Malware Analysis Report

2024-12-07 10:15

Sample ID: 241112-t3fsbazmaj
Target: ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.sample
SHA256: ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5
Tags: akira execution persistence ransomware ransowmware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5

Threat Level: Known bad

The file ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.sample was found to be: Known bad.

Malicious Activity Summary

akira execution persistence ransomware ransowmware spyware stealer

Process spawned unexpected child process

Akira family

Akira

Renames multiple (8640) files with added filename extension

Renames multiple (8413) files with added filename extension

Command and Scripting Interpreter: PowerShell

Boot or Logon Autostart Execution: Active Setup

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-12 16:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 16:34

Reported: 2024-11-12 16:37

Platform: win7-20240903-en

Max time kernel: 122s

Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe"

Signatures

Akira

ransomware akira

Akira family

akira

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Renames multiple (8640) files with added filename extension

ransomware

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A

Command and Scripting Interpreter: PowerShell

execution ransowmware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\akira_readme.txt | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QJELLEL3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HE9LBEC2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YLJ4V77F\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RM4QEUM4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\es-ES\sbdrop.dll.mui | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SUBMIT.JS | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_VelvetRose.gif | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\akira_readme.txt | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHMAIN.DLL | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\akira_readme.txt | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2c1e44b6cc009b0c7fbf2dc1601a4a41.arika | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\MLA.XSL | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\64ef4a2a6bea026c231b5c939e884865.arika | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR47B.GIF | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\MST7 | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\en-US\JNTFiltr.dll.mui | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.DPV | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185778.WMF | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282932.WMF | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02439_.WMF | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299611.WMF | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\cgg\akira_readme.txt | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\settings.html | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.DLL | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9B.GIF | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\Office64MUI.XML | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL078.XML | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBOXES.DPV | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21520_.GIF | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tasks.accdt | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBBTN.DPV | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\settings.html | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\akira_readme.txt | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01243_.GIF | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Bissau | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FORMCTL.POC | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\calendar.css | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\akira_readme.txt | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File created | C:\Program Files\Microsoft Games\Chess\en-US\akira_readme.txt | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File created | C:\Program Files\Microsoft Games\Purble Place\en-US\akira_readme.txt | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\akira_readme.txt | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.XML | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\akira_readme.txt | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Windows\explorer.exe | N/A
File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | C:\Windows\explorer.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe | N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe

"C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\explorer.exe

explorer.exe

Network

N/A

Files

memory/2040-4-0x000007FEF57DE000-0x000007FEF57DF000-memory.dmp

memory/2040-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

memory/2040-6-0x0000000001E00000-0x0000000001E08000-memory.dmp

memory/2040-7-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

memory/2040-8-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

memory/2040-9-0x000007FEF5520000-0x000007FEF5EBD000-memory.dmp

C:\PerfLogs\Admin\akira_readme.txt

MD5 8911b4610953c2433136df6a6404bd4c
SHA1 b198ba0fed1bc3888e85cfb64b694736e42b011c
SHA256 986645b3e96ce4ffdb76723233a26fc12b6b4074888477ade0cbdf92b59ac002
SHA512 0a72bf31f7f7acb6ed2c1502ebffb6f35824c254fecdde865de2c6976fed2410ec5b80354364b323e16f966c07a10561f779e3f23c2774bcb1bbac57439b7824

C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL

MD5 5c1bf2729492f0ed4f7ccf8ab2600fd6
SHA1 10dfdd7b34d7ca7bf3a1ec4069899e10215f3b8b
SHA256 eb5e7093b72ab6ffa13d33fb6b511bf5fbbf890f78132f93fa115d2bcb1e55db
SHA512 bf954a0dd6c14f606e39cecd027c09359ab548f892e1690e913f392c84357f8b4f2b59a472d834b515e6f99e83d0e899fd9c8ecdfdd700a65e61bc217a2eb0f4

C:\Users\Admin\Desktop\WaitSelect.ocx.akira

MD5 ec86c1afc9e9edc7ac3dd39d8e99b7e0
SHA1 90b8a36fd6f9828886f756cd66aa44767c459b05
SHA256 d42be90f3bb484ae9eacda462a43029aae5913c77c23862ce2e35310a9658248
SHA512 d42418373ecac903989d8e0d4edaf04dbde163a0a3a003d57b857d239abf146b39a50c47b70149bced2c5d1532f90286ac355b53427eaf7922c3d6ac67231ba7

C:\Users\Admin\Desktop\UpdateGet.TS.akira

MD5 60d8206ff666397d99aeedcf29b451b5
SHA1 e0cd26c0bee586631a474c589a61ed7fb95824ae
SHA256 cda58e8fec1ab7388e8521991e0329a5ded00150bea08babbe405c0acfb08f19
SHA512 5a5b10430a0fe0f5636ebffe00d6f024cd352c307a1c35746ead471c13003721bbec26615a1bec6e350084eb0e7b1b32e2bc2e2ace2c60fbd1d683d5822197e7

C:\Users\Admin\Desktop\UninstallAdd.rar.akira

MD5 71be5b4ea7b60b93641e6a84378c2a98
SHA1 e8d740f1c1faf2b0dabfbdfb4a1d1a16f74eab44
SHA256 7d69df60975aca028a054352edacb9f45b5037b765c21fe14e46a0ac53253bba
SHA512 0893964dcb021e8600850c9baefa11ee72d3564580a31e6ff3756327df1fc12f44744aadede6f1c78cea81a12d7116369f36056c9850e85a21e25052ab3d6847

C:\Users\Admin\Desktop\SyncUnregister.tif.akira

MD5 7f67694b8b58128e7b5e75c593bd4c72
SHA1 2ffa636f6490b1a9d47d89ac71093e5c06d6b1fe
SHA256 a7293cc529540c0b5c0fce9007781c93b148bdfe0a71f52e9a9f42488caf527a
SHA512 39e5fb167873e2ddb20102b73f802700956e5191e7a423b0f91545f15660ae84bf13a8c50eefbd314e58727826503374778a9914d51d4d54f4dec1217e8354cd

C:\Users\Admin\Desktop\SuspendAdd.xml.akira

MD5 6abad443305c645e91f756125d94d815
SHA1 607d09f04c0c64940be852329d31cba77cf596f3
SHA256 e6a10eb3c546f235e1bbc510cd852f8fb36168118b1e94f1d83a52b095add294
SHA512 8ab5d0a3710ec7afee3446ca6e17fa41456edfcc6948e9872f96257c34850de6582a3a7e40d76b8f0bfd3341caa66842d69a8beec997fca28127eb463c4e0ec2

C:\Users\Admin\Desktop\UndoGet.emz.akira

MD5 e3b1e3d72314f52e093061a4a7174745
SHA1 37481a385090c256f817f43c5cd740b472ec8f4a
SHA256 5b58d6ed558662e05b05b25271e5a7de539be0ba4de7833ebf4ff06149380b16
SHA512 d02c64895a9509b5fe315cc99d50f76d83469807ae0e8674fb87f565b6ba0a6e0438e66061d374efb86d362c590c353a8cf61f31047da983e5424b2bfdabb815

C:\Users\Admin\Desktop\SubmitConvertTo.xlsx.akira

MD5 08719a622bb86956be38d0f3197b51a1
SHA1 5f74f38e34347a159ae3dc92bd70db81902b7dbd
SHA256 aea0776f2a3bd73b014659bc38f8022cbd41d31f05803582a9d724fc67b00b90
SHA512 3d9aaf500ec61fa753d11f714e6a4758368532d76564f16d159111cbb6f52b8270857684b8d1271631ed9eb92bcf038a869107b5e708dd5adb21007afd979dff

C:\Users\Admin\Desktop\ShowSwitch.doc.akira

MD5 6608fad91c45c9073e7c165f9e76bd78
SHA1 3deecd737c38f721b5bd286dd49d3920e1616bf1
SHA256 b75b3ef542b333d6f1f1cd0e80d8946cc3acb8eeaa878f57d32498e33ec4d679
SHA512 5a07fae36a0650a8bb908ead01f73731cb5cff50b908db88197b91c82b44497641983b709963067b39bc612d56e21b447d1b3bc8ba8289599f10edffab380bcf

C:\Users\Admin\Desktop\ResumeComplete.tif.akira

MD5 90a71c6722854fb2e3223d7cee361e86
SHA1 0cfd146129b6a02d82be7c2386d12114beb1f8a9
SHA256 80848216d40c92267aef45a73ed5039f119ee6515167e64245d83e918d943f93
SHA512 a19536323061adee70bd12cc6d9f7e521678183cee4fffc8ff4d4b398eefab55b09137a12bc340513823440a2366569e7fa97dc2a3ee5697b76500e2ab643215

C:\Users\Admin\Desktop\ReadRepair.scf.akira

MD5 54bece2cfc0ec84595a0de659e43d82b
SHA1 dd47d8f8fdd90ac91b00ec7bebd92956e87d84ac
SHA256 9072943666ebd17c30eb04615cdae01497fb13ebb02aa25905db9d58a0b7eac1
SHA512 7fc082e6de4a9286f70dc1be94edaf2b95555f63092f3f093fce021245f702ce4a51962d15f7b45beaebf59b39302f40e8345f0d7e1d1f13e1bb99d259ff92df

C:\Users\Admin\Desktop\PushReset.ram.akira

MD5 a1c2dfe1c36080a98309348238c69cd7
SHA1 6a3fbd41309f1a2af725dcbb5b565a829fd0f294
SHA256 f163c2996c551c002c9f74e0c9b3435fcb299be7bbf7d13667ac0d3c1824297d
SHA512 1d8364203c49c789ba7f569be7b0b17bea809e979531bd1b1bb120b020445edb3203735d49ac032ceb053ebe289a91b223d5f9f17af411d8d82ec3a7bb23fb14

C:\Users\Admin\Desktop\InitializeSelect.docx.akira

MD5 45804d03e89442d8b539698644e77a33
SHA1 fb97cf24def3d6c9e344d52e7aa404859fb1fd49
SHA256 4b2a699f795e39ca9c4abcc083c354d25ad3d1074566dfe5e76a418ea96cd355
SHA512 566a166a16cf899d7db816936dabda6e80eefb6c93a41093bf610d87b308b717542fc76bfed1901d3ab1e1200e953d9973f4cddf0b5877554777ea52a28d82e5

C:\Users\Admin\Desktop\DismountHide.ico.akira

MD5 6571cffb8e56b34ec7e815e344024d36
SHA1 f3949e7650cab5e5409fe1a8765f626978e7d5c0
SHA256 98917566d1a8cece1f2b3dbe82fc10d5d37301a9e18d2e9294510444fa2366e5
SHA512 f9a1ecea2c46fbd32b266463d86629b392e9a2e99fbd47b570d7d688debd2a097a1f8fe88a584f48bf15bb4c88e3159f676510650a1764337ad0e234d7151ccc

C:\Users\Admin\Desktop\ExpandExit.rm.akira

MD5 00035388f502f251f3f61913d58e438e
SHA1 9e1ff861e14f136ff061a62c4cf8d919feddb6f0
SHA256 0c8e4c90fa39609e849de8b27d526ffb0ea7e61029f7ecfe489617c5d0a061c8
SHA512 2a73ebb5e17d850210fc7e87b4282e1cc041a908729441b5da591a157ad56aacf654946107d35a2cfb74cf28c20b4bebb7296ca252339bbadcc1e971c9556c94

C:\Users\Admin\Desktop\ExportUnprotect.xsl.akira

MD5 9041e84c5f0247ae96172bebcc56205e
SHA1 9ca59e8898b65252d21da25ae8115fb17edbf0ce
SHA256 645d6f4362f366b6bf9788cea6d305dd21900bc4be3111daf9f20aeb9b7154a9
SHA512 4ebd2c11f2c5cc550470081d53da1f160522c6d1fed900518d2594d432a783cc52c8a0404aaaa56ea34fdfd8c548814d5732ab1867ec7c85c871b4ec5ff5add9

C:\Users\Admin\Desktop\DenyCompress.midi.akira

MD5 58a506df7680a25b5577fe3663067567
SHA1 ffd11f18239ca193a69ea75dc22f44822330a769
SHA256 0000af7fc4efef2614585f3b621c6e4fae54e59828f30f063020b38900ab38d8
SHA512 a39788ed97e1659049245b255343f4dd1ec24a9b7d3da1e8f3bf2aa3dec3b893c65f93e83eca82b2b74a97f49779d96d814e9627d3d177a67ff5566cd02ae1a3

C:\Users\Admin\Desktop\ConfirmRestart.docx.akira

MD5 31d53ddc46c033b3db8f3a74f1a2bc33
SHA1 d13e92bf2eca20839780cc38610245cfc8007ec8
SHA256 3a0510719b9e8b32d4898bdf8c6438ed9db6eee8bf44b4eb4e617a652389863f
SHA512 0da9c3f0eaf3393381b9431d6bb25777a3f8334962d7d282256439927dd660dc965b5ebafe3b1eec6e3c9e20f336331de2754b3062ab8928f3a46adc5df30e1e

C:\Users\Admin\Desktop\GetApprove.xlsx.akira

MD5 08f758bc511a735a0afc9d9e97be372a
SHA1 b4654c2617300478e9cbd2d61620c94a05a674a0
SHA256 d1356f28bcc77b0cd735c331cbcbfe180ce52e5328a3a449752b3803965e8c77
SHA512 bee828375afe68ccdedce629b86e7249285515e9c02519271e05c0ae30b444079459068c8775d6d60650f4a687dae16a16653c10f217160acd3f0b6875c822e2

C:\Users\Admin\Desktop\GroupSkip.docx.akira

MD5 81131d522498428525bf0c56de2accf6
SHA1 7f9760aaea8dbb33ad2533bc8f1a414a76a0b22f
SHA256 ca07cb4cb38ff311dfc9bff860238f33a7ac52320692f96b28805941b7134a97
SHA512 893d1027fc3a19cceae870e3b332cf89d4e0c32ebb94ee9c671a97049f9a73efd69fd86c27f1cfb6cb57b3da664975aafc21116404c485d3c3130b676139d4d0

C:\Users\Admin\Desktop\InitializeInvoke.sql.akira

MD5 b89c224053b33e30209adf1bcab1d84a
SHA1 efbb30cf451c8f30dce664226227f36f17ea7503
SHA256 6ef55b1efea7082a87e3863390e853cf90415b22cea0f48e1f5e17f50a3bafdd
SHA512 2aa3e3a05a611d0e8c8715d75276518bfc35cb5105129cef9e2752715d008e6def7c389cb6571c8ec4d6e66e9cf702dc66ff93de700789dffd821cadf6286273

C:\Users\Admin\Desktop\MergeCompress.TTS.akira

MD5 6c157184fe6e5ec8d2b3215fd30226b4
SHA1 a91549a9852afa17ae2403beb5ee1832b05afb79
SHA256 9dcac1436acc0ae53c7d65e0e211b7a65ce3e476019af7c4ca774b560749da0b
SHA512 fa43ccf4e78347f7ef718a274be76af90f2382c584c193214ddf2cc59c4650316e9ad2b0443838e98d3b7968d355e6523bc32d6df471a56d6936c226f99856e5

C:\Users\Admin\Desktop\ProtectRegister.ttf.akira

MD5 67fcd942dcadd7578b4a3c5e8253c88a
SHA1 1f80f662a13cb0741a8cdda3bd355a7af3df91ad
SHA256 d5e3afdb10e17840cc8c24f266bdc4885a5f24a0b91b8eb0cf5ae403fd46cace
SHA512 4df9eb22b5a0312477b896616efa6f4514f7aa912da3862075d6f86da3fe606bde6bde540481fdd7325c065d29f6253ecb3a58698ec2717f9fdf349c4cffcffe

C:\Users\Admin\Desktop\ReadComplete.ps1.akira

MD5 0bb1dadbf8df30d09e551622fde3d3b2
SHA1 89b0902ab50fc222e5991d94ee212dd1e4c3cdc1
SHA256 f801c89066fe024dd7257312453ad0d46b2a707c1baa9fe92995712b51c27a40
SHA512 bbad60cc575da96e974b7f985d79a0c312fa0ffa415352429597f74f24be833687f31c6f9fbd1121ad9c79113f81b63c6354ee766c3db89b4ea47b661d98d241

C:\Users\Admin\Desktop\ReadOut.pot.akira

MD5 bec74722a863049499af0ce4ebe3acd1
SHA1 0dd67f7370cc49478b9ce0f803ee9086f5e1fa6e
SHA256 d9f22d4cfa718ea50e2ddac5b2a793b2d2c621ce4be0ad094e9f94eebf17efde
SHA512 5ac9b24383361f65130515b2346b971cd89fa21bd881ef0bb6c9674034c296de4a5079de76898c06bdf9732858666311105f6b3c5ad6ac62f5378cb2f0383759

C:\Users\Admin\Desktop\RenameResolve.csv.akira

MD5 aeb367c80b761e6ec120e2bc0e99eeed
SHA1 f23f690885db239aa8d00c136af51af3e8b0a6b1
SHA256 2523545a62b089d569d635b0befb1b68489539fb38aff217e92309ca7c1de556
SHA512 719f47502e26c9ff85a8b6c09a4b1dd694109135ff96278889454ac1e9780bd388cd1e523bae40948508ab90fe0f661f58b2f7a62a5cecc3c6e800d5822f26cd

C:\Users\Admin\Desktop\RestoreUnregister.m3u.akira

MD5 4226a9c1ece8712a2b684e162af10c88
SHA1 55613d2d1808273876c66749936164398dde820c
SHA256 6b92866cb6b4950028774725cb3a8f6dc0cba0b6ddd1466997ec55e3afa70325
SHA512 cc7935ea920740b14d7136d5b7999d35e635843e2a566026c253f94988700b38eba5010e08c45a359a9b3b403acc6c7faaa3409f2d67de6ad1cead7f4f5ef462

C:\Users\Admin\Desktop\SkipDisconnect.wmv.akira

MD5 14fae003443477ba166bc2f6b497b055
SHA1 532ab1f6cc4c96c5e43afb7940e76ab6f6f95348
SHA256 85e37ba840c79e499d0da8b5024a1e498a40b1782670bb82f2798613e4e3f839
SHA512 b6320d49d5bafac97221bb191234af495a1f8be0ed671b1fcc85df1e9615a428e0fb64721e798e71875a23c627a87b4662ddc663776d19099db469ba60e775b6

C:\Users\Admin\Desktop\StopInitialize.inf.akira

MD5 111879c2e841ac3603271faadf2bee36
SHA1 6f353a890c42700bfd0a805d87cf5007b6ea5f6e
SHA256 ff70d8debe47170e800d48d2da535c65e581f5046f1741d942494f5864e250da
SHA512 be6f8c0425ab013b948cc174ad4a5309ee1eab005d944b62934d05f75fe5858f4463e8d8883e404b9027796f2ad0dd7457cae2939dffe16904e2df7024a96a0e

C:\Users\Admin\Desktop\StopMeasure.mov.akira

MD5 0fda6b22659fba744551f87488d09c4e
SHA1 80b3cad28e21d1e47e2471afadddf63f7b09c0d2
SHA256 ace051cc143a3c070d3943a2cb0e6b9bbaa68b847a1a272e9e6a3d8d20450e38
SHA512 6fecd9ab4969f52930ae1e9bf659dacd34d8a8b7dedb79068bfafaa96bb746cdb08a2228b0df0c673a6f836bcfe567ccc617e5ea3680c040395a9e18f8669e57

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 16:34

Reported

2024-11-12 16:37

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe"

Signatures

Akira

ransomware akira

Akira family

akira

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Renames multiple (8413) files with added filename extension

ransomware

Command and Scripting Interpreter: PowerShell

execution ransowmware

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.tlb C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.js C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_TeethSmile.png C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\it-it\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxMetadata\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\ui-strings.js C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.dic C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\In.ps1 C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\download.svg C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-24_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_cs_135x40.svg C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\co\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-36_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe

"C:\Users\Admin\AppData\Local\Temp\ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5.bin.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4tbd5wiu.fr1.ps1

C:\Program Files (x86)\akira_readme.txt

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
