cerber

Resubmissions

18-07-2024 07:25

240718-h84wjs1hpb 10

18-07-2024 07:19

240718-h51pqa1gng 10

17-07-2024 20:55

240717-zqkhmaydmq 10

17-07-2024 19:21

240717-x2pwdaycjb 10

Sharing

Copy URL

Twitter E-mail

General

Target

RANSOMWARE11224.rar
Size

6.5MB
Sample

240717-x2pwdaycjb
MD5

6f34e6d90096072ff1a7fc295f2c8a17
SHA1

da305a3b884ea3acafcf1209ad24fc04f28bc7d3
SHA256

84bebbe2cc14519a656dd6ee54e892191872f7122ebf53ef6b2349a5218c11e1
SHA512

0ffa38a106c5ccdaa82b6a5a64b061bcf069125744d5c86cc800367c0d249885f725b89ebd27184bc66286590e2a6b9129d6614221c5cc7e6fe3cf1f2e7994f4
SSDEEP

196608:Wze5gvd12z//fon5Cvg/Hvq6t0Qp9DnaJJ3:uKgvdMs5PC6tZU1

Score

10^/10

Malware Config

Extracted

Family

gozi

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___5GFQ2ZM_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/85A4-3B17-D2F0-005C-97F6 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1t2jhk.top/85A4-3B17-D2F0-005C-97F6 2. http://xpcx6erilkjced3j.1e6ly3.top/85A4-3B17-D2F0-005C-97F6 3. http://xpcx6erilkjced3j.1ewuh5.top/85A4-3B17-D2F0-005C-97F6 4. http://xpcx6erilkjced3j.15ezkm.top/85A4-3B17-D2F0-005C-97F6 5. http://xpcx6erilkjced3j.16umxg.top/85A4-3B17-D2F0-005C-97F6 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/85A4-3B17-D2F0-005C-97F6

http://xpcx6erilkjced3j.1t2jhk.top/85A4-3B17-D2F0-005C-97F6

http://xpcx6erilkjced3j.1e6ly3.top/85A4-3B17-D2F0-005C-97F6

http://xpcx6erilkjced3j.1ewuh5.top/85A4-3B17-D2F0-005C-97F6

http://xpcx6erilkjced3j.15ezkm.top/85A4-3B17-D2F0-005C-97F6

http://xpcx6erilkjced3j.16umxg.top/85A4-3B17-D2F0-005C-97F6

Extracted

Path

C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.readme_txt

Ransom Note

YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED! All files are encrypted. We accept only bitcoins to share the decryption software for your network. Also, we have gathered all your private sensitive data.So if you decide not to pay anytime soon, we would share it with media's. It may harm your business reputation and the company's capitalization fell sharply. Do not try to do it with 3rd-parties programs, files might be damaged then. Decrypting of your files is only possible with the special decryption software. To receive your private key and the decryption software please follow the link (using tor2web service): https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3 If this address is not available, follow these steps: 1. Download and install Tor Browser: https://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3 4. Follow the instructions on the site 5. This link is valid for 72 hours only. Afetr that period your local data would be lost completely. 6. Any questions: [email protected]

Emails

[email protected]

URLs

https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3

http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3

Extracted

Path

C:\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

Ransom Note

__________________________________________________________________________________________________ | | | *** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS *** | |__________________________________________________________________________________________________| Your files are now encrypted! -----BEGIN PERSONAL IDENTIFIER----- pAQAAAAAAACOw7DxHZTJFYRACERTY6zIPnFz2t7beArU5fEpffP=pVuLqyf2wi9e7tkOvkavg2u+sUl3Ze08uvMKmbj7thR5dh=I khr60b3TOzbpKIKyVqwQ9WXax4vqjfdUxel=0gZqmdI=VUU+vSqfTyPA6faq+JtPoKtnAT+fAWnh=35RjgkDfbhQDKABxALHXqOn CJabDB4Qec6diph11BsUy57XcK0mH4yr1UFa6uGy+HLhBrxB9De=M=eP2xP+Dd74C4HMJcw2cBhVI6skPQBiB6Goc1xWuuyl2Ldq N4khckIv9Lahaan5RwvFsslUC8eU6qY9oZ9SCXqdjuJLXV5l0WlD=5DPo9Nl93gIDhkwNpALSAxfOm2paICUbPZBcZ6debn6cVcW VA4D97Mv4S64nghDyOiNCo7PixJ50u9MwbcyDbEBmKw37xGNpsm4dovrFGejY4YxmQVz83mJ5Upt7xHDRLkGP0CMYSBpPmefaDpO qiIt4wsZ0IHRL4H2hT9vt06xR6jSQUQ0BxCGXj4Ix0KEmIZ5Edo85KJKQ+CfF4gt67WH2Xj2ZN8IA14RFJc8k3DfaQ8BmLn8jktZ nCmzZAnwmGIus0sv1C3vmLNDDJiy+GisxTLvwO7B=+KmlJZaHGNJbzM5J+hKGYEflaVTE07QQuLIdvWfVeSFBoRzr8vSv4U6QUNq ca6KM3ZWtOqXNxu2ySTOMsRzLAa0YsWdmxVmCGP4pfCb=m9YFUkvZMQZoMDnRA7sVCmfAgE5Pm7uMJBvKt4xO2bspcvNIKegEqFk R5VKw0qA6IbNuc0ySQdSwUESS0=B+9kP9OFDQjtZIA5z -----END PERSONAL IDENTIFIER----- All your files have been encrypted due to a security problem with your PC. Now you should send us email with your personal identifier. This email will be as confirmation you are ready to pay for decryption key. You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Contact us using this email address: [email protected] Free decryption as guarantee! Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.). __________________________________________________________________________________________________ | | | How to obtain Bitcoins? | | | | * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click | | 'Buy bitcoins', and select the seller by payment method and price: | | https://localbitcoins.com/buy_bitcoins | | * Also you can find other places to buy Bitcoins and beginners guide here: | | http://www.coindesk.com/information/how-can-i-buy-bitcoins | | | |__________________________________________________________________________________________________| __________________________________________________________________________________________________ | | | Attention! | | | | * Do not rename encrypted files. | | * Do not try to decrypt your data using third party software, it may cause permanent data loss. | | * Decryption of your files with the help of third parties may cause increased price | | (they add their fee to our) or you can become a victim of a scam. | | | |__________________________________________________________________________________________________|

Emails

[email protected]

Targets

- Target
  
  2272954a2c9f631b4f9c5f6d230287b0989ab3b512bb5f4a282214eadf42085a.exe
- Size
  
  299KB
- MD5
  
  2ad96b646ad5f323f0bef0bfb6b23ebb
- SHA1
  
  a8ac661b22bd557fe3dbff8f706cb5741d43ac67
- SHA256
  
  2272954a2c9f631b4f9c5f6d230287b0989ab3b512bb5f4a282214eadf42085a
- SHA512
  
  8959aebd064c488e7247604b7b30e8487ecc498695206173d1251eff565bd5bb3e8ee90ac22bb1250f78412bcabe9a57d930972d6d4fdd886eef0901d89b38a9
- SSDEEP
  
  6144:0gggrNE0oCD4IKXgWi2AL/Pe5f6LiJbfPcEfm0fg:G6DhfTR8C2JbMEfm0fg
Score

10^/10

gozi banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
behavioral1
- Target
  
  72716d15ea7d118b8c99dbcb15114188abe468718c876ac52b0779161ef7e821.exe
- Size
  
  703KB
- MD5
  
  d7c62a22cc1a832ba2ce0bfd1c4f9e9c
- SHA1
  
  a484b5a49a5b94f045100dd5e659b9504ed99211
- SHA256
  
  72716d15ea7d118b8c99dbcb15114188abe468718c876ac52b0779161ef7e821
- SHA512
  
  7c036f46c6c5a34d991d277c3ecf3c8abdf3a70042c40aaa3c20ce2f3e02a5a63200530587c2980ba5e000a7f1394a33390e63ec53782892b27874e293dff1c6
- SSDEEP
  
  12288:Qu/mk3LQLwumO7mL945Hj1wcBsXcDBif+w+nstV7uikFg:5+WLQLP7mL9eDb+Msfsnstlubg
Score

7^/10

discovery
- Drops startup file
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
behavioral2
- Target
  
  Bit Paymer.exe
- Size
  
  92KB
- MD5
  
  998246bd0e51f9582b998ca514317c33
- SHA1
  
  5a2d799ac4cca8954fc117c7fb3e868f93c6f009
- SHA256
  
  d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2
- SHA512
  
  773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130
- SSDEEP
  
  1536:tacFdjxs2TlWlpnXv91nhixG8/lA5jG8387SpK6jXOMVHoi5e+vRb:taqJC6lWlpnXv7nhixhlAU83VwMCifvR
Score

10^/10

persistence ransomware spyware stealer
- Renames multiple (9929) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral3
- Target
  
  KeepCalm.exe
- Size
  
  218KB
- MD5
  
  f994759181fb964af17fab2f7994b9ca
- SHA1
  
  9ae72a3dc37955af7526fd8566698b7a97ed7cb0
- SHA256
  
  043969e70014662e6a8b90eaaec10f4b4064dc42c0aeba39639af82f11cbab7e
- SHA512
  
  c36ff4026879e6cbab1e95e8a8a9cc6dc8538de9fa5719625ddf5a9d578dda310325cbf1e44a2dddbc85f27521e7e736637bb102e1d230f861ecb8f2e0219188
- SSDEEP
  
  3072:Y9mM+lmsolAIrRuw+mqv9j1MWLQFidJM+lmsolAIrRuw+mqv9j1MWLQd:EF+lDAAJdi+lDAA
Score

1^/10
behavioral4
- Target
  
  LockedIn.exe
- Size
  
  650KB
- MD5
  
  e9e34a4dbf0c9fe5fb595b0282b0b4f0
- SHA1
  
  4f3f6bc4aff97eecb9ab52d47520e248c618da45
- SHA256
  
  613af1bf17a11dbf12849568ce08186cc4109a5cdb32d0bcce7c1bd81306f5c6
- SHA512
  
  b234f7a6fef8eb3153da20b1c9f668a8177e489817b1e7e36a572fbfc7dc3604f5cd509f5ff7087f4d3a2e3c1a5a0c7e93ae571be11c70732b1078ba8050a119
- SSDEEP
  
  12288:dl6aKEZf4r/s6IzjtyHQDWcFXXGmmBJ0d35O3CEkk4zglJaKfZf4m:dlNCr/sFFmmmHIpKCEx4sljCm
Score

9^/10

ransomware
- Renames multiple (56) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
behavioral5
- Target
  
  NotPetya.dll
- Size
  
  353KB
- MD5
  
  71b6a493388e7d0b40c83ce903bc6b04
- SHA1
  
  34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
- SHA256
  
  027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
- SHA512
  
  072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
- SSDEEP
  
  6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
Score

10^/10

mimikatz bootkit persistence spyware stealer
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Blocklisted process makes network request
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral6
- Target
  
  Purge.exe
- Size
  
  24KB
- MD5
  
  b02916e5c5215ef3ce25269c8d8afbe2
- SHA1
  
  7ea2e4eebea27ade84075a5bd47e048297377259
- SHA256
  
  b4e9d14e4ea8a1c459805ec46870f12a3e6ea3308864511a3d9c7af9fb841403
- SHA512
  
  c84cd98801dbc515f8e800c5fae57158d4167347c2267f1decbf37e98819b2bc1e9439eacec71eaad1c6ece62bf468b21db9cc53e6568cc73499595b1935296e
- SSDEEP
  
  384:lMX3iNFRHDy0nxaP/JqiKV+aQlSp591U7qO7o4FQcc4KVOJ5ogxlwAx9sLtsNtt7:qHitm/JqiO+aB5s7qOUvOJ5ogDrCO8tm
Score

1^/10
behavioral7
- Target
  
  Scarab.exe
- Size
  
  342KB
- MD5
  
  6899003aaa63ab4397f9e32e0a1daf43
- SHA1
  
  c22272ff0944d127992b393562871473b23ef8ea
- SHA256
  
  53f73dc2e8af9c059136029b3b535e885d4452d3375586eb9a0336d7a389aad5
- SHA512
  
  d8895f96e12d1b0b5907f7b1e7b976a37ff0cbe6db929cfbea5c931d905fb8269dc91bf44db83743920b63affc64ba88a0933d3111bc68f71ee266971b91b6bc
- SSDEEP
  
  6144:zmTLRf45/wAfqj6pjohSws+wZQtmk6LnAlnZ:eq5/tyjMLd+Rtmkc0
Score

10^/10

defense_evasion execution impact persistence privilege_escalation ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (295) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral8
- Target
  
  a631ad1b1a59001a5f594880c6ae3337bda98f8ce3bb46cd7a9de0b35cd2bc4b.exe
- Size
  
  272KB
- MD5
  
  cb4ef16070b2dec59effcdb4a2134a83
- SHA1
  
  c9fcc72c08eece9ca0beb2a3d3801bbfffcb6196
- SHA256
  
  a631ad1b1a59001a5f594880c6ae3337bda98f8ce3bb46cd7a9de0b35cd2bc4b
- SHA512
  
  be87293a1b9537d54780639006b6e7a6048755064ca4e78cc295ae1b6263ab4d511e4f720f2687a55372da10e8fd67a47bb091bd5357c50045690936b2411091
- SSDEEP
  
  6144:1xIPLPHOoW/EHVDJSBD94vqW6Q65Ln1ZEVNl999999999999999999999POU:+DHOVcHVDJMgX6Qu0V
Score

6^/10
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral9
- Target
  
  a9053a3a52113698143a2b9801509c68d0d8b4b8208da453f0974547df0931bc.exe
- Size
  
  703KB
- MD5
  
  43478841baa4b8754f75516220e33ac3
- SHA1
  
  2585a613129d7e3dbff3eb16b10ce3fe940c99a3
- SHA256
  
  a9053a3a52113698143a2b9801509c68d0d8b4b8208da453f0974547df0931bc
- SHA512
  
  9441209433e2d3d49012431011048cd33a7ce980482658a0b1e2ccd3baa70524d2585901b6130d4644d7ca0139d881a9f11a933949ed39ad805a147694b37f87
- SSDEEP
  
  12288:C6JZ+UD5+1fpL2ikTgmPb2EdVu/BdmSHqDd6bhW2RJV7uikFg:JEUD52fpL2bgmSEds/BnKQPlubg
Score

7^/10

discovery
- Drops startup file
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
behavioral10
- Target
  
  b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
- Size
  
  3.6MB
- MD5
  
  ef29f0f2a7b98ea19767b8ae66d1ffb8
- SHA1
  
  093b3916ee1bea0442278d0aa87be5703207e627
- SHA256
  
  b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c
- SHA512
  
  9ab431d19633ed54dc1cc8bc4e511cabcfcba56ee0ff30197f5bd7aca07b33f2b605ab17f07fba066f5c910903f27bb04f4eb04cbed539af783564bbeba2c80e
- SSDEEP
  
  98304:yDqPoBhhRxcSUDk36SAEdhvxWa9P59Uc/Jf:yDqPSxcxk3ZAEUadv1
Score

10^/10

wannacry discovery ransomware worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Contacts a large (35801) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Executes dropped EXE
- Drops file in System32 directory
behavioral11
- Target
  
  cf89f70633865aa06123062a7dc51f8158905afb4b00f6f3597de3edfba97c5c.exe
- Size
  
  322KB
- MD5
  
  3f4e0582663260629e1046d300bfd47c
- SHA1
  
  05d4b2e99a8ad0436cb5d9066987eb0df0321250
- SHA256
  
  cf89f70633865aa06123062a7dc51f8158905afb4b00f6f3597de3edfba97c5c
- SHA512
  
  b12505249227706b22e054d47d99d4b770a958875fb5eddb9a254ec06353415f00379383a091932ed70a1bcac14a9f8113f0221abed3c6211e6b7fe1f6fe1e81
- SSDEEP
  
  6144:2FexvJFSPxQksREdUZo64wHijE77BoLUbeKMazza722uutBq3:2FyJWQkX/njG7BSEeKMazzaqRut4
Score

1^/10
behavioral12
- Target
  
  e951e82867a4f3af5a34b714571e9acf99cca794c4ed1895c9025a642d5d4350.exe
- Size
  
  2.2MB
- MD5
  
  52cae327d2b2fef71f1af28e15a2811c
- SHA1
  
  62b516f72b03515078cb89cbecaa4522726e79d4
- SHA256
  
  e951e82867a4f3af5a34b714571e9acf99cca794c4ed1895c9025a642d5d4350
- SHA512
  
  6daabedfc0accba661c84155ea449b0cdd8819378de9c102da07631390a7a9c1fc7ee1fb71505bfb4dfb974f71696ff57bf376184934bfa230d572400bfb422a
- SSDEEP
  
  24576:d/2jBNbRL7T3QeFlUp1BcKZbn30QYKr5kw4AMMtG3oirCM/e52bZDHwSuQWTsFNz:d/yb9dw5dirCM/cIHnksFsK971
Score

1^/10
behavioral13
- Target
  
  fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
- Size
  
  121KB
- MD5
  
  eac0a08470ee67c63b14ae2ce7f6aa61
- SHA1
  
  285c0163376d5d9a5806364411652fe73424d571
- SHA256
  
  fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7
- SHA512
  
  f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5
- SSDEEP
  
  1536:3THoX8wNjiMsyPcjgbKx534oU6Llg/iLBkZhifkdol9LYuVF5yZbn:DjksYKx5o3Slg/itMg8+LYu9ubn
Score

9^/10

defense_evasion evasion execution impact persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral14
- Target
  
  fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527.exe
- Size
  
  268KB
- MD5
  
  d3fdd9807a32f5c27c14879336762119
- SHA1
  
  73132972d130adb7106e6b9319b21856434eff65
- SHA256
  
  fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527
- SHA512
  
  87468ab4136f449cab6e3689b4460de6dc59421ad20ce8208e251b3e4ef63f4ac281288ec51a35469e2473328de8b45b487cd72f40ba72d304a44b89a99a7a80
- SSDEEP
  
  6144:IXJ6Mv/PMB5lZOx4ccuiA8HYVVo7bBPxwdNaLvo:KJf/kBrZOxfwAsYVVoZZwdNaE
Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Blocklisted process makes network request
- Contacts a large (1095) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Deletes itself
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral15