akira | 9bbae99548d3a1a1ba72ebd1354f999afeffe25d9d482137185c018653e3133c

Resubmissions

05-09-2024 01:35

240905-bz2w9s1hle 10

05-09-2024 01:35

240905-bzmsca1hkb 10

05-09-2024 01:17

240905-bns5zszeqm 10

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
Size

1.0MB
MD5

4aecef9ddc8d07b82a6902b27f051f34
SHA1

8ad1b4ed98794e8f0a9a9d6fc161697974099d91
SHA256

988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42
SHA512

605fb600668cbadb0f556589f923209def1cd3c51b123f4ce7a5325722bcca05f6bb3b26bf7a6aa52bffabe6129c508b302e85ee0a120bedd96a71a105eae437
SSDEEP

12288:Vpp+QIEmDzuImC01vbUE98pik+2i1NkshdMMK+AX99etq2dTdYf:Vpp+Q+u5bUI8pij1NkshdMf99etb5m

Score

10^/10

akira execution persistence ransomware ransowmware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\akira_readme.txt

Family

akira

Ransom Note

Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion. 3. Use this code - 6729-HK-NIZN-WOPQ - to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion

Signatures

Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
ransomware akira

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2228	powershell.exe

Renames multiple (8641) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell command to delete shadowcopy.
execution ransowmware

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2856 powershell.exe

pid	process
2856	powershell.exe

Drops startup file 1 IoCs

Processes:

988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 47 IoCs

Processes:

988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JMFEWY8E\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CBCNU6WZ\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RTJA0BV0\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Public\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\25UY7HZX\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21298_.GIF	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACERECR.DLL	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ENVELOPR.DLL.IDX_DLL	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTS.ICO	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00913_.WMF	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielLetter.Dotx	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_F_COL.HXK	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files (x86)\Windows Media Player\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\c7670fae2482d4b550841ef09da02ad8.arika	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\flyout.css	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\validation.js	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15133_.GIF	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\wmpnscfg.exe.mui	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files\Microsoft Games\More Games\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143753.GIF	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-9	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLWVW.DLL.IDX_DLL	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152722.WMF	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115839.GIF	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_COL.HXC	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.bat	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_ON.GIF	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TITLE.XSL	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue.css	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files\Common Files\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\akira_readme.txt	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00768_.WMF	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME09.CSS	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9F.GIF	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exepowershell.exe

pid	process
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2856	powershell.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
2264	988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

powershell.exevssvc.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeBackupPrivilege	2608	vssvc.exe
Token: SeRestorePrivilege	2608	vssvc.exe
Token: SeAuditPrivilege	2608	vssvc.exe
Token: SeShutdownPrivilege	2196	explorer.exe
Token: SeShutdownPrivilege	2196	explorer.exe
Token: SeShutdownPrivilege	2196	explorer.exe
Token: SeShutdownPrivilege	2196	explorer.exe
Token: SeShutdownPrivilege	2196	explorer.exe
Token: SeShutdownPrivilege	2196	explorer.exe
Token: SeShutdownPrivilege	2196	explorer.exe
Token: SeShutdownPrivilege	2196	explorer.exe
Token: SeShutdownPrivilege	2196	explorer.exe
Token: SeShutdownPrivilege	2196	explorer.exe
Token: SeShutdownPrivilege	2196	explorer.exe
Token: SeShutdownPrivilege	2196	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exe

pid	process
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe
2196	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe
"C:\Users\Admin\AppData\Local\Temp\988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL

Filesize
6.4MB

MD5
aa012baf2213988e85c5025ad168c1e9

SHA1
8b19633db859200c153c6dd930aa4b1e0af34b6c

SHA256
efc9d10629099d72bb0078c9613d9ae880ab30500482177fcb678ba83fe84ca9

SHA512
0e32c801d9b7759564754f42d2666fad7b63121b4d3f4ccb9208ed9365eb804f5bf4a3327f8613692eb369b528fc7cf84e9f7a39a58c481d98e50560963f48be

Download Submit
C:\PerfLogs\akira_readme.txt

Filesize
2KB

MD5
e158265e513c5b865b19240370d4cb81

SHA1
4a37838237b622bc8f6049cf62573d7ed69b1a25

SHA256
f13ffbbdf446bb88a48de8162406b9b2f97cde15a27ce007a156f4dbd028fb2a

SHA512
dd8e241126d131f4d3d4c3936ccb06eef955258573c7337a241cb93fea66e41324caae2ced4548b9e69c7427f3649d134f670607e0e65a13bdaa61b3381cbb34

Download Submit
C:\Users\Admin\Desktop\CompressStep.xml.akira

Filesize
397KB

MD5
39c30bbe395c7fb2f9ee880cd40a2d02

SHA1
acb2f1eb8d201e2d7a6e27e8990aa6979c9f7adc

SHA256
f7f0524a71e6dbcf1dbba5547ab0924c2c28b595dff91fef1ac2e48169423fe1

SHA512
cc970a4d129b78060d050ca22242c2bbbf4ffd37cd3170d859a19e4348989673c1ce81e93f100b3107a49caa93024940a9f0518e075e96553d3b472a33db097d

Download Submit
C:\Users\Admin\Desktop\DebugSuspend.midi.akira

Filesize
918KB

MD5
72f1497c2c95b3c1f07e315a4d33fc94

SHA1
21d1730c5521e73a59a7f3e2ea9e14fc9b56454d

SHA256
4dc93c655081a67893b08e76861571b2b5288f5f69019e2cd24f929c1032cf73

SHA512
563b1c2269d43eb929a926f47626dc4a76c36287e318c2c0a0fc07e553fdca85ef944c5d1999cc97a53f241c008b230c60dd13bfbe8c990e6ebf5399bb3ef7d5

Download Submit
C:\Users\Admin\Desktop\DenyPing.cab.akira

Filesize
968KB

MD5
8a0d644d77f0e3d57e18050a81b6440f

SHA1
396d498ea59d02ffb81005759ee3f5d118960b08

SHA256
769d444720936bd9c96c90624bdeff4f73b5592387ffa8d26c1ef35730f0e1be

SHA512
f2152e57953505ea6e79219e35f70f43cf3a1dcb2de17c0b732ceb8f738b738a8d01d41d2ead79530cd3352d4aa316aceec9aae1a0a73cef83aa09e4455c6247

Download Submit
C:\Users\Admin\Desktop\DisableSet.mhtml.akira

Filesize
943KB

MD5
7f7b75cfc0c38cbe4443b03e8f4d0dbd

SHA1
98d423c6a46b2bf111a561ab5aca749e3fb827f4

SHA256
9d9110adbe7f831a57b0652a0bdf5612aa5ebe2fad1ced4c077d5dfddadc065c

SHA512
f4a74d0c8957f42b1dff57847292e2b9cd7e34fb1037595f18a861c3a610238c7f062e0d66741a3776150f4e349605fe75bda5eb66c957a0335d9d5ed90575fc

Download Submit
C:\Users\Admin\Desktop\DismountRename.vstx.akira

Filesize
893KB

MD5
c3cfb3ea9e4224cd793824467660a893

SHA1
9cc8e74adbcf6b95a03194ae3731363d82867e5e

SHA256
9945decc26d8beb0395f33ec0f9bd9a181bf9c264e50ec4e91909534928afbf9

SHA512
a1c8fdf7e64f1645ba08ce20e853ee830ce9e2b7e5d06d8693962866247ed13f70b807112568a085d7964f5565c090bcc8791fe0a9b6e37d3205f18e86456f0c

Download Submit
C:\Users\Admin\Desktop\EnterSave.hta.akira

Filesize
596KB

MD5
b997bf68cef7f6d3646984d1136d73d1

SHA1
f02df7eb4944e3c5d89e956450a93b4d743d6143

SHA256
719c36114781f9007401eea4bf74ae5b8d5ed876492ace2a8b4b891c8c1e571b

SHA512
6450f42e384d17fc74dc05045721c09a53a8e678c3530286714bcfca521489538ab8109cabf7674190b04a9669bb8b3cf8a269e31f50d840de4fcda99beb419e

Download Submit
C:\Users\Admin\Desktop\ExitJoin.ini.akira

Filesize
620KB

MD5
c7f171d5b141644db26e52b96be79171

SHA1
82d7c27c563d4a5636370deca764fe1ba945e142

SHA256
991ab1d01e54a37e08a81504fb3415c29ea44ffd03b064bdcaaa81f70a73d060

SHA512
52484aa00d482fc859780c9989b63c8bd31694f07a29aa6b4efdb9ee7d0041e58c16bd95626a32993f8e28a37d4692a0569abc5726d2c07ddd52af267ff23d00

Download Submit
C:\Users\Admin\Desktop\InvokeClose.dotm.akira

Filesize
422KB

MD5
7293431496f0722c5d255b08979df266

SHA1
b585cc11e275795ba10408e1283eec92a5ed2004

SHA256
09f373ffadfcf892726ca8d65e5831191aa3b437f1ba0e19bb0178502dc93b1c

SHA512
3f77cb07bd3a620536cb0b19d891f11233e61628e2fd724f8c08cdfdc9ed7e248e3c86798b7ce23fa621c0c5e31ffdcc94f95f515853dd4948a57d70e40d0a59

Download Submit
C:\Users\Admin\Desktop\JoinNew.php.akira

Filesize
447KB

MD5
58e5a8f934f8b0ff16a65ab02833ff0e

SHA1
0a93729d145514a196806aa596715de04fbd7736

SHA256
037947994be1457283659611acd4a2ab55f3b3e2cb38e944048405a8fba1f9cb

SHA512
0fad1e62f8b1b30da28b8adfac9ef63d096080bb3728828214ae92422ce6da1d7d8cdecf851ee2fd84b5dd7a5c15fb30a75cd87cd156d70d7b69724913450b58

Download Submit
C:\Users\Admin\Desktop\JoinWait.docx.akira

Filesize
20KB

MD5
95bad544c44249b020e8d4513412fd94

SHA1
03cd4a19e6df75983f605b9b87d759d91a17b108

SHA256
263e912fa2bbe90206c1b090704df99f4968ff4b4c0972be9f6eb312ba075f8b

SHA512
4d9b6c0044d167eb2755bbcae41f95b798ed3baf0f0fd211a0d06c632ef94b976ff30c5ddcf7f175af37e418221ba61c4d6d5df326980a13bcca41949bd1ebcd

Download Submit
C:\Users\Admin\Desktop\MeasureDismount.WTV.akira

Filesize
869KB

MD5
239c23c3372fba988a8599ec687a0b05

SHA1
2c9d9d9bb47aa7756cbd710dab4344ce6bfe0173

SHA256
81e35b7c1e7db968b3167e26f0c1058e0d4c6450b6b7ce773fac69039a461919

SHA512
496d32a13c8d58403f408b08bb18eec948b46417b26f405d56e7998f93e365ff84df2a9f296bf2863017dd889985792e761880d8d4e7996baa97420ec33f6ca9

Download Submit
C:\Users\Admin\Desktop\OpenBackup.reg.akira

Filesize
571KB

MD5
6ccde19a691be3df7f76d7285046e56e

SHA1
21624c23935c2139ee356c12d4342686e281fce1

SHA256
be6d0c9271fc598a5d258e8527677e39edc3fd4730816dea158c8c58cce5b8f2

SHA512
812fde723a82555e891be048395889e97c31593c15f73046d683a5363d774bbbc40802d311522f580c55d2bc643e1174e43d08e85a95e3e15af236058d11b67f

Download Submit
C:\Users\Admin\Desktop\PingRedo.vdw.akira

Filesize
695KB

MD5
d8a67adb1fece45b1e30e85343f80e73

SHA1
e977d03be8f06ffd8606b824e8b0b28668a6a49f

SHA256
77c8e3d6ab71866947697f1f6f20d17ff13516089fbc940e581d97124c22a186

SHA512
b84709643170aea7bdb180e182584e241d9907e9400ee2b8a556701c20ac79ffca9cb6739508ae1343366fbd9f1c49fcdc5f1181f860dfa2831fd36ea621c6cc

Download Submit
C:\Users\Admin\Desktop\ProtectDisconnect.vsdx.akira

Filesize
993KB

MD5
806e53663d64b6560b99c7dff84b53e8

SHA1
bbc73f3f21cd746f804f29c9aa34a1f6a292b38b

SHA256
798dc471dbb0e2f6560f266b25d756ee99ada055e637f767dadd15a32d5c0b15

SHA512
93a5b5ac445d9d316cb5d2a33287101cd72159b9bd160b53819dfc0155224e00aa3626a79b1815b4d1021dff863a05fe6e5b532e01cf9db415d08a720b995bac

Download Submit
C:\Users\Admin\Desktop\ProtectTrace.docx.akira

Filesize
16KB

MD5
54a6c82f57b8add921a1a941e78fb728

SHA1
bffd6c438e12eb31d5da1af0a7a38cde3661a33c

SHA256
8b178c5f5278de70f605c94400bf5781625082ab195a55e8ccfa028426b0a61c

SHA512
09901c94ae2bb1d00eaf98d206477cb1bc13adb012f27ebb052e3ec48972e35f12f12b0ec0cf3babbf704c860d31f3cec1338939048c4decedd82e66d56eafc7

Download Submit
C:\Users\Admin\Desktop\PushRegister.ppsx.akira

Filesize
794KB

MD5
e8c1e0cf0d94372559a93ec9b503ae27

SHA1
603fbb49343ba9d24b88b13202e2a927c554bebe

SHA256
80fb6f8d1298b40230eceb1d6b17627243187abd218e9d21a10d26262bbd5670

SHA512
3ade4faa55ca6f665aa0d283b271443908a40ccd208e971ecc15b0e2a71219089e1ef13d44388bec95382b18826466406611383be9d6d8944f68ce0b6223a83e

Download Submit
C:\Users\Admin\Desktop\RedoUse.xsl.akira

Filesize
720KB

MD5
4169e41cb1acefa4a68c25006635fd9b

SHA1
5da3951f55e5f94f467e8f052463325584416940

SHA256
d18b876af94e7ed470094150ab9c4ae2f322690443b94638e9570e94460d64b5

SHA512
7a6d95d034df5a8c06813ea622ebb7d3236893ed3c8eaaeb72d6e5a079d09da772130cc4adfba530816dd19cf2fe1627e4905027e3f2e501f94bf4b6649c85a1

Download Submit
C:\Users\Admin\Desktop\ResetExpand.3gp2.akira

Filesize
472KB

MD5
a797142620c8190ac5c7fd4627033eff

SHA1
68c9a43af8bee318fb6ed019d4d3f5340c571a26

SHA256
d28401db391bb79b552288dedfdb01ac3561ff97b889de4fa11b2560f794b076

SHA512
ad7091d4229b0989de7986ebcae6668661b28b3faf091b2b2e9006e9a691f3e98b0faca02f92a96b4a50e5f1a61bf659b1e783c36219a34885e2f908ba8a83ec

Download Submit
C:\Users\Admin\Desktop\ResumeRedo.au3.akira

Filesize
546KB

MD5
ced28a6585cd70b3316f73381f5b0a27

SHA1
621ff49cd185820602fbba475d36b15121dea5b8

SHA256
1b970295f10aa7719d9d27954ac7722032a15a2474437be9e2c7d1efaa783e8c

SHA512
346a2f6e74f4374d445112152129dd7643035c733b530a1f36f69879433b3d8a413ff0d70797938cc5768f951d2f1904cfd48b0bf33efbbaa406bb89cf86ef37

Download Submit
C:\Users\Admin\Desktop\ResumeRedo.pptm.akira

Filesize
347KB

MD5
e73d4e925d6474914f1e40da2a0b2506

SHA1
befdf2ad45cd9855fb868ee41062ceec05431d4b

SHA256
af115c258bbb55ad8e18b7e5427423f9a9a982e4d7b7f6c749fca5dd44f8ce54

SHA512
c5af1214bf5e2772289b66d31594e6aae40ab054b2e3f9242dfe38f007a01e0c57b6bc0ad59bb5c4fb5121dc92d815584750038b09376529b1327217bd5cc0ce

Download Submit
C:\Users\Admin\Desktop\SetStep.gif.akira

Filesize
645KB

MD5
ab6e7e69490417c6d0bacfb5cf92800c

SHA1
de0760a633dbcd40c093715c52a1894f4d8a2642

SHA256
c0f2cd9758b77d6643e50a4efc14623f975f5f72e04de935e4971cf0038ed331

SHA512
0faacd7122b3aabdddf2511c89e1d97307c2163da46e75982ee5b461d046edd88b90a84abee392935483bc4c5675fd53327e34f2c156b13a1bacb16e2925e926

Download Submit
C:\Users\Admin\Desktop\ShowTest.svgz.akira

Filesize
521KB

MD5
f91c43970ec2da0bbd1da77f28474dee

SHA1
21a566896208ab7e05179474c90eca6bea7bd9ca

SHA256
67c11fe4d98d953cf224423d901cf25e5f40514c92665e4bb19fe6948d196930

SHA512
df2a59ef8908155f94e6591f23ed82fbb87d78267437c8e9ceb1816eb8116733ce558255aefb2af9b71df220eb9d8f8ec241ef3d527abd3080ca3265578542a8

Download Submit
C:\Users\Admin\Desktop\SkipUninstall.wma.akira

Filesize
769KB

MD5
ac29b2b5d33b9db9d3504f9cb7d826e3

SHA1
17840826852cff32f5ae3982fa52d429ae6460d8

SHA256
453b2c30c7ef4e9900f1fcfd66bfa84ab788425287e7f2534e59d4af5f42b47a

SHA512
a389f6af2081ffa731f4231056e5a008b5f0023c6eb7ba1819af54d5197ef90d705ac311c54830b49aa5cc7b2f29bb028181233d7102f4c91527af38fd2ce767

Download Submit
C:\Users\Admin\Desktop\StepExport.DVR.akira

Filesize
496KB

MD5
505151090ba3d375fbe73eac0e0cd7d1

SHA1
169d9cc8eb137ee58228deda3e33eb66db4c4923

SHA256
088686b21afd5a6c1c07d9ce7d5b8ce25810eeae0f2a126db8e6211d9e5652c3

SHA512
18dad0092ad34cecffbf84a8f015ee3fba1d19b690524396b452bae6ace32e484e356204804d40e87a053507fdc499b2621ba484a070724f8672b1b8151b6c72

Download Submit
C:\Users\Admin\Desktop\StepResume.rar.akira

Filesize
670KB

MD5
fe5f7b33f4e3b0537e190ce9e821c6a1

SHA1
b4a13694dcca5903e5d823c73e1522677c7b17cc

SHA256
f0f422875b7302c099d393b8acb48ca8e0788451b69504544a9ac5e781e331ba

SHA512
4fc88cb144be5fe3af1d022e5eff9068ab6de6f27e975a9cb45fbfcc3da7a181e75abc5486dbc6f624541bdb1f33ac67a07ef03952c52210c8522d2b33fd417f

Download Submit
C:\Users\Admin\Desktop\TraceEdit.xlsx.akira

Filesize
15KB

MD5
2baf4789b9618461f506ce9ec5674a24

SHA1
e6cb9fea3897a2ace83c94d29f4d49664ff0a5f4

SHA256
93edbda26f5702207e3b799037afc1ea45d807e48fc7d30595797ad9be8f1f0c

SHA512
470d85aa72ec68f346674585a6d44b535447ef55e855a04525b434fb8e5ef90b9c4551234d490c69476428b8fd399cc4b3b144b332e790765ed2f166e54bf2da

Download Submit
C:\Users\Admin\Desktop\UnblockFormat.wpl.akira

Filesize
372KB

MD5
389757877780ae213990a6acfdaf62c0

SHA1
a3db5c8a93a93aa8eaafcf4c6323b1436f47836e

SHA256
f2ff3b4c5d5ff99ceed2b26fe0521d38d62cfd02d682af318a312ef4723f09f8

SHA512
0c4c9972dfd5e9b31d49e2615524f34565841d7a44a9dc41a17d697f6bec41fbe949c8fe6cfd6623568049be0aefa4d94bd92c3a13999913c3012165240b54bc

Download Submit
C:\Users\Admin\Desktop\UnblockSuspend.rmi.akira

Filesize
744KB

MD5
b458a94069870f3f323f219108035170

SHA1
76bc872d8d5915c2caf7252171c870eb1a10bcde

SHA256
0ad878ad5180221130a1fb37d7288b0148ffd8eafc5f4c9844b53540d7185a64

SHA512
922eaf5b6bf2b9fb073b88974ab00e35bdb5d4b40ff3df09323c5223fe1b84c053e93abef705f02b58a25bd831eed13d67d838bd4bc681ce6269a4376a32e86a

Download Submit
C:\Users\Admin\Desktop\UninstallDebug.docx.akira

Filesize
16KB

MD5
6858d8c93d511bc47c56aff988c4758b

SHA1
89f1eb5c248193aa04b3804a8c810eea12c955ae

SHA256
93c354ac5c9a6d2b51ef47a8b0fad87986f3b28067830b8fcb3705f17afda042

SHA512
3175137040567ab34a7d993e5f60e86156deb382fc8fe469a79e54fb1d571d7e46f0003f05252614c766486b13cd571dea1a6eec5efe123a7f00bc392744c763

Download Submit
C:\Users\Admin\Desktop\UninstallRead.odp.akira

Filesize
1.3MB

MD5
077409d6a192eeabd59fd264683319af

SHA1
76ede404d40e343301ab57f9f65506f57586b249

SHA256
025b471d794e09c0f0018c33aecacbe882082c982d1005baeaff7eecf1bdfa08

SHA512
334cbeccdfd04ab334ff37207caacd9b7a22ad644fdedf1479fe0337c9955b5b348d5f7847d92359ffe1116fb60b355582f3ce168ce7cb8a0cac6ae2d5efd41a

Download Submit
C:\Users\Admin\Desktop\WatchPop.ppsx.akira

Filesize
844KB

MD5
37de571950e149033517d2ec3a647cab

SHA1
d0b2050a9d35d8a62e28bfe3a9835aea7feab025

SHA256
d1cb048a3c6667b2b6385372d503bcf3421f70905e7c0163a2c475205ae5afcd

SHA512
b2e9e42596343ee365b95d5757bebc56f7c93b48fc06aa3ea5e5b773771d640c9181ef14f2a851bc34692e8f4f0cf705184fa625daf8361f4803d710838b4247

Download Submit
C:\Users\Admin\Desktop\WritePing.ttf.akira

Filesize
819KB

MD5
f0bc98bac50f8ae873f667a50b18e7ba

SHA1
1c0f4d62f1084d238bf3be11a219c3e7ccc80e70

SHA256
59860a0910a0442410316be2cd4f5dcf678024c009c88806568d0c8fdeedd9b7

SHA512
2bb8f10a3ffaefb4f6d16f81417de763699d4aad097b0585ed10f3a06d993102b359ea4502f27d09f36c990cc6da2e92189a8e9d15e6e6708dff0b93129dee98

Download Submit
memory/2856-8-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

Filesize
9.6MB

Download
memory/2856-4-0x000007FEF6B5E000-0x000007FEF6B5F000-memory.dmp

Filesize
4KB

Download
memory/2856-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2856-6-0x0000000002190000-0x0000000002198000-memory.dmp

Filesize
32KB

Download
memory/2856-7-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

Filesize
9.6MB

Download
memory/2856-9-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

Filesize
9.6MB

Download
memory/2856-10-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

Filesize
9.6MB

Download