38e4a29ab9f16e4fa94d66b4d4e8f43a24872da912a3bdbd341e0ef21616b576

Resubmissions

12-01-2025 13:59

250112-ran7waxpaj 10

12-01-2025 13:48

250112-q38asavke1 10

12-01-2025 13:44

250112-q114paxlan 10

12-01-2025 13:37

250112-qw2jnaxjcl 10

Analysis

max time kernel
615s
max time network
487s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AxoPac.zip
Size

151.2MB
MD5

0dba64071e747e29fa9cf49c0b1c49db
SHA1

aeb1db90861e0b24713be3c0db292b58ca1858d9
SHA256

38e4a29ab9f16e4fa94d66b4d4e8f43a24872da912a3bdbd341e0ef21616b576
SHA512

b672a815d51172803281a2660f1e768021e7ca8c3504a1ab69c8e0da434e1a36ecca68193a5fc149052421271fe21e3b7345fc037dfbbef2dffbff3253dd935a
SSDEEP

3145728:Bq9V3ZOHG1pl1t3e50qZ04swW48GnGXB2/+rNPfOxeVf0dL:Bq9V9J3e506f7WxGnGXB/vC

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ssvagent.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 36 IoCs

pid	Process
1456	Installer.exe
2600	Installer.exe
3084	unpack200.exe
5024	tnameserv.exe
3400	tnameserv.exe
3124	ssvagent.exe
1992	ssvagent.exe
3628	rmiregistry.exe
1152	servertool.exe
5040	rmid.exe
1072	policytool.exe
2768	orbd.exe
1240	pack200.exe
1096	orbd.exe
2368	pack200.exe
4976	kinit.exe
2196	klist.exe
1136	ktab.exe
2768	keytool.exe
376	jp2launcher.exe
4368	jp2launcher.exe
4788	jjs.exe
2520	jjs.exe
708	jjs.exe
4760	javaws.exe
3596	javaw.exe
724	java.exe
3124	javacpl.exe
1824	javaw.exe
3512	java.exe
3928	java-rmi.exe
2092	jabswitch.exe
1372	migrate.exe
3588	WebConfigCA.exe
4156	WebConfigCA.exe
3676	servertool.exe

Loads dropped DLL 64 IoCs

pid	Process
3084	unpack200.exe
5024	tnameserv.exe
5024	tnameserv.exe
5024	tnameserv.exe
5024	tnameserv.exe
5024	tnameserv.exe
5024	tnameserv.exe
5024	tnameserv.exe
5024	tnameserv.exe
3400	tnameserv.exe
3400	tnameserv.exe
3400	tnameserv.exe
3400	tnameserv.exe
3400	tnameserv.exe
3400	tnameserv.exe
3400	tnameserv.exe
3400	tnameserv.exe
3124	ssvagent.exe
3124	ssvagent.exe
3124	ssvagent.exe
1992	ssvagent.exe
1992	ssvagent.exe
1992	ssvagent.exe
3628	rmiregistry.exe
3628	rmiregistry.exe
3628	rmiregistry.exe
3628	rmiregistry.exe
3628	rmiregistry.exe
3628	rmiregistry.exe
3628	rmiregistry.exe
3628	rmiregistry.exe
1152	servertool.exe
1152	servertool.exe
1152	servertool.exe
1152	servertool.exe
1152	servertool.exe
1152	servertool.exe
1152	servertool.exe
5040	rmid.exe
5040	rmid.exe
5040	rmid.exe
5040	rmid.exe
5040	rmid.exe
5040	rmid.exe
5040	rmid.exe
5040	rmid.exe
1072	policytool.exe
1072	policytool.exe
1072	policytool.exe
1072	policytool.exe
1072	policytool.exe
1072	policytool.exe
1072	policytool.exe
1072	policytool.exe
1072	policytool.exe
1072	policytool.exe
1072	policytool.exe
2768	orbd.exe
2768	orbd.exe
2768	orbd.exe
2768	orbd.exe
2768	orbd.exe
2768	orbd.exe
2768	orbd.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\log\New_Version_Number	rmid.exe
File opened for modification	C:\Windows\SysWOW64\orb.db\servers.db	orbd.exe
File created	C:\Windows\SysWOW64\orb.db\servers.db	orbd.exe
File created	C:\Windows\SysWOW64\orb.db\NC0	orbd.exe
File opened for modification	C:\Windows\SysWOW64\log\Version_Number	rmid.exe
File opened for modification	C:\Windows\SysWOW64\orb.db\counter	orbd.exe
File created	C:\Windows\SysWOW64\orb.db\counter	orbd.exe
File created	C:\Windows\SysWOW64\log\Version_Number	rmid.exe
File created	C:\Windows\SysWOW64\log\Snapshot.1	rmid.exe
File opened for modification	C:\Windows\SysWOW64\log\Logfile.1	rmid.exe
File created	C:\Windows\SysWOW64\log\New_Version_Number	rmid.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1456 set thread context of 2600	1456	Installer.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1256	1456	WerFault.exe	86
3516	1372	WerFault.exe	172

