akira | cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
Size

1005KB
MD5

0c30fdc297c54753166d572ed04d1d6b
SHA1

3a05c251c1050b505b15e57f60459506cdec3c72
SHA256

cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8
SHA512

880a70b5637e19ac2f67fcaac16680335e26aa2b41245670574944249d9100a110d66c311659285c04ab1b1db6f0d69369b3626621972cc4b149dcdc79ecc016
SSDEEP

12288:wbWIqB/A1gv9XQ7ZNlZDV3LEWI+Xx+uBW6y4qNmhY:wbyxv9XQ7B3oWI+XHW6y4g

Score

10^/10

akira execution persistence ransomware ransowmware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\Admin\akira_readme.txt

Family

akira

Ransom Note

Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion. 3. Use this code - 0881-XL-QXGY-OMYQ - to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion

Signatures

Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
ransomware akira

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1628	powershell.exe

Renames multiple (8630) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell command to delete shadowcopy.
execution ransowmware

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2068 powershell.exe

pid	process
2068	powershell.exe

Drops startup file 1 IoCs

Processes:

cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\akira_readme.txt	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 47 IoCs

Processes:

cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Music\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YPLB435F\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\R627XHFP\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OM66BHWE\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U8F4PBMO\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\wordpad.exe.mui	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Verve.eftx	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\akira_readme.txt	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\akira_readme.txt	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0291984.WMF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\akira_readme.txt	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.DPV	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198113.WMF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\IRIS.ELM	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\akira_readme.txt	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143744.GIF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Slipstream.eftx	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_OFF.GIF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdaorar.dll.mui	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\MANIFEST.MF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\builtincontrolsschema.xsd	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\akira_readme.txt	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\akira_readme.txt	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\akira_readme.txt	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\akira_readme.txt	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183574.WMF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\akira_readme.txt	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00531L.GIF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\akira_readme.txt	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\b106fc1550e0a54696235c7a7f5464a1.arika	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\akira_readme.txt	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\currency.css	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\handler.reg	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200521.WMF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152884.WMF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00555_.WMF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14790_.GIF	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.REST.IDX_DLL	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exepowershell.exe

pid	process
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2068	powershell.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
2512	cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1948 explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

powershell.exevssvc.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeBackupPrivilege	1920	vssvc.exe
Token: SeRestorePrivilege	1920	vssvc.exe
Token: SeAuditPrivilege	1920	vssvc.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exe

pid	process
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe
"C:\Users\Admin\AppData\Local\Temp\cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8.bin.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL

Filesize
6.4MB

MD5
c26026883c4aa1847c5ef3e094e05bc4

SHA1
ca56c69020467aec6551f9b377bcf1cec995a9ab

SHA256
2653c3ea2f9bf567d2e9702e778750e6d7e7b6553156216c67f1a1c556fff025

SHA512
cdffe0fab49d040873681fb6d0110470a1636a720ad8d85b5836e27611fff9014ad406d504b618dd29bc39ba131fcfe3ec9717bf460eb4bd31cd9dc0eedbbe8f

Download Submit
C:\PerfLogs\Admin\akira_readme.txt

Filesize
2KB

MD5
95860a3684e436a515c86ba954e7e491

SHA1
8d61cff23d56fc922fedc978fc0293f34f6b13cf

SHA256
65a5356f6bc47c81ed14441a08354f6a59e41d3e61965d5edb7c4f3fb8a5a1ae

SHA512
5388bfb907208af091a2831411a7493e09866e5cf85699100476f151660192a48dc8e1fcc71937b23988f731020e72df912ce757ade42a1798c748d5e6277624

Download Submit
C:\Users\Admin\Desktop\ApproveDismount.midi.akira

Filesize
159KB

MD5
bea81ba40c087482c5c7e9f6f10cf7d9

SHA1
e4167b661043f5b753433c2437b11bf4488b200d

SHA256
a625c62b1184c06226f7dd5a5771370e98546f5c6192485c3c70008c16539a3b

SHA512
f78720b79a6e84a463726555a82a96ec40ec699ad83b4416453fa134a6b7cf1508a9708bd1698e07af021739481bf770995b88df0c2893c8b30ee77cf6b85546

Download Submit
C:\Users\Admin\Desktop\BlockSelect.xlsx.akira

Filesize
10KB

MD5
cb3b6b41cef7ce5f3f1850938ffc3e71

SHA1
c933a1a2d8d26d3100a8599c8373dadb510a1dc4

SHA256
4ff39d5ae25501c5ed2f9aa2f3d170a5425589b1fc6cda17afb460873f4cd12e

SHA512
c33b3b61a4871ba8ba0ef713df6b96eb4831ae91b5632a75da5711c78c6d71fd7e05636c60cf8345c5eae26cf0f68ec336179e1c3287283131a4e8a21397bfe6

Download Submit
C:\Users\Admin\Desktop\DebugReceive.zip.akira

Filesize
350KB

MD5
12b2f2cb5b638a6dd6047cde4c245334

SHA1
7e9e933d20335d353c4432fad6be22ca04dbf8c1

SHA256
890269954a245d930be425b7807616a14e02c3e6f8e4ca1cc69680cf53f8eec8

SHA512
e920d01be1e4a9b7ff32311d22b198e6f02b5f1c4aad690ddc7b0b40db9eee84fd78505d12f4f0cdf9b8252fc1b4e454d1d272b445eb31e32d5d2abd49ceb46d

Download Submit
C:\Users\Admin\Desktop\DisableRequest.mpp.akira

Filesize
276KB

MD5
b3aa1ca385cede0b5e931fef2c6e38d2

SHA1
b6b371885fdcaec2c950af08555db162b2e32814

SHA256
e544917c6cb8be25766af6d78a0f8c0c63b00a32c1be32888da02ed6e02bcb26

SHA512
0cd2a53fa57302c12473054705e26ab0c1b45282f62562717aec98ab6b204f4a2ed17eded8d0e7300b1637163462ecd1b04259c933382a9115f509ce69ab43c5

Download Submit
C:\Users\Admin\Desktop\ExportRead.bmp.akira

Filesize
148KB

MD5
bef926b3d35e9c6f9f9e8f4d22676415

SHA1
cd5de8c26df561c5652c2b6b30888415df0d4854

SHA256
09a656cbc4f95b010391486d91b4b8a8cd7821c9d227368438ceaefc69be14be

SHA512
74b2aa11bb1e32482931221dff5d0415b5a86c93c0ae6e00f7a7be83fdaa2a6d3c485e776116f761a7da6a908da6c2c9fbb8f2da4a38bb1ed17ff3578e57fc77

Download Submit
C:\Users\Admin\Desktop\FindCompress.tiff.akira

Filesize
392KB

MD5
ff9fc9af9d789f47f2135f2045433b4b

SHA1
795c20ee0f2fae302880afb3ac3e52a2e67003f9

SHA256
8d5d7312d0d33dd5618769ee46728cb261430c77cc07e3fbab0469bcab38c858

SHA512
d6014572a85b8fbe990360ec9284684f1c8db7babaada20c6d9e90ac78441cb4eb3e1e8892cddfa4ba7c700e4337088f5aae4958b6b30a8f65a1e11764498024

Download Submit
C:\Users\Admin\Desktop\HideAssert.mp2v.akira

Filesize
191KB

MD5
2a71cde53065d4c8721744a1f810cfe8

SHA1
c0ac28d91829495de3fe49e8b9001cf51343116e

SHA256
a9b6b1936af4d1bd27d78d521ecfd0530e39628c000022bdea05a75babd0d55c

SHA512
3e642fd5b603d831327ae0c33e1353d233bd91558a5344852e294cc416ea248022433982f383b726636e05bedda76f87a7b890cb0d1215caedcc72fd20177c13

Download Submit
C:\Users\Admin\Desktop\InitializeCheckpoint.scf.akira

Filesize
212KB

MD5
af57e3dcad8d61b5a00893efc555e41b

SHA1
82830fbcc63cd36f603cb17b1d12d06c206065f2

SHA256
84d9ee5567f77d616ea129e6de33e5fbd0183271966875b221a5ddb2b65a7d1a

SHA512
c1405f90cf02eaad52ef7091ad2155962ce299ee738245d6152a3d0307d26aa96cf7db5171be9e4bdd4d16d9f0329084399dbe106b848c12b92475e9dd468aa3

Download Submit
C:\Users\Admin\Desktop\InvokeCheckpoint.xlsx.akira

Filesize
12KB

MD5
44fe61ea3aa0c571e5ecfc1595cae381

SHA1
9ed754b6b1013b223c36b285cdde5305deb16221

SHA256
eaf0fcae80ba1e04feee66ba14e6d64e7d3c77e086d990d65630bf440e744147

SHA512
455daf63e67492edc6d571204c1b8451f3dee91b48ded435ae9a0de54442d9210956a34cfd41451887ab2cd804cdb8f7a0ee4485913f0c4730cb2f6219b96fed

Download Submit
C:\Users\Admin\Desktop\MeasureWatch.DVR.akira

Filesize
138KB

MD5
8840bc7ddac54995f0831ab0bba8adcc

SHA1
89fad940483460d32af9df9ee24f485813e3d508

SHA256
d5538adc1f7bbfc60324ae667fd98d6b313ad8b6684f974c84476aa046094811

SHA512
86e3e2c194c66863dd493b9088d6354ef1eb5bc126f4cf28f4933e92e52ecd3302a069d8145ddb9381b4084af5cb28fd2ccd82b21606c0ad31ec84aee32dcdb9

Download Submit
C:\Users\Admin\Desktop\MergeConvertFrom.mid.akira

Filesize
286KB

MD5
06ff8426bd97986270e58a69c4bee3c6

SHA1
8d2692b086a48501aa0c6945a815549066b7fc68

SHA256
c4c74be6ce679f290c97475f6dddc58494e84ece29e088ae26d2848a0644ac6c

SHA512
902520057107909eeff1996da19e8872bc7cfd5784d72c3639b6d8e59d8e8cdde703a6ee6911469694b32e98e76021d26e474429c2f47ed17acb35785919a896

Download Submit
C:\Users\Admin\Desktop\MountLock.vsw.akira

Filesize
318KB

MD5
84662a1cd80b78d230bec4eb12f94b70

SHA1
3cebcdce3ffe5ef2cf34fca8941e34855668f76a

SHA256
49f20eaf5fe2078dffc2af71d0eafd140fa92f90ae528eff4dc6a368cffa5852

SHA512
f57e138938d271b663e3a107fc01fb9b90c708ff6084ed7f74a74c94044d225825be89063f4f6c6d5999b3af30cc1a7ad4af346d0542ab92d16176aafa332df5

Download Submit
C:\Users\Admin\Desktop\OpenConnect.tif.akira

Filesize
233KB

MD5
4478bfa588693f74c222f57113042172

SHA1
db73bf65da1c071c84199c6cf4e597afc8795ef3

SHA256
d68af8151b178af44209679a05dcd97007a30104a3e0e20b7572c9c29297128d

SHA512
496126357ff14c6e69b80ed9b1d3f72e7f31b57886a73df98586e98d2f640280334fe13d78c7fe67793f093b7bc734a1493f2c56c74e528075d166187b74782d

Download Submit
C:\Users\Admin\Desktop\PingCompare.js.akira

Filesize
308KB

MD5
61e5fe35f363f15754a622aea3c62224

SHA1
2a98e524efb5e4cef4af8505e7fe8d857ca61123

SHA256
3bbc40061aad071deb1c1e8d775c3fb48bbd132f1bdb9c380e5ae6223a3a3471

SHA512
a172249f911a6bde940fe3d1f14aa1715417972e4b8c860e73611a234bb320cb3f3cc3154324ae699e7c5f089096946459f7747c4d7dc2d39d5eeec8afee2a6b

Download Submit
C:\Users\Admin\Desktop\PingRestart.ttf.akira

Filesize
297KB

MD5
bd9d54381ee22d3162474c6e82322ce4

SHA1
b9b43537edf13bb42b2184bb37405c257c6b77cb

SHA256
78c0e25299d5cd6a34e18183c3ef44a06c4ec949328b42d4800732cdeb07aa1b

SHA512
4e02d4cdd92a96beb31b4e4a5e721ce3f35179892d8118c57370b82423ad318751a404b6b77881ef39b993519904cc99f0253dcb6f212292fb7121a0646ab299

Download Submit
C:\Users\Admin\Desktop\RedoUnblock.css.akira

Filesize
339KB

MD5
b4957211065c440450fb3f5e0b4ad119

SHA1
91be3f553627480dcefb4dcac1afcfdb3c372677

SHA256
982815ddfa1527ce524e3088d157c77b8366d7c2b00125039970d469c0eb4556

SHA512
c03311c94ce48f7632916093fcc6f8e47b78bcc153d943d3e054c33e284abb88d10a5a5ce7902fe65330fa818f6dbf1277ab75e9594f274281d4072098caf4b0

Download Submit
C:\Users\Admin\Desktop\RevokeSkip.vssm.akira

Filesize
382KB

MD5
b27bc48927be9b78086b80d8a55bccbf

SHA1
5ecb298337776b3cd10c63b9a3ca4aa8d3e88ee7

SHA256
fe4b46c5b4205aeedac25ede32f80efe57ed6ac754381e5e3f203e52f7aa5b18

SHA512
bb9fa1476e33afd4d3278dcca52e6dacf6d291acb4905c709a6fd9392bf068e8206d9ed354b1967127b0b0bcbe5fd448eda0fdf38589b6e3e082850ed1df80b0

Download Submit
C:\Users\Admin\Desktop\SaveImport.ttc.akira

Filesize
541KB

MD5
5efc037e3f313f001d40dcd26c9b2783

SHA1
a86e0e4add9deec7cee01e35e562bd9ac606f66d

SHA256
f2fefb1d481d76edd390caac8a6a1871cdcb4285ccb65b2c9689fa9e1b27eb0f

SHA512
686dbdc27819697312b6bd4ae94f83a90a8255f438479039d530c30cbee92e74201b28b353fb24b64f7328f0302856ddac4a0cbe8026714a695bdfdd2f2632a7

Download Submit
C:\Users\Admin\Desktop\SaveMeasure.ppt.akira

Filesize
265KB

MD5
055dba2463eb5b0c1a068f3e9769dd8c

SHA1
9fe3a59f3b80ab1059492e30870d4a7997dd010e

SHA256
9afb39195ddd6ae1f8909c06bd6af821858362665a8de59063b5e165c05924bb

SHA512
d58a0983c8097a7ac15c3e2690dcd0dbcbcb0490d6eece891b9cbdd0aa5cb3d360cadccb795e0408434fb98253319f82455711971beecd8008ce0ab191fa0108

Download Submit
C:\Users\Admin\Desktop\SkipResume.rtf.akira

Filesize
201KB

MD5
b2fbcacae2b71c359c67df762f3e8d68

SHA1
f620cfb882db1c6678811880cb630f7fca36f7fa

SHA256
4e98d913e4abae1159bafba38ecc402ca63de5c7c1a2f2ff9003551ac679e2c9

SHA512
eb07b4663ab9eb594c5c29392b5f56a29186c73850590dc0d0a0feb18498e18f703be15806b3c55bd52571972dbe0cbe6851e1201833b4da20ecac7afabbe8c1

Download Submit
C:\Users\Admin\Desktop\StartRevoke.AAC.akira

Filesize
361KB

MD5
d7d0d767e55e249e7216a94b24ed58d6

SHA1
55c619cb43eb6249a59af12c1596605aa415015f

SHA256
7ce3d7c8bb4dbeaaf41b65291f51f03733dce7b542ad5b8aac2cedc2ee5de3a4

SHA512
ddbdc5889d0e5b33e9fd7a80de5d439d821c24f2326a6f2f2de67064ca3db7146a702d83d6790b20954631fd8981916791092e496f081b08a8090c8809d15d80

Download Submit
C:\Users\Admin\Desktop\StepInitialize.xlsx.akira

Filesize
14KB

MD5
7c0f5d5a4eb93099bb873e35db826e5b

SHA1
aec7e9e53053edb0aebd213d0f891b8a521e6904

SHA256
4746289a045a7b8042e04b134b5eb042c26023610c345f12501ca66d6f3b4a96

SHA512
eec0d467f6780103ec93cda7f5d88b337c0535477a979c22096df0421004df1349f7657c073483b1c3bfeb1c4e70165709c500f4a01d2d8263d43c0924475b2e

Download Submit
C:\Users\Admin\Desktop\SubmitExpand.MTS.akira

Filesize
254KB

MD5
f407eb7175551e6804412a968436695b

SHA1
10914e8c7d0c5523fa558c6e0168e46ed7024658

SHA256
4db9d7f5056cab07b7b98f506daf1a39efbec381196168d6cc7a9b65b6a28732

SHA512
e5f76db18133900422f64263b23bd44cbfa5b997a0b4155a5c327eefdfb399322fbf1e4cb142029c5b252218cfceac5803f92523d66b9cbb39b8ddcc6b835cfb

Download Submit
C:\Users\Admin\Desktop\SwitchInitialize.docx.akira

Filesize
19KB

MD5
dd877260066f71c5188ac38860fc61e2

SHA1
b6914bd314e753777c1d83a8b4476e9a47001da5

SHA256
d1eebe70e918dcfddae11a7e48f6fc6f3f4e7186732acf16b8095f13b713a762

SHA512
0c331e8247fa1e80f772dd9977b9bdce4250f05df66ba84fc7ada1114fdbddf17a6a7729a278701161a59bf18c561cde70673a162d5f44b603522cf2268f50ba

Download Submit
C:\Users\Admin\Desktop\SwitchRequest.wm.akira

Filesize
244KB

MD5
618c94226d058e82fa773f14d10c8865

SHA1
d798927a02f39aebe0ec8633011a1209eeff5b55

SHA256
0633d2895089342c2277c8ad39694aec35985490ba6d2f111b1963f6c94e94fd

SHA512
8bc5648950c91fafb68e0982a0567dd1671c58ed7b2855f507619c8f9fd2bf6a41adbc4522cd014f6b9d56dcd92e21e6137d65ed6285fc94372829143ecd9f11

Download Submit
C:\Users\Admin\Desktop\SwitchResolve.tiff.akira

Filesize
170KB

MD5
349c450ccb5c3d6040fed51eaa436a73

SHA1
0d42d8acb0d7ff5d9bbf8d5991b49922784658e4

SHA256
0584e2ccc15a1a2ccbdeb077face902d58cc7c3fa52302bcd57d23bd9c16ed91

SHA512
88b671d1a09d56c68fc45ce488ee11039167ed7e6ff171187c5c7fc6552a7ff8a6081ef3be71b73c69b3cda6172e6ed94f21b27ff3d66c19992e980a7de47bad

Download Submit
C:\Users\Admin\Desktop\UnblockBlock.contact.akira

Filesize
223KB

MD5
ce8aec9a53126a8a26178148d2e2bd5a

SHA1
0ea19616416ddd2a4a0695cd82d56b937cbd4fb2

SHA256
6426593ed2312215278c464be4847925869ce560b00916787e073b56226bdb5f

SHA512
cd7646bcd4b78b12cd2ade7cffc514cdea127cf5b913697a9d5274269bd4150e7380e7217636b6a60b1142dac6a794e2c97f49a65f1121910998628d4e2ab59e

Download Submit
C:\Users\Admin\Desktop\UndoOpen.svgz.akira

Filesize
329KB

MD5
fafd0ee62bf8053a8fe83c8c59cb647d

SHA1
80b2350be0dd29f48a7736b619b49b11119ab340

SHA256
b58dcfe8710eb7dddf87ebc452af8ccbe732177fb1bfdf0276e77d9220e8cec6

SHA512
0744d6f31c9456753ba9063d0e250d34a598c450eef9bee7bb663994c9aa4d4dd1feabbb9eae40298a52535f24edff1dd69531433dea8884fb1467b140e6beee

Download Submit
C:\Users\Admin\Desktop\UnregisterPop.zip.akira

Filesize
371KB

MD5
fd09c4d2a70b2067e3dfcfeacf6451ad

SHA1
217fe20e383602c04ae753f1ac4c7880ca080ab2

SHA256
9ebc41ad8bd43c5ffcdb06c335a5094943dca4f425d18632a4d75cf596616277

SHA512
f97b11158309ad92ad4132665eaaede60aa47c0b44cb70982a3b349be2bf798edd4449084f04a3ab6466f2c21e8d1f2e26c43e51c030e8398959cfca2f94177f

Download Submit
C:\Users\Admin\Desktop\WaitRedo.ps1xml.akira

Filesize
180KB

MD5
d6ee8d68094852a9802573562be61bee

SHA1
fa5b72298bfc03cb938140da00fcd0410a92c706

SHA256
abe3ea3662c9579244cf6d384607455310a63f08f9872df0a98ea98d12d5d4ef

SHA512
895f87372ef6f4f9cf5ff36daeeed19b16d861565f108e5abbe95d9cbecd5ea8c282c9d28b6e10692a6dbac638f0ca0b0b63c20e7702aeae54e4b44d543eb572

Download Submit
memory/2068-8-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2068-12-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2068-6-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2068-7-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2068-5-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2068-4-0x000007FEF549E000-0x000007FEF549F000-memory.dmp

Filesize
4KB

Download
memory/2068-9-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2068-11-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2068-10-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download