83ef3f1565125e92013796a4375893f6e7dffc68c4d96a7e648b32a8237e53d7

Analysis

max time kernel
147s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01-10-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

econnect.msi
Size

2.8MB
MD5

047ea0b83a21c9f424aefc040bd9b306
SHA1

56fc16c0ff5b429c476881dcce6357c91af27073
SHA256

83ef3f1565125e92013796a4375893f6e7dffc68c4d96a7e648b32a8237e53d7
SHA512

dd6b3d425870eaedab1971bd6e8a5084078e835e52de3b641679a55fadf55e06fdfa551ad8e227b5fc99e780a875afb26dd1e490a54be06664cdc8467ed60a0e
SSDEEP

49152:VRp2xbpUcxaDubTYjXkYyI08+qiS4bcGzzZv:VS8cxnb0fyK+y4wWl

Score

6^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Eagle eConnect Tray Monitor = "\"C:\\Program Files (x86)\\Epicor\\eConnect\\eConnectTray.exe\""	msiexec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	2384	msiexec.exe
3	2384	msiexec.exe
4	2384	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\eConnectService = "0"	msiexec.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectHelper.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectQueue.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectStorage.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectWorker.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\3zlib10.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Ionic.Zip.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Renci.SshNet.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Eagle.Catapult.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectUpdateHelper.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectTask.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.XmlSerializers.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectConsole.exe	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\epplus.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Interop.WindowsInstaller.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\Zetup.zip	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\ZZServices.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectCommonLibrary.dll	msiexec.exe
File created	C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57be3f.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE069858022B452DE.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF68.tmp	msiexec.exe
File created	C:\Windows\Installer\e57be41.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{71BB18D2-7561-44F0-AE70-595AF380AAB6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC12F.tmp	msiexec.exe
File created	C:\Windows\Installer\{71BB18D2-7561-44F0-AE70-595AF380AAB6}\econnect.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{71BB18D2-7561-44F0-AE70-595AF380AAB6}\econnect.ico	msiexec.exe
File created	C:\Windows\SystemTemp\~DF819EB303258016AE.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF98.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC30DED0BDF322A35.TMP	msiexec.exe
File created	C:\Windows\Installer\e57be3f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DF056FACE4D5AE0849.TMP	msiexec.exe
File opened for modification	C:\Windows\3appsfwd.ini	eConnectTaskService.exe

Executes dropped EXE 2 IoCs

pid	Process
852	eConnectTaskService.exe
3320	eConnectTray.exe

Loads dropped DLL 23 IoCs

pid	Process
956	MsiExec.exe
3668	MsiExec.exe
4408	MsiExec.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
3320	eConnectTray.exe
3320	eConnectTray.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2384	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eConnectTaskService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eConnectTray.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000b4c6b626f29820b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000b4c6b620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000b4c6b62000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0b4c6b62000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b4c6b6200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	eConnectTaskService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	eConnectTaskService.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9C6511B682858514E9B85E40CDF87729	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2D81BB1716570F44EA0795A53F08AA6B\CompleteInstall	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\ProductName = "Eagle eConnect 04.0429.001"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2D81BB1716570F44EA0795A53F08AA6B	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9C6511B682858514E9B85E40CDF87729\2D81BB1716570F44EA0795A53F08AA6B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\ProductIcon = "C:\\Windows\\Installer\\{71BB18D2-7561-44F0-AE70-595AF380AAB6}\\econnect.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\PackageName = "econnect.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\PackageCode = "6424221403AD1D14DA3CF9EE6774DB7F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D81BB1716570F44EA0795A53F08AA6B\Version = "40429001"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1992	msiexec.exe
1992	msiexec.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe
852	eConnectTaskService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2384	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2384	msiexec.exe
Token: SeSecurityPrivilege	1992	msiexec.exe
Token: SeCreateTokenPrivilege	2384	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2384	msiexec.exe
Token: SeLockMemoryPrivilege	2384	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2384	msiexec.exe
Token: SeMachineAccountPrivilege	2384	msiexec.exe
Token: SeTcbPrivilege	2384	msiexec.exe
Token: SeSecurityPrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeLoadDriverPrivilege	2384	msiexec.exe
Token: SeSystemProfilePrivilege	2384	msiexec.exe
Token: SeSystemtimePrivilege	2384	msiexec.exe
Token: SeProfSingleProcessPrivilege	2384	msiexec.exe
Token: SeIncBasePriorityPrivilege	2384	msiexec.exe
Token: SeCreatePagefilePrivilege	2384	msiexec.exe
Token: SeCreatePermanentPrivilege	2384	msiexec.exe
Token: SeBackupPrivilege	2384	msiexec.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeShutdownPrivilege	2384	msiexec.exe
Token: SeDebugPrivilege	2384	msiexec.exe
Token: SeAuditPrivilege	2384	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2384	msiexec.exe
Token: SeChangeNotifyPrivilege	2384	msiexec.exe
Token: SeRemoteShutdownPrivilege	2384	msiexec.exe
Token: SeUndockPrivilege	2384	msiexec.exe
Token: SeSyncAgentPrivilege	2384	msiexec.exe
Token: SeEnableDelegationPrivilege	2384	msiexec.exe
Token: SeManageVolumePrivilege	2384	msiexec.exe
Token: SeImpersonatePrivilege	2384	msiexec.exe
Token: SeCreateGlobalPrivilege	2384	msiexec.exe
Token: SeCreateTokenPrivilege	2384	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2384	msiexec.exe
Token: SeLockMemoryPrivilege	2384	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2384	msiexec.exe
Token: SeMachineAccountPrivilege	2384	msiexec.exe
Token: SeTcbPrivilege	2384	msiexec.exe
Token: SeSecurityPrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeLoadDriverPrivilege	2384	msiexec.exe
Token: SeSystemProfilePrivilege	2384	msiexec.exe
Token: SeSystemtimePrivilege	2384	msiexec.exe
Token: SeProfSingleProcessPrivilege	2384	msiexec.exe
Token: SeIncBasePriorityPrivilege	2384	msiexec.exe
Token: SeCreatePagefilePrivilege	2384	msiexec.exe
Token: SeCreatePermanentPrivilege	2384	msiexec.exe
Token: SeBackupPrivilege	2384	msiexec.exe
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeShutdownPrivilege	2384	msiexec.exe
Token: SeDebugPrivilege	2384	msiexec.exe
Token: SeAuditPrivilege	2384	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2384	msiexec.exe
Token: SeChangeNotifyPrivilege	2384	msiexec.exe
Token: SeRemoteShutdownPrivilege	2384	msiexec.exe
Token: SeUndockPrivilege	2384	msiexec.exe
Token: SeSyncAgentPrivilege	2384	msiexec.exe
Token: SeEnableDelegationPrivilege	2384	msiexec.exe
Token: SeManageVolumePrivilege	2384	msiexec.exe
Token: SeImpersonatePrivilege	2384	msiexec.exe
Token: SeCreateGlobalPrivilege	2384	msiexec.exe
Token: SeCreateTokenPrivilege	2384	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2384	msiexec.exe
Token: SeLockMemoryPrivilege	2384	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2384	msiexec.exe
3320	eConnectTray.exe
2384	msiexec.exe
3320	eConnectTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3320	eConnectTray.exe
3320	eConnectTray.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 956	1992	msiexec.exe	81
PID 1992 wrote to memory of 956	1992	msiexec.exe	81
PID 1992 wrote to memory of 956	1992	msiexec.exe	81
PID 1992 wrote to memory of 1040	1992	msiexec.exe	85
PID 1992 wrote to memory of 1040	1992	msiexec.exe	85
PID 1992 wrote to memory of 3668	1992	msiexec.exe	87
PID 1992 wrote to memory of 3668	1992	msiexec.exe	87
PID 1992 wrote to memory of 3668	1992	msiexec.exe	87
PID 1992 wrote to memory of 4408	1992	msiexec.exe	88
PID 1992 wrote to memory of 4408	1992	msiexec.exe	88
PID 1992 wrote to memory of 4408	1992	msiexec.exe	88
PID 852 wrote to memory of 3320	852	eConnectTaskService.exe	90
PID 852 wrote to memory of 3320	852	eConnectTaskService.exe	90
PID 852 wrote to memory of 3320	852	eConnectTaskService.exe	90

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\econnect.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2384

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9DF00C55F79B2F6B14E5425A964ACA50 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:956
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1040
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 47E897B6BFA651E7706BFDEAFDA06C0E
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3668
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 96E2F68469503A2CFD3F7D55CF6C3F1D E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4024

C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe
"C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe"
1⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:852
- C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe
  "C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3apps\3apps.ini

Filesize
105B

MD5
1d962fd8c40f5b87875401b24477468e

SHA1
807a576ac6721cd2c715cb909405a31f15dfc139

SHA256
53cc417fee96342245104c4a51cb9786fe58d0cb1462ff90a223eb1c09e7a303

SHA512
fdac0f405cdc31b458506ea78a00b82b9633391f2f4b73258d68aa5fcf085e40eb9cca887eb57cf19830ac39deb13332367657861dedd06327da6d5821c3a832

Download Submit
C:\3apps\3log.log

Filesize
210B

MD5
6cd64ea6d40674cf53d1dac86b9123d9

SHA1
c1d426a4f8c294d1ebb978ed7a7425bf202e4973

SHA256
d5c45335176eee01134ee499cd1eecfdfa6beadb6df20593494c214bbfe65c3a

SHA512
6c546d012f2e9c6d0eff14ec19dda8ffc06120857475233eb52b66b6d04980ab5005ca103a82c828d4fac0c154ab2336798349e36d5a4d4e4008ae491441fd3e

Download Submit
C:\Config.Msi\e57be40.rbs

Filesize
13KB

MD5
069dcfec9da82b9ab9b534e10f5c0380

SHA1
33a8c6c45ab47aa3fa57e0d2a28e02a6d12e093b

SHA256
352e83aac3120aafa1a57ebc0f79925c8d7b3a443fdf6a8750c63f8e30156184

SHA512
198712a6533445bfb5457bf704bdb506f01c9bf509a4239d2f5b28f393a9a7e17aad402df8b338d221113297faa42afdf2ec19ad72f2d327e6f4cee986d59f95

Download Submit
C:\Program Files (x86)\Epicor\eConnect\Eagle.Catapult.dll

Filesize
38KB

MD5
20cbe496a7e355c51c46a0baf7256e29

SHA1
92b41f313da4934178c7f11aa003ccd97c8531a7

SHA256
cb085113e8022a55b380c234395b757c1d8ab92632173519a76b48a9b2b8d895

SHA512
9bb87124908746480c969c79bba90b25d4eba59578c9c12329a8d2677fd61aba7f71f416cc4a173180a03308b452062fef95ba8623d8374578d858db86ace3ab

Download Submit
C:\Program Files (x86)\Epicor\eConnect\ZZServices.dll

Filesize
75KB

MD5
c58558855135ff6ca6ab856ff2fd27d4

SHA1
bbe3b3e1de5afe7e065750f8eacfc47dce9cbd04

SHA256
faace1fd378b8a02bbf6c19c50b72c862714aa3ee40db681586ee7314c169bda

SHA512
a1526bf23c94c305872b408ac9e26439ca30b197295577b37c875a4c877bb7bf61ad27b0d471f92d4b4c0b8ef1b4d4d61e1b222b3d069f3d8ef3895f951a3095

