|Domain|ID|Name|Use|
|---|---|---|---|
|Enterprise|T1059|Command and Scripting Interpreter|FIVEHANDS can receive a command line argument to limit file encryption to specified directories.|
|Enterprise|T1486|Data Encrypted for Impact|FIVEHANDS can use an embedded NTRU public key to encrypt data for ransom.|
|Enterprise|T1140|Deobfuscate/Decode Files or Information|FIVEHANDS has the ability to decrypt its payload prior to execution.|
|Enterprise|T1083|File and Directory Discovery|FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.|
|Enterprise|T1490|Inhibit System Recovery|FIVEHANDS has the ability to delete volume shadow copies on compromised hosts.|
|Enterprise|T1135|Network Share Discovery|FIVEHANDS can enumerate network shares and mounted drives on a network.|
|Enterprise|T1027|Obfuscated Files or Information||
|Enterprise|T1047|Windows Management Instrumentation|FIVEHANDS can use WMI to delete files on a target machine.|