Persistence
T1574.001 dll_hijacking: Indicators of DLL Hijacking vulnerability exploitation detected (creates a typical file)
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation
T1574.001 dll_hijacking: Indicators of DLL Hijacking vulnerability exploitation detected (creates a typical file)
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion
T1574.001 dll_hijacking: Indicators of DLL Hijacking vulnerability exploitation detected (creates a typical file)
T1036.003 ntdll_copy: Renames or copies NTDLL.dll to bypass HIPS
T1027.002 packer_upx: The executable file is compressed using UPX
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1027.002 pe_features: Executable file has PE anomalies (may be a false positive)
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

Credential Access
T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

Command and Control
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other
yara_rules: Static rules
creates_exe: Creates executable files in the file system
dead_host: Connects to IP addresses that do not respond to requests
create_rpc_bindings: Creates RPC connection
require_administrator: Requests administrator privileges
error_drawtext: An error occurred while executing the file
get_policy_info: Retrieves information about a Policy object
pe_overlay: PE file contains overlay