resource	yara_rule
behavioral4/memory/4900-0-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral4/memory/4900-1-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral4/memory/4900-2-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral4/memory/4900-7-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral4/memory/4900-2320-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral4/memory/4900-4073-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral4/memory/4900-4425-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral4/memory/4900-11695-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral4/memory/4900-14009-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral4/memory/4900-14010-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral4/memory/4900-14011-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral4/memory/4900-14012-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona
behavioral4/memory/4900-14013-0x0000000000400000-0x0000000000526000-memory.dmp	family_trigona

description	ioc	process
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-4286256601-2211319207-2237621277-1000\desktop.ini	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\desktop.ini	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4286256601-2211319207-2237621277-1000\desktop.ini	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-sl\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-400_contrast-black.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\JOURNAL.INF	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-72_contrast-white.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-30_altform-unplated.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-100.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-40.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql2000.xsl	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-gb\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\EmptyReport.rdlc	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-20_contrast-black.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\SolitaireLiveTileUpdater.winmd	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\ThreeWayBlendPage.xbf	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-200.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\offsymxb.ttf	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-24.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-125.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Paint_10.2104.17.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PaintLargeTile.scale-125.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_contrast-black.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\co\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-il\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\browser\features\[email protected]	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\Square44x44Logo.scale-100.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-400.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-100.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\mng2.txt	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-lightunplated_contrast-white.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-300.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-black\CameraAppList.targetsize-80.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hr-hr\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-400.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-40_altform-unplated.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\how_to_decrypt.hta	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-400_contrast-white.png	8804d34b7cf7bd2fc6e20c0dc27da287cee9fccbc52a5630c4752f9cfc6d6cd0.exe

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads