Often distributed via spear-phishing or via the Raspberry Robin worm.
Scans for domain names, computer names, and local accounts.
Blacklist the specific file hash and any associated C2 IPs at your firewall.
Often drops itself into %AppData% or C:\Users\Public\.
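
One way to hunt for the drop locations above, as an added example that is not part of the original page: it flags process-creation events whose image path resolves under %AppData% or C:\Users\Public\. The event fields, the extension list and the mapping of %AppData% to C:\Users\<user>\AppData\Roaming are assumptions, and the sample events are constructed.

```python
import ntpath
import re

# Directories named on this page, as regexes over a normalized lowercase path.
# Assumption: %AppData% resolves to C:\Users\<user>\AppData\Roaming (Windows default).
DROP_DIRS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\"),
    re.compile(r"^[a-z]:\\users\\public\\"),
]
# Assumed list of file types worth flagging when launched from these directories.
EXEC_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd"}


def normalize(path):
    """Strip quotes, unify separators and case, expand env vars, collapse '..'."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    # "_" stands in for the unknown user name when the variable is unexpanded.
    p = p.replace("%appdata%", r"c:\users\_\appdata\roaming")
    p = p.replace("%public%", r"c:\users\public")
    return ntpath.normpath(p)


def is_suspicious_image(path):
    """True if an executable-type file sits under one of the drop directories."""
    p = normalize(path)
    if ntpath.splitext(p)[1] not in EXEC_EXT:
        return False
    return any(rx.match(p) for rx in DROP_DIRS)


def triage(events):
    """Return (host, image) for events whose image runs from a drop directory."""
    return [(e["host"], e["image"]) for e in events if is_suspicious_image(e["image"])]


# Constructed sample events (not real telemetry), shaped like process-creation records.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-02", "image": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"host": "ws-03", "image": r"c:/users/PUBLIC/../Public/lib.dll"},
    {"host": "ws-04", "image": r'"%APPDATA%\sync\run.exe"'},
    {"host": "ws-05", "image": r"C:\Users\Public\Documents\notes.txt"},
    {"host": "ws-06", "image": r"C:\Users\bob\AppData\Local\Programs\app\app.exe"},
]

if __name__ == "__main__":
    for host, image in triage(SAMPLE_EVENTS):
        print(host, image)
```

Legitimate per-user software also runs from %AppData%, so treat hits as triage leads to check against known-good publishers rather than as verdicts.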