larrytash
Posts posted by larrytash
-
VirusTotal says that "windowsupdatebg.s.llnwi.net" from the behavior tab of svchost.exe is malicious according to Forcepoint ThreatSeeker, for instance. So there has been some sort of swap of genuine Windows files to signed but malicious files as far as I can figure.
-
Also this svchost.exe seems to be at the root of the problem. VirusTotal says the timestamp of the file is suspicious. It appears the attack involves switching out SVCHost.exe to this version (attached). It leads to all kinds of suspicious services that can't be disabled, such as BcastDVRUserService_47d69 and they always come with that ending sequence, they all can't be turned off, they all come from svchost.exe cmd line prompts, and they all have to do with networking, screen grabbing, etc.
This svchost.exe comes up signed but if you actually look at the VirusTotal -> Behavior tab, it is resolving to these DNS locations:
fp2E7A.wpc.2BE4.phicdn.net
fp2e7a.wpc.2be4.phicdn.net
fp2e7a.wpc.phicdn.net
prda.aadg.msidentity.com
windowsupdatebg.s.llnwi.net
x1.c.lencr.org
It mentions these IP traffic locations:
It dropped 300 files according to VirusTotal, here are some of them:
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9F0.tmp
Attached are Farbar logs, Malwarebytes quick scan logs, Malwarebytes support logs (the zip includes the MBAM service folder with logs, mbst-check-results, setup logs, etc). So these are, indeed, your logs and FRST logs
MB Scan report.txt mbst-check-results.txt mbst-grab-results.zip Addition.txt FRST.txt
-
VirusTotal said this powershell script had 2 Mitre tactics based on Zenbox behavior analysis
-
I used VirusTotal to check IP 205.171.2.65 which came out of the DNS settings flagged by FARBAR on a totally clean partition reinstall of Windows. It came back "FortinetMalware, Xcitium Verdict Cloud Malware"
So this malware has routed traffic from my computer to an IP that VirusTotal believes to contain malware at least from two sources
-
When I try to run the repair function of the MWB Support Tool it exits
-
Another 4104 Powershell script:
Creating Scriptblock text (2 of 4):
$sb = New-Object System.Text.StringBuilder $textToEscape.Length;
for($i=0; $i -lt $textToEscape.Length; $i++)
{
$curChar = $textToEscape[$i];
if($curChar -eq '\n')
{
$null = $sb.Append("\par");
}
elseif(($curChar -lt 0x20) -or ($curChar -eq '{') -or ($curChar -eq '}') -or ($curChar -eq '\\'))
{
$null = $sb.Append("\'");
$null = $sb.Append(([int]$curChar).ToString("X2", [System.Globalization.CultureInfo]::InvariantCulture));
}
elseif($curChar -lt 0x80)
{
$null = $sb.Append($curChar);
}
else
{
$null = $sb.Append("\u");
$null = $sb.Append(([int]$curChar).ToString([System.Globalization.CultureInfo]::InvariantCulture));
$null = $sb.Append('?');
}
}
return $sb.ToString();
}
function IsValidURL($URL)
{
&{
$uri = [System.URI]($URL);
$scheme = $uri.scheme;
if(($scheme -eq "http" ) -or ($scheme -eq "https") -or ($scheme -eq "ftp"))
{
return $uri.ToString();
}
else
{
return $null;
}
}
trap [Exception]
{
return $null;
}
}
function GetDefaultBrowser()
{
[string]$assocString = $null
$dll = "NetworkDiagnosticSnapIn.dll"
try
{
RegSnapin $dll
$assocString = [Microsoft.Windows.Diagnosis.Network.AssociationInfo]::GetAssociation("http","open");
trap [Exception]
{
$assocString = $null;
}
}
finally
{
UnregSnapin $dll
}
return $assocString;
}
function GetWebNDFIncidentData($URL, $DefaultConnectivity)
{
#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>URL</Name><Type>AT_STRING</Type><Value><![CDATA[" + $URL + "]]></Value></HelperAttribute>"
if($DefaultConnectivity)
{
#sqm explorer as the client rather than sdiaghost.exe
$haXML += "<HelperAttribute><Name>NDFSQMCallerApplication</Name><Type>AT_STRING</Type><Value>Windows\Explorer.EXE</Value></HelperAttribute>"
$defaultBrowser = GetDefaultBrowser;
if($defaultBrowser)
{
$haXML += "<HelperAttribute><Name>AppID</Name><Type>AT_STRING</Type><Value>"+ $defaultBrowser + "</Value></HelperAttribute>"
}
}
$haXML += "</HelperAttributes>"
return @{"HelperClassName" = "WinInetHelperClass"; "HelperAttributes" =$haXML}
}
function GetValidURL($CandidateURL)
{
$toReturn = $null
$url = IsValidURL $CandidateURL
if($url -eq $null)
{
if($CandidateURL.IndexOf("://") -eq -1)
{
$updatedURL = "http://" + $CandidateURL
$url = IsValidURL $updatedURL
if($url)
{
$toReturn = $url
}
}
}
else
{
$toReturn = $url
}
return $toReturn
}
function GetErrorRTF($Description, $Error)
{
$escapedDesc = EscapeForRTF $Description;
$escapedError = EscapeForRTF $Error;
$rtf = LoadResourceString($ERROR_MSG_RTF_RESOURCE);
return $rtf.Replace("%DESC%", $escapedDesc).Replace("%ERROR%", $escapedError);
}
function WebEntry()
{
$IT_WebChoice = Get-DiagInput -ID "IT_WebChoice"
if($IT_WebChoice -eq $null)
{
#Failed retriving Web Choice
return $null
}
$IT_URL = $DefaultDiagURL
if(!($IT_WebChoice -eq "Internet"))
{
$IT_URL = Get-DiagInput -ID "IT_URL"
if($IT_URL -eq $null) {
#Failed retriving URL
return $null
}
#verify that it is a valid URL
$validURL = GetValidURL $IT_URL[0]
while($validURL -eq $null)
{
#build the RTF text
$replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidURL_FormatError, $IT_URL[0]);
$RTFText = GetErrorRTF ($localizationString.interaction_InvalidURL_Desc) ($replacedError);
#reprompt for input
$IT_URL = Get-DiagInput -ID "IT_Invalid_URL" -p @{"URL" = $IT_URL; "RTFText" = $RTFText}
if($IT_URL -eq $null) {
#Failed retriving URL
return $null
}
$validURL = GetValidURL $IT_URL[0]
}
}
return GetWebNDFIncidentData $validURL $false
}
function IsUNCFormat($UNC)
{
&{
$uri = [System.URI]($UNC);
$scheme = $uri.scheme;
if(($scheme -eq "file" ))
{
if($uri.IsUnc)
{
return $uri.LocalPath;
}
}
return $null;
}
trap [Exception]
{
return $null;
}
}
#function assumes passed in UNC is in \\host\share form (share can be missing)
function ContainsInvalidUNCChars($UNC)
{
&{
#will return an exception if the string has invalid characters
$ignoreResult = [System.IO.Path]::IsPathRooted($UNC)
#check the path for invalid characters
#remove the starting slashes
$tmp = $UNC.Substring(2)
$nextSlash = $tmp.IndexOf("\")
if(($nextSlash -lt 0) -or ($nextSlash -eq ($nextSlash.Length - 1)))
{
#string only contains hostname
#hostname is already validated in IsUNCFormat function
return $false
}
#remove host and backslash after host
$UNCPath = $tmp.Substring($nextSlash+1)
#under certain circumstances some of these make it through the above check
#so we do a direct sanity check here
if(!($UNCPath.IndexOfAny(@('/',':','*','?','"','<','>','|')) -eq -1))
{
return $true;
}
return $false;
}
trap [Exception]
{
return $true;
}
}
function GetValidUNC($CandidateUNC)
{
$toReturn = $null
#is it valid
$unc = IsUNCFormat $CandidateUNC
if($unc)
{
$invalidChars = ContainsInvalidUNCChars $unc
if($invalidChars)
{
$toReturn = -1;
}
else
{
$toReturn = $unc
}
}
return $toReturn;
}
function GetUNCNDFIncidentData($UNC)
{
#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>UNCPath</Name><Type>AT_STRING</Type><Value><![CDATA[" + $UNC + "]]></Value></HelperAttribute></HelperAttributes>"
return @{"HelperClassName" = "SMBHelperClass"; "HelperAttributes" =$haXML}
}
function FileSharingEntry()
{
$IT_UNC = Get-DiagInput -ID "IT_UNC"
if($IT_UNC -eq $null) {
#Failed retriving UNC path
return $null
}
#assign input to non-array variable to facilitate usage and transform
$validUNC = GetValidUNC $IT_UNC[0]
while((!$validUNC) -or ($validUNC -eq -1))
{
#build the RTF text
#use original entry for re-prompt even though "file://" UNC may have been transformed
$replacedError = "";
if(!$validUNC)
{
$replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidUNC_FormatError, $IT_UNC[0]);
