Execution
T1059 autoit: AutoIt script execution detected
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks
T1059.006 drops_python_dll: Drops python DLL
Persistence
T1574 dropper_dll: Creates DLL, which is then loaded into the process
Privilege Escalation
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1497.001 antivm_generic_cpu: Checks the CPU name, possibly for anti-virtualization
T1497.001 antisandbox_productid: Obtains Windows ProductID, probably to fingerprint a sandbox
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process
Discovery
T1497.001 antivm_generic_cpu: Checks the CPU name, possibly for anti-virtualization
T1497.001 antisandbox_productid: Obtains Windows ProductID, probably to fingerprint a sandbox
T1518.001 antiav_detectfile: Attempts to detect installed antiviruses by a certain directory
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1057 process_interest: Enumerates processes
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
Other
yara_rules: Static rules
drops_interpreter: Creates interpreter binary file
creates_exe: Creates executable files in the file system
creates_doc: Creates (office) documents in the file system
executes_dropped_exe: Executes dropped exe files
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
pe_overlay: PE file contains overlay