akira | 566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739

Analysis

max time kernel
127s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
Size

1.0MB
MD5

4b807353dfbeadaddb392627e27470f9
SHA1

7144371d00217533f49e03d40f650f3349fd04d1
SHA256

566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739
SHA512

837875efffe6b85983cee5e4dd938e201bf3be1e6c4c5e4effdbad8ed0f4f3d58e22f5d9b196703d7b6b099ec59e1b44ac3edc76b685681951b0b4e09828a32c
SSDEEP

12288:Vpp+QIEmDzuImC01vbUE98pik+2i1NkshdMMK+AX99etq2dTdqf:Vpp+Q+u5bUI8pij1NkshdMf99etb5c

Score

10^/10

akira execution persistence ransomware ransowmware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\akira_readme.txt

Family

akira

Ransom Note

Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion. 3. Use this code - 0561-LH-GHCU-ZSTZ - to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion

Signatures

Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
ransomware akira
Akira family
akira

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2060	powershell.exe

Renames multiple (8666) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell command to delete shadowcopy.
execution ransowmware

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2460 powershell.exe

pid	process
2460	powershell.exe

Drops startup file 1 IoCs

Processes:

566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 47 IoCs

Processes:

566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TUVLNS83\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HUSZWRNT\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OIPA882W\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F17E26FP\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03451_.WMF	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03731_.WMF	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Windows Journal\NBDoc.DLL	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00224_.WMF	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanReport.Dotx	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216724.WMF	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\settings.css	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPDESIGN.DLL	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Oral	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_SlateBlue.gif	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXT	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImageMask.bmp	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.DPV	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\PREVIEW.GIF	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tirane	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURE.CFG	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0172067.WMF	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00095_.WMF	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBHED98.POC	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\settings.css	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Casablanca	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099200.GIF	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_ja.jar	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Eirunepe	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\a2bbd2db1ef7ec9f66ec97128c44b432.arika	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\akira_readme.txt	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02268_.WMF	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exepowershell.exe

pid	process
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2460	powershell.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
2644	566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1948 explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

powershell.exevssvc.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeBackupPrivilege	2432	vssvc.exe
Token: SeRestorePrivilege	2432	vssvc.exe
Token: SeAuditPrivilege	2432	vssvc.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exe

pid	process
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe
"C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\akira_readme.txt

Filesize
2KB

MD5
6cebf6475fc85d813f51f27b29b423e4

SHA1
83b7abf27a2559bb07b4bfc8f534294b178ca0da

SHA256
c919c167f9e936f48b5f7a79926840a1abc7772d7a9ba98b33c447d67a9ea2bf

SHA512
e3eccda216a798ea85df18c24353d0ebeafc04a5678c390f063809db3eda6f09a9a17429708ca6cb3e41c79878ed4462edba6e1ff02a4a6d4fa3a710823ef4e1

Download Submit
C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL

Filesize
6.4MB

MD5
0e51fd4afc5c208964654c3e1a80eb63

SHA1
b7e2fb5228091e1fe6c6de2b5736a287dd360ef9

SHA256
fca53608ebc766f03389f302ab46dcd5f7cd655980e7232cf45e9c2ec8893068

SHA512
021fc8d51896b34e1b58d3c65e667fff131bf2c9c1164109bb15db94d4c01cfd14662fc05eaab8014b4742356138dbe5605ab87b08723031a42168aaab796045

Download Submit
C:\Users\Admin\Desktop\AssertSet.7z.akira

Filesize
448KB

MD5
851ff511898d135331d708f16bd5b7eb

SHA1
54a28c12b7d4e94a2d9448931ea4d3832a8cfa3c

SHA256
05e8939bc299a05a9d40516d7ee0378cda5d6a92d012bab90b135f8f42bcebc9

SHA512
278c2a5dc6d7218b0a519196443559691cd115a5e4f5ec6b9efce824f3a7b3ecde5116ce25fd6e7246e6f32868c1d4e1311071262c2a1327247e6fc5791a27be

Download Submit
C:\Users\Admin\Desktop\ConvertFromPush.mov.akira

Filesize
512KB

MD5
a538a800edff99383f81b233a70606c9

SHA1
c460bf2608ca9054b431dc32239090569b83306f

SHA256
d743cb36ccd12c8ff9a0ff38ae1105fa968a7418e34d8d45bb3854f9ca0887db

SHA512
0f916d5bfc7b7165c0de2e6005559e24a6aec2676901d5f15b626d10696591520581c4c47a9fc7758ae99bf72843a018a35bd5f9eac614eca2d262c95b15711d

Download Submit
C:\Users\Admin\Desktop\ConvertSync.ADTS.akira

Filesize
704KB

MD5
6928853d88d4f242ebe3c812a53220bc

SHA1
08192e8b5b3c9261d57545c12a6f55077fc01551

SHA256
a640a05c87c7a479540f3dc06a9d0f767cd603c4106eda03a20ec59ae4745eba

SHA512
f8561fc8f4799ae910cd8888b745d9b9f8c71a36acc43326665770d835cc1d8ad52468a5458d9c211f166b7934f4862498d009065e8c5c332357cb6c24af5e48

Download Submit
C:\Users\Admin\Desktop\CopyEdit.mpeg2.akira

Filesize
480KB

MD5
8dd8470f36e59f06da9bd211b155e5e9

SHA1
13a71eb2e7be1475de03b7d521c96c14df07f91c

SHA256
9c6cd37b418feb8578ac4bf922432e1bcbcd7e4c61e045a000aa3450f29699db

SHA512
deb3a39d7d6f19333b9a5058cbb495b32b5f25e39e23a724fa588c2821f7b3211f3caf8ff41c893e592f161488793b304e07f75ae32c3a54353362dcc09c3a70

Download Submit
C:\Users\Admin\Desktop\CopyWatch.wma.akira

Filesize
416KB

MD5
6c7857dd1fd61096066c188c48eefcf6

SHA1
b75a5149f5872ca8573f0ecb5c39e6d1fb1651d8

SHA256
5fbfbe21b70c396845d56b649297a7eae998261d1487cb808aa52bf62d99c12e

SHA512
0c84a752c04bb7b5b7eebcc1fe2e0b64233f5a948c4545a075b186bec3c15b52851cd32fe92d4932cbd0a87685cd96a5f8d58e8534eae0b0641c68a018bacac0

Download Submit
C:\Users\Admin\Desktop\DebugUnpublish.ram.akira

Filesize
736KB

MD5
1376756dcb069ebbccc06840c2252987

SHA1
bd3c952fc782a95ddc8c60377968b29159547d2e

SHA256
307894fe4dccce6c218a601c5402622825160640f350dcd314f8a07c02c55a24

SHA512
6e2eeafcbadd73852bd21b43183ae94bf946c0d7ac23e49bfda955e0755db7f710ff10f359e42a6e38d44bb0eae3ccd930a5eaf114f6b7afb0c11500c100ed9c

Download Submit
C:\Users\Admin\Desktop\DismountWrite.cfg.akira

Filesize
608KB

MD5
ea6ef5afdf6422560e3f591ab610e606

SHA1
f412e1b1573ef20436b30be56b0ac9f2ee894393

SHA256
9595e37a48b84f86ee8d4306bd982712ddfe06a80e38c8ab701d0af4fe413194

SHA512
d1470bbda67a48d9626bad54b39170a042ac8596488a849dd193163e2ff8f7456264716f52c3c830a7d84a6aa24c07504ddf58e1ab8b2edf90fd0ac0e8a13b5f

Download Submit
C:\Users\Admin\Desktop\EnterMeasure.001.akira

Filesize
896KB

MD5
0f32f3e4f75c05f9560a2f2d5856ed71

SHA1
269287c7982372dedea4757f5a675d80876a25b5

SHA256
3839c1569446648a9d2a2f980a39c9a317629ca8659df1bda033165a55802d45

SHA512
431ee32da13be2944c1d8025cd177ddaeae878c819649d073d55ad1f14bffb75ba57ddd3b954bec9038f28813c6fcfc0baccad1a96788865d1f9fc03c87bf831

Download Submit
C:\Users\Admin\Desktop\ExitSave.M2TS.akira

Filesize
992KB

MD5
b323f7f8855e0fc631a005892657bec0

SHA1
d89d8fc79029878872c034e3209811114f2196d9

SHA256
eee5c9f4b30583890ddfb31424c9620f0f51f75cfcb5e3093450999a1c11478d

SHA512
0f93f7cbeb22dc56abf0d38aed2fc58a1f39d6ad85c9d5f2200c75991fa468ecc8302e1886717894aa76d63300a27e75dd795203be94f6dd9944a3746df321a7

Download Submit
C:\Users\Admin\Desktop\ExportSwitch.m3u.akira

Filesize
960KB

MD5
01b43fbdb5884d28edcd94e25db5b02b

SHA1
18840913f4f44eb97ba4bb46f9633bb3bc0704ac

SHA256
3b2ba64223333990d3a25476aa3e8bfa42c4324f120f0a28160dc40464c503bc

SHA512
f79c7b598526e3e9df679a6c134b69cbf100de851d753ba807b6fd43cfea75972734411139dbebf67d8ed1d3ce474ce23d03826bc14888651573007ae2760fda

Download Submit
C:\Users\Admin\Desktop\GrantRequest.xml.akira

Filesize
544KB

MD5
b3b977da3f411e6aff39e2f6e62d2e4e

SHA1
08b6b056f53a0dcd1f658e7b7fcfd650711f9c22

SHA256
877f093236e6a6ffe6f89edd950c376329c0b50f24b2f9dfc51659034ca7b41e

SHA512
960144a2a1d46fa245a293864fca2cff552059fb95414849ada1b71176311eee9a57ed56e630391c4e63beddd63f18354ad5bcb3acc8e5c3e3279074061853db

Download Submit
C:\Users\Admin\Desktop\GrantSwitch.docx.akira

Filesize
20KB

MD5
345fd19677b7111bd033feb6972ae1fa

SHA1
3d12599f000b0656b97a5b2942f8e39fc58b3aca

SHA256
fbb28da6cf3ad2cce740f4ba7bab2a679b4decac0d6ee7c2919561de2ed99097

SHA512
8d0b04c088559c6da054bd852f557b26ad333593be2b016a875e143b5617d69b045b15f7c581ba0366f17eb9c94c068fe894716a252edeb7f72b7ea40532330b

Download Submit
C:\Users\Admin\Desktop\ImportSuspend.clr.akira

Filesize
576KB

MD5
f31be399dea0908634ca8c557bcdd71e

SHA1
bcb391691fe8f837610392680a1249a69ef80b1f

SHA256
8e99d45793564f2d7340e6187fdbd1cac9551a1e11d83501c86512c02f98c41a

SHA512
3a790c7c558ac44cbe597b118761d1a6475b34cbf9bce3e98b4dd4e059c0f446e752f82975afed7db80f0a65c1ee7df514a543b2d92e4c0d7d95cbeab2b6906a

Download Submit
C:\Users\Admin\Desktop\MountUnblock.tif.akira

Filesize
928KB

MD5
39e2b938a5b76d89422e8064fb2efeee

SHA1
26ebe2929106b78fa303493e560e9176b1b946a3

SHA256
b53838c24ba2bb51a319c1bb7ae447ff9d9650133a86ecd386b27a6b07ebcefc

SHA512
0a041d501d53236e009adcdb034a49c9f150355e5208fe7a7a0e00b9d2377bf615f21ee4ae96b08dd4ca635995d1be5f8ff5091a5e46b0aa448b119e5cfd7434

Download Submit
C:\Users\Admin\Desktop\NewExpand.jtx.akira

Filesize
768KB

MD5
15dc26d72ff1f357a13c7bbf167cac28

SHA1
d325a33c284baa441771159efb2363c36d404ab3

SHA256
2c66af5e9db581da55f8a65730980d906b680f3c2ed2e918d43dc81433391309

SHA512
4f0db0912d212fea8dca19da2fd9ef540875878f25b711ef0b7e984b4e1669718b08bb24376c60e00eeed0fe5cf8a3059f4b17ab0b4bcc5c569c71262a228a41

Download Submit
C:\Users\Admin\Desktop\PublishWrite.contact.akira

Filesize
1.1MB

MD5
dea9870bacfd24ea623bba1f484acdda

SHA1
e7e8159311b82658bfafeae6e57931d12397a78e

SHA256
4465d823bd5503e16405a2e5533948baa841ddefa26817f2772400ccc088c7e5

SHA512
dda57e7915b42d4bf73d4882e09c40e91bf1a89e5a4ba9d70e521abcd3001cb1ad607049e264b911383509323d46fab0f25e407f47bc15dd024b06606df683ed

Download Submit
C:\Users\Admin\Desktop\ReadEnable.wmx.akira

Filesize
864KB

MD5
34a7de0f52a536fc59e89195832c4296

SHA1
ad3b784e12ca5d73062528bb804f76e466333b11

SHA256
7fb7c23f70e0fa66ea730cf5add3807fa24ca4030af94257ddd28d74fd78b67e

SHA512
6f8601444e4d27c487dd84facf96baf32cd0ea8d7b7490db12b44af62c0a1c782064f9aee8f05690543343d3a2f4b19a1344b028e98ee0322028b7c68cf8e3c9

Download Submit
C:\Users\Admin\Desktop\RenameExport.xlsx.akira

Filesize
12KB

MD5
d64b8f1b48a18b246ceba0cb18a4b939

SHA1
7c33e843e60cc51afcc95cfec66f70ff7deb92cb

SHA256
64134ebcedc6ed86e3550915d7b5ffd77ebb52b4992efb775ec4577377652c73

SHA512
aa999f4b380f385f8a856c0dbcdd769645b4d6845cfb2363d4109d83126d1628d432efce3c912e5503ac46955f553f3a2c0f28e0dff2ad77d944f951b0e631bb

Download Submit
C:\Users\Admin\Desktop\RepairSplit.jpe.akira

Filesize
1.0MB

MD5
e65ac2cb90c809da66434b999a9482ba

SHA1
b387b2b9461ae99d37bedd92c324d0bd6aed9c42

SHA256
bdf45cb899d3526e9080fc5c14521935f706961ed1d18355e802a2ab7303fe1c

SHA512
95c87934d86160447451204e3f928bb08d01b3a4ac38fe6aefa34461272d15fd30cee87f5a798e25604296a011c94c0235ea8a89170faee910a60960005d88e6

Download Submit
C:\Users\Admin\Desktop\SaveInitialize.emz.akira

Filesize
832KB

MD5
08c0eaabe11a71f17b3b9bdd395d4155

SHA1
3bcdd6b3e09672d450eef0a3b749ca451a0326bc

SHA256
0d2bd0c5dbb9331a48c623758a17788a686a307f019f013da10eacf738b9a569

SHA512
9488254cde441039bdf04a0a26836b33032b791ecb6c89bc014756744bc535eb28f9bcc4ef5d6681d2e2513124503b4e5ca84946ce9aa9a3465d5156290ba1dd

Download Submit
C:\Users\Admin\Desktop\SaveUninstall.ADT.akira

Filesize
640KB

MD5
bd4f6c3e4ca701211356cc3ff99931b5

SHA1
a4fe6fa7b2e02bbfcae0efbfbe897ca86abf2603

SHA256
f7e326a007cbb81e4666d371cd24b88819b874e9ed2d5932d251af319b2d127f

SHA512
140df411e86f960ba3fa6ba3c686dd164f416d87e1abcb82b53e6b222ed48929a68a6b3209edfab8d36190f5c3c795826ad5ebb906aa403a19d5fb52eff9a2d0

Download Submit
C:\Users\Admin\Desktop\SkipTrace.odp.akira

Filesize
800KB

MD5
db8dd1b66c38bdd0768e0ffd58adf14d

SHA1
c3beb712bf0917666e4c7b7316cb52972a4453c7

SHA256
0e24e4e40d5cd62e2bbaad2864e8f64ef002dc9a8a55781a8ae278a548c235c9

SHA512
89b3eca24a3990e682558cf8a5ea9df84c28e77bb17478b4ad99f2b604154101bf38e4ccc93768b3fc75fae1ce7f4a501d24abf9c02475ade66c874468072677

Download Submit
C:\Users\Admin\Desktop\StartCompress.crw.akira

Filesize
1.0MB

MD5
a296f3a3e16ee92fb40160f3585ba899

SHA1
0612a9a529c515c2ea0d352ec64fae878ca06e43

SHA256
d58ebbac76f1f7571650453a5796c2c103e6f03d1fff8924e85c3b6ef6a7703f

SHA512
2e893913fbafa4f4cbac773aca91f14becffc1891700f3faa8541b36e474fc3b6535ca8b849e1a901955d0ca81ea6e928f434eb48c693b11e2044ab3d161bb95

Download Submit
C:\Users\Admin\Desktop\StopClose.html.akira

Filesize
1.5MB

MD5
203d7d705db458fad8b03b8d158f6e68

SHA1
086d58d20f1f6e890031a9cd67ecabfa17bd80de

SHA256
2db6cb0d756a708b0b73904de7ad95871b8744bbff972150c0bc589885c170aa

SHA512
9119b9e53f60a63936a941439442d59facc4a93ff5e3caf6a28f5a900ca520efab84d8d04817921b749f46caafa1314cfb8d8d25f1df3b4ff18fbec3ec62cc97

Download Submit
C:\Users\Admin\Desktop\UninstallExpand.xlsx.akira

Filesize
13KB

MD5
cc769177413621ea23b3b5b635188bac

SHA1
f687c8333a52b5031f09824b6f7f071dd1a08f4b

SHA256
55883f9b1f815f7b3d33b68370693039540bf3bcd9b9266fd2b9c70755274c38

SHA512
a7dde9e3431cd981093417dab80e93619ea594549d2f48797903df7e319280445ef66d814cb45f9e0a003e5ac18556b8dfc0ce3af3f429f14ce2e3c02094c04a

Download Submit
C:\Users\Admin\Desktop\WriteCheckpoint.mp2.akira

Filesize
672KB

MD5
8dc83db0b9aa0ed87bb7cdc46aaed3bc

SHA1
a8b7839af429c6467bf8305cadafe6219b8cc60f

SHA256
123b21907319b0adca3d793cb8ebbc43540ce14d124896c2089e836e4b7541f5

SHA512
827a37918c33230cba22361c81837b220c0c61118a0f003411da3abf0e266a146f91b7bae8a9f546dae719d368a3ee5ab15339d63bbcbf76b2126d61feeddf95

Download Submit
memory/2460-4-0x000007FEF667E000-0x000007FEF667F000-memory.dmp

Filesize
4KB

Download
memory/2460-10-0x000007FEF63C0000-0x000007FEF6D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-9-0x000007FEF63C0000-0x000007FEF6D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-8-0x000007FEF63C0000-0x000007FEF6D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-7-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2460-6-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2460-5-0x000007FEF63C0000-0x000007FEF6D5D000-memory.dmp

Filesize
9.6MB

Download