akira | e7a44ea5adc366e7600623e7ff433d57cf3ba0bfac8171899497fec6c8a28acc

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
Size

1.0MB
MD5

834d44a077ef00f7b27c64998d8553a9
SHA1

8b941cb9ab2e5d93c9484f29136fdb579c11c7cd
SHA256

e7a44ea5adc366e7600623e7ff433d57cf3ba0bfac8171899497fec6c8a28acc
SHA512

e4d7b33e117161622b04b1622eddac2c17927dfb3ac919192367babf95b16dd69a512e8a96e08694bf094b6a147284955d37ed507550d4ff21ce24b95ba8f19c
SSDEEP

24576:FTyLPsJjVjzhWwiENiUGC86pNV2GNxgr+oBwGxGs:FTyLPsJjVjzliE0opNV2G7gr+o+GT

Score

10^/10

akira execution persistence ransomware ransowmware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\Admin\akira_readme.txt

Family

akira

Ransom Note

Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/3128244783-SKWFO 3. Use this code - 6490-RC-CJJU-IVKS - to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/3128244783-SKWFO

Signatures

Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
ransomware akira
Akira family
akira

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2724	powershell.exe	31

Renames multiple (8609) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell command to delete shadowcopy.

execution ransowmware

PowerShell

T1059.001

pid	Process
2880	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\akira_readme.txt	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 47 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IIIOELH0\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8IHN5N04\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\KZ8AGS28\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\07ABS1DK\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Public\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\La_Rioja	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\BREEZE.INF	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\La_Rioja	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\fr-FR\TableTextService.dll.mui	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\akira_readme.txt	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153398.WMF	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237759.WMF	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\HxRuntime.HxS	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql90.xsl	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_settings.png	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\akira_readme.txt	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00919_.WMF	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02091_.WMF	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\CHICAGO.XSL	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DOCL.ICO	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\mpvis.dll.mui	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Executive.eftx	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Mozilla Firefox\platform.ini	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\clock.css	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_bottom.png	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00636_.WMF	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00394_.WMF	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\akira_readme.txt	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CET	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\gadget.xml	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bahia_Banderas	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL016.XML	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanLetter.Dotx	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\akira_readme.txt	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterToolTemplates.xml	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.XML	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\e93341576d9f2590de47997606737cba.arika	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00932_.WMF	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ChessMCE.png	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
2880	powershell.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
1684	2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeBackupPrivilege	2776	vssvc.exe
Token: SeRestorePrivilege	2776	vssvc.exe
Token: SeAuditPrivilege	2776	vssvc.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-07_834d44a077ef00f7b27c64998d8553a9_akira_cobalt-strike.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL

Filesize
6.4MB

MD5
407eccb7a199033d8bb88dc30ddc28ea

SHA1
5c629ad1ab664d7e6a31677479cd93cdd4fd7a6b

SHA256
6c78c2e01889a950564a40b47da651304e11034f855f20ef0849755b6fbba8e5

SHA512
df83b7612327ddbfda5e97323f19a7b3be6d47f8100cf3097cff237b73c4cd316f098c1fc950d78c53e892e6e6c7eebec14695a1294863475c35f1c5580571e8

Download Submit
C:\PerfLogs\Admin\akira_readme.txt

Filesize
2KB

MD5
20e84c27f16e342bfcb57e5a980b1c0d

SHA1
eb44c723bcb323c2ce0cedf54ad1d6a76697e43a

SHA256
3d7d6237e988d65b5fa5ac4dbce2700c4c8b2b252aca9f15e10aac3b2bdb4d58

SHA512
0695a814de090e229290c787f1a3fa423a926444b961a49a5ffe8107f631555d459d829a3883460a13ce2d3c0f2bd49bb36f9fc856fa9fef3e2461edd139c75d

Download Submit
C:\Users\Admin\Desktop\CheckpointConvertTo.ADT.akira

Filesize
545KB

MD5
b0a47b1412ae28e3d0daa84e90039709

SHA1
c5336eb07f7dea1d073d7e4f55ee02a0347eadf5

SHA256
aa2fd3a0d8171e4b43b090ecdcbf078d481dd571a05791611a41ab5dbca236ac

SHA512
fec68dae0f3d76c333afdc4b0d0d8455be7ae4947e0c65d717138244f676390123ef5eed6dd617392a33539d186cf639c4a679a7d901245bf1af3d259b5045cb

Download Submit
C:\Users\Admin\Desktop\CompareSuspend.pcx.akira

Filesize
436KB

MD5
e7d7c50a455739a81b7f1116492fe272

SHA1
6fd0a57fa336622992f68df25e19aca0029fb3ee

SHA256
19100c42c18c9b11f24d0cac0b78faaeacab9fb179c8bb79fac365ead77d84d1

SHA512
43f0ccd743f4ac198443a0c541d654d0344a24811392412e90564549099980a34a2fbd442f7b41a6b7a0b8fdc4dae55170cfd674a1e151a2e58236b9c805ef74

Download Submit
C:\Users\Admin\Desktop\ConvertPublish.wav.akira

Filesize
382KB

MD5
b58b1178f67dc51f3e0287e6aa7503bd

SHA1
e89d2de5245f00706c53e8148500964596315484

SHA256
6a2c94cd7c4c6909e843b7f0ff663da6bf0f9ebcb03cec2ac76f3f3f4c67a52e

SHA512
d6896e65763c08f600e2c15309a70fa2d2dd0732bee374c804dbfb145b5116a677e0d0bf2f131b527cbb515f45768bfd0523ca80cec583dcbe9a22269a12d454

Download Submit
C:\Users\Admin\Desktop\ConvertToRename.TTS.akira

Filesize
400KB

MD5
ace467058c842447103c8ff315bf809d

SHA1
cef462d04761a71bde5150330c8b685a8306c2f5

SHA256
f5cf4a90ea7d8680dbec8ec8f1e0bc04434c6c0fe85512d4799b49f91d6f6183

SHA512
fc3a1b6475f8dc2217a483dc20e186188baa26ddd7597693a4e1ef81a54f58712626f9cec00b61d880a732293713b9dd6dd6f3cf2b754b1a70431f3068ac3d86

Download Submit
C:\Users\Admin\Desktop\ExitSplit.vbs.akira

Filesize
509KB

MD5
9ca06b901a48bc61fa30ecae34f55dc4

SHA1
a5d05ec6977fbf72062b45f207bba47556851a3b

SHA256
1bfc7174e63e95890e753f7c9f5bf4ae07332eba91ae5b055d2ecf8dce68a999

SHA512
45a2de57b0652bca70dcc533875ed538ab4e621869a8108e6afe81d59f8602b75c8ba010f97393a9f7c15057b645d264910d62a91f0bce76cf74f032e27ab4b9

Download Submit
C:\Users\Admin\Desktop\ExitUnpublish.xlt.akira

Filesize
291KB

MD5
98532e4c62dc80ee55bad1ef88f504d9

SHA1
325ab22be0ba130efb422d5962d4e0544057e904

SHA256
c82d1729aa9124e9e1be061555be7d4fee4fdd584a42303e6f24fb8bb618e8d8

SHA512
45a9922b7afad1b76f3ad8fb25526ebfabb34e8224d814a239230ac7af343009c500d7d14a456d148b1ede3298e940b2028b07d3cb38e28dce193b006c5dcd46

Download Submit
C:\Users\Admin\Desktop\ExpandEnter.odp.akira

Filesize
564KB

MD5
8c22e0b88090cc3395df6bdefe2a5b6c

SHA1
33ee4c903d54c5ffe12ed2ba83f3b39c99ff4453

SHA256
ed011cc89174870b14f4780a2b72cbed5b6f48d75d4d5e834394967ab58e0381

SHA512
f5b865908814199381e85de2633f52bf3a6cca8a2d62bcd583a8ff550d794f77dbd7255f03f13712b2ec815863d1cde1836ee6f209bbb400a09a8d84337d7e73

Download Submit
C:\Users\Admin\Desktop\FormatConvert.wvx.akira

Filesize
527KB

MD5
eeee8d3c0b92d7ead5653121968169ae

SHA1
a5f04cbea45c8d43a2d65fc0ddd393df7d5cc76b

SHA256
d3c6bd32cd37cf2a2d41eaea26e92aed4d578b94264250a50eb0471053e85570

SHA512
f3b0bc967ac84389670088086b50be968ce9f71e0da75ee7af46011f8584f7a288c0e877b315a0b3bee5285f665096cfa895c0de7ad4214bb637b741d70fd299

Download Submit
C:\Users\Admin\Desktop\HideFormat.emz.akira

Filesize
654KB

MD5
d8c3832aae149ad3583ffe9f47810b70

SHA1
491062319df8b08a187b5c2854139fa1e6646770

SHA256
32971de98dd38cdfedf6ef2b8dcd642f5e49a9337606a5a70f002eb3b7cb7859

SHA512
722a7631c6ffe1edc72d45249acb418d54bf9a0d8c14e1593e07627c976f155e5cb04ed4bb1df99595b01578b0d901ac30324d441c35af763d2ae7c373dcd1fd

Download Submit
C:\Users\Admin\Desktop\PublishReceive.mht.akira

Filesize
673KB

MD5
512359468c6c17cb47056be8fc3ce583

SHA1
6b4a969ae1f2b8304a02c554acd6a4c1c9306326

SHA256
0b53acbf1b5a4d0da694e14d36d7fee577083c8893f445ff96a8b2a27e846e2f

SHA512
8ce02bfc226c019352a822937e27af37061d5cb0dd6ea8c79f80d143974cf5271d71e6032960623dc941fb1795d1051dfa90cb2b2f9bec6e22498d656e025a1a

Download Submit
C:\Users\Admin\Desktop\ReadUpdate.avi.akira

Filesize
364KB

MD5
ccbefa3dd415b7701e1119ca9578ad05

SHA1
4028d267b23bfb6274c260f90881a20c0acfc9a8

SHA256
f01c11f3187f5195dba064a8b4bc0997e78283633782b0ef9f492e8349da864b

SHA512
4a53a78f7d52e5f3a2fbad2512e5e7b8fffbc291d7807a27e8fdf753bbb74886a87b4be78567d11d2f2bc17a86235666baa6fac192811d985fb3b8a1bbf53e43

Download Submit
C:\Users\Admin\Desktop\RedoClear.otf.akira

Filesize
618KB

MD5
23cb4ca1a34d39ff6b08ea41ec7cc80d

SHA1
d279928917498b03838ff122c5b502b71682762c

SHA256
bfc598d6ac42ce514e09ca3bef145bc968071b3546e86a16a333df039ac27aa9

SHA512
0327ee293679939825d4e22da1df174c5caea901325ff6889be578da808a7756e6e42da4ef24bd6b4beb526126c16c50dad26d477e69e4fe3ee00c63c092e906

Download Submit
C:\Users\Admin\Desktop\RedoSubmit.wmf.akira

Filesize
345KB

MD5
dee58371e5e4db37377c5ad4894a55be

SHA1
c173e522ab76fa20d3e980773b2c6cabba08cfb9

SHA256
9fc9ce4bd3a16099c339fd65b3a91006cd035460f41b187a5ac6af097c76aea6

SHA512
891d3e355224479435b17d13467f31c891ab16d12e323784e7700e92137d742d9e2f1e2c52d15e62cbcb9a112b0c3a92a18e9d6e87f64572c3ef91d82ae9fd31

Download Submit
C:\Users\Admin\Desktop\RegisterDisable.docx.akira

Filesize
309KB

MD5
b29f89a38198f59bec4b11dd906b925c

SHA1
0a1a2837544c3ac674aa3b5a268ae0abae842e58

SHA256
d91ea42b408be81d1790788bf8ea2c141d1b3bbe2f9c5ebf39efdc956b16301e

SHA512
518943ba22748192a3b48b6ac8403912676647aab4ceb68f47b2c48fd88a5ac65cacdf34162534bc25af70a9e4e8fc265cbecd1ec460eed9d1adbceaf4f8bee4

Download Submit
C:\Users\Admin\Desktop\RenameFind.3gpp.akira

Filesize
473KB

MD5
0cd0ae58fbfa8f6831a6ac8fc6ce1dac

SHA1
dd6092679d055ba8ea421b85446d55eb18d5d9bc

SHA256
000b3e2775cbff66040a52380616946d275714b6d0fd18856582587b8e02e541

SHA512
4e083c0d44be029056ddf278f0c55010df7b8c378e2db6c58c2898a7e51fa2d7b4e5aa5526f79072c73362859f99d9b72585138e7d77f52ff10414611f043e9c

Download Submit
C:\Users\Admin\Desktop\RepairWait.docx.akira

Filesize
236KB

MD5
06297087f41a4f14199b467f8feb6429

SHA1
3dc43d969a678f0890a7ce64b255f34752763d91

SHA256
aac424033f00a8eaf2eb3faac1d7551a2593da1c9872a887770b7a6d410e34f1

SHA512
e6971d04bcf6182ec34cb5b2188afe64b5054102053928e75e09ce7c8777926d31643affbcc8597dbf3201751d43b6a9cda4240740836be49292f81f06cb4510

Download Submit
C:\Users\Admin\Desktop\RequestConfirm.potx.akira

Filesize
454KB

MD5
e3662cc24a98103f678ba4563e5d4d49

SHA1
d6bbdec0f84130724300bef4835761dccaf83826

SHA256
67883659789c9c6f2487e32296d717309d5d288d3ebb38d56d4f02242a5e4bc6

SHA512
c3a7b6b9e67a3e6649aaa39d18af03e9e1ba7148265842a93653009bda796afbe2d1959df3f960e48c92033c5800fdfd16171767c08d1345127f58557b450b76

Download Submit
C:\Users\Admin\Desktop\ResumeSync.ex_.akira

Filesize
927KB

MD5
53c4e4fcef03a2609a94b428efd4a3e8

SHA1
1fd243c154f319ceba9f5f1370edd119ea49ab97

SHA256
523d59986b3cdf18304b99b4a1ea1d53615a80e1b75b5454bb625a7935c5d036

SHA512
80a202bfa6afd30951c5c4f8abf29131c5da6f616e6daf3a300267553b70e77053eecfba4f1c642666b9bf3304cacc1fb68fdc61c0c150f6e64681ab251f5d59

Download Submit
C:\Users\Admin\Desktop\SaveGet.mov.akira

Filesize
254KB

MD5
0cc293b24f4b63e9fa201a1b8d7a3af3

SHA1
80c74db9cc88d92d2aae5f7811e8c29ebf2f03af

SHA256
ab09c5562275e090308d7dcd1ebf9e0e0e759173d2e49126caf72fe7b55c26ad

SHA512
3483741cccf6efb0b717191a70bc4f20ebfc8ab2ecb727a706628f2623da43e34622a5951aee152fc3ceed9abf859bb956f584b7078b17c43f062cbb6aa55655

Download Submit
C:\Users\Admin\Desktop\SearchSubmit.xlsx.akira

Filesize
12KB

MD5
47594fb983915f994d335821e7da6e67

SHA1
3217c29ef030c69dcc12dd7a75bdb1af0f8a4bf0

SHA256
4a2d7d33513bb6211f0092268ec41dc029b7fd10629eab90aab691512425772c

SHA512
02daf9ac7175f1c4e52c7209b2d4306f8b8623473f4736b99d1d6fac24e482f9d8cfa11173d033c328d9ff507a12d2bb0326152bd7d8ab41bf40f69873c7b666

Download Submit
C:\Users\Admin\Desktop\SearchUpdate.M2TS.akira

Filesize
636KB

MD5
a9a15bd6bbc9bcec42674c4147f3d342

SHA1
2c589ccd6df677a1c243404e76b12b06c5a349f2

SHA256
741840c32f1676d7a49d8931a4091f596cb7b890207507ffa090e3cc0a0bd5d1

SHA512
294c0ae998d7dc28d5ea3a63974b99f27ba836adf49085259335bd9a2b2df23087b468298eeb819d43bcf0eda2931bd1c19c34ba93d0c5b07efd8ada52f68833

Download Submit
C:\Users\Admin\Desktop\SendUnprotect.odt.akira

Filesize
418KB

MD5
a93d1cafd6629c2fe1bf30749f6908dc

SHA1
68b7b15027ee4368336e314f2ae2ce98e96305dd

SHA256
21442750f9660c55206903e4d26f89a7ffec204d829684a5dd04ecd13ab21519

SHA512
bca24a0863ba79ad501b3781f0946b17f51edc23d2ff90ccc3ad1a0553601da5c3c72f4c8fd7e80984b6d170f1cd29891f4abb7e7a87ea28e604b46979384ae0

Download Submit
C:\Users\Admin\Desktop\SkipUndo.xls.akira

Filesize
273KB

MD5
e147016090a3db46ff78265876a985d3

SHA1
c14f0b2061598a05e88876022916e868af22ef2e

SHA256
38099334b34caa6746c98fda7aa0a32b55af287cbc021183e26e32129f4205ec

SHA512
52a81289d0d46dc5335c4593a2f9cf7bcd3e0d2251956964a53cbd0336d6d1d84d2e07c3d71affd49c1976aabaa9432f2cfd48f21c2265ad5b19d3e921ce4271

Download Submit
C:\Users\Admin\Desktop\SplitConnect.vssx.akira

Filesize
582KB

MD5
7c12f713963a54c5bb7e72bee6f7c644

SHA1
980405c127ce123f497ac5313170613981d05b49

SHA256
fa5988dd074b9cac049079c1253098e8955d9f05f1105522e78ce4555dfbc130

SHA512
2f7b50ca614d3b522e78db75974bfbd1a31d7db36fe4cfe1a450384e1a168d2e94ff89522cd32c27a3e1c5e7f2a0fd222c5e72f2ca77aade5d834705dd0f9338

Download Submit
C:\Users\Admin\Desktop\StopConvertTo.xml.akira

Filesize
327KB

MD5
65b928f4b428fbd131fa6857c2353b87

SHA1
71229d5f90ac4de6253f8b23c369a1aee0a839ad

SHA256
592f6f5070dd1b12ff9fd0f07b23b1f9d9fc9c1ecd7f3db879041e4352f253be

SHA512
93042ac0a71b4e19dceb82b0eef652917675543daf111c1eb08bbe23e815abf2691b4c1767bcaee30330d397f8248faefd1962575e561b2914498a8ebea74715

Download Submit
C:\Users\Admin\Desktop\SubmitEnter.docx.akira

Filesize
19KB

MD5
8654a8c35af390553d16e3316fd21664

SHA1
d7df13989db6fd2264bb47810a01e86816455d50

SHA256
2122706a6ba0b436219225234c9adbd3e050587b688540bd04840f316f9cba5f

SHA512
a78f4578ba8378cc7c05c1840ee3017572aeb8de24a6a9bc6d9ad0936a4b74736b09fcb786435e6cfc0d81ba9db1ae87775ca41a3d858a830b9cfaf1ee3c4698

Download Submit
C:\Users\Admin\Desktop\UnblockPing.M2T.akira

Filesize
600KB

MD5
686f26aeb13f6b7589f0501981f66d59

SHA1
21bd7c1081c895c9fa21336642c9a7b4aadd426a

SHA256
b443cb04d092655983c9f13cceba959f1a1c45308cbeb1c04a8b42621eda7e53

SHA512
273ccfbd5e30918f3c9b68bfc584e9dff2b2271b11b788961ef151f0310e47ffdf737a7be23607f73462faac7a724fe703544e71bd96284604654c584469799c

Download Submit
C:\Users\Admin\Desktop\UnprotectSubmit.tif.akira

Filesize
491KB

MD5
91f0737ef67db179efda7e66b0788005

SHA1
0a980c151ace198a93692806dd9bdad3deb44250

SHA256
bbe2b6f9ca2fab18de0d04abe97d001d4d93cdb36bc0bea374d901da05f19bfb

SHA512
cb59be3d357c5724477967c8c7d497b2f54b399150bac2273f3ef47bbd82e26206d5663a1faa4e5fa74658733918cf230c185af2de0f8bc8e1597802a619a2ab

Download Submit
memory/2880-8-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-4-0x000007FEF569E000-0x000007FEF569F000-memory.dmp

Filesize
4KB

Download
memory/2880-5-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2880-6-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2880-7-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-9-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download