}
else
{
$replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidUNC_CharError, $IT_UNC[0]);
}
$RTFText = GetErrorRTF ($localizationString.interaction_InvalidUNC_Desc) ($replacedError);
#reprompt for input
$IT_UNC = Get-DiagInput -ID "IT_Invalid_UNC" -p @{"UNC" = $IT_UNC; "RTFText" = $RTFText}
if($IT_UNC -eq $null) {
#Failed retriving UNC path
return $null
}
$validUNC = GetValidUNC $IT_UNC[0]
}
return GetUNCNDFIncidentData $validUNC
}
function NetworkAdapterEntry()
{
#enumerate interfaces to build options list
$interfaces = get-wmiobject -class Win32_NetworkAdapter
#hash table with options
$optionList = @()
foreach($curInterface in $interfaces)
{
if($curInterface.GUID -ne $null)
{
$curHash = @{"Name"=$curInterface.NetConnectionID}
$curHash += @{"Description"=$curInterface.NetConnectionID}
$curHash += @{"Value"=$curInterface.GUID}
$optionList += @($curHash)
}
}
if($optionList.Count -gt 1)
{
#add zero guid entry to check all interfaces
$optionList += @(@{"Name"=$localizationString.interaction_AllAdapters; "Description"=$localizationString.interaction_AllAdapters; "Value"="{00000000-0000-0000-0000-000000000000}"; "ExtensionPoint"="<Default />"})
#get interface selection from user
$IT_NetworkAdapter = Get-DiagInput -ID "IT_NetworkAdapter" -c $optionList
if($IT_NetworkAdapter -eq $null) {
throw "Failed retriving Network Connetion ID from user"
}
}
elseif($optionList.Count -eq 1)
{
$IT_NetworkAdapter = $optionList[0]["Value"]
}
else
{
#No NICs, do zero GUID diag
$IT_NetworkAdapter = "{00000000-0000-0000-0000-000000000000}"
}
#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>guid</Name><Type>AT_GUID</Type><Value>" + $IT_NetworkAdapter + "</Value></HelperAttribute></HelperAttributes>"
return @{"HelperClassName" = "NetConnection"; "HelperAttributes" =$haXML}
}
function WinsockEntry()
{
$IT_RemoteAddress = Get-DiagInput -ID "IT_RemoteAddress"
if($IT_RemoteAddress -eq $null -or $IT_RemoteAddress[0].Length -eq 0) {
#Failed retriving Remote Address
return $null
}
$IT_Protocol = Get-DiagInput -ID "IT_Protocol"
if($IT_Protocol -eq $null -or $IT_Protocol[0].Length -eq 0) {
#Failed retriving Remote Port
return $null
}
$IT_ApplicationID = Get-DiagInput -ID "IT_ApplicationID"
if($IT_ApplicationID -eq $null -or $IT_ApplicationID[0].Length -eq 0) {
#Failed retriving Application ID
return $null
}
#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>remoteaddr</Name><Type>AT_SOCKADDR</Type><Value>" + $IT_RemoteAddress + "</Value></HelperAttribute>";
$haXML += "<HelperAttribute><Name>protocol</Name><Type>AT_UINT32</Type><Value>" + $IT_Protocol + "</Value></HelperAttribute>";
$haXML += "<HelperAttribute><Name>localaddr</Name><Type>AT_SOCKADDR</Type><Value>0.0.0.0</Value></HelperAttribute>";
$haXML += "<HelperAttribute><Name>appid</Name><Type>AT_STRING</Type><Value>" + $IT_ApplicationID + "</Value></HelperAttribute>";
$haXML += "</HelperAttributes>";
return @{"HelperClassName" = "Winsock"; "HelperAttributes" =$haXML}
}
function GroupingEntry()
{
$IT_GroupName = Get-DiagInput -ID "IT_GroupName"
if($IT_GroupName -eq $null -or $IT_GroupName[0].Length -eq 0) {
#Failed retriving Remote Address
return $null
}
#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>groupname</Name><Type>AT_STRING</Type><Value>" + $IT_GroupName + "</Value></HelperAttribute></HelperAttributes>"
return @{"HelperClassName" = "GroupingHelperClass"; "HelperAttributes" =$haXML}
}
function GetValidExePath($File)
{
&{
$uri = [System.URI]($File);
$scheme = $uri.scheme;
if(($scheme -eq "file" ))
{
#make sure it send in .exe
if($File.ToLower().IndexOf(".exe") -eq ($File.Length - 4))
{
return $File;
}
}
return $null;
}
trap [Exception]
{
return $null;
}
}
function InboundEntry()
{
$staticOptionRes = @($INBOUND_FILESHARE_RESOURCE, $INBOUND_REMOTEDESKTOP_RESOURCE, $INBOUND_DISCOVERY_RESOURCE)
$staticOptