08a0c1698abe4187c009d990186fabaf8034b799f10c3cc4de4331f1f37ab28b

Analysis

max time kernel
69s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2023 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

35.8MB
MD5

13f7bb041ba7842c4336abf248a44a1d
SHA1

c7e0a6b5790a9f4be397b5f2720240731d266f49
SHA256

08a0c1698abe4187c009d990186fabaf8034b799f10c3cc4de4331f1f37ab28b
SHA512

7bdd79901b56aed3c1b935189b732bb8f437830b659428e2d9f08f97b50db1056879c25a5b3737f9505d66190ecffb8f1d5f963d7a2588834129066114381e47
SSDEEP

786432:jZjvhnzMvquroI3/rZy1WiIVN+1SH8MfW6Mu1bMQHzE+ZxMyzx:/ntI3/rZniGN+sco5MFCzvZxMyzx

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
332	Setup.tmp
2516	smart2.exe
1164	OCDK16.exe
792	OCDK16.tmp

Loads dropped DLL 19 IoCs

pid	Process
3616	regsvr32.exe
4444	regsvr32.exe
3848	regsvr32.exe
1212	regsvr32.exe
400	regsvr32.exe
2216	regsvr32.exe
2516	smart2.exe
2516	smart2.exe
2516	smart2.exe
2516	smart2.exe
2516	smart2.exe
2516	smart2.exe
2516	smart2.exe
2516	smart2.exe
2516	smart2.exe
2516	smart2.exe
2516	smart2.exe
2516	smart2.exe
2516	smart2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-U48SM.tmp	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-PPIC2.tmp	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-VTQEA.tmp	Setup.tmp
File created	C:\Windows\SysWOW64\is-OE5QO.tmp	Setup.tmp
File created	C:\Windows\SysWOW64\is-R6H7K.tmp	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\libsybfssl.dll	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-NR971.tmp	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-GPH5K.tmp	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\logis05.dll	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\logis12.dll	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\libsybdb.dll	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-VT8T5.tmp	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-R6029.tmp	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\libsybct.dll	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\logis39.dll	Setup.tmp
File created	C:\Windows\SysWOW64\is-675D8.tmp	Setup.tmp
File created	C:\Windows\SysWOW64\is-OUP8E.tmp	Setup.tmp
File created	C:\Windows\SysWOW64\is-0J6MG.tmp	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\libsybtcl.dll	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\logis33.dll	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\LKUTIL.dll	Setup.tmp
File created	C:\Windows\SysWOW64\is-HMROG.tmp	Setup.tmp
File created	C:\Windows\SysWOW64\is-F5772.tmp	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-VSVE4.tmp	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\logis13.dll	Setup.tmp
File created	C:\Windows\SysWOW64\is-H3OUG.tmp	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr110.dll	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-SS89L.tmp	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\logis08.dll	Setup.tmp
File created	C:\Windows\SysWOW64\is-DQCEA.tmp	Setup.tmp
File created	C:\Windows\SysWOW64\is-PTEKE.tmp	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-8CN2T.tmp	Setup.tmp
File created	C:\Windows\SysWOW64\is-KRG3L.tmp	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\libsybintl.dll	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\libsybblk.dll	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\libsybdreg.dll	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\slcryptokernel.dll	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\logis22.dll	Setup.tmp
File created	C:\Windows\SysWOW64\is-TPO92.tmp	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\libsybunic.dll	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\libsybskrb.dll	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\logis11.dll	Setup.tmp
File created	C:\Windows\SysWOW64\is-18VQC.tmp	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr71.dll	Setup.tmp
File created	C:\Windows\SysWOW64\is-25I6U.tmp	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\msvcp71.dll	Setup.tmp
File created	C:\Windows\SysWOW64\is-0KMRT.tmp	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\logis34.dll	Setup.tmp
File created	C:\Windows\SysWOW64\is-JD5SI.tmp	Setup.tmp
File created	C:\Windows\SysWOW64\is-24RQE.tmp	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\libsybcs.dll	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-0D8S8.tmp	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\logis07.dll	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\logis21.dll	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\libsybsmssp.dll	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\libsybsrv.dll	OCDK16.tmp
File opened for modification	C:\Windows\SysWOW64\msvcp110.dll	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-NM2DQ.tmp	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-CNQ6E.tmp	Setup.tmp
File opened for modification	C:\Windows\SysWOW64\sapcrypto.dll	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-VKUGE.tmp	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-09LK9.tmp	OCDK16.tmp
File created	C:\Windows\SysWOW64\is-ALR5J.tmp	OCDK16.tmp

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_32\Sybase.PowerBuilder.DataWindow.Excel12\11.5.0.0__b76b10796def6a00\Sybase.PowerBuilder.DataWindow.Excel12.dll	Setup.tmp
File created	C:\Windows\Fonts\is-14O20.tmp	Setup.tmp
File created	C:\Windows\assembly\GAC_32\Sybase.PowerBuilder.DataWindow.Excel12\11.5.0.0__b76b10796def6a00\is-KS57T.tmp	Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International	smart2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sShortDate = "yyyy-MM-dd"	smart2.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{95F0B3BE-E8AC-4995-9DCA-419849E06410}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3B7C8860-D78F-101B-B9B5-04021C009402}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\AlternateCLSID = "{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\AlternateCLSID = "{DD2DBE12-F9F8-4E32-B087-DAD1DCEF0783}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3B7C8860-D78F-101B-B9B5-04021C009402}\AlternateCLSID = "{894BA3A3-3CA3-402F-B4FE-CD08337E9535}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\AlternateCLSID = "{9A948063-66C3-4F63-AB46-582EDAA35047}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{95F0B3BE-E8AC-4995-9DCA-419849E06410}\AlternateCLSID = "{DD2DBE12-F9F8-4E32-B087-DAD1DCEF0783}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{95F0B3BE-E8AC-4995-9DCA-419849E06410}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3B7C8860-D78F-101B-B9B5-04021C009402}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9A948063-66C3-4F63-AB46-582EDAA35047}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\AlternateCLSID = "{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{DD2DBE12-F9F8-4E32-B087-DAD1DCEF0783}"	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ = "IOLEObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A06F76A2-99C1-4B0A-BD51-8713ADE32B50}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95F0B3BE-E8AC-4995-9DCA-419849E06410}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A948063-66C3-4F63-AB46-582EDAA35047}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LOGIS31.LOGIS31Ctrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5522DAFA-06D6-11D2-8D70-00A0C98B28E2}\ProgID\ = "ComCtl3.Bands"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\ = "IListSubItems"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F24-8591-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4DBED3A-F534-46A4-9AC2-2E86DBFC9447}\TypeLib\ = "{72531EDC-0208-4DB7-956E-E1BDDB89B3F7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar\CurVer\ = "MSComctlLib.Toolbar.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0095E2C4-6B4F-4E2D-AB4E-760C2DDD3A4D}\ = "rmpHTML.clsDirectoryList"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8CAC8E9-3D41-4DA6-BDAA-5B4F54B8502E}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5522DAF8-06D6-11D2-8D70-00A0C98B28E2}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}\ProgID\ = "MSComctlLib.Toolbar.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867A2-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\TypeLib\ = "{FF14B02B-6EE4-400F-A729-B0EA35F921C2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5522DB04-06D6-11D2-8D70-00A0C98B28E2}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237184B4-E878-49B6-B6F4-6E488F8617C8}\TypeLib\Version = "15b.6"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\MiscStatus\1\ = "131473"	Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl\CurVer\ = "MSComctlLib.ImageListCtrl.2"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE41-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\ToolboxBitmap32	Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl\CLSID\ = "{979127D3-7D01-4FDE-AF65-A698091468AF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ = "IVBDataObjectFiles"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2A250E6-EF97-4485-832A-6757BD6B3D82}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\ = "Microsoft ImageList Control 6.0 (SP6)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{38911D8A-E448-11D0-84A3-00DD01104159}\ = "Bands"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{38911D87-E448-11D0-84A3-00DD01104159}\ = "Band"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\ = "ImageListEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.Mail.1\CLSID\ = "{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5522DAF7-06D6-11D2-8D70-00A0C98B28E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\ = "DImageComboEvents"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5221CCDF-0E5B-422E-8036-45DE875184C0}\ = "_HTMLed"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rmpHTML.CTimer\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B068AFB5-AC36-49F9-B6A4-06C0178602A6}\VERSION\ = "347.6"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{556C2772-F1AD-4DE1-8456-BD6E8F66113B}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rmpHTML.HTMLed\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A06F76A2-99C1-4B0A-BD51-8713ADE32B50}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B068AFB5-AC36-49F9-B6A4-06C0178602A6}\ProgID\ = "rmpHTML.HTMLed"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{38911D8D-E448-11D0-84A3-00DD01104159}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{137C9DDF-D281-498F-A2A8-9094A34470E2}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{979127D3-7D01-4FDE-AF65-A698091468AF}\Version\ = "2.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.2"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
332	Setup.tmp
332	Setup.tmp
792	OCDK16.tmp
792	OCDK16.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
332	Setup.tmp
792	OCDK16.tmp

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 332	1200	Setup.exe	79
PID 1200 wrote to memory of 332	1200	Setup.exe	79
PID 1200 wrote to memory of 332	1200	Setup.exe	79
PID 332 wrote to memory of 3616	332	Setup.tmp	87
PID 332 wrote to memory of 3616	332	Setup.tmp	87
PID 332 wrote to memory of 3616	332	Setup.tmp	87
PID 332 wrote to memory of 4444	332	Setup.tmp	88
PID 332 wrote to memory of 4444	332	Setup.tmp	88
PID 332 wrote to memory of 4444	332	Setup.tmp	88
PID 332 wrote to memory of 3848	332	Setup.tmp	90
PID 332 wrote to memory of 3848	332	Setup.tmp	90
PID 332 wrote to memory of 3848	332	Setup.tmp	90
PID 332 wrote to memory of 1212	332	Setup.tmp	92
PID 332 wrote to memory of 1212	332	Setup.tmp	92
PID 332 wrote to memory of 1212	332	Setup.tmp	92
PID 332 wrote to memory of 400	332	Setup.tmp	94
PID 332 wrote to memory of 400	332	Setup.tmp	94
PID 332 wrote to memory of 400	332	Setup.tmp	94
PID 332 wrote to memory of 2216	332	Setup.tmp	95
PID 332 wrote to memory of 2216	332	Setup.tmp	95
PID 332 wrote to memory of 2216	332	Setup.tmp	95
PID 332 wrote to memory of 2516	332	Setup.tmp	96
PID 332 wrote to memory of 2516	332	Setup.tmp	96
PID 332 wrote to memory of 2516	332	Setup.tmp	96
PID 2516 wrote to memory of 1164	2516	smart2.exe	98
PID 2516 wrote to memory of 1164	2516	smart2.exe	98
PID 2516 wrote to memory of 1164	2516	smart2.exe	98
PID 1164 wrote to memory of 792	1164	OCDK16.exe	99
PID 1164 wrote to memory of 792	1164	OCDK16.exe	99
PID 1164 wrote to memory of 792	1164	OCDK16.exe	99

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\is-85QQQ.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-85QQQ.tmp\Setup.tmp" /SL5="$30050,37294317,64000,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\logis11.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3616
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\logis31.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4444
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\comct332.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3848
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\mscomctl.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1212
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\richtx32.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:400
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\rmpHTML.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2216
- - C:\ELS\CILC\smart2.exe
    "C:\ELS\CILC\smart2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\ELS\CILC\upgrade\OCDK16.exe
      C:\ELS\CILC\upgrade\OCDK16.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\is-KT9II.tmp\OCDK16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KT9II.tmp\OCDK16.tmp" /SL5="$20200,7064623,64000,C:\ELS\CILC\upgrade\OCDK16.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ELS\CILC\ATL71.DLL

Filesize
87KB

MD5
8f2097e8b174f38178570c611464935f

SHA1
86476819229f4bf00f32e5f0969e19c5b61d1b2a

SHA256
3f25e7b097b65eaf82a6d5b58646dff38ca19347664f40c2b8a409b9d6939457

SHA512
85f60b00b4d2e7d5047d4d0f1b834c23073797fcaea0e14161baac9a7ec719d79782a17ba6aa8da55b933c89b3d94c89696da194c3cf7170c746c8bab7e38904

Download Submit
C:\ELS\CILC\PBSHR115.DLL

Filesize
2.8MB

MD5
133892a0f155679d60a084095dab90b0

SHA1
0e92d1da83dbdfe16926037ce14e0a3fe7705364

SHA256
2b4052504c900cf2803ddb2d189548d948ffdaf0f2b3a9c064affc33d814b18b

SHA512
23847c012763d8c395e9c6d97e9309ae10ab0f40eb923e1861f4a5bb057a430c0e1eecb0dcdabd5545ac4592f5baba461c84efa4652a5917b8b10d244f588ec6

Download Submit
C:\ELS\CILC\PBSHR115.DLL

Filesize
2.8MB

MD5
133892a0f155679d60a084095dab90b0

SHA1
0e92d1da83dbdfe16926037ce14e0a3fe7705364

SHA256
2b4052504c900cf2803ddb2d189548d948ffdaf0f2b3a9c064affc33d814b18b

SHA512
23847c012763d8c395e9c6d97e9309ae10ab0f40eb923e1861f4a5bb057a430c0e1eecb0dcdabd5545ac4592f5baba461c84efa4652a5917b8b10d244f588ec6

Download Submit
C:\ELS\CILC\PBSHR115.dll

Filesize
2.8MB

MD5
133892a0f155679d60a084095dab90b0

SHA1
0e92d1da83dbdfe16926037ce14e0a3fe7705364

SHA256
2b4052504c900cf2803ddb2d189548d948ffdaf0f2b3a9c064affc33d814b18b

SHA512
23847c012763d8c395e9c6d97e9309ae10ab0f40eb923e1861f4a5bb057a430c0e1eecb0dcdabd5545ac4592f5baba461c84efa4652a5917b8b10d244f588ec6

Download Submit
C:\ELS\CILC\PBVM115.DLL

Filesize
4.6MB

MD5
02cb922450f0c038de3fe34c527abc2b

SHA1
3648bd2c46a27b5e665acb3c13b28717f75d42f3

SHA256
9d8f51f4ddf16c08f710e49d8b4df87cbc5f98ee3677fdddc51d8fe49594ac21

SHA512
91ff2a2816c2ad72e48e05eb2ee1b7ace5c0f18e0e0bf0f46217c842f7d9c9c8106b3b7aa215127bc76221aefbf41edf935c2d984e157d81e9b2df933c509b19

Download Submit
C:\ELS\CILC\PBVM115.dll

Filesize
4.6MB

MD5
02cb922450f0c038de3fe34c527abc2b

SHA1
3648bd2c46a27b5e665acb3c13b28717f75d42f3

SHA256
9d8f51f4ddf16c08f710e49d8b4df87cbc5f98ee3677fdddc51d8fe49594ac21

SHA512
91ff2a2816c2ad72e48e05eb2ee1b7ace5c0f18e0e0bf0f46217c842f7d9c9c8106b3b7aa215127bc76221aefbf41edf935c2d984e157d81e9b2df933c509b19

Download Submit
C:\ELS\CILC\Upgrade\OCDK16.exe

Filesize
7.0MB

MD5
4337c5e1bffd5294d49959be50ec2657

SHA1
c2b1f9fc0c512ddb10e4a787c7fe3b4ad666cce9

SHA256
04d0c809b0a626a29495dfd2b92ecf35e68751ec6780775c1af0c4d151990dc9

SHA512
3942e9e9c4261d3340f456c7ced443bc04cf69497f1a613054afcd0f3fd4bda02102f09478e882266986ce2899c09bc2a7d20ce6361a2004425792b25ab2b191

Download Submit
C:\ELS\CILC\atl71.dll

Filesize
87KB

MD5
8f2097e8b174f38178570c611464935f

SHA1
86476819229f4bf00f32e5f0969e19c5b61d1b2a

SHA256
3f25e7b097b65eaf82a6d5b58646dff38ca19347664f40c2b8a409b9d6939457

SHA512
85f60b00b4d2e7d5047d4d0f1b834c23073797fcaea0e14161baac9a7ec719d79782a17ba6aa8da55b933c89b3d94c89696da194c3cf7170c746c8bab7e38904

Download Submit
C:\ELS\CILC\libjcc.dll

Filesize
357KB

MD5
4a9e9f28b0897c8a123c851de72daf2e

SHA1
539e99dd844761635cfb23c3e69d37724747a602

SHA256
d9da58f67d2861799348b3fd9135eafc62a088d2220fc72c6983f3cf78628d1f

SHA512
25d2fd853e83f8240790d495ab956a047b576ef2766500d955178b6c1cfb40397d8688af60a0866b3938ba6560e0f09923d74e23d0ff6acb246e7d4a45f1c62d

Download Submit
C:\ELS\CILC\libjcc.dll

Filesize
357KB

MD5
4a9e9f28b0897c8a123c851de72daf2e

SHA1
539e99dd844761635cfb23c3e69d37724747a602

SHA256
d9da58f67d2861799348b3fd9135eafc62a088d2220fc72c6983f3cf78628d1f

SHA512
25d2fd853e83f8240790d495ab956a047b576ef2766500d955178b6c1cfb40397d8688af60a0866b3938ba6560e0f09923d74e23d0ff6acb246e7d4a45f1c62d

Download Submit
C:\ELS\CILC\libjcc.dll

Filesize
357KB

MD5
4a9e9f28b0897c8a123c851de72daf2e

SHA1
539e99dd844761635cfb23c3e69d37724747a602

SHA256
d9da58f67d2861799348b3fd9135eafc62a088d2220fc72c6983f3cf78628d1f

SHA512
25d2fd853e83f8240790d495ab956a047b576ef2766500d955178b6c1cfb40397d8688af60a0866b3938ba6560e0f09923d74e23d0ff6acb246e7d4a45f1c62d

Download Submit
C:\ELS\CILC\libjutils.dll

Filesize
61KB

MD5
4167246cedfa0b18a37ec0f76dd37d93

SHA1
4682598d64450ed8abfa63eda8cfc4332efdc58f

SHA256
456be10c493e1ea230f92590ee2adf76871be20ee9ba22fdfff77af2ecc0c2b8

SHA512
0cff41b8fa6a934946120c2db93f0fcb6f9909ed91d5d6600189166735549515011bb080282ced3dc77c60865c3db734f61918f2bfdafcda9a658e14a74232ad

Download Submit
C:\ELS\CILC\libjutils.dll

Filesize
61KB

MD5
4167246cedfa0b18a37ec0f76dd37d93

SHA1
4682598d64450ed8abfa63eda8cfc4332efdc58f

SHA256
456be10c493e1ea230f92590ee2adf76871be20ee9ba22fdfff77af2ecc0c2b8

SHA512
0cff41b8fa6a934946120c2db93f0fcb6f9909ed91d5d6600189166735549515011bb080282ced3dc77c60865c3db734f61918f2bfdafcda9a658e14a74232ad

Download Submit
C:\ELS\CILC\libjutils.dll

Filesize
61KB

MD5
4167246cedfa0b18a37ec0f76dd37d93

SHA1
4682598d64450ed8abfa63eda8cfc4332efdc58f

SHA256
456be10c493e1ea230f92590ee2adf76871be20ee9ba22fdfff77af2ecc0c2b8

SHA512
0cff41b8fa6a934946120c2db93f0fcb6f9909ed91d5d6600189166735549515011bb080282ced3dc77c60865c3db734f61918f2bfdafcda9a658e14a74232ad

Download Submit
C:\ELS\CILC\smart2.exe

Filesize
271KB

MD5
0400a45bcdcc20fca30f19ee863bc5e6

SHA1
e07088cc3dcc28c3e964eafd08a7868bc132aa6c

SHA256
90047c68475b41b84b98242f33d8234fda680ad34368c855bba215bd366a1298

SHA512
aa840a96f5ec52569dd529f4d6423d7fb07bca3dfd23cfaba6d4ae84e0a3c314873f9ae38340fdb5b5d8c8e435051a62c2aaeb6b0696c4e54818b07a1550b188

Download Submit
C:\ELS\CILC\smart2.exe

Filesize
271KB

MD5
0400a45bcdcc20fca30f19ee863bc5e6

SHA1
e07088cc3dcc28c3e964eafd08a7868bc132aa6c

SHA256
90047c68475b41b84b98242f33d8234fda680ad34368c855bba215bd366a1298

SHA512
aa840a96f5ec52569dd529f4d6423d7fb07bca3dfd23cfaba6d4ae84e0a3c314873f9ae38340fdb5b5d8c8e435051a62c2aaeb6b0696c4e54818b07a1550b188

Download Submit
C:\ELS\CILC\upgrade\OCDK16.exe

Filesize
7.0MB

MD5
4337c5e1bffd5294d49959be50ec2657

SHA1
c2b1f9fc0c512ddb10e4a787c7fe3b4ad666cce9

SHA256
04d0c809b0a626a29495dfd2b92ecf35e68751ec6780775c1af0c4d151990dc9

SHA512
3942e9e9c4261d3340f456c7ced443bc04cf69497f1a613054afcd0f3fd4bda02102f09478e882266986ce2899c09bc2a7d20ce6361a2004425792b25ab2b191

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-85QQQ.tmp\Setup.tmp

Filesize
708KB

MD5
842fe310f4fe920e0d5f2751951711e5

SHA1
fcc650eb5c436d23c691d40d575c3c77e16e9c5b

SHA256
89e8ab4d10e8dcb872acd89f923a17955ffcb703c0a9721e60ccb25146f53a6c

SHA512
1a68de30f3f2f751f6246c161c0c3f174142b4b9e21a6522757718d4b24f913cd4794f80e91dc659831f047b7edf68a2f6dc5f8f273cab11dcb3193d7e8fa9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-85QQQ.tmp\Setup.tmp

Filesize
708KB

MD5
842fe310f4fe920e0d5f2751951711e5

SHA1
fcc650eb5c436d23c691d40d575c3c77e16e9c5b

SHA256
89e8ab4d10e8dcb872acd89f923a17955ffcb703c0a9721e60ccb25146f53a6c

SHA512
1a68de30f3f2f751f6246c161c0c3f174142b4b9e21a6522757718d4b24f913cd4794f80e91dc659831f047b7edf68a2f6dc5f8f273cab11dcb3193d7e8fa9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KT9II.tmp\OCDK16.tmp

Filesize
708KB

MD5
842fe310f4fe920e0d5f2751951711e5

SHA1
fcc650eb5c436d23c691d40d575c3c77e16e9c5b

SHA256
89e8ab4d10e8dcb872acd89f923a17955ffcb703c0a9721e60ccb25146f53a6c

SHA512
1a68de30f3f2f751f6246c161c0c3f174142b4b9e21a6522757718d4b24f913cd4794f80e91dc659831f047b7edf68a2f6dc5f8f273cab11dcb3193d7e8fa9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KT9II.tmp\OCDK16.tmp

Filesize
708KB

MD5
842fe310f4fe920e0d5f2751951711e5

SHA1
fcc650eb5c436d23c691d40d575c3c77e16e9c5b

SHA256
89e8ab4d10e8dcb872acd89f923a17955ffcb703c0a9721e60ccb25146f53a6c

SHA512
1a68de30f3f2f751f6246c161c0c3f174142b4b9e21a6522757718d4b24f913cd4794f80e91dc659831f047b7edf68a2f6dc5f8f273cab11dcb3193d7e8fa9d7

Download Submit
C:\Windows\SysWOW64\LOGIS07.DLL

Filesize
228KB

MD5
06d0f083ed45d18ebbfadf3e3d0959e6

SHA1
c117e13588a41982a1459a8d62213d094ab7a3f7

SHA256
4b4db7c3dd213a1438a81dd65d8324565fe5f6c1f5335c68d5a8c39a86d029cb

SHA512
de51fb1921e4ba310094d83a98d59267bd195a0977bb37047889232227bfde0808a618f684a1593ba1c123b516b5c6ee34a7979362fefca02027142b44edf25a

Download Submit
C:\Windows\SysWOW64\MSVCP71.dll

Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Windows\SysWOW64\MSVCR71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Windows\SysWOW64\comct332.ocx

Filesize
406KB

MD5
50f9e631ca79d0ce9c2f4143ed90c455

SHA1
463c580a0ab41423d48c7b1209a6092506d998df

SHA256
a089e5e56fe284a7b01fe3f3ffde708e862639212992ad4f526ed95794138ee1

SHA512
e76b863e11a11e74ffb355915bb562ab0203411391af83fbb68a0c3b7876d5dcfa5daba037b99584304592d22e932cd73544f47ff0560e04eeb9f011dd51b611

Download Submit
C:\Windows\SysWOW64\comct332.ocx

Filesize
406KB

MD5
50f9e631ca79d0ce9c2f4143ed90c455

SHA1
463c580a0ab41423d48c7b1209a6092506d998df

SHA256
a089e5e56fe284a7b01fe3f3ffde708e862639212992ad4f526ed95794138ee1

SHA512
e76b863e11a11e74ffb355915bb562ab0203411391af83fbb68a0c3b7876d5dcfa5daba037b99584304592d22e932cd73544f47ff0560e04eeb9f011dd51b611

Download Submit
C:\Windows\SysWOW64\logis07.dll

Filesize
228KB

MD5
06d0f083ed45d18ebbfadf3e3d0959e6

SHA1
c117e13588a41982a1459a8d62213d094ab7a3f7

SHA256
4b4db7c3dd213a1438a81dd65d8324565fe5f6c1f5335c68d5a8c39a86d029cb

SHA512
de51fb1921e4ba310094d83a98d59267bd195a0977bb37047889232227bfde0808a618f684a1593ba1c123b516b5c6ee34a7979362fefca02027142b44edf25a

Download Submit
C:\Windows\SysWOW64\logis07.dll

Filesize
228KB

MD5
06d0f083ed45d18ebbfadf3e3d0959e6

SHA1
c117e13588a41982a1459a8d62213d094ab7a3f7

SHA256
4b4db7c3dd213a1438a81dd65d8324565fe5f6c1f5335c68d5a8c39a86d029cb

SHA512
de51fb1921e4ba310094d83a98d59267bd195a0977bb37047889232227bfde0808a618f684a1593ba1c123b516b5c6ee34a7979362fefca02027142b44edf25a

Download Submit
C:\Windows\SysWOW64\logis11.dll

Filesize
352KB

MD5
f284da098eacb0f3d75c288f3040e098

SHA1
c5b6961679bf9b562f954c7f5108ed332678139d

SHA256
98c95dd240619c793811bf78f10718102ecb8b8a3afe06d2d558ed21d0b9f6f3

SHA512
41c788b31bb6357457ccb669056d2c31e6a83ee5d7c2a3d654ae7a90b2e986533b7b3d58598da72dc0ca48d0507f29bba94c93d0eb8b9fca33833d229874f239

Download Submit
C:\Windows\SysWOW64\logis11.dll

Filesize
352KB

MD5
f284da098eacb0f3d75c288f3040e098

SHA1
c5b6961679bf9b562f954c7f5108ed332678139d

SHA256
98c95dd240619c793811bf78f10718102ecb8b8a3afe06d2d558ed21d0b9f6f3

SHA512
41c788b31bb6357457ccb669056d2c31e6a83ee5d7c2a3d654ae7a90b2e986533b7b3d58598da72dc0ca48d0507f29bba94c93d0eb8b9fca33833d229874f239

Download Submit
C:\Windows\SysWOW64\logis31.ocx

Filesize
212KB

MD5
b4f2833e9eec61382efec6ff4f592023

SHA1
c6df8946c49f44e0b3c661fc7e1e7f34546da118

SHA256
1ac225112d0911ab98e33dfb116321f141002e17a5f776df654403afb2930481

SHA512
22b5b8bae62381471c3a19a691c4503ad95714a791f0ec038e7578adf827fe9c9e997e5d2f5ce84518d9fd919c50029d5963df8774acf88725f1d14e460a7caf

Download Submit
C:\Windows\SysWOW64\logis31.ocx

Filesize
212KB

MD5
b4f2833e9eec61382efec6ff4f592023

SHA1
c6df8946c49f44e0b3c661fc7e1e7f34546da118

SHA256
1ac225112d0911ab98e33dfb116321f141002e17a5f776df654403afb2930481

SHA512
22b5b8bae62381471c3a19a691c4503ad95714a791f0ec038e7578adf827fe9c9e997e5d2f5ce84518d9fd919c50029d5963df8774acf88725f1d14e460a7caf

Download Submit
C:\Windows\SysWOW64\mscomctl.ocx

Filesize
1.0MB

MD5
273676426739b02a45a0fc9349500b65

SHA1
a23c709fae04feef87358abd59504940d0d0c806

SHA256
152121a5d1ac8f12002c18afc294bb1ebcecc1d61deec6211df586c11acde9b6

SHA512
8945d8a68c4ebb5845fb7f6abf3b4947eb6c37812c32d4ff2f30a0472489496c4506b3be358bb350df5c3d3be11c43c19ba6d3ca72449a7122bcec73cee181d2

Download Submit
C:\Windows\SysWOW64\mscomctl.ocx

Filesize
1.0MB

MD5
273676426739b02a45a0fc9349500b65

SHA1
a23c709fae04feef87358abd59504940d0d0c806

SHA256
152121a5d1ac8f12002c18afc294bb1ebcecc1d61deec6211df586c11acde9b6

SHA512
8945d8a68c4ebb5845fb7f6abf3b4947eb6c37812c32d4ff2f30a0472489496c4506b3be358bb350df5c3d3be11c43c19ba6d3ca72449a7122bcec73cee181d2

Download Submit
C:\Windows\SysWOW64\msvcp71.dll

Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Windows\SysWOW64\msvcp71.dll

Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Windows\SysWOW64\msvcr71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Windows\SysWOW64\richtx32.ocx

Filesize
214KB

MD5
14bb5cf93c7d69d019423c73c60aa856

SHA1
6454bb10992eefc59563a73729a8927c6383669b

SHA256
221b54ad16161b8ce71807b07559ab49f59dfff4cdf695e808d90bf8beaafcf5

SHA512
79d3e5ab428a6933c9eed253b1436b437f8042efd9630a3852b04143ff3333bad0575d9204da28f03a228e5c99d4b57cf1e463f784f2fccdb771bd86745be310

Download Submit
C:\Windows\SysWOW64\richtx32.ocx

Filesize
214KB

MD5
14bb5cf93c7d69d019423c73c60aa856

SHA1
6454bb10992eefc59563a73729a8927c6383669b

SHA256
221b54ad16161b8ce71807b07559ab49f59dfff4cdf695e808d90bf8beaafcf5

SHA512
79d3e5ab428a6933c9eed253b1436b437f8042efd9630a3852b04143ff3333bad0575d9204da28f03a228e5c99d4b57cf1e463f784f2fccdb771bd86745be310

Download Submit
C:\Windows\SysWOW64\rmpHTML.ocx

Filesize
816KB

MD5
0d8866e0265866f0fed16c6ee4775b27

SHA1
2b62d3b8f3d4535ed2784276719ae280c2fd373c

SHA256
a9c5b62e36dd0f3b8710434c0dc36f597211068101e7b4ec3385c50c21b1a8a9

SHA512
783726d26bff562eff531aad4e46708475528b9062754fb4e5b874e5c31c4657562d3b1e99af4341ee7e3370cc09daab72b4174294033911242c24fd0fc741a2

Download Submit
C:\Windows\SysWOW64\rmpHTML.ocx

Filesize
816KB

MD5
0d8866e0265866f0fed16c6ee4775b27

SHA1
2b62d3b8f3d4535ed2784276719ae280c2fd373c

SHA256
a9c5b62e36dd0f3b8710434c0dc36f597211068101e7b4ec3385c50c21b1a8a9

SHA512
783726d26bff562eff531aad4e46708475528b9062754fb4e5b874e5c31c4657562d3b1e99af4341ee7e3370cc09daab72b4174294033911242c24fd0fc741a2

Download Submit
memory/332-134-0x0000000000000000-mapping.dmp

Download
memory/400-150-0x0000000000000000-mapping.dmp

Download
memory/792-194-0x0000000000000000-mapping.dmp

Download
memory/1164-193-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1164-196-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1164-198-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1164-188-0x0000000000000000-mapping.dmp

Download
memory/1164-190-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1200-187-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1200-132-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1200-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1212-147-0x0000000000000000-mapping.dmp

Download
memory/2216-153-0x0000000000000000-mapping.dmp

Download
memory/2516-176-0x0000000000C60000-0x0000000000CDB000-memory.dmp

Filesize
492KB

Download
memory/2516-182-0x0000000000CE0000-0x0000000000D14000-memory.dmp

Filesize
208KB

Download
memory/2516-186-0x0000000002B80000-0x0000000002BBE000-memory.dmp

Filesize
248KB

Download
memory/2516-156-0x0000000000000000-mapping.dmp

Download
memory/3616-138-0x0000000000000000-mapping.dmp

Download
memory/3848-144-0x0000000000000000-mapping.dmp

Download
memory/4444-141-0x0000000000000000-mapping.dmp

Download