akira | 1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
Size

573KB
MD5

503f112e243519a1b9e0344499561908
SHA1

8d635ca131d8aa20971744dcb30a9e2e1f8cd1be
SHA256

1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc
SHA512

71da9efbc24bf3428f7efd08f47e6dc698cdae769a918800de72ab4945fb79c2f5b92d21a839d9e13e700b3cfd6ae365073c32a6f368e43830c6ccba3322d00e
SSDEEP

12288:BV0qnXKTH2P6rxTcQpXDHgswvodgnAdA:BV0EMm6rxTcQjos

Score

10^/10

akira execution ransomware ransowmware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\akira_readme.txt

Family

akira

Ransom Note

Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion. 3. Use this code - 8207-KO-BXVB-HKJB - to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion

Signatures

Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
ransomware akira

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2664	powershell.exe

Renames multiple (8631) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell command to delete shadowcopy.
execution ransowmware

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2800 powershell.exe

pid	process
2800	powershell.exe

Drops startup file 1 IoCs

Processes:

1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\akira_readme.txt	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 47 IoCs

Processes:

1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G2KVEH0D\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7JXML4U5\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CNQY6MQU\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\72EHROQQ\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Public\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\AUTHOR.XSL	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\akira_readme.txt	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\NOTICE	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FOLDPROJ.XML	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21332_.GIF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198234.WMF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01174_.WMF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\akira_readme.txt	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Berlin	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\mip.exe.mui	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107290.WMF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00494_.WMF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN075.XML	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\picturePuzzle.css	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\settings.html	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222017.WMF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\OFFICE10.DLL	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Shorthand.jtp	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00155_.WMF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSYUBIN7.DLL	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME44.CSS	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\STUBBY1.WMF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.XML	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086384.WMF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02253_.WMF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285926.WMF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21504_.GIF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107492.WMF	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exepowershell.exe

pid	process
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2800	powershell.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
2976	1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeBackupPrivilege	2864	vssvc.exe
Token: SeRestorePrivilege	2864	vssvc.exe
Token: SeAuditPrivilege	2864	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe
"C:\Users\Admin\AppData\Local\Temp\1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\akira_readme.txt
Filesize
2KB

MD5
de49e2e3eeb866fc517949893ed74bed

SHA1
3b503e6776a34f026f77ba7fea719dec182575e6

SHA256
994010aaf2f723b06ace4f35eba28068160c38714fda8d62205b3b2e7b96b07e

SHA512
f4c59b0f90ff8f6e05106c47160c239da0b5598845316a5a8705bde5f47378596fead491db828f4ab35ec84f796a22907210b51729d4c023c7ace68dccc1f9b8

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.akira
Filesize
28KB

MD5
43ba5c26ef4b13615d1779915e6c40c3

SHA1
875a8cf2ad53ba9ff43550526c64fd92e4408e17

SHA256
0f4598d953f3ceb75293ea1327be6b385836dd5d4aab0d4b0f76ccf8230e3e66

SHA512
924befb0a5ce0b073a926dacc7e7b1b3faecd5a467787679206517f95cfafdd07de2b1f829b604d12aa2c91d850b62f5be77e2f8518094f1733cdf72998cf9ad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.akira
Filesize
875B

MD5
1af26a84cef68144867eb419627944ba

SHA1
5f592c71eb47b1f79cd6966a6c78bda19dc4ada8

SHA256
17aafca8f5f450e2079525cc5a8ad14f4ccd853f6008d46150b1589350b7c6f5

SHA512
f59f1dd211a30b4daec9506b2b3c1cbc8fa3cb7db2d29c2ecd299b2d8a5e01ce4cb73b7a1c492d0f4cdb79ae4b9c0a9895f1afcd4062e395428a424c6c7f69de

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.akira
Filesize
756B

MD5
225d60369312869c071e94f2b199dd7c

SHA1
80b599f2efe7d5dac0adbbd43adb59c80fdf0d18

SHA256
577c4d24d0375854235479402fa50414f07f8b7a3577ff5ce56d00951e685d9c

SHA512
6013341c85ef1d2afbebf9faef1b903e26c71c20c61f0268fef16cfe59e78a38f13167832e9bae253d2439087a2f139b518f55079e78b9ff3af845c87946ff5e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.akira
Filesize
648B

MD5
0ef3de74b0b642602939a04b223f6f29

SHA1
2704d83fada81180e28690dc0fbd7829362a9c24

SHA256
62ece585f90ff5c598cfc77cd892be7fb5ac72f9b964196f560f60f494359cfa

SHA512
a45fb189412bf01538a74d8431f88b86a1b53b4f56632f58ffa9ecca227217961729ae11471b1aa7b368df4532f347c181baead8f70ba30cc2bf51b4a4863b0d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.akira
Filesize
647B

MD5
14abb444e62558631aaaa874c4822a0a

SHA1
40c621092a32e258b69044420ed5f68ae5e32c28

SHA256
21e7540452fe05af604c1661e14aca72839b228e2c0bbcd860742683d321e10a

SHA512
d948aa2dfc35b5496ef12049696d88f1926bd286551502135104b595ae601eb7f4498ab1116a36a879848bb771abd5e3e56a04a824b3a652eb0d3fdacf4302c8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.akira
Filesize
719B

MD5
e0856ba3aa7798e01fc1a27fd9200987

SHA1
a0807b747b8a74796120359503c99be02855b7ac

SHA256
339593815a39f4e6745e5a1e8730541e3d5315df9e1ffd04cc761ac7a53246e8

SHA512
38e919d1a7bb61c6c9a5c166c2a249e6d68a7a51d1adae0b9b56445a0f950f0f21d421527e79cf51b84e5a509827d82768241381691db2ec933974d847ab6dad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.akira
Filesize
1KB

MD5
4985e36e57bc97a284e94e55abef0d3e

SHA1
b4f6a9c80b9412864d0b156e4baec6dc36b29e0b

SHA256
9f0691600075b4ee3a71d004b4cdd989581b02cf1d66008e17c79ce11976a9f6

SHA512
8be84ee9f73ff14c61e00896cb7d75404222af5a5842bb12a9b7d3ee8ac273129dea4492bcabaced0c9f335204a983ea8aba871d07fbb6ea5ad468a7b56bb99e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.akira
Filesize
1KB

MD5
e1e90e42a74d653c84c3db9ce1b1b8d0

SHA1
d60ee4bc3bcf8972837c4acfa36d9fdd9340fa66

SHA256
63645e39534c70cac2b9c9d59de6216075eab457fb4b91af761a1bec3a216609

SHA512
03689b0c03f3f2b58846e4599783ec8575d9ee047141eeb6637f7184194e60bb2dae9948cbf3dbc1dde2795a8f779bcbfc848f5a3f4820240257011c89db45af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.PL.XML.akira
Filesize
1KB

MD5
140891448c1dd1e8bb2a1ee9caa19839

SHA1
ff20ceae84021d9d256c670c06c68969c8f2bfa8

SHA256
70e29fc4d16f93cfb5677060d49de36938065aa308a63530faae7db4e4bc67ff

SHA512
f5c948c0322670f0428eaa54843047a50a29b83ac761964d9056bae57370b8aebdef808359fcda85b43187618b5e226f549add2d3c755dce5c2261be3c961286

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.akira
Filesize
12KB

MD5
049c94d38563e6fb64028859123c9110

SHA1
a6da794009a1159050996e8390d9b46d7708bc96

SHA256
80fe591ac3f2e0e86cd8e7418cdd889056a4cdae71705717b4529b11baff8907

SHA512
412aa2c42a6be4f0bb0fb26e1cb0a931e2ef7a28ecd7466a926ba96717b67bae536acd41019e4f974a73033a520a1ec3b3dd68293e95b3b5b4cfbe5ad6bec679

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.akira
Filesize
9KB

MD5
6bb66bcf25bac069e366408201019748

SHA1
babeaf42fd8179b7382d4523a1ea62072bac892b

SHA256
4db01d748a00e8c2160dcd98039dc12e09a0be90a86b9e0b00cd39a4c04956dd

SHA512
3eef914e89185b70861cc72c78d0787ac658f663dedb16360dfbb6bea4b2f05df75bb857147ba64afc09c2cd808f054f3913e594a4681ea9b152abef49215691

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.akira
Filesize
591B

MD5
dc10160a19838f79f5eb28d2424f9518

SHA1
5ed3fadaeda37e4b339bbfb192a97f6efe9f94f0

SHA256
422aebd015cbc405f558d7bad6b817da834eb8bdb17205021ac3cf1f8f761024

SHA512
e2a2c17069a8f761a1e9a87d435cab4635786ef5a630376a9266b6f2acc830bf92d885c3ca7bd6106ab5e7864eb5517c85198648b65dfac2cbcf56717e88c37f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.akira
Filesize
8KB

MD5
3a0cec29293780cc1a4a430e0405bb1f

SHA1
74cfd27ba3f76e9bb2a7851f9dd6c249e6f26b03

SHA256
ef8c32b045d93074ab7e72e4c6f8aaf42f074b0131d3bf20cbb31b5ab3f1b895

SHA512
7f52a6a7f8d34f2805137940c4f8ef5ddbd5de9e017f5fd08dda0783241fbfe610a0bdf8f7bd2666bfc6f7ae69197eacf44032e4497242122189f8e4bc1a534b

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif.akira
Filesize
687B

MD5
28960e95fbf01f0f90a4a4544800b759

SHA1
ebf16fea9c5bd25281aca18a0019fcc7be15d52a

SHA256
31d4d7a83d05e0f5e7279eb93371df91935b3f469655f3be5cd98549aeb70f5c

SHA512
66e65c7c9fd1ed140a8e03c209b73229d2450a47c795dc4c1b84b3d2c971e3bb804b975cc8c250b4088fbe7833b60b5dc8f9a211eae84410c11028a9f063ba75

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.akira
Filesize
561B

MD5
455568f90cbd35aeffb8bbf79952ad5d

SHA1
a9986fd0dcc5fa6f2c5ae93e5fff3220096941e5

SHA256
154714a335f8c6e9baa0e5b8cf01730832b2820983839f011c8909f9cc0b7236

SHA512
8f9e51a55672e4b549bacb3c5ffb41b791a3149f5a4043333b4a009f3a85e74a9bd0ebffc0be763ac243547670c3f7c1db0b205add84a867d48374849e8ad27c

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT.akira
Filesize
561B

MD5
1c7026b45e36acccb941e53f695217ae

SHA1
cc140c6ae4a72c2de2af21e0869478f1b2df5b74

SHA256
8c895745fa8a67cdd4c6f76b7e971cbc0df823522b9740833b3ee619bb2f4a6c

SHA512
68ccd9bf706bbbf67199c22acb17349f0e2ef1a2b20781d54c6705b70da8668193975c3c90222374c38639acda76183587c8fa437a8ee45b6cc4a6e9679b724e

Download Submit
C:\Program Files\Java\jre7\lib\zi\HST.akira
Filesize
561B

MD5
c80d92b0b1f74c6dda5657ece7180f0f

SHA1
6e48d5b9605f31efa085f7da2067c3f53ff44425

SHA256
e472399876ad8911dc1cfa3f44581abb19500a3d3860093285a42fa2e8fa5029

SHA512
eb1ea442d90152638390c8ba208743827ed9c0c9c434307c2fede863944cd6b69fb8236f44e57c9cc5be065005f0a7dc54b0b8ff03f7605b5ea60fddbcedfcef

Download Submit
C:\Program Files\Java\jre7\lib\zi\MST.akira
Filesize
561B

MD5
65914aa8d7709967b46ca6920490ced5

SHA1
3be7cd4067fbaca4bf698b9c0bfbefbb599b0b7d

SHA256
ba9a5c9467386d3d61f5a205e19aacc1c477d98ee4ff2cac539b969db3631477

SHA512
c993e16cff736ec0bb528ac72aef80086f0c21674fc0a6dabd55cb34e8615a2e21ec561a2260d7923944d3200c40a15527166d986817a3f13597a79ceae27b75

Download Submit
C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.akira
Filesize
831KB

MD5
d46832aafac44410cb2e9150abff8bd1

SHA1
49c1990ff2e3fa41073607bfa3498457861d63db

SHA256
9c353ae2c06a223a395629c6dd251922019234eb9cb60e22a93eed4b12cdb60d

SHA512
84ed58c85b76ec0c123b4829f93a7000412a0acf15d4d6e05b3e8e5ffd96bbe436e7802bf58406e9db3877161be14c41ebb780e0f4c83f931e0eace8de9772b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT.akira
Filesize
550B

MD5
7f61e6ba2ae4b9652b40d4594189cf87

SHA1
06a9dba51a1861f35aeb2c77398ccea2bf14c075

SHA256
c4a2449c6216acc58c5faea7be6d4b767f3aae58316584c2c2a0441b0e975635

SHA512
74cc06ab7f72b8219a40f788e87aac3bfe0767123801e694ac1366559d5136600c77c42c0ecf785913955881b9b69dbd26c6197ef189c0c4f9813eeceba4667b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2.akira
Filesize
8KB

MD5
ca6222da3c5dad841f2e3b78289ff2b5

SHA1
64134baa1a0812cd86f64a976e175481e1a79732

SHA256
87d24ed86d5d3662336f340ebfdd0a3bd2b326fc348cf1f01644d89d5b42ae2f

SHA512
9404a13a43c48604e0cdc70af233ac745f1d314fde9a6532a1927381d4ff26fed3d8d3fcbcea51d39436596f7409138d63bb04505e9fa7d6bfe617c8fec7627a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7JXML4U5\desktop.ini.akira
Filesize
601B

MD5
a6d463eda570832e74adb6377d1fa593

SHA1
1a94b0ca5da39065704a85b4e1d8fbf71741718f

SHA256
021e1142ffb941c24ad0a2de90fef74b2807e149a4d700abff8208d0c9d2b27c

SHA512
22d0fb12e570f1eb23d0602e85fbd145e1c383184328d7337715bcfc49134374de5339b50dba49f16aac472b2392751c54f404225d4924f9dd90f03fba0d3af6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.akira
Filesize
28KB

MD5
0a841215d4cf3de178938dcbb19f9b43

SHA1
5c5caa716f1250e321ee068a32205ca1e3558fd8

SHA256
7a7bbb00f07d1a7c996d01c91a853f827de854a330689a28dff5b23e394aae90

SHA512
4199744010ba93370267236ca44c1f9cb571b53f6126d53d78e4660cbf04fbc7ae3b3097b72b5d85a4e5d48bcd1adecec96204d7e92b6a89860bba2cc0bfbe76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.akira
Filesize
48KB

MD5
7d38e9582ff7040224cec4bd1ce2c2ec

SHA1
2e85c27d1474a4c07827afe4d65b3cb9a243d95f

SHA256
cf782bd0eb5c4f02161a14a353e334669a9f43a06bc71084eb7c8c9e0c7be2fd

SHA512
23a3006a2b0c0c21a51172be33bd39973bbe5d821f59f3ad5d242616483f3c509626b3663f303bbd1e91c91daf8e4a7db07097b2b136b9705f5565eb48ac0b0f

Download Submit
memory/2800-5-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2800-11-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-10-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-4-0x000007FEF618E000-0x000007FEF618F000-memory.dmp

Filesize
4KB

Download
memory/2800-6-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2800-7-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-8-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-9-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads