Malware Analysis Report

2024-12-07 10:15

Sample ID 241112-t3xqtsvqhy
Target 566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.sample
SHA256 566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739
Tags akira execution persistence ransomware ransowmware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739

Threat Level: Known bad

The file 566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.sample was found to be: Known bad.

Malicious Activity Summary

akira execution persistence ransomware ransowmware spyware stealer

Process spawned unexpected child process

Akira

Akira family

Renames multiple (8666) files with added filename extension

Renames multiple (8389) files with added filename extension

Boot or Logon Autostart Execution: Active Setup

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 16:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 16:35

Reported

2024-11-12 16:38

Platform

win7-20240903-en

Max time kernel

127s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe"

Signatures

Akira

ransomware akira

Akira family

akira

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Renames multiple (8666) files with added filename extension

ransomware

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Command and Scripting Interpreter: PowerShell

execution ransowmware
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TUVLNS83\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HUSZWRNT\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OIPA882W\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F17E26FP\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\El_Salvador C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03451_.WMF C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03731_.WMF C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5 C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Windows Journal\NBDoc.DLL C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00224_.WMF C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanReport.Dotx C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216724.WMF C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\settings.css C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\IPDESIGN.DLL C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Oral C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_SlateBlue.gif C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXT C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImageMask.bmp C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.DPV C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Tirane C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURE.CFG C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\dependentlibs.list C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\it.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0172067.WMF C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00095_.WMF C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBHED98.POC C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\settings.css C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Casablanca C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099200.GIF C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_ja.jar C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Eirunepe C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\a2bbd2db1ef7ec9f66ec97128c44b432.arika C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02268_.WMF C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Windows\explorer.exe N/A
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe C:\Windows\explorer.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe

"C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\explorer.exe

explorer.exe

Network

N/A

Files

memory/2460-4-0x000007FEF667E000-0x000007FEF667F000-memory.dmp

memory/2460-5-0x000007FEF63C0000-0x000007FEF6D5D000-memory.dmp

memory/2460-6-0x000000001B710000-0x000000001B9F2000-memory.dmp

memory/2460-7-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

memory/2460-8-0x000007FEF63C0000-0x000007FEF6D5D000-memory.dmp

memory/2460-9-0x000007FEF63C0000-0x000007FEF6D5D000-memory.dmp

memory/2460-10-0x000007FEF63C0000-0x000007FEF6D5D000-memory.dmp

C:\MSOCache\All Users\akira_readme.txt

MD5 6cebf6475fc85d813f51f27b29b423e4
SHA1 83b7abf27a2559bb07b4bfc8f534294b178ca0da
SHA256 c919c167f9e936f48b5f7a79926840a1abc7772d7a9ba98b33c447d67a9ea2bf
SHA512 e3eccda216a798ea85df18c24353d0ebeafc04a5678c390f063809db3eda6f09a9a17429708ca6cb3e41c79878ed4462edba6e1ff02a4a6d4fa3a710823ef4e1

C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL

MD5 0e51fd4afc5c208964654c3e1a80eb63
SHA1 b7e2fb5228091e1fe6c6de2b5736a287dd360ef9
SHA256 fca53608ebc766f03389f302ab46dcd5f7cd655980e7232cf45e9c2ec8893068
SHA512 021fc8d51896b34e1b58d3c65e667fff131bf2c9c1164109bb15db94d4c01cfd14662fc05eaab8014b4742356138dbe5605ab87b08723031a42168aaab796045

C:\Users\Admin\Desktop\ExportSwitch.m3u.akira

MD5 01b43fbdb5884d28edcd94e25db5b02b
SHA1 18840913f4f44eb97ba4bb46f9633bb3bc0704ac
SHA256 3b2ba64223333990d3a25476aa3e8bfa42c4324f120f0a28160dc40464c503bc
SHA512 f79c7b598526e3e9df679a6c134b69cbf100de851d753ba807b6fd43cfea75972734411139dbebf67d8ed1d3ce474ce23d03826bc14888651573007ae2760fda

C:\Users\Admin\Desktop\WriteCheckpoint.mp2.akira

MD5 8dc83db0b9aa0ed87bb7cdc46aaed3bc
SHA1 a8b7839af429c6467bf8305cadafe6219b8cc60f
SHA256 123b21907319b0adca3d793cb8ebbc43540ce14d124896c2089e836e4b7541f5
SHA512 827a37918c33230cba22361c81837b220c0c61118a0f003411da3abf0e266a146f91b7bae8a9f546dae719d368a3ee5ab15339d63bbcbf76b2126d61feeddf95

C:\Users\Admin\Desktop\ReadEnable.wmx.akira

MD5 34a7de0f52a536fc59e89195832c4296
SHA1 ad3b784e12ca5d73062528bb804f76e466333b11
SHA256 7fb7c23f70e0fa66ea730cf5add3807fa24ca4030af94257ddd28d74fd78b67e
SHA512 6f8601444e4d27c487dd84facf96baf32cd0ea8d7b7490db12b44af62c0a1c782064f9aee8f05690543343d3a2f4b19a1344b028e98ee0322028b7c68cf8e3c9

C:\Users\Admin\Desktop\GrantRequest.xml.akira

MD5 b3b977da3f411e6aff39e2f6e62d2e4e
SHA1 08b6b056f53a0dcd1f658e7b7fcfd650711f9c22
SHA256 877f093236e6a6ffe6f89edd950c376329c0b50f24b2f9dfc51659034ca7b41e
SHA512 960144a2a1d46fa245a293864fca2cff552059fb95414849ada1b71176311eee9a57ed56e630391c4e63beddd63f18354ad5bcb3acc8e5c3e3279074061853db

C:\Users\Admin\Desktop\GrantSwitch.docx.akira

MD5 345fd19677b7111bd033feb6972ae1fa
SHA1 3d12599f000b0656b97a5b2942f8e39fc58b3aca
SHA256 fbb28da6cf3ad2cce740f4ba7bab2a679b4decac0d6ee7c2919561de2ed99097
SHA512 8d0b04c088559c6da054bd852f557b26ad333593be2b016a875e143b5617d69b045b15f7c581ba0366f17eb9c94c068fe894716a252edeb7f72b7ea40532330b

C:\Users\Admin\Desktop\ImportSuspend.clr.akira

MD5 f31be399dea0908634ca8c557bcdd71e
SHA1 bcb391691fe8f837610392680a1249a69ef80b1f
SHA256 8e99d45793564f2d7340e6187fdbd1cac9551a1e11d83501c86512c02f98c41a
SHA512 3a790c7c558ac44cbe597b118761d1a6475b34cbf9bce3e98b4dd4e059c0f446e752f82975afed7db80f0a65c1ee7df514a543b2d92e4c0d7d95cbeab2b6906a

C:\Users\Admin\Desktop\MountUnblock.tif.akira

MD5 39e2b938a5b76d89422e8064fb2efeee
SHA1 26ebe2929106b78fa303493e560e9176b1b946a3
SHA256 b53838c24ba2bb51a319c1bb7ae447ff9d9650133a86ecd386b27a6b07ebcefc
SHA512 0a041d501d53236e009adcdb034a49c9f150355e5208fe7a7a0e00b9d2377bf615f21ee4ae96b08dd4ca635995d1be5f8ff5091a5e46b0aa448b119e5cfd7434

C:\Users\Admin\Desktop\NewExpand.jtx.akira

MD5 15dc26d72ff1f357a13c7bbf167cac28
SHA1 d325a33c284baa441771159efb2363c36d404ab3
SHA256 2c66af5e9db581da55f8a65730980d906b680f3c2ed2e918d43dc81433391309
SHA512 4f0db0912d212fea8dca19da2fd9ef540875878f25b711ef0b7e984b4e1669718b08bb24376c60e00eeed0fe5cf8a3059f4b17ab0b4bcc5c569c71262a228a41

C:\Users\Admin\Desktop\PublishWrite.contact.akira

MD5 dea9870bacfd24ea623bba1f484acdda
SHA1 e7e8159311b82658bfafeae6e57931d12397a78e
SHA256 4465d823bd5503e16405a2e5533948baa841ddefa26817f2772400ccc088c7e5
SHA512 dda57e7915b42d4bf73d4882e09c40e91bf1a89e5a4ba9d70e521abcd3001cb1ad607049e264b911383509323d46fab0f25e407f47bc15dd024b06606df683ed

C:\Users\Admin\Desktop\AssertSet.7z.akira

MD5 851ff511898d135331d708f16bd5b7eb
SHA1 54a28c12b7d4e94a2d9448931ea4d3832a8cfa3c
SHA256 05e8939bc299a05a9d40516d7ee0378cda5d6a92d012bab90b135f8f42bcebc9
SHA512 278c2a5dc6d7218b0a519196443559691cd115a5e4f5ec6b9efce824f3a7b3ecde5116ce25fd6e7246e6f32868c1d4e1311071262c2a1327247e6fc5791a27be

C:\Users\Admin\Desktop\RenameExport.xlsx.akira

MD5 d64b8f1b48a18b246ceba0cb18a4b939
SHA1 7c33e843e60cc51afcc95cfec66f70ff7deb92cb
SHA256 64134ebcedc6ed86e3550915d7b5ffd77ebb52b4992efb775ec4577377652c73
SHA512 aa999f4b380f385f8a856c0dbcdd769645b4d6845cfb2363d4109d83126d1628d432efce3c912e5503ac46955f553f3a2c0f28e0dff2ad77d944f951b0e631bb

C:\Users\Admin\Desktop\RepairSplit.jpe.akira

MD5 e65ac2cb90c809da66434b999a9482ba
SHA1 b387b2b9461ae99d37bedd92c324d0bd6aed9c42
SHA256 bdf45cb899d3526e9080fc5c14521935f706961ed1d18355e802a2ab7303fe1c
SHA512 95c87934d86160447451204e3f928bb08d01b3a4ac38fe6aefa34461272d15fd30cee87f5a798e25604296a011c94c0235ea8a89170faee910a60960005d88e6

C:\Users\Admin\Desktop\SaveInitialize.emz.akira

MD5 08c0eaabe11a71f17b3b9bdd395d4155
SHA1 3bcdd6b3e09672d450eef0a3b749ca451a0326bc
SHA256 0d2bd0c5dbb9331a48c623758a17788a686a307f019f013da10eacf738b9a569
SHA512 9488254cde441039bdf04a0a26836b33032b791ecb6c89bc014756744bc535eb28f9bcc4ef5d6681d2e2513124503b4e5ca84946ce9aa9a3465d5156290ba1dd

C:\Users\Admin\Desktop\SaveUninstall.ADT.akira

MD5 bd4f6c3e4ca701211356cc3ff99931b5
SHA1 a4fe6fa7b2e02bbfcae0efbfbe897ca86abf2603
SHA256 f7e326a007cbb81e4666d371cd24b88819b874e9ed2d5932d251af319b2d127f
SHA512 140df411e86f960ba3fa6ba3c686dd164f416d87e1abcb82b53e6b222ed48929a68a6b3209edfab8d36190f5c3c795826ad5ebb906aa403a19d5fb52eff9a2d0

C:\Users\Admin\Desktop\SkipTrace.odp.akira

MD5 db8dd1b66c38bdd0768e0ffd58adf14d
SHA1 c3beb712bf0917666e4c7b7316cb52972a4453c7
SHA256 0e24e4e40d5cd62e2bbaad2864e8f64ef002dc9a8a55781a8ae278a548c235c9
SHA512 89b3eca24a3990e682558cf8a5ea9df84c28e77bb17478b4ad99f2b604154101bf38e4ccc93768b3fc75fae1ce7f4a501d24abf9c02475ade66c874468072677

C:\Users\Admin\Desktop\StartCompress.crw.akira

MD5 a296f3a3e16ee92fb40160f3585ba899
SHA1 0612a9a529c515c2ea0d352ec64fae878ca06e43
SHA256 d58ebbac76f1f7571650453a5796c2c103e6f03d1fff8924e85c3b6ef6a7703f
SHA512 2e893913fbafa4f4cbac773aca91f14becffc1891700f3faa8541b36e474fc3b6535ca8b849e1a901955d0ca81ea6e928f434eb48c693b11e2044ab3d161bb95

C:\Users\Admin\Desktop\StopClose.html.akira

MD5 203d7d705db458fad8b03b8d158f6e68
SHA1 086d58d20f1f6e890031a9cd67ecabfa17bd80de
SHA256 2db6cb0d756a708b0b73904de7ad95871b8744bbff972150c0bc589885c170aa
SHA512 9119b9e53f60a63936a941439442d59facc4a93ff5e3caf6a28f5a900ca520efab84d8d04817921b749f46caafa1314cfb8d8d25f1df3b4ff18fbec3ec62cc97

C:\Users\Admin\Desktop\UninstallExpand.xlsx.akira

MD5 cc769177413621ea23b3b5b635188bac
SHA1 f687c8333a52b5031f09824b6f7f071dd1a08f4b
SHA256 55883f9b1f815f7b3d33b68370693039540bf3bcd9b9266fd2b9c70755274c38
SHA512 a7dde9e3431cd981093417dab80e93619ea594549d2f48797903df7e319280445ef66d814cb45f9e0a003e5ac18556b8dfc0ce3af3f429f14ce2e3c02094c04a

C:\Users\Admin\Desktop\ConvertFromPush.mov.akira

MD5 a538a800edff99383f81b233a70606c9
SHA1 c460bf2608ca9054b431dc32239090569b83306f
SHA256 d743cb36ccd12c8ff9a0ff38ae1105fa968a7418e34d8d45bb3854f9ca0887db
SHA512 0f916d5bfc7b7165c0de2e6005559e24a6aec2676901d5f15b626d10696591520581c4c47a9fc7758ae99bf72843a018a35bd5f9eac614eca2d262c95b15711d

C:\Users\Admin\Desktop\ConvertSync.ADTS.akira

MD5 6928853d88d4f242ebe3c812a53220bc
SHA1 08192e8b5b3c9261d57545c12a6f55077fc01551
SHA256 a640a05c87c7a479540f3dc06a9d0f767cd603c4106eda03a20ec59ae4745eba
SHA512 f8561fc8f4799ae910cd8888b745d9b9f8c71a36acc43326665770d835cc1d8ad52468a5458d9c211f166b7934f4862498d009065e8c5c332357cb6c24af5e48

C:\Users\Admin\Desktop\CopyEdit.mpeg2.akira

MD5 8dd8470f36e59f06da9bd211b155e5e9
SHA1 13a71eb2e7be1475de03b7d521c96c14df07f91c
SHA256 9c6cd37b418feb8578ac4bf922432e1bcbcd7e4c61e045a000aa3450f29699db
SHA512 deb3a39d7d6f19333b9a5058cbb495b32b5f25e39e23a724fa588c2821f7b3211f3caf8ff41c893e592f161488793b304e07f75ae32c3a54353362dcc09c3a70

C:\Users\Admin\Desktop\CopyWatch.wma.akira

MD5 6c7857dd1fd61096066c188c48eefcf6
SHA1 b75a5149f5872ca8573f0ecb5c39e6d1fb1651d8
SHA256 5fbfbe21b70c396845d56b649297a7eae998261d1487cb808aa52bf62d99c12e
SHA512 0c84a752c04bb7b5b7eebcc1fe2e0b64233f5a948c4545a075b186bec3c15b52851cd32fe92d4932cbd0a87685cd96a5f8d58e8534eae0b0641c68a018bacac0

C:\Users\Admin\Desktop\DebugUnpublish.ram.akira

MD5 1376756dcb069ebbccc06840c2252987
SHA1 bd3c952fc782a95ddc8c60377968b29159547d2e
SHA256 307894fe4dccce6c218a601c5402622825160640f350dcd314f8a07c02c55a24
SHA512 6e2eeafcbadd73852bd21b43183ae94bf946c0d7ac23e49bfda955e0755db7f710ff10f359e42a6e38d44bb0eae3ccd930a5eaf114f6b7afb0c11500c100ed9c

C:\Users\Admin\Desktop\DismountWrite.cfg.akira

MD5 ea6ef5afdf6422560e3f591ab610e606
SHA1 f412e1b1573ef20436b30be56b0ac9f2ee894393
SHA256 9595e37a48b84f86ee8d4306bd982712ddfe06a80e38c8ab701d0af4fe413194
SHA512 d1470bbda67a48d9626bad54b39170a042ac8596488a849dd193163e2ff8f7456264716f52c3c830a7d84a6aa24c07504ddf58e1ab8b2edf90fd0ac0e8a13b5f

C:\Users\Admin\Desktop\EnterMeasure.001.akira

MD5 0f32f3e4f75c05f9560a2f2d5856ed71
SHA1 269287c7982372dedea4757f5a675d80876a25b5
SHA256 3839c1569446648a9d2a2f980a39c9a317629ca8659df1bda033165a55802d45
SHA512 431ee32da13be2944c1d8025cd177ddaeae878c819649d073d55ad1f14bffb75ba57ddd3b954bec9038f28813c6fcfc0baccad1a96788865d1f9fc03c87bf831

C:\Users\Admin\Desktop\ExitSave.M2TS.akira

MD5 b323f7f8855e0fc631a005892657bec0
SHA1 d89d8fc79029878872c034e3209811114f2196d9
SHA256 eee5c9f4b30583890ddfb31424c9620f0f51f75cfcb5e3093450999a1c11478d
SHA512 0f93f7cbeb22dc56abf0d38aed2fc58a1f39d6ad85c9d5f2200c75991fa468ecc8302e1886717894aa76d63300a27e75dd795203be94f6dd9944a3746df321a7

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 16:35

Reported

2024-11-12 16:38

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe"

Signatures

Akira

ransomware akira

Akira family

akira

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Renames multiple (8389) files with added filename extension

ransomware

Command and Scripting Interpreter: PowerShell

execution ransowmware

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_contrast-white.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\LargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files\Common Files\System\ado\fr-FR\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\bubble\dark.gif C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_zh-TW.json C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ado\es-ES\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\MedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\ui-strings.js C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FBIBLIO.DLL C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\6445_48x48x32.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-48.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_contrast-black.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-150.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\id.pak C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe805.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-96_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-72_contrast-white.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUIRES.DLL C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-ES\View3d\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ind_prog.gif C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uk.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\ui-strings.js C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\akira_readme.txt C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe N/A (62 occurrences)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 occurrences)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe

"C:\Users\Admin\AppData\Local\Temp\566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739.bin.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/1964-0-0x00007FFB52733000-0x00007FFB52735000-memory.dmp

memory/1964-1-0x000001F1E3F00000-0x000001F1E3F22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bs5i2hol.cm0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1964-11-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp

memory/1964-12-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp

memory/1964-15-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp

C:\PerfLogs\akira_readme.txt

MD5 6cebf6475fc85d813f51f27b29b423e4
SHA1 83b7abf27a2559bb07b4bfc8f534294b178ca0da
SHA256 c919c167f9e936f48b5f7a79926840a1abc7772d7a9ba98b33c447d67a9ea2bf
SHA512 e3eccda216a798ea85df18c24353d0ebeafc04a5678c390f063809db3eda6f09a9a17429708ca6cb3e41c79878ed4462edba6e1ff02a4a6d4fa3a710823ef4e1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 cc438e64745e14bc28f50736dba5ffab
SHA1 8dec4488febdb9d599feb8901ec4d792f187e18c
SHA256 b1720123b5912e58e98477363533c7819666c055aaefe96cd657e35cc807d800
SHA512 3dc2bc5361bdb7951fc49766dafda24e9fd7f23295cb559df2f69f0d86cf8b13db76d8b277afc53302dd7517d64263012fccbb04d205cac0d5f30842a7a6b561