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	policytool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnameserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ktab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jp2launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssvagent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssvagent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servertool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keytool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servertool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javacpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnameserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pack200.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmiregistry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pack200.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java-rmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	klist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jp2launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	migrate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unpack200.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jabswitch.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\AxoPac\\x64\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\AxoPac\\x64\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\TreatAs\ = "{8AD9C840-044E-11D1-B3E9-00805F499D93}"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\Implemented Categories	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\AxoPac\\x64\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_101"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_CLASSES\JAVAPLUGIN.113812\CLSID	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_101"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ = "Java Plug-in 11.101.2"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in 11.101.2"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_101"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\AxoPac\\x64\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_101"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\AxoPac\\x64\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\AxoPac\\x64\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\TreatAs	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\AxoPac\\x64\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\AxoPac\\x64\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\JavaPlugin.113812	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_101"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\AxoPac\\x64\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in 11.101.2"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ = "Java Plug-in 11.101.2"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\AxoPac\\x64\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_101"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4348	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4348	7zFM.exe
Token: 35	4348	7zFM.exe
Token: SeSecurityPrivilege	4348	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4348	7zFM.exe
4348	7zFM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1072	policytool.exe
1072	policytool.exe
1824	javaw.exe
1824	javaw.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2600	1456	Installer.exe	90
PID 1456 wrote to memory of 2600	1456	Installer.exe	90
PID 1456 wrote to memory of 2600	1456	Installer.exe	90
PID 1456 wrote to memory of 2600	1456	Installer.exe	90
PID 1456 wrote to memory of 2600	1456	Installer.exe	90
PID 1456 wrote to memory of 2600	1456	Installer.exe	90
PID 1456 wrote to memory of 2600	1456	Installer.exe	90
PID 1456 wrote to memory of 2600	1456	Installer.exe	90
PID 1456 wrote to memory of 2600	1456	Installer.exe	90
PID 3124 wrote to memory of 1992	3124	ssvagent.exe	111
PID 3124 wrote to memory of 1992	3124	ssvagent.exe	111
PID 3124 wrote to memory of 1992	3124	ssvagent.exe	111
PID 1096 wrote to memory of 724	1096	orbd.exe	162
PID 1096 wrote to memory of 724	1096	orbd.exe	162
PID 1096 wrote to memory of 724	1096	orbd.exe	162
PID 3124 wrote to memory of 1824	3124	javacpl.exe	165
PID 3124 wrote to memory of 1824	3124	javacpl.exe	165
PID 3124 wrote to memory of 1824	3124	javacpl.exe	165

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AxoPac.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4964

C:\Users\Admin\Desktop\AxoPac\Installer.exe
"C:\Users\Admin\Desktop\AxoPac\Installer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\Desktop\AxoPac\Installer.exe
  "C:\Users\Admin\Desktop\AxoPac\Installer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 140
  2⤵
  - Program crash
  PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1456 -ip 1456
1⤵
PID:784

C:\Users\Admin\Desktop\AxoPac\x64\bin\unpack200.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\unpack200.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3084

C:\Users\Admin\Desktop\AxoPac\x64\bin\tnameserv.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\tnameserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5024

C:\Users\Admin\Desktop\AxoPac\x64\bin\tnameserv.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\tnameserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3400

C:\Users\Admin\Desktop\AxoPac\x64\bin\ssvagent.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\ssvagent.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\Desktop\AxoPac\x64\bin\ssvagent.exe
  "C:\Users\Admin\Desktop\AxoPac\x64\bin\ssvagent.exe" -new -high
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1992

C:\Users\Admin\Desktop\AxoPac\x64\bin\rmiregistry.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\rmiregistry.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3628

C:\Users\Admin\Desktop\AxoPac\x64\bin\servertool.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\servertool.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1152

C:\Users\Admin\Desktop\AxoPac\x64\bin\rmid.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\rmid.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5040

C:\Users\Admin\Desktop\AxoPac\x64\bin\policytool.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\policytool.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Users\Admin\Desktop\AxoPac\x64\bin\orbd.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\orbd.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2768

C:\Users\Admin\Desktop\AxoPac\x64\bin\pack200.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\pack200.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1240

C:\Users\Admin\Desktop\AxoPac\x64\bin\orbd.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\orbd.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\Desktop\AxoPac\x64\bin\java.exe
  C:\Users\Admin\Desktop\AxoPac\x64\bin\java -Dioser=null -Dorg.omg.CORBA.ORBInitialPort=900 -Dcom.sun.CORBA.activation.DbDir= -Dcom.sun.CORBA.POA.ORBActivated=true -Dcom.sun.CORBA.POA.ORBServerId=-1 -Dcom.sun.CORBA.POA.ORBServerName=urmom -Dcom.sun.CORBA.activation.ORBServerVerify=true -classpath C:\Users\Admin\Desktop\AxoPac\x64/lib/tools.jar;C:\Users\Admin\Desktop\AxoPac\x64/classes com.sun.corba.se.impl.activation.ServerMain
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:724

C:\Users\Admin\Desktop\AxoPac\x64\bin\pack200.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\pack200.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368

C:\Users\Admin\Desktop\AxoPac\x64\bin\kinit.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\kinit.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4976

C:\Users\Admin\Desktop\AxoPac\x64\bin\klist.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\klist.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2196

C:\Users\Admin\Desktop\AxoPac\x64\bin\ktab.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\ktab.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1136

C:\Users\Admin\Desktop\AxoPac\x64\bin\keytool.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\keytool.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768

C:\Users\Admin\Desktop\AxoPac\x64\bin\jp2launcher.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\jp2launcher.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:376

C:\Users\Admin\Desktop\AxoPac\x64\bin\jp2launcher.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\jp2launcher.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4368

C:\Users\Admin\Desktop\AxoPac\x64\bin\jjs.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\jjs.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4788

C:\Users\Admin\Desktop\AxoPac\x64\bin\jjs.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\jjs.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2520

C:\Users\Admin\Desktop\AxoPac\x64\bin\jjs.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\jjs.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:708

C:\Users\Admin\Desktop\AxoPac\x64\bin\javaws.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\javaws.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4760

C:\Users\Admin\Desktop\AxoPac\x64\bin\javaw.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\javaw.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3596

C:\Users\Admin\Desktop\AxoPac\x64\bin\javacpl.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\javacpl.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\Desktop\AxoPac\x64\bin\javaw.exe
  "C:\Users\Admin\Desktop\AxoPac\x64\bin\javaw.exe" -Xbootclasspath/a:"C:\Users\Admin\Desktop\AxoPac\x64\bin\..\lib\deploy.jar" -Djava.locale.providers=HOST,JRE,SPI -Duser.home="C:\Users\Admin" com.sun.deploy.panel.ControlPanel
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1824

C:\Users\Admin\Desktop\AxoPac\x64\bin\java.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\java.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3512

C:\Users\Admin\Desktop\AxoPac\x64\bin\java-rmi.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\java-rmi.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3928

C:\Users\Admin\Desktop\AxoPac\x64\bin\jabswitch.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\jabswitch.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092

C:\Users\Admin\Desktop\AxoPac\ASP.NET MVC 4\Packages\EntityFramework.5.0.0\tools\migrate.exe
"C:\Users\Admin\Desktop\AxoPac\ASP.NET MVC 4\Packages\EntityFramework.5.0.0\tools\migrate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 932
  2⤵
  - Program crash
  PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1372 -ip 1372
1⤵
PID:4572

C:\Users\Admin\Desktop\AxoPac\ASP.NET Web Pages\v1.0\WebConfig\WebConfigCA.exe
"C:\Users\Admin\Desktop\AxoPac\ASP.NET Web Pages\v1.0\WebConfig\WebConfigCA.exe"
1⤵
- Executes dropped EXE
PID:3588

C:\Users\Admin\Desktop\AxoPac\ASP.NET Web Pages\v1.0\WebConfig\WebConfigCA.exe
"C:\Users\Admin\Desktop\AxoPac\ASP.NET Web Pages\v1.0\WebConfig\WebConfigCA.exe"
1⤵
- Executes dropped EXE
PID:4156

C:\Users\Admin\Desktop\AxoPac\x64\bin\servertool.exe
"C:\Users\Admin\Desktop\AxoPac\x64\bin\servertool.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\c23d5aae23b6321a.timestamp

Filesize
50B

MD5
812fec0938dafc436acdbe97ba98f062

SHA1
3c083940bf4272aa98689caabb20677f57cded40

SHA256
eb9a491eddc2a0160aab562227efe0faea1d101c73e765f7cb4e88b047589b93

SHA512
12149241c628a083bc962ed332d0da67c8ed9f550118b320195484562b62ee157960c74bf7b4c01aab60c639d11ab717b6769684ffdecd4344cfe29f3ea477a7

Download Submit
C:\Users\Admin\.oracle_jre_usage\c23d5aae23b6321a.timestamp

Filesize
50B

MD5
c172d118c21300115cca740cdbdb9d15

SHA1
6bfc86dda6d97fd958bb867009cad33f518c2094

SHA256
80d69084cee125065bc6c83c9d4b910e2cf2c07754a645c12509ffe50a1b6857

SHA512
2e2a14e8929fa2181ddfccf013642f95e472cccb4825d27fbe9dee7a6b0e770084d8da90a6beea90c28aee1a36fde8086ef96e13f39a621f6869b1f40d47b1d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
2ccd86600947b146daf3d91576fe0e58

SHA1
1f24f96f1a5bc9944f1df484888807c1519df1a8

SHA256
1d7def8162e7e3d90bfaa8042f0fe9c4400ab2e4a552c32b1a1acaba093d9893

SHA512
079c51d0098b3f1fa73e49937d0e9de475db6b87049b5163b19acec5f8d9f30a0320315266e2cf6b386d3d43345bc8a7ac1b39be8e1527664078b488a456718a

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
4f2290435c715481b09e69dd2631e6bf

SHA1
ce2a37d0f6330887e2dc15f972ea6d1525dcc73d

SHA256
7ab2c589abe4fca265a6b6de1b32f6695009c0e3479926a6f50d4d0abab7eba7

SHA512
0d10b2f9382bb5ae52240abe78811946e1af9fc4fa4096ca308532f041a5e8ca150bb172dbe1559bc62df229f508268c7e74679ed2f2f8785929c5c7fd4c7daa

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
00646c04e4c5ce8987f758e2f861a1df

SHA1
fdf6aa43b06036650a67053374fbc24089af4a3c

SHA256
e54589e28541d2a03ccfd8e3d3aef200eb672e46941f9a22d3b8a2832859a4db

SHA512
cbb62acdcec991b5a62a16999058844393c477b2f8ab38da0e3a69b88908803c5afeb323ef0b6266148607ddbd579854d3f32a1713be7d08e3404acec8b3ae96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECF00BA87\AxoPac\ASP.NET Web Pages\v1.0\Microsoft.AspNet.Razor.ru.1.0.20105.408\lib\net40\ru\system.web.razor.xml

Filesize
88KB

MD5
398dc059ac7b960a31bba803c6d4b7a3

SHA1
dfac62f6e4ac50a0029031244fc5a1469ffe90e8

SHA256
943feccacef5fe23b3daf662594e3b45fcb8bc1caf25ea1c474721921caa9488

SHA512
f3bb82690b39dad744be9c403f7efcf2c40c903f85be013fff4b1a2ac77e8d59e77bc1eb9989134f800fba3d9bcb987485a92b719386750c70dd7fa1acb533e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECF00BA87\AxoPac\ASP.NET Web Pages\v1.0\Microsoft.AspNet.WebPages.ru.1.0.20105.408\lib\net40\system.web.webpages.razor.xml

Filesize
6KB

MD5
9c8531c1d5f692cd921c8a56d85bc85d

SHA1
801b699bec07e93fdd05469f15cf80be4178e409

SHA256
16953fbbff24c3d927e5640060948da47c15a32918ecb2fc4f922a82b3fcfa9c

SHA512
3e7fbce84ca7bc96d46ffc3b4fc7acf21d962d379589125a6515178693c379eb6b5833e428ec11f106e9b807147c698e898840a20a8189a01baf76ace9a1f719

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECF00BA87\AxoPac\ASP.NET Web Pages\v1.0\Microsoft.Web.Infrastructure.1.0.0.0\lib\net40\Microsoft.Web.Infrastructure.dll

Filesize
44KB

MD5
969d6caf273394f064475292d549516e

SHA1
91f688c235388c8bcee03ff20d0c8a90dbdd4e3e

SHA256
fe18f4259c947c1fd6d74f1827370e72d7ad09aefb4b720af227333583e0169f

SHA512
b4f6a614e5fc52850e3d02ebf7e85abf1ebe3fb4ebd6b4f03ec9dc4989cce88e44714ca2198dd7e632f5ed0f15225a68b31052da33e5ac3ce48a1c91c3c04446

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECF00BA87\AxoPac\ASP.NET Web Pages\v1.0\Visual Studio 2012\thirdpartynotices.rtf

Filesize
87KB

MD5
b0ac92e72b07a4b37d66f0264e3373c0

SHA1
769dec94ed0bfcb47e68026aa01e80a26943ff38

SHA256
5a0792c375031840221f1737ba389b0d6dac373b118a107e50fbe78fe5f4ba69

SHA512
716c37b16c577de53b7f6e3934e09ae329e138a8a1725d60e9d8907c43c4400918a31b12ae173644efc25ccc9bf7cb332a3042c17386a3724320ab977a7ded52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECF00BA87\AxoPac\ASP.NET Web Pages\v1.0\WebConfig\System.Web.WebPages.Deployment.dll

Filesize
25KB

MD5
f9efab153915541f6cbdd147f85f9842

SHA1
5d923740f2377298ad917eb9f5bfb45e0b1465fb

SHA256
130fe2b8282263c77d9bee89d636166848291432696c449d708c819b17bf053a

SHA512
74890a53f2b0b73816e5155fb2b48580fa1dbf3e35077e7915d96ae57516c5da2bbf968978ae134e12754039a5ada6f8dfbcdc121cab9b887a6d4d259b68f3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECF00BA87\AxoPac\x64\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2437139445-1151884604-3026847218-1000\83aa4cc77f591dfc2374580bbd95f6ba_4304acb9-c3f6-452a-9860-eb4e85d38d4e

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\Desktop\AxoPac\Installer.exe

Filesize
322KB

MD5
fea4388761569e59cc513d1403ee16c6

SHA1
8a94f6eaf29afbdd1b52b198378e643af49db90b

SHA256
9a72d961c46dc5015fc4e95e528672561faf983ae7db77166588488020e06e87

SHA512
8b6018ff3c8f82b9195b839494811d84c6e03fdc03b38f7b2f99f0c14f789db55c31a0fe6f7e4f2c01a985d33c059baaf455af59a77be3306283f66f11e021a4

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\client\jvm.dll

Filesize
3.7MB

MD5
39c302fe0781e5af6d007e55f509606a

SHA1
23690a52e8c6578de6a7980bb78aae69d0f31780

SHA256
b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc

SHA512
67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\deploy.dll

Filesize
442KB

MD5
5edaeffc60b5f1147068e4a296f6d7fb

SHA1
7d36698c62386449a5fa2607886f4adf7fb3deef

SHA256
87847204933551f69f1cba7a73b63a252d12ef106c22ed9c561ef188dffcbae8

SHA512
a691ef121d3ac17569e27bb6de4688d3506895b1a1a8740e1f16e80eefce70ba18b9c1efd6fd6794fafc59ba2caf137b4007fcdc65ddb8bcbfcf42c97b13535b

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\java.dll

Filesize
123KB

MD5
73bd0b62b158c5a8d0ce92064600620d

SHA1
63c74250c17f75fe6356b649c484ad5936c3e871

SHA256
e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30

SHA512
eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\jli.dll

Filesize
155KB

MD5
73a76ec257bd5574d9db43df2a3bb27f

SHA1
2c9248eae2f9f5f610f6a1dfd799b0598da00368

SHA256
8f19b1ba9295f87e701c46cb888222bb7e79c6ee74b09237d3313e174ae0154f

SHA512
59ecd5fcf35745bdadcdb94456cb51bb7ea305647c164fe73d42e87f226528d1a53ce732f5ec64ce5b4581fa8a17cfbfdc8173e103ae862d6e92eb3ad3638518

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\jp2ssv.dll

Filesize
182KB

MD5
e9373908186d0da1f9ead4d1fdad474b

SHA1
c835a6b2e833a0743b1e8f6f947cfe5625fe791f

SHA256
e2fbd6c6334d4765ff8dff5c5fe3df8b50015d0bf9124142748fadb987b492ff

SHA512
bfdc236d462dac45fd63c112e40558ed4e11e76fb4d713926a679fd573f67fa16451231a03178926b76bd267f092a33a3b6760cf4812de2679bb9505b83f8261

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\net.dll

Filesize
78KB

MD5
691b937a898271ee2cffab20518b310b

SHA1
abedfcd32c3022326bc593ab392dea433fcf667c

SHA256
2f5f1199d277850a009458edb5202688c26dd993f68fe86ca1b946dc74a36d61

SHA512
1c09f4e35a75b336170f64b5c7254a51461dc1997b5862b62208063c6cf84a7cb2d66a67e947cbbf27e1cf34ccd68ba4e91c71c236104070ef3beb85570213ec

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\nio.dll

Filesize
50KB

MD5
95edb3cb2e2333c146a4dd489ce67cbd

SHA1
79013586a6e65e2e1f80e5caf9e2aa15b7363f9a

SHA256
96cf590bddfd90086476e012d9f48a9a696efc054852ef626b43d6d62e72af31

SHA512
ab671f1bce915d748ee49518cc2a666a2715b329cab4ab8f6b9a975c99c146bb095f7a4284cd2aaf4a5b4fcf4f939f54853af3b3acc4205f89ed2ba8a33bb553

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\rmiregistry.exe

Filesize
15KB

MD5
31c0ced43a07a2dff3afc557ebabbe0f

SHA1
9100a7393b919eb35c79ce16a559d783219e2f20

SHA256
b93d0d62436d89c84c66abbdcf817084a6ba01f7e10053c8f343df5d53d37536

SHA512
716818bbf6e4f21c2a627259f1d35e8375efef9c3b197b3af6e10a4a1735cc643141c32270df7f6fe25733517be38caa09205b98119996237e8eae6a7d0825a7

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\ssvagent.exe

Filesize
51KB

MD5
f434a8ac7f1c8c0e2587b9a9f30e397b

SHA1
bd62e10e44117a60eb4180412112593d9460299d

SHA256
6a994b389b8f7109238de6f230b1b540186ed2ec8d081c7601c6996863aa4dc8

SHA512
9896dac36bd4f7289c7701b75ad8eb9f7acd233384075a3fba6e6f2f38e420f37c1a29317eeea3c4ddba1791f6f17187dd5bdfdd9f98f095e7d4df20c0d5ea3e

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\tnameserv.exe

Filesize
16KB

MD5
7624a9b769cdcf3a75fe5a9feaadd61f

SHA1
9269968968cd63d6e1ecc14f78b9a630fcc26fbe

SHA256
41f9a804c888a58decde2b63a544dbff536b40d87ceced197e1a14050858c0da

SHA512
1af7bb30e1fc7600ad0a209db4e077dab9ceaa5c4332f8b1353ed0db7ea71b4a9b7d126e756b634d3fb22618e39afc5ed52263c88e9f7646eaabb0d9240e382b

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\unpack200.exe

Filesize
155KB

MD5
c15f0fe651b05f4288cbc3672f6dc3ce

SHA1
ffce84fe532b41f31cddc41c84024fafe6bc30e6

SHA256
869dc4d40444f10325057b0cc3bb7ea48942dd712df8a1ae331a554ff0397f1a

SHA512
e9e27c4c68972e3250b380c1a5d5eb02bec03028d389234a44a7d56974bfa233d177173f929bdb6ff877ae17a529d85d384684b0037e260a0143f7a95a0204c6

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\verify.dll

Filesize
38KB

MD5
de2167a880207bbf7464bcd1f8bc8657

SHA1
0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7

SHA256
fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3

SHA512
bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\bin\zip.dll

Filesize
68KB

MD5
cb99b83bbc19cd0e1c2ec6031d0a80bc

SHA1
927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd

SHA256
68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec

SHA512
29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\lib\ext\dnsns.jar

Filesize
8KB

MD5
7fa7f97fa1cc0cc8acc37b9dae4464ae

SHA1
c143646a6dbe2ebdb1fbf69c09793e7f07dbc1f5

SHA256
36820223c5b9a225dc3ff7c1c3930bdb112f1d9aab2bee954ff1a1c1828e2c54

SHA512
ad9a0e358be7a765b4a554e6bbe35bdd61a52bcac9f21915d84c2a1929780150dfdcf0e43121d0e844082b1bb92873ed848acf9b38ff3c7d826e5d0f5d32c26c

