resource	yara_rule
behavioral3/memory/4460-0-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral3/memory/4460-1-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral3/memory/4460-2-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral3/memory/4460-3-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral3/memory/4460-8-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral3/memory/4460-4446-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral3/memory/4460-4450-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral3/memory/4460-5126-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral3/memory/4460-12172-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral3/memory/4460-20716-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral3/memory/4460-22907-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral3/memory/4460-22908-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral3/memory/4460-22909-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\desktop.ini	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe

description	ioc	process
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-math-l1-1-0.dll	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmediadirs_plugin.dll	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxSignature.p7x	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-48_altform-unplated.png	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWDB.TTF	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\sk-SK\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-1-0.dll	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\dbghelp.dll	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_contrast-black.png	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\bg\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\View3d\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\7-Zip\7-zip.dll	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-file-l2-1-0.dll	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\Windows Multimedia Platform\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\Windows Photo Viewer\ja-JP\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_contrast-white.png	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-60_altform-unplated_contrast-white.png	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\THMBNAIL.PNG	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\listening.slk	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\System.Windows.Forms.Design.resources.dll	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-handle-l1-1-0.dll	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-400.png	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\Font\WeatherColorIcons.ttf	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Security.Cryptography.ProtectedData.dll	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe
File created	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\how_to_decrypt.hta	fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b.exe

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads