dharma

Sharing

General

Target

Desktop.zip
Size

7.2MB
Sample

241104-xky3qavflf
MD5

f07a13d08d3955db2ed1395dbeb750f5
SHA1

d1f0e600fc007ee5381674e4f1fa090607e0814b
SHA256

503b1aff23f00a7a668cc8213199a78ac5a66704f375f198b9d41514753cefc8
SHA512

972847ae6620d9702b4447e5765d700c18dd9fe6e42ed8e9d4547015c442a64b82657e5d29090da19187e7dc56c33fd0df2ffa1a70265317d62bfea51b408136
SSDEEP

196608:Q3f35VoPxurjsLURhw35ivcLhRyQrCz1977KyoK8:QQPwrjskwJi0L7pWz1972yo1

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message EE3F8B4B In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 55B272A2 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_8EA6CEFF Use Tor Browser to access this address. If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

URLs

http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_8EA6CEFF

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 677A96F2 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Family

netwire

fdghfghdfghjhgjkgfgjh234569.ru:6974

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
a2nw
lock_executable
false
mutex
NrPiWfVe
offline_keylogger
false
password
rdfs34df32sdf
registry_autorun
false
use_mutex
true

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 44729992 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 9C174CBE In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message CD3742C0 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Targets

- Target
  
  order.exe
- Size
  
  970KB
- MD5
  
  8951ea556fc0f09d34d55ae9d610ccea
- SHA1
  
  7de8815e4af9fa2ef6514c70ea53ecc4d0bbd838
- SHA256
  
  a12897e495ca61d13e95bbfd9015357debc8ce95561ffcc91d06929211763cdb
- SHA512
  
  9d1138068076830bb4eb2b2706f257321f4ac4cd37d28ee02325baa832703f570cc71f4715a074a826983af2370dac6077ddc6f3e66383cc741797150836bd4c
- SSDEEP
  
  24576:rFrCGXjsiUJU1wqGf5AjuQ5O3h3fMtb2Kv1bH:VnuJUCz7Mtb2e1bH
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer upx
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (312) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1
- Target
  
  UGH CRYSIS RANSOm
- Size
  
  92KB
- MD5
  
  7bf2f1187fb0f74893de4d4f54591af4
- SHA1
  
  42446f82700f819901a2e8b302c7eb32e1f99d5a
- SHA256
  
  482e5b77bf6c0c2953e2e8a456a3a072a3f9d5cb35e822e493d062d2372a1fc0
- SHA512
  
  f77d1ff98988a9d319a2bb17511a002f437029de422856f8f519376a70316e10a9594dccd6a5fed5f7fdf8d65e61d0bb5f6385b6a660b28b6c13958e6b24a814
- SSDEEP
  
  1536:mBwl+KXpsqN5vlwWYyhY9S4AO4yxgrrMjNN5Pw0Pv7i+1ZvqwaC:Qw+asqN5aW/hLU4yxgrrMjNN5Pw27XbK
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (323) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral2
- Target
  
  crususususussu crysis
- Size
  
  118KB
- MD5
  
  3dafd3cca1edf4b51321eb019ce0196f
- SHA1
  
  d6f73449c7edc104e73b694cf8ea79869ba8b6a6
- SHA256
  
  9a5a620bf7e1eeed874d02afa8f7d2a6bb7c51ed431346f87514cf239c0d5a17
- SHA512
  
  336eaa50d1fcbbe602e1878eed578e5be7e492a77d01f05075b0c64702391a12d8cd1237d9e10905999642810f36b8a01995a614899e9f9224896d403873fda1
- SSDEEP
  
  3072:gWk1zRZTLPwwD04+KsdH8xwkA2YYoN1dMtIyI6eqvu6u:Dk1zRJzwZrMA4tpc
Score

6^/10

discovery
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral3
- Target
  
  crysisisis
- Size
  
  4.3MB
- MD5
  
  70c00b229ef625c6823fb7e499350b65
- SHA1
  
  adcde6250040d3d713f770c2c9fd39c767cfc71d
- SHA256
  
  8f26f91d2e4adb37d9c20e4bb09c8a896a15339e6021d289f4785696cc0c6e27
- SHA512
  
  c6bbbbfee20e00ae048edad5187a34088079b9acf7c694ecf3f3ebba8eea93be44409ad9879e2f07c7b8b49c818d9c828bc29a419101fb8ebda01e91072e46a3
- SSDEEP
  
  98304:1BBBJfpyobtKZ4XzeiA8m88S1AxNcYZGfgPSUBclP6SEcfX:HRfpyJeXzeIm3S1AxNccGfWKZfEcf
Score

9^/10

discovery evasion spyware stealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral4
- Target
  
  encrypt da ct
- Size
  
  496KB
- MD5
  
  d04bd9640cf05c1d8ec150b8ec3dea9d
- SHA1
  
  9f1d2b477e072b993144df959e46bff88885d161
- SHA256
  
  7b3e28d2f4946196b60ac5feb807984cc6ea82ef7ab535dbc291707c19e8eb69
- SHA512
  
  806ccb9ab75e0b0fd41bc6d1b9de3be1e58f75a8af3db1bffbb9c1137a40e49587c6fad8eb8c1dfae89aef5b23a90e2bbadfb02ff9600557e398d67407730542
- SSDEEP
  
  6144:wYiWcGsEld6itHpoNu6HwcDK1668T1wGTtE2hmDnVBjrvNtwNoI:wYSEj6itHp6JHwMc6/+2oDnXe1
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (316) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral5
- Target
  
  i dunno i think its crysis ransom
- Size
  
  382KB
- MD5
  
  c552a3083cae175ce2cf1b272236ee52
- SHA1
  
  4fbbaed1224d55a19aa8a2993ae6d567478f77cb
- SHA256
  
  310b24120390c6b8d7dac7cfe94259aa7bb03f75b2bea08b8c62fe78efcbe2e0
- SHA512
  
  40cabef46fcf76b1eb2aa510fd77c129bb1d67d0e87da273c03abb91c631545e193522dd393da8563d3654562b02d14fd991eb1ec00f8b570336f9b9da4668e5
- SSDEEP
  
  6144:uCdYss/E7IOEE39kr9HC/CRNkqq3S8213/jMtdH/pDhXdrAV16V0olOWyQw:ts/E8Oj39y9HC/Ab82mtdfpFxAbstlzZ
Score

10^/10

netwire botnet defense_evasion discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral6
- Target
  
  i no crysis dis shit
- Size
  
  654KB
- MD5
  
  d02e4dc2873794442422e9e7ab984629
- SHA1
  
  33fe022ead73e2cab2afbd57ed5a43babb3b0833
- SHA256
  
  6518ea1cc077c71291c07ddfe744ea7c8f65b6578a63f6a9e56db2af143bdd71
- SHA512
  
  ef0efac29a348e95ec370e27555ad40fccb49afc4461f2791618a7d58417064482912e39c33aaa8115ac727977067ecb1fdee25428846523541020742320c289
- SSDEEP
  
  12288:WLnPggwTd/e544UcwZvSJ/YGGquZGnVXt+v/9LzjERf:gMTd/ea4qZ2QGG9ZKX8v1v
Score

10^/10

dharma defense_evasion discovery execution impact persistence ransomware spyware stealer upx
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (180) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral7
- Target
  
  im gonna cry sis
- Size
  
  390KB
- MD5
  
  55930ef259fa602f9bbe266a6e8dd158
- SHA1
  
  f54af827410eb2ad8a85538e56280a3e191a58e5
- SHA256
  
  eb4168396a082431fa7083533e14c6422aadba6c5ca76119cd855d40289b5aab
- SHA512
  
  acbba2a00e5f4f1c75128df64577623fce7d4146127a850aea8edb6949283d39487fdef30ac749ad29fcc0ed8b0f89abe4b8c1576720d5529a9556e764ba64ff
- SSDEEP
  
  12288:vW10ZHF+GKhI6mPGHM3ZH7KV4luGqR7MOXf1e0/V:vlHFiW3uVqo7MOP1egV
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (312) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral8
- Target
  
  omg its fucking CRYSIS
- Size
  
  420KB
- MD5
  
  859553e76bcfb7c19bbf1ad1290b360c
- SHA1
  
  6a71def09b4b0058ca6f0b077a93c22b4eb63082
- SHA256
  
  970959bc3aef1c6198b105a4983599ea566f29ca26f307258f86d0a6585502f4
- SHA512
  
  100dc319e1082da1f4a2d779642c785a89b2e00272ee85390c4cdcaa589ed0091eacdda5fc06ac9a87ea025b4fe0be62323ba51bd34b7968d96d8859f0676d2b
- SSDEEP
  
  12288:YLcVB4j5CW1p3vE1eqFs5WkdsvG9iCNY5:YQVioWX/E1e59s+9iCNk
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer upx
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (313) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral9
- Target
  
  why crysis go raas
- Size
  
  867KB
- MD5
  
  611951ee8ab1f66bace29d81d40fdeb3
- SHA1
  
  7769f65c969bcc8f6e677b42fcbd9d8516117437
- SHA256
  
  425e4f08a31dc3c68a1a3a2518322531a4b9043ce66a683184d4d0b6e0ae6913
- SHA512
  
  a62c7b2b44084bc284ae5b57e27b2ef9375832871dcfb6863a78ebfb4a474457c5693a94566e2b37fab8e91f757a868a9615e6f09c15762934726c840d36113e
- SSDEEP
  
  12288:GDpXyEqeOf43Fg0xyNrlEyJH3Z6CkZTIvbIVssletMv8uYZzJhLttkr:jeOfExyF3sCaTIvtKF8/zJ1kr
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (312) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral10