Execution T1047 has_wmi: Executes one or several WMI requests
Privilege Escalation T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion T1497.001 antivm_disk_size: Checks the amount of free disk space
T1497.001 antivm_network_adapters: Checks NIC addresses
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
Discovery T1082 recon_systeminfo: Collects system information (ipconfig, netstat, systeminfo, net)
T1083 crawls_directories: Opens a huge number of directories all over disk C: (possibly, searches for sensitive data)
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
Impact T1486 modifies_files2: Cryptolocker indicators detected (100 or more files are modified)
T1486 modifies_files: Cryptolocker indicators detected (renamed 100 or more files)
T1486 ransomware_message: Ransomware indicators detected (possible ransom message creation)
Other codepage: Checks the system code page
create_rpc_bindings: Creates RPC connection
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
writes_data: Writes big amount of data to disk