Overview

Static (score 10)

Tasks (score / sample / platform):
9   0f178bc093...35.exe   windows7_x64
10  0f178bc093...35.exe   windows10_x64
10  1b109db549...18.exe   windows7_x64
10  1b109db549...18.exe   windows10_x64
10  1dbe9f9565...92.exe   windows7_x64
10  1dbe9f9565...92.exe   windows10_x64
10  1e3bf358c7...70.exe   windows7_x64
10  1e3bf358c7...70.exe   windows10_x64
10  26b6a9fecf...39.exe   windows7_x64
10  26b6a9fecf...39.exe   windows10_x64
10  286bffaa9c...3f.exe   windows7_x64
10  286bffaa9c...3f.exe   windows10_x64
10  410c884d88...77.exe   windows7_x64
10  410c884d88...77.exe   windows10_x64
10  5072678821...db.exe   windows7_x64
10  5072678821...db.exe   windows10_x64
10  69d9dd7fdd...97.exe   windows7_x64
10  69d9dd7fdd...97.exe   windows10_x64
10  76a77def28...78.exe   windows7_x64
10  76a77def28...78.exe   windows10_x64
10  91d1ab6c30...31.exe   windows7_x64
10  91d1ab6c30...31.exe   windows10_x64
10  ca57455fd1...75.exe   windows7_x64
10  ca57455fd1...75.exe   windows10_x64
10  e3f236e4ae...77.exe   windows7_x64
10  e3f236e4ae...77.exe   windows10_x64
10  faa3453ceb...69.exe   windows7_x64
10  faa3453ceb...69.exe   windows10_x64
10  ffbb6c4d8d...4d.exe   windows7_x64
10  ffbb6c4d8d...4d.exe   windows10_x64
General (score 10)

Target: lockbit-cases.zip
Size: 2.5MB
Sample: 210824-v96gc6ka5e
MD5: de6c6b3143f6d911c84e3a328854d98f
SHA1: 902d930733dd950bb376cf46511489b6c82401d6
SHA256: d63224f2076b5cdb010e31dd408b07218381fd21939f8bd3b4aa8f5c03f6a702
SHA512: e87239cb4e2b79152baded43758adcb0cf980e32b11455b9072ce4059f4a4bf67b926631e67789a97ecb8ef917c7bc5f51f3cd16b41488724c4531890ae58a2a
Behavioral tasks (task / sample / resource):
behavioral1   0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.exe   win7v20210408
behavioral2   0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.exe   win10v20210408
behavioral3   1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe   win7v20210408
behavioral4   1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe   win10v20210410
behavioral5   1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592.exe   win7v20210410
behavioral6   1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592.exe   win10v20210410
behavioral7   1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770.exe   win7v20210408
behavioral8   1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770.exe   win10v20210410
behavioral9   26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739.exe   win7v20210410
behavioral10  26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739.exe   win10v20210408
behavioral11  286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe   win7v20210410
behavioral12  286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe   win10v20210408
behavioral13  410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe   win7v20210408
behavioral14  410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe   win10v20210408
behavioral15  5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db.exe   win7v20210408
behavioral16  5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db.exe   win10v20210408
behavioral17  69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe   win7v20210408
behavioral18  69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe   win10v20210410
behavioral19  76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78.exe   win7v20210410
behavioral20  76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78.exe   win10v20210408
behavioral21  91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe   win7v20210410
behavioral22  91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe   win10v20210410
behavioral23  ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75.exe   win7v20210410
behavioral24  ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75.exe   win10v20210408
behavioral25  e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877.exe   win7v20210410
behavioral26  e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877.exe   win10v20210410
behavioral27  faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe   win7v20210410
behavioral28  faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe   win10v20210410
behavioral29  ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe   win7v20210410
behavioral30  ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe   win10v20210410
Malware Config

Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt (family: lockbit)
  http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BA9919DF127E95C9
Extracted from C:\odt\Restore-My-Files.txt (family: lockbit)
  http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86BFA283CCB065F54C
Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt (family: lockbit)
  http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445BBB8BE7AE573420D
Extracted from C:\odt\Restore-My-Files.txt (family: lockbit)
  http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445AC658FA8496DDB24
Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt (family: lockbit)
  http://lockbit-decryptor.com/?920FDCBE179431D5C7ABD78340D1431A
  http://lockbitks2tvnmwk.onion/?920FDCBE179431D5C7ABD78340D1431A
Extracted from C:\odt\Restore-My-Files.txt (family: lockbit)
  http://lockbit-decryptor.com/?920FDCBE179431D5987920C4732F4B08
  http://lockbitks2tvnmwk.onion/?920FDCBE179431D5987920C4732F4B08
Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt (family: lockbit)
  http://lockbitks2tvnmwk.onion/?828C57864CBB23B6B152EF89B5036107
Extracted from C:\odt\Restore-My-Files.txt (family: lockbit)
  http://lockbitks2tvnmwk.onion/?828C57864CBB23B6BC6E1135DE1B910E
Extracted from C:\Program Files\7-Zip\Restore-My-Files.txt (family: lockbit)
  http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DE924ECA22D0A0ED0
Extracted from C:\odt\Restore-My-Files.txt (family: lockbit)
  http://lockbitks2tvnmwk.onion/?92727EE520AEBC7DC60BFC436554DCCC
Targets

Target: 0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335
Size: 151KB
MD5: 1fbef2a9007eb0e32fb586e0fca3f0e7
SHA1: 3e86304198d1185a36834e59147fc767315d8678
SHA256: 0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335
SHA512: 94de457c74b783413514bc5804e86f5e1f0962dc03acf12d0a22c8b383b099518242314862417c24e5b13101b135d36dce285f4db11c989f3bc4331ce1b437b0
Score: 10/10
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess
- Modifies boot configuration data using bcdedit
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: 1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18
Size: 150KB
MD5: 1f4f6abfced4c347ba951a04c8d86982
SHA1: a4c486b0926f55e99d12f749135612602cc4bf64
SHA256: 1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18
SHA512: ae9d631a193d04194bcb54ccf5573730c04b2d9d732addf04af2100e7d67584a3cfba67cfaa2a9da05099d71c56dd58cfdb9f58d070b72ae58d0add20cf0afd3
Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: 1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592
Size: 316KB
MD5: 4de69c226426a742a17ade81cde8d1f9
SHA1: ea10e601a2fb81362687421bc0b8f9d6238d7dfa
SHA256: 1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592
SHA512: 26cab9c626d2d2332942808d1d71f0f8f114d1b8a6e1f3d760850a065a4856c1c2ba9c896be0353457c684f4251357a3bd641dc7547940651cc70fb9050a4c6a
Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Deletes itself
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: 1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770
Size: 67KB
MD5: 9fe9f4ee717bae3a5c9fdf1d380e015d
SHA1: 7df22f2fbe86a07070f262f94e233860b6ae66b2
SHA256: 1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770
SHA512: 546deacbdcfb91a01895fef3a4775f2542642cb20999c5936f50715f173db327c9a8fa5dade93e6fa5cfdc9db3b12238ce20dc7dc41fe9874453e1bf4621224a
Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: 26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739
Size: 150KB
MD5: 207718c939673a5f674ce51f402cfc06
SHA1: 791f60a24f9b6589a2afed48b3ec17fad43bc1db
SHA256: 26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739
SHA512: 61a00f0da602100ca4913e94720f873ef682b793e246d9e7e119c9947c102e2888be64cee72e851ef3d24fbbd671cbe70af162f10049e8ef75b475b4a032e701
Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f
Size: 765KB
MD5: 5cc28691fdaa505b8f453e3500e3d690
SHA1: cb3fb57b5c70c3a2f30aa3af078bbb1cfdd1bf02
SHA256: 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f
SHA512: 0c4eb6a067456c91af908a4c2f77e84a80ba8d77682ba00b06a56af4062e2caf68cb7e63ef7500ae13a1bfa9a2062d838ecbc9aa418daf7faa9b0083f788d847
Score: 10/10
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess
- Modifies boot configuration data using bcdedit
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677
Size: 150KB
MD5: ec273b5841eadfc43b1908c9905e95a3
SHA1: 71e7990c8c81ef6c4e265eae11030886c40cc8b0
SHA256: 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677
SHA512: 164875eb5d8ff791fae4baa2a83d957cbe8fc7a6eaf1ffd3f93162ee21c52d01db80e0df17e1162991e380331b4098759f771c96a84374834603b6296c2b633d
Score: 10/10
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess
- Modifies boot configuration data using bcdedit
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: 5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db
Size: 546KB
MD5: 8ab0375228416b89becff72a0ae40654
SHA1: 75f06b636efe53360287c0ff1f51ea7de1e7c8b5
SHA256: 5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db
SHA512: c9f500f347b3b35beeecc1b7ab9fda273a149376d488f68eb456a5625e9c5bf541d85ddbdd7c127c9d92406d9ea9e7d15aae9d4d4c518bce926a55bf1b106277
Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: 69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997
Size: 150KB
MD5: 49250b4aa060299f0c8f67349c942d1c
SHA1: 4d0e6d7af9a5edece5273f3c312fdd3b9c229409
SHA256: 69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997
SHA512: 289c4277e945b1f30d07c699ebc7cf332835433e0d9f393120a6e208e1e7906133d6405665b676a8d3abccf5dbac58789f1f9372b892b36c42cd628d2638e6c3
Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: 76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78
Size: 343KB
MD5: 9a246bf39f3fab9c2d45f1003bdc6b45
SHA1: f05e71ed0e4a779fc30c3d732b07e15d56f8e3bc
SHA256: 76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78
SHA512: fe0fba6970c2e08ddfcfc867644bce49e8d609f1b98aa638f7dd88dac84c71da164ad7fbbd13469504407e82282618e71bc31fb3d57e5d1df906bfb2a1b0addf
Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: 91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631
Size: 146KB
MD5: 388eafffcc96c71c317cf0908d3a133b
SHA1: 16e5c5a81a88cb73464d92edf5bec7199907afb9
SHA256: 91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631
SHA512: 6ee2fbfdab206b2f79d423f3b26a5f8033051ab4d10596c530e381b714dcc8854a4eaf57abd02029ab2d33fdd59b2f1f9c2cdc7702442ee700a43a2411af9515
Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Deletes itself
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75
Size: 546KB
MD5: e4179bca5bf5b1fd51172d629f5521f8
SHA1: 488e532e55100da68eaeee30ba342cc05810e296
SHA256: ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75
SHA512: 9370d3a2b8d118de6396909b0ca3c1e62e374020ddb0c8a94713f0b596391f20008797509abf300f2241327fe1bfa3338623a56b9be55bd013b6b56e26430035
Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877
Size: 151KB
MD5: 123511227718f17b3dec5431d5ae87f3
SHA1: 307088ae7027b55541311fd70a9337ff3709fccf
SHA256: e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877
SHA512: 182a45c60c0c14d55e40c7941836d7d658623a66ce7760eb71d8836ffa7974a0d1d3132b919fad921abecc9215ce458f06e563417c70682a9935a02d8053b234
Score: 10/10
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869
Size: 762KB
MD5: a04a99d946fb08b2f65ba664ad7faebd
SHA1: 1fe7e2f8fbd98d6b5505fd9ee66da5b4f11720a1
SHA256: faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869
SHA512: 1afde06049a7132e552681a71f74fbb09ac5b26e05c0570af95de0ce4484eb647f2afb781c0683fdba6cb37daacf1c6be690b5208df477158a4d8d45e4c2e374
Score: 10/10
Signatures:
- Modifies boot configuration data using bcdedit
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d
Size: 191KB
MD5: 0859a78bb06a77e7c6758276eafbefd9
SHA1: a72e18efa33f1e3438dbb4451c335d487cbd4082
SHA256: ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d
SHA512: 49ca427843dd5c5cefef3d50206b0cf772152f78f82bf42a927aa0d70ceed1c1e828cb20f7f2e8dce58bf2c33e14ff75ec74319d15671b9268e0c18457722c5d
Signatures:
- Modifies system executable filetype association
- Modifies boot configuration data using bcdedit
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger