobalPrivilege	4428	msiexec.exe
Token: SeCreateTokenPrivilege	4428	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4428	msiexec.exe
Token: SeLockMemoryPrivilege	4428	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4428	msiexec.exe
Token: SeMachineAccountPrivilege	4428	msiexec.exe
Token: SeTcbPrivilege	4428	msiexec.exe
Token: SeSecurityPrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeLoadDriverPrivilege	4428	msiexec.exe
Token: SeSystemProfilePrivilege	4428	msiexec.exe
Token: SeSystemtimePrivilege	4428	msiexec.exe
Token: SeProfSingleProcessPrivilege	4428	msiexec.exe
Token: SeIncBasePriorityPrivilege	4428	msiexec.exe
Token: SeCreatePagefilePrivilege	4428	msiexec.exe
Token: SeCreatePermanentPrivilege	4428	msiexec.exe
Token: SeBackupPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeShutdownPrivilege	4428	msiexec.exe
Token: SeDebugPrivilege	4428	msiexec.exe
Token: SeAuditPrivilege	4428	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4428	msiexec.exe
Token: SeChangeNotifyPrivilege	4428	msiexec.exe
Token: SeRemoteShutdownPrivilege	4428	msiexec.exe
Token: SeUndockPrivilege	4428	msiexec.exe
Token: SeSyncAgentPrivilege	4428	msiexec.exe
Token: SeEnableDelegationPrivilege	4428	msiexec.exe
Token: SeManageVolumePrivilege	4428	msiexec.exe
Token: SeImpersonatePrivilege	4428	msiexec.exe
Token: SeCreateGlobalPrivilege	4428	msiexec.exe
Token: SeCreateTokenPrivilege	4428	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4428	msiexec.exe
Token: SeLockMemoryPrivilege	4428	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4428	msiexec.exe
1572	eConnectTray.exe
4428	msiexec.exe
1572	eConnectTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1572	eConnectTray.exe
1572	eConnectTray.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 1940	4216	msiexec.exe	84
PID 4216 wrote to memory of 1940	4216	msiexec.exe	84
PID 4216 wrote to memory of 1940	4216	msiexec.exe	84
PID 4216 wrote to memory of 2756	4216	msiexec.exe	95
PID 4216 wrote to memory of 2756	4216	msiexec.exe	95
PID 4216 wrote to memory of 2824	4216	msiexec.exe	97
PID 4216 wrote to memory of 2824	4216	msiexec.exe	97
PID 4216 wrote to memory of 2824	4216	msiexec.exe	97
PID 4216 wrote to memory of 2748	4216	msiexec.exe	98
PID 4216 wrote to memory of 2748	4216	msiexec.exe	98
PID 4216 wrote to memory of 2748	4216	msiexec.exe	98
PID 4648 wrote to memory of 1572	4648	eConnectTaskService.exe	100
PID 4648 wrote to memory of 1572	4648	eConnectTaskService.exe	100
PID 4648 wrote to memory of 1572	4648	eConnectTaskService.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\econnect.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4428

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 984AB2FD14E394AC59E2FD0E77209171 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1940
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2756
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4C06B2B037449F56E18A7CF9C44C1D15
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3EF316EEEFCF39FCEE5F7F0E9D813603 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1920

C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe
"C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe"
1⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe
  "C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3apps\3apps.ini

Filesize
105B

MD5
de1b364f9342695e1ba9bdf2e1dce888

SHA1
c8f0fa6add10c7527cab3271068351ef9abf14e1

SHA256
14893e63060c3b9e6371e5477127f7138ee158b6bd9d17e329793cacc8db415e

SHA512
fff0b36c2c7959b3401eb9853c4e5bfefd0cabf8ea655e766fb8c4c2dfe344efba56484133bd4d513a3d86f11df704274afe54c4ea9c0e988fa2fdccb1645328

Download Submit
C:\3apps\3apps.ini

Filesize
105B

MD5
21bdd8aed60645e8e441d8259b9b3f6c

SHA1
d9181ca509e45b6e53fd0cdbee5537cfe929961a

SHA256
437c0ba7488967ec0ff38834520f2afc0b2f93e58bed9f8b4dce91d71d188767

SHA512
40f94f97c140b4cf40d0cc427460d0247afff146ba9ee4a824eeca86aec59a37c8ee480dce126542b1deae97ec03dcdd266b7331f8ad4fe82c85f9788ea91e9a

Download Submit
C:\3apps\3log.log

Filesize
210B

MD5
8221114ddbf883e91ce4ad54689171f5

SHA1
6d0f72fcaf2681d209edccd83babef6ced9a8a89

SHA256
3b08433d793a2fd3751439b7cc3ddab7acfca5ed1f873a6eaa19ca2ee0e1df0b

SHA512
264e1563029eef8b4fc2f2c38b3b61d4043f6a43a4ddbb8efa2bb128b154a444cb77de5077f2d4e27b42041b434c1c55c6fbc9abb1a1cc073cc69b34e2c33f9e

Download Submit
C:\Config.Msi\e584070.rbs

Filesize
13KB

MD5
574f51cc385d0c3a46467bc549ea46d7

SHA1
d785939b036e86629cfe8f3f8993cead46291aeb

SHA256
fd4a9b19fd9bae0d073b1c4e42ff209b99b59d82c5e7b5077b75911c2c01c494

SHA512
fa2db1dffc7c63fd3def2f257bd0adab900231c680a2d27bfbcef0199450b94ee81be89e3388cb86ed53b0dcbe5f5e09bb0e1afa014ecd380ad9d6880a9bda77

Download Submit
C:\Program Files (x86)\Epicor\eConnect\Eagle.Catapult.dll

Filesize
38KB

MD5
20cbe496a7e355c51c46a0baf7256e29

SHA1
92b41f313da4934178c7f11aa003ccd97c8531a7

SHA256
cb085113e8022a55b380c234395b757c1d8ab92632173519a76b48a9b2b8d895

SHA512
9bb87124908746480c969c79bba90b25d4eba59578c9c12329a8d2677fd61aba7f71f416cc4a173180a03308b452062fef95ba8623d8374578d858db86ace3ab

Download Submit
C:\Program Files (x86)\Epicor\eConnect\ZZServices.dll

Filesize
75KB

MD5
c58558855135ff6ca6ab856ff2fd27d4

SHA1
bbe3b3e1de5afe7e065750f8eacfc47dce9cbd04

SHA256
faace1fd378b8a02bbf6c19c50b72c862714aa3ee40db681586ee7314c169bda

SHA512
a1526bf23c94c305872b408ac9e26439ca30b197295577b37c875a4c877bb7bf61ad27b0d471f92d4b4c0b8ef1b4d4d61e1b222b3d069f3d8ef3895f951a3095

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.XmlSerializers.dll

Filesize
230KB

MD5
0926a4f1614ed17d531e4199b01a9f15

SHA1
d67fe509b16f74312cbd1679b347832c8aebba14

SHA256
0d480df689d0faf163aae168ae82f8dcee55de746e1b016ccccc1dc5c6947732

SHA512
e0579a2f1ad352738cab41a7f050635ff6f06a5119c89dca78835ee950ee4fcbcddf0a477cf7cbec0eadee6d8b318906079552534464fdca08682791e4dd106c

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.dll

Filesize
99KB

MD5
c406253c0e479ee4df435ce16fe2c13b

SHA1
1d2a3129105e186a5cae946e99ca364074034c7d

SHA256
e7932ce6424233a7d8bde290bbb2945db2d8c17c0dd925c058981975097e9968

SHA512
527f3bd707728f9bbc340aaf707df2b79fe7a8c51fbe641397abc5124b290e10412a6e652535b5851717feed242f8ac6c654d412b16ddfba441c99d9491c9b2e

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectCommonLibrary.dll

Filesize
47KB

MD5
049d71fe85fcbdaf810e44629540b564

SHA1
d7bf06567da7c7cbd059d68f96bda1fe76788bf1

SHA256
5f92acdbbc0e522d143417d91c4eab7a7b82c799548dd5f341c1070736284e0a

SHA512
26c518ad2dea989ba5f909c7f5aa7dd4a554ec20d5f2f477d6000054dc53b5d08d82c5ba136700c73fd00af7a1c247876b967a9ace86c0e0f1fb986b333c8421

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectHelper.dll

Filesize
152KB

MD5
dc8eda0c7df119fd7d011ebdf1773cab

SHA1
e8b3e9c6459ada4f0d3c735c5f205c92ac96158d

SHA256
80f85a538a379a8b7613d6fa256f50efda9b6dc55a7e0576d9e93126f1dd6301

SHA512
37017b2897c4be97383f336490e4667cede6314659ea3009d557cd208d84fcecab515f805970be8badfc952ebb0735a0941dda9574327d795f7b1a2b27fbbc0f

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectTask.dll

Filesize
71KB

MD5
694b21817f1e425ab3ea9a912037dc0e

SHA1
12af125ec0cad9f9047b8c40cfb36a76521835f3

SHA256
5d34ef352a57a8452f1c18adf0c5ea241378da0a51aa3282c785795f50fefbe1

SHA512
e9ff5211da0c3507f74b54cd8042953d1d99f4d39356cf5097b1edd6ad81b4bb651c97c750f7dc24716bb6244d4405567ab82a6647f73b4787014836c26a49c8

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe

Filesize
363KB

MD5
3bedc71df767e2462931f01031d278e4

SHA1
634e0805987e9ef5fe021a7c97cb0f8b67aa4b0c

SHA256
a58147c5c8514228ae260bc2c8c4e97ed45fb4f62674f684286a99c45ad7ef1b

SHA512
447a78fcab0d676e6cac29221976c4d5f28f9afb24106a8846ea75878c6e02f1a3ef7a2d61f387a37d43bc5b9cf3606057e0284647700766eaec19884eb0be24

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe

Filesize
1.4MB

MD5
24b4a2e8983426e801eacea68857282c

SHA1
8422af784d3ec94b11b8e77b1608fe62e1e81797

SHA256
cff0aa74931201d1bd9bddcf02aae5cf4fd8454b12532f4907e49f41baac7f3f

SHA512
7ee38dc652cf4a4ae4a308e6ca7acdb0d8c3eae37850d1ebd7708e76ec31061b4427243d80bdf51ab85a59635db37c7fec7a7d6e499af361665afa1d6cd6d9f9

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectWorker.dll

Filesize
45KB

MD5
fdd963e0e2ab2610c91d31fee97a3530

SHA1
71ef21c1d79bd8876928757c4a7eda46587e55c6

SHA256
c03c5bd73ec0edef58202567612188f92747e94de1e51f140781d1445dae2af3

SHA512
69b899c1489519ee6f756eef84e3e76b86e4bf4850f34055882bd02d752e5061022678a3b84a721b43b7b0b25eb799471e8abd9891da751f74e6dd3420f7c28d

Download Submit
C:\ProgramData\Epicor\eConnect\Data\ComputerId.txt

Filesize
36B

MD5
219881bc589cf29a155562401f0e6c36

SHA1
f08a479824e8e5623a60e0b66d045377459ce377

SHA256
86c92d8fdda5af901da9bf3ab868949e7236aada1fa9afd49a840a1adccae07e

SHA512
50fc74728fa4b2216aa5124af986233208f04ed259c2dc6d56bea8bed48abf207944193f916f5730417346e4e8eea73b5ea2becaf51896b5c258b22f19e8398c

Download Submit
C:\ProgramData\Epicor\eConnect\Data\ec4audit_20241001.log

Filesize
162B

MD5
6a69e41ea0d2a0110b78b990fd000e6e

SHA1
0de661947cd200876d7e66a9748722378be755b0

SHA256
6f7839da3f204e8e38c02cd7ae2d6f7ea25af71fae5189302ee2b4e291b01901

SHA512
aebe0720783fa983603f67543344407537e4c24ec3a6473d7510c6c81fa089a68364f3c459f0abba7c2cefb74a22f367c4ee4bae1847356eaf20770f8fa713a4

Download Submit
C:\ProgramData\Epicor\eConnect\Data\ec4audit_20241001.log

Filesize
334B

MD5
5a142ce3184497565b4ebb9675edf58b

SHA1
ebd85712882aea6be597c949b08b3e9f497cac3c

SHA256
db84a17ddb8beda5ce3eae875dc7f5dd7a5661fcf3fd3e8ad0a182d692908507

SHA512
7141c2c607b60ba193a0bd757db5576d9300927f948ef2b8ed1de31107c1b1e6c849fb15238c01b42dcae5f0543ee7047836ce180e13ecba6716cd79dd0fd45e

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\4oaph3ri.tq0

Filesize
3KB

MD5
2a38ca6f3a405ed31a5aabdc98bab43b

SHA1
3e2169f5a916a23c2ea79b7461ee0a2da7b666ee

SHA256
566bc48d4032f24c67bc290ed4aaf6dbaf522b74d5c438a93dd8b64766198ca1

SHA512
877f44b2d8b9f9800b5c037db032edea1e170d38f35588caf3f36ec89f2cc559c13bf8b1b7cc5f039250f028f0b4832c2fe17e5a31583a25ddd3a7839489cea8

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\emtdselq.fta

Filesize
5KB

MD5
d3ebb91b3a36adfcf61bc1b553022f81

SHA1
eada8500367f026253efe295c745d395ab46aa09

SHA256
78b59df127477b1c683b1e1989a3ab15978a123db1bc7fe19d83c41c8232c55f

SHA512
8c62ae774296a042e6096a1aa0402fc929d8eba17d02a3af6b091f9247d4d545b1166d2c1c523780f61e35c880c7f60e748fd900870fe171ee7164c1a81c2a06

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\hkyne5cm.iu2

Filesize
11KB

MD5
c646106534f1f725e65b3e884ae4ce00

SHA1
a3266878dc8803b55123aede56f7f0b9f2b9cf43

SHA256
097d44d0a6f5f1ee068d55f198b66f2ee9db1ec28dbc0304ec8b05561f8709f7

SHA512
63d57f2ca00ddd31350dd349c84fa80ed710b073ed187c726786f6b734548c4829210eb818772cbb1fe967480cfe831b8bc964b6f3d451173809253936459f70

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\lxabivb4.tmh

Filesize
190B

MD5
e3c11ad35baa542b265ffeafce0ec1d7

SHA1
3d9e07724adeaa2a113c0a1038576ffb91a9d234

SHA256
ee3020ae194a685e913332b450b40febcb043ae0c57963fc581b94e030e52299

SHA512
3950fc0c1c95552fb05b0dae12422c841213d50abb9278709f02f1cdfdafb1edd683cd7596438ca3e0e807405b0ec238d73bb9e4938e543efbe43486c81eb8cb

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\qibbxq0h.qiq

Filesize
11KB

MD5
0c6d9bea56b0a06fa23294d2c6cf8db6

SHA1
d3c937004ea4bc99f84d90ddd28df223354f9eb9

SHA256
1cd4ac6dde195641cb3cbd42b7630a54067515709e1ae9db77e5fea4de08fdae

SHA512
c8a5a9a5e71677167dfc3d9fb55a383c1ce5b6475aef841425b2a5d41a8361c5e4ca6417cd41055fb49ab5aa4a5e9a92bb03456f8d3e0f1c2474691721597f0d

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\r3bkhd2g.jix

Filesize
11KB

MD5
8a79a81e42b7bd1fc5b444b306eac5dd

SHA1
d45ccbcdc0b6a201fbd81899f2d2177a65ddc4f7

SHA256
3988a89c9b7cd3f0aacf2370ebee130da6e34daaa4d3ff14c081622d97acc53e

SHA512
98cfc6c9e68f3cbda3a72b3ffb5b8a36703b916cbbd45534b6f2fe146b250c9a098cc028385e65e4058300f1781e23426eea623393247160a7779ade47cde7b1

Download Submit
C:\ProgramData\Epicor\eConnect\client\client-4fa4f455-7084-4b01-a462-bfdac6161f49\boTaskList.xml

Filesize
2KB

MD5
d38f03a769f231b21dfe391ee9089a01

SHA1
8a32b0378c25f823c8561c88bfe8b924e4803c16

SHA256
1f1a44287361f2f125ce3a7289542ff0ed4ab103aa763222ea8e1d752f05f25d

SHA512
a5b847a39b8ffd4661b753be22d54d5cdf00352e95889686abeb75f6bf606d62402a5cfc2460e5a7de65f695ef0191a9a76e844d5e07d8c1cb20d173351edc8b

Download Submit
C:\ProgramData\Epicor\eConnect\config.xml

Filesize
132B

MD5
64c5fe662838f40f4a9b9bc0f552928a

SHA1
4925e079183eb8b6fc101d79acfb4c56462971e4

SHA256
536d2eec3df3d567c1d13fb44f0a43e7111f647217aed2bc65487c1e43004b4d

SHA512
bbaa54e67443ac80e0540765f6085c2db875de238e284ca1fd000eb07436bac1f4bf81d410c21ceb78cc700b955d96ea98157a73feff5134aa2e381afbfb3269

Download Submit
C:\ProgramData\Epicor\eConnect\config.xml

Filesize
132B

MD5
1d7731a55c5d92b0f6b8e73f6ec5e1d9

SHA1
cb75f3b98c03121621059e4e888ab771f074791d

SHA256
5fad4dc5ce68e00fbd5e9838c03f2d0064c04a761832c71bdaec543d19c36f9a

SHA512
420decccff46e6749482078a6e81b52889fb65af025caabb1d6508462bb4863d899435715fe871a1be783fad5e17c50b743b5f6442519eba8903d5017d783aef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7

Filesize
2KB

MD5
9d2275717648f432e6c9753a145ae891

SHA1
ccc2a163c58f4fdb32c89c4a19eb1a0a2e61b526

SHA256
e89bec8fe3435a944a0ab9762174502601fa20e466448cfb23b2c93b6e9e87c0

SHA512
36a4ac0cfd93d748f897f99db1f883b96426d2cc8552fa781d0f46c003a3b69f83b1094c0a0616460cad1c81e3cd060e7afff0a49db9ec09751146750d658bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
1KB

MD5
e8d445d52350d53eff1318548a5cda34

SHA1
30649484b5613e5bd3e717759c119768d8f4c0d7

SHA256
87f89299821f8dc5cd2ea388c245c104a7f09e523e4532207a6f7ec06ccb5b4e

SHA512
8f0aee76f11b34c7f89d86eda6826ab233602bea531ec482c7e75aa64851c75e0bb432c778ced889f2d8baedcee367c838d5ec6355ef5ad88a5525cd28c1f848

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_344D88508365255339C24128F5456393

Filesize
510B

MD5
d10e1a288cc780e9872e35364c33e014

SHA1
ece570343744d2c40402c45d5085d75b26c54682

SHA256
1aefffc054fff876007a623afc260fa9ed1f0dc98814cffaad72f45e27c11d52

SHA512
3613bec8b0cb124bd5b2844924d2ad779cb22d793142a1940bdd12b86d11d40d2961caa9c91bc26953c31db5097d6fe5acd50fca63a080bdb67dd2f307682af9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7

Filesize
490B

MD5
21b1adf5ac519a5449ba543fb874be65

SHA1
6d7cbbd39e3c5977ce0939ecc103e6681192f5b7

SHA256
bd554c8c02ed5a33f2b839592d393cc1cd22bb528dd128c63e7043dd2c4a9121

SHA512
b012c97604aed1e92882d4063187c258654cf9f77b8af25bf8830aab5e9981bb47c47db15548b3b147b4fb142264557358ceba1886c00ddf6b71ff2886740bba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
486B

MD5
2a9aeff0abd5936c96d826d39a6c675f

SHA1
da891c38644ffc588b1ff00fd8babc94595737ec

SHA256
1f760708a6e2bc0d0ab34d728ab85ef5a3bac05b7747ca4c26fdd61ac5e4fa59

SHA512
c1bb88da5390fde66ef83916e7ba106c5705305687cd9a5a77f61dd30b53440155f2144cc9ac4a142a510b5c82b6769ab449d8906aac6c861bf8a3d761a09da0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_344D88508365255339C24128F5456393

Filesize
494B

MD5
50d2f049baf72194ee5846d69fb031c2

SHA1
458abb4fab64a90407087a8a897311142b29b789

SHA256
8f755650d4c7f161d29bb6c95d85cff928189f0ffed92eb537e460fd6cf55d64

SHA512
ad9b31fc740ffec917a5d1c1325543a638ef8383e18b82abf931b822555d97595e538777b3f745cda40d85d99efb3394eae526c9b437b7c8f9e658f04e0eee4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF8C7.tmp

Filesize
199KB

MD5
3a4e61909500d677745ef2ab508f3f3b

SHA1
ee398e1a153ca96c2592816eb8e8b2b7bb845e1e

SHA256
fb7a6eb19d1d1042d3bd8b3add9271116b8b6db3714dfcc0b6fee8e088d4a2cc

SHA512
feba07bba5007a20e0a1e2ca8c9050ae8624e8fbb0f24aada5dc7c2bde3be561b844453a573cab2a24c3769a8dba401db4eeef0d22ef86e2109b67e54392ee45

Download Submit
C:\Windows\3appsfwd.ini

Filesize
44B

MD5
8995ec38303f42c6eeccb48237f4c2c5

SHA1
470a9afe67f4b96356d9725ce02e77955b26a5c0

SHA256
85530286099e1ec98e8baf8e044733fdef9e455155e92a327140ec2f381831d8

SHA512
42afc5f46244d94c8762326f544a2f51b0a29f9d6b1949c6c7ec9dd3cfbca1eb96a02af3397b80ef0e3b21c780a4d018b10f5aedf102bb210d4741d39ba8b66a

Download Submit
C:\Windows\Installer\e58406f.msi

Filesize
2.8MB

MD5
047ea0b83a21c9f424aefc040bd9b306

SHA1
56fc16c0ff5b429c476881dcce6357c91af27073

SHA256
83ef3f1565125e92013796a4375893f6e7dffc68c4d96a7e648b32a8237e53d7

SHA512
dd6b3d425870eaedab1971bd6e8a5084078e835e52de3b641679a55fadf55e06fdfa551ad8e227b5fc99e780a875afb26dd1e490a54be06664cdc8467ed60a0e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
100110988e97f47f9f1963826ac9944f

SHA1
4122f208eb1d47e9490ab729bf784b7ce99ce514

SHA256
cb0caf2590df87c2acb86cb8261d75714b5c99cfae556749442b8e7db3f86391

SHA512
16eb45ea9956b5e39800c9a708e38de5dc319c7e5908e1097d023781a89aeafab17e2eefc2fc41b74122bd69de7b84338fb7348f0086f5026355ab6f4253715f

Download Submit
\??\Volume{f3a72b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4ae6de4f-d20f-49f8-8194-eab5d860e0fd}_OnDiskSnapshotProp

Filesize
6KB

MD5
03656bbed94e871148625db57f9731b3

SHA1
38fc6bac89b4e0ac4677dd6e353b8e890e9a2532

SHA256
c1d2152bdcbad246b251fff40e2687f064f00350e1967df613fb24c15d980abf

SHA512
c742493e5b8f7a0ce6371d2ce4d73933b988b40e7c0a31988699a56edf1186604e271882aba435acb15b93caf6cc7232ac385ffa270e18a97aaa123fb851c0df

Download Submit
memory/1572-279-0x0000000005BC0000-0x0000000005BCA000-memory.dmp

Filesize
40KB

Download
memory/1572-271-0x00000000008D0000-0x0000000000A34000-memory.dmp

Filesize
1.4MB

Download
memory/4648-77-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/4648-139-0x0000000004C30000-0x0000000004C48000-memory.dmp

Filesize
96KB

Download
memory/4648-86-0x0000000003990000-0x00000000039B2000-memory.dmp

Filesize
136KB

Download
memory/4648-81-0x0000000001450000-0x000000000147C000-memory.dmp

Filesize
176KB

Download
memory/4648-87-0x0000000004040000-0x00000000045E4000-memory.dmp

Filesize
5.6MB

Download
memory/4648-114-0x0000000003A60000-0x0000000003A7E000-memory.dmp

Filesize
120KB

Download
memory/4648-85-0x0000000001480000-0x0000000001492000-memory.dmp

Filesize
72KB

Download
memory/4648-88-0x0000000003B30000-0x0000000003BC2000-memory.dmp

Filesize
584KB

Download
memory/4648-284-0x0000000003C60000-0x0000000003C70000-memory.dmp

Filesize
64KB

Download
memory/4648-129-0x0000000004AF0000-0x0000000004B08000-memory.dmp

Filesize
96KB

Download
memory/4648-288-0x0000000005290000-0x00000000052A2000-memory.dmp

Filesize
72KB

Download
memory/4648-169-0x0000000004ED0000-0x0000000004EE8000-memory.dmp

Filesize
96KB

Download
memory/4648-128-0x0000000003FC0000-0x0000000004026000-memory.dmp

Filesize
408KB

Download
memory/4648-294-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/4648-119-0x0000000003C10000-0x0000000003C50000-memory.dmp

Filesize
256KB

Download