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.XmlSerializers.dll

Filesize
230KB

MD5
0926a4f1614ed17d531e4199b01a9f15

SHA1
d67fe509b16f74312cbd1679b347832c8aebba14

SHA256
0d480df689d0faf163aae168ae82f8dcee55de746e1b016ccccc1dc5c6947732

SHA512
e0579a2f1ad352738cab41a7f050635ff6f06a5119c89dca78835ee950ee4fcbcddf0a477cf7cbec0eadee6d8b318906079552534464fdca08682791e4dd106c

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectBusinessObject.dll

Filesize
99KB

MD5
c406253c0e479ee4df435ce16fe2c13b

SHA1
1d2a3129105e186a5cae946e99ca364074034c7d

SHA256
e7932ce6424233a7d8bde290bbb2945db2d8c17c0dd925c058981975097e9968

SHA512
527f3bd707728f9bbc340aaf707df2b79fe7a8c51fbe641397abc5124b290e10412a6e652535b5851717feed242f8ac6c654d412b16ddfba441c99d9491c9b2e

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectCommonLibrary.dll

Filesize
47KB

MD5
049d71fe85fcbdaf810e44629540b564

SHA1
d7bf06567da7c7cbd059d68f96bda1fe76788bf1

SHA256
5f92acdbbc0e522d143417d91c4eab7a7b82c799548dd5f341c1070736284e0a

SHA512
26c518ad2dea989ba5f909c7f5aa7dd4a554ec20d5f2f477d6000054dc53b5d08d82c5ba136700c73fd00af7a1c247876b967a9ace86c0e0f1fb986b333c8421

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectHelper.dll

Filesize
152KB

MD5
dc8eda0c7df119fd7d011ebdf1773cab

SHA1
e8b3e9c6459ada4f0d3c735c5f205c92ac96158d

SHA256
80f85a538a379a8b7613d6fa256f50efda9b6dc55a7e0576d9e93126f1dd6301

SHA512
37017b2897c4be97383f336490e4667cede6314659ea3009d557cd208d84fcecab515f805970be8badfc952ebb0735a0941dda9574327d795f7b1a2b27fbbc0f

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectTask.dll

Filesize
71KB

MD5
694b21817f1e425ab3ea9a912037dc0e

SHA1
12af125ec0cad9f9047b8c40cfb36a76521835f3

SHA256
5d34ef352a57a8452f1c18adf0c5ea241378da0a51aa3282c785795f50fefbe1

SHA512
e9ff5211da0c3507f74b54cd8042953d1d99f4d39356cf5097b1edd6ad81b4bb651c97c750f7dc24716bb6244d4405567ab82a6647f73b4787014836c26a49c8

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectTaskService.exe

Filesize
363KB

MD5
3bedc71df767e2462931f01031d278e4

SHA1
634e0805987e9ef5fe021a7c97cb0f8b67aa4b0c

SHA256
a58147c5c8514228ae260bc2c8c4e97ed45fb4f62674f684286a99c45ad7ef1b

SHA512
447a78fcab0d676e6cac29221976c4d5f28f9afb24106a8846ea75878c6e02f1a3ef7a2d61f387a37d43bc5b9cf3606057e0284647700766eaec19884eb0be24

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectTray.exe

Filesize
1.4MB

MD5
24b4a2e8983426e801eacea68857282c

SHA1
8422af784d3ec94b11b8e77b1608fe62e1e81797

SHA256
cff0aa74931201d1bd9bddcf02aae5cf4fd8454b12532f4907e49f41baac7f3f

SHA512
7ee38dc652cf4a4ae4a308e6ca7acdb0d8c3eae37850d1ebd7708e76ec31061b4427243d80bdf51ab85a59635db37c7fec7a7d6e499af361665afa1d6cd6d9f9

Download Submit
C:\Program Files (x86)\Epicor\eConnect\eConnectWorker.dll

Filesize
45KB

MD5
fdd963e0e2ab2610c91d31fee97a3530

SHA1
71ef21c1d79bd8876928757c4a7eda46587e55c6

SHA256
c03c5bd73ec0edef58202567612188f92747e94de1e51f140781d1445dae2af3

SHA512
69b899c1489519ee6f756eef84e3e76b86e4bf4850f34055882bd02d752e5061022678a3b84a721b43b7b0b25eb799471e8abd9891da751f74e6dd3420f7c28d

Download Submit
C:\ProgramData\Epicor\eConnect\Data\ComputerId.txt

Filesize
36B

MD5
b738d4fe351d3c0167cec872a0f462d6

SHA1
0cf2a08a6d4fdf4bbeb1261258250d58da9a4ad7

SHA256
25bd5bba6a06c1934d832a6fe25bffe90610391a7af4f93d5d850b0b267925fe

SHA512
ac68068627985cc0874ddab946e47f27047940afaec7a4e4efcc3d780642a2496a4fddc3079528a0c87f08bdc92c996ceb92821f306cb635b4e5d1d337cbdd8c

Download Submit
C:\ProgramData\Epicor\eConnect\Data\ec4audit_20241001.log

Filesize
162B

MD5
5bd18e81bd8ad768dd7b9a6e6c12e27f

SHA1
262759b6238eb5b4424b111ff831b0a508dc7ab2

SHA256
149e70c9f6b06bd8726bfa62859dedf6cba843bc968484c9a37e8cd16532f3cf

SHA512
dfc3d7aa7ee5ee583b739e73d6e2002fcf1933ef8029a4441ca00a3b054dac5966260afd01414aaf87361e630e96f6530680fec2288e95019c399cf3e0156ef9

Download Submit
C:\ProgramData\Epicor\eConnect\Data\ec4audit_20241001.log

Filesize
405B

MD5
5bd00cb36b7e6daddcfeb4934dcd423f

SHA1
2decaed718edf15a4e6895ae764981f3cfcd2231

SHA256
aaa9ec01b06873227a1dc4e262d4210da6f0f7ab60dcb6fd56449e424f53d95c

SHA512
15aeea0682081f05dd5b621afbd10f5b9aeb7645c1ec261a834f272423667bf48b3f9263408a6789e0874b4c350c6e850a5f3192ec443534bc70c2f9b64cfded

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\0mchx5jz.1wv

Filesize
11KB

MD5
2883dab9d22d88fd36feb4db2d73ceef

SHA1
fa1060631fa4d1d26b082b1cff393a3c9819e822

SHA256
e782a6198429362326bd73717a11e55da910256f12fa6fd51612232794c506ad

SHA512
6ef492a7b3663ffd04b3287767dea2288433da21d18f37e800c00dcd7cc33c14a5cd21c50d5e37cf5b7d4d5195c01b88e674a0dd62cb004b2bc01aba05bbe35b

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\lg2tqlaj.hgz

Filesize
190B

MD5
5396f3d46ee07be596b89f99790264fa

SHA1
f442e28196a68ab8c174236c14937849354e2683

SHA256
897bdba02e670aabfb75775873937172c428e87c1306a6e960aeea3543777c76

SHA512
3933aa5fd92d0596ede08f5fb7b95978854abb8a6c1f87246375f65b7df9f75f0235c6baec0151a7f04120d506f4397982334c2c3cfd3331637d7ee8ffc8d6af

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\tdrgxpmv.q2z

Filesize
11KB

MD5
287bfe1c13e43a08692a469d4070611b

SHA1
d6a30d9cd40f6827ec6628bf3f009e2456850c8a

SHA256
1b931b5ccccae07e85418240d0ffc5eb0e424fd5e4b341c3b3562ae84622c8e2

SHA512
0fb99c3be7010dd8ad32e5d78f61cccc001486994ba47ed45bac2ba709627158f27d65b7944f1352b5ee3a256b2d6f03f14154ce10c0e31da0b7ae357e9020bf

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\x4e2wd4m.tmf

Filesize
2KB

MD5
bfa52a551ca2e721cc294e6515f891c8

SHA1
dab4e18912f48f14ed18ca3cc327b5feb6bc4d1e

SHA256
da7dc3d478692d91fc8a5d587bc7a33e05f3890c95ae73fe2df604a0a9801168

SHA512
29ffe927dc0ca4ebdd960f1d462052ec153062b43edaa5c9048fe2753709dbfa21e9f7c7f5a54d047554552c3b8b66c1b22aeeb3f924ec7f74dcb5b7e12f111d

Download Submit
C:\ProgramData\Epicor\eConnect\Temp\zd2pdgwr.d3m

Filesize
3KB

MD5
f6cbee3998bacead94ca433bab4c8b24

SHA1
ab1964b27e25bfebaeb69bcb2408cbd44250caac

SHA256
c3631e91eccfb6f4f18761517948d128b286f9e89c1235adc300ef82d709542e

SHA512
0890a5a41e02f9217467e059a290a71741ccd870adece62f41a56b583b4ee62f390769fc3c30c3e66d8f6cd1523ae0a916ab4b936fd36a6039b9b7d6873e9ea1

Download Submit
C:\ProgramData\Epicor\eConnect\client\client-eeb793d7-9de9-4295-ae9a-dee87d08fe00\boTaskList.xml

Filesize
11KB

MD5
d7921e9c9741adea2e495da647c7ced0

SHA1
5c780b03aca994aed62d30ffaf4180b9caf941b3

SHA256
164550cd451a3837071f72695fe5c1793ac7c72d8c7c014da138d9d7fcd7a1e1

SHA512
8fa930bd92fc98505add3282a6252efb3178952663cd5d87d7fecbe16e4b2eb4940837eda8b6f1d7686c349964c8354611c9dd02c72ee804396cec6fe7e81047

Download Submit
C:\ProgramData\Epicor\eConnect\client\client-eeb793d7-9de9-4295-ae9a-dee87d08fe00\boTaskList.xml

Filesize
11KB

MD5
1693a11826946aad9d11a57c15edd64f

SHA1
26b1cb856f30d9f4eec83abbb57d6e01506470bf

SHA256
98198d01acd605d04bb5e95bacdd7a5c86ccbf283579f26f8741610f86fbde0c

SHA512
b2c5d17b4c7b884df6704962dde80aaa1b1b2a60753066bb6dbe36303d1799360baf047c66395649d98e955b496e7b818b067db89acf2c3a83c94db5a4c28ab8

Download Submit
C:\ProgramData\Epicor\eConnect\config.xml

Filesize
85B

MD5
aefab7a3ff05fad6631ee5b24d19ca16

SHA1
663ec986f63c9ac7ab29cd31741eb1a94dbbe2dd

SHA256
5d8423ba131b1f2397b016d8c9c54753eafe63439fcc11c143f30c78b49da212

SHA512
70e5d6599b28075ef43a9a95bf6270d1c87419b3344db0819cc8b49a46fdc2fc7e37bc1e6a4c79fac00d6fda5c1ed76837139173b091617242777cb0595604ae

Download Submit
C:\ProgramData\Epicor\eConnect\config.xml

Filesize
132B

MD5
1d7731a55c5d92b0f6b8e73f6ec5e1d9

SHA1
cb75f3b98c03121621059e4e888ab771f074791d

SHA256
5fad4dc5ce68e00fbd5e9838c03f2d0064c04a761832c71bdaec543d19c36f9a

SHA512
420decccff46e6749482078a6e81b52889fb65af025caabb1d6508462bb4863d899435715fe871a1be783fad5e17c50b743b5f6442519eba8903d5017d783aef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7

Filesize
2KB

MD5
9d2275717648f432e6c9753a145ae891

SHA1
ccc2a163c58f4fdb32c89c4a19eb1a0a2e61b526

SHA256
e89bec8fe3435a944a0ab9762174502601fa20e466448cfb23b2c93b6e9e87c0

SHA512
36a4ac0cfd93d748f897f99db1f883b96426d2cc8552fa781d0f46c003a3b69f83b1094c0a0616460cad1c81e3cd060e7afff0a49db9ec09751146750d658bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
1KB

MD5
e8d445d52350d53eff1318548a5cda34

SHA1
30649484b5613e5bd3e717759c119768d8f4c0d7

SHA256
87f89299821f8dc5cd2ea388c245c104a7f09e523e4532207a6f7ec06ccb5b4e

SHA512
8f0aee76f11b34c7f89d86eda6826ab233602bea531ec482c7e75aa64851c75e0bb432c778ced889f2d8baedcee367c838d5ec6355ef5ad88a5525cd28c1f848

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_344D88508365255339C24128F5456393

Filesize
510B

MD5
d10e1a288cc780e9872e35364c33e014

SHA1
ece570343744d2c40402c45d5085d75b26c54682

SHA256
1aefffc054fff876007a623afc260fa9ed1f0dc98814cffaad72f45e27c11d52

SHA512
3613bec8b0cb124bd5b2844924d2ad779cb22d793142a1940bdd12b86d11d40d2961caa9c91bc26953c31db5097d6fe5acd50fca63a080bdb67dd2f307682af9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7

Filesize
490B

MD5
915120c7c5f2ee92d98cbee7aaff43e1

SHA1
7575931ed2e123ad980afba3d3e0ab5e36d17763

SHA256
44df9e516f0a953198a9ad82fb42a4a293c186b4245d5bddf67ee11e34333e44

SHA512
bf21230370c7d5cab809900573a0d0471d6700d9410466570e9d774a692c5a7d16c62e2e204eb1a71acbc54a4fb1f440f96820e32e0d029e540ce9ae6150cb82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
486B

MD5
c35ad5f268916654427dc61fa0f65075

SHA1
84c42152189c606453b8d23301717f5ab8637f24

SHA256
aa0792475ea3c0ad5856d1f0cfc1b6d1359f00a7afbdb0ce41d8330f6e1f52e2

SHA512
44caaeb15101abc296aa42c96174d8dab43bf46f7427470f7b09e3237664a469abfadfec2b18ce4ca4917e47aca339d3816610d64c71dcedbb9cdf59a215ff38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_344D88508365255339C24128F5456393

Filesize
494B

MD5
22e8960ef283360bd71095dc9d509e09

SHA1
08f987a2046582f51f7a4553ca6a8bc0d75f2f34

SHA256
7f5cce2b7340d91818b8986d1362661439fd0983dceb64905919404871e50d76

SHA512
9fe3555f9d7124f58f27a71c0d28b9ec581fb924ba9e24e9832195c2a368f51525f7e31070399ac06496edce9a78d0fe4359fbbffa83593fbd6d7f1b48bccff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8A3E.tmp

Filesize
199KB

MD5
3a4e61909500d677745ef2ab508f3f3b

SHA1
ee398e1a153ca96c2592816eb8e8b2b7bb845e1e

SHA256
fb7a6eb19d1d1042d3bd8b3add9271116b8b6db3714dfcc0b6fee8e088d4a2cc

SHA512
feba07bba5007a20e0a1e2ca8c9050ae8624e8fbb0f24aada5dc7c2bde3be561b844453a573cab2a24c3769a8dba401db4eeef0d22ef86e2109b67e54392ee45

Download Submit
C:\Windows\3appsfwd.ini

Filesize
44B

MD5
8995ec38303f42c6eeccb48237f4c2c5

SHA1
470a9afe67f4b96356d9725ce02e77955b26a5c0

SHA256
85530286099e1ec98e8baf8e044733fdef9e455155e92a327140ec2f381831d8

SHA512
42afc5f46244d94c8762326f544a2f51b0a29f9d6b1949c6c7ec9dd3cfbca1eb96a02af3397b80ef0e3b21c780a4d018b10f5aedf102bb210d4741d39ba8b66a

Download Submit
C:\Windows\Installer\e57be3f.msi

Filesize
2.8MB

MD5
047ea0b83a21c9f424aefc040bd9b306

SHA1
56fc16c0ff5b429c476881dcce6357c91af27073

SHA256
83ef3f1565125e92013796a4375893f6e7dffc68c4d96a7e648b32a8237e53d7

SHA512
dd6b3d425870eaedab1971bd6e8a5084078e835e52de3b641679a55fadf55e06fdfa551ad8e227b5fc99e780a875afb26dd1e490a54be06664cdc8467ed60a0e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
1d6422d5ac989d14edb3f469c23334e7

SHA1
6b861c3a69a54ea682fb334a3b8eac0df48d019b

SHA256
5fa71a12047259d66a1b2fb22e2311d410d28f6dd56af2b48bc095f78cae6150

SHA512
090bb01a46091830c1f68afb985e25a10a211da72e8d37076e02fdfbe06bff1d8b75c301597dba50a8b561db8aba0e8f7c6818af3f01796234fe17840cc4d9d7

Download Submit
\??\Volume{626b4c0b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{20cc13a3-fa60-4a0c-8d93-df82ebe1fbb8}_OnDiskSnapshotProp

Filesize
6KB

MD5
e4c21678e69c499d5a73a8ac64fc36b4

SHA1
8be9e9494c84f101bcd8a215d9c2335449b85a31

SHA256
4af9a2421ba1598ea66e47fba64b1c0203079eae7fa65b4d59d7c8d5c22fda90

SHA512
14d85904f1ab25867fa73f034e275fcb0893f716cabb8627ed6dfab65f36cbc2e7ad6fc6736ccc0e44e679cff407dca1a67cf4d92917ba8f4466eea280d64cf0

Download Submit
memory/852-83-0x0000000003920000-0x0000000003932000-memory.dmp

Filesize
72KB

Download
memory/852-108-0x0000000003A20000-0x0000000003A3E000-memory.dmp

Filesize
120KB

Download
memory/852-75-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/852-131-0x0000000004C00000-0x0000000004C18000-memory.dmp

Filesize
96KB

Download
memory/852-123-0x0000000004020000-0x0000000004038000-memory.dmp

Filesize
96KB

Download
memory/852-113-0x0000000003B80000-0x0000000003BC0000-memory.dmp

Filesize
256KB

Download
memory/852-79-0x00000000038F0000-0x000000000391C000-memory.dmp

Filesize
176KB

Download
memory/852-122-0x0000000003F70000-0x0000000003FD6000-memory.dmp

Filesize
408KB

Download
memory/852-268-0x0000000003BE0000-0x0000000003BF0000-memory.dmp

Filesize
64KB

Download
memory/852-152-0x0000000004D60000-0x0000000004D78000-memory.dmp

Filesize
96KB

Download
memory/852-272-0x0000000004E20000-0x0000000004E32000-memory.dmp

Filesize
72KB

Download
memory/852-273-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/852-86-0x0000000003AA0000-0x0000000003B32000-memory.dmp

Filesize
584KB

Download
memory/852-85-0x0000000004050000-0x00000000045F6000-memory.dmp

Filesize
5.6MB

Download
memory/852-84-0x0000000003970000-0x0000000003992000-memory.dmp

Filesize
136KB

Download
memory/3320-263-0x0000000005970000-0x000000000597A000-memory.dmp

Filesize
40KB

Download
memory/3320-255-0x00000000006C0000-0x0000000000824000-memory.dmp

Filesize
1.4MB

Download