Execution T1047 has_wmi: Executes one or several WMI requests
Privilege Escalation T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Credential Access T1552 infostealer_mail: Collects personal data from local email clients
T1552 cookie_files: Accesses cookie files
T1555.003 cookie_files: Accesses cookie files
T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager
Discovery T1083 crawls_directories: Opens a huge number of directories all over disk C: (possibly, searches for sensitive data)
T1057 process_interest: Enumerates processes
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1518 locates_browser: Attempts to identify where browsers are installed
Collection T1114 infostealer_mail: Collects personal data from local email clients
Impact T1490 vssadmin_delete_shadows: Attempt to delete volume shadow copies
T1486 ransomware_files: Ransomware indicators detected Conti (creates keys and the instruction on how to unlock the files)
T1486 ransomware_files_2: Ransomware(s) Conti indicators detected (creates keys and the instruction on how to unlock the files)
Other yara_rules: Static rules
ransomware_shadowcopy: Removes volume shadow copies
no_graphical_activity: No graphic activity
creates_in_programdata: Creates files in the ProgramData directory
test_check_service: Starts services