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\lib\ext\meta-index

Filesize
1KB

MD5
77abe2551c7a5931b70f78962ac5a3c7

SHA1
a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc

SHA256
c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4

SHA512
9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\lib\i386\jvm.cfg

Filesize
657B

MD5
9fd47c1a487b79a12e90e7506469477b

SHA1
7814df0ff2ea1827c75dcd73844ca7f025998cc6

SHA256
a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e

SHA512
97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\lib\jsse.jar

Filesize
619KB

MD5
fd1434c81219c385f30b07e33cef9f30

SHA1
0b5ee897864c8605ef69f66dfe1e15729cfcbc59

SHA256
bc3a736e08e68ace28c68b0621dccfb76c1063bd28d7bd8fce7b20e7b7526cc5

SHA512
9a778a3843744f1fabad960aa22880d37c30b1cab29e123170d853c9469dc54a81e81a9070e1de1bf63ba527c332bb2b1f1d872907f3bdce33a6898a02fef22d

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\lib\logging.properties

Filesize
2KB

MD5
0aa5d5efdb4f2b92bebbeb4160aa808b

SHA1
c6f1b311a4d0790af8c16c1ca9599d043ba99e90

SHA256
a3148336160ea7ef451052d1f435f7c9d96eeb738105ac730358edada5bd45a2

SHA512
a52c2b784cf0b01a2af3066f4bb8e7fd890a86cfd82359a22266341942a25333d4c63ba2c02aa43ade872357fc9c8bbc60d311b2af2ad2634d60377a2294afdd

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\lib\meta-index

Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\lib\resources.jar

Filesize
3.3MB

MD5
9a084b91667e7437574236cd27b7c688

SHA1
d8926cc4aa12d6fe9abe64c8c3cb8bc0f594c5b1

SHA256
a1366a75454fc0f1ca5a14ea03b4927bb8584d6d5b402dfa453122ae16dbf22d

SHA512
d603aa29e1f6eefff4b15c7ebc8a0fa18e090d2e1147d56fd80581c7404ee1cb9d6972fcf2bd0cb24926b3af4dfc5be9bce1fe018681f22a38adaa278bf22d73

Download Submit
C:\Users\Admin\Desktop\AxoPac\x64\lib\security\java.security

Filesize
26KB

MD5
409c132fe4ea4abe9e5eb5a48a385b61

SHA1
446d68298be43eb657934552d656fa9ae240f2a2

SHA256
4d9e5a12b8cac8b36ecd88468b1c4018bc83c97eb467141901f90358d146a583

SHA512
7fed286ac9aed03e2dae24c3864edbbf812b65965c7173cc56ce622179eb5f872f77116275e96e1d52d1c58d3cdebe4e82b540b968e95d5da656aa74ad17400d

Download Submit
memory/708-2204-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/1072-1830-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1072-1826-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1072-1815-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1096-1932-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1096-1925-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1152-1738-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/1240-1896-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1372-2530-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/1456-1541-0x0000000000FE0000-0x0000000001038000-memory.dmp

Filesize
352KB

Download
memory/1456-1542-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download
memory/1456-1540-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/1456-1548-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/2196-2011-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2520-2172-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2520-2150-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2600-1547-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2600-1546-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2600-1549-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2768-1858-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2768-1869-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2768-2067-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/3400-1653-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3400-1659-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3588-2533-0x000000001B2E0000-0x000000001B808000-memory.dmp

Filesize
5.2MB

Download
memory/3588-2532-0x0000000002540000-0x000000000254C000-memory.dmp

Filesize
48KB

Download
memory/3588-2531-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/3628-1709-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4788-2096-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/4976-1986-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/5024-1614-0x0000000001660000-0x0000000001661000-memory.dmp

Filesize
4KB

Download
memory/5024-1606-0x0000000001660000-0x0000000001661000-memory.dmp

Filesize
4KB

Download
memory/5040-1775-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/5040-1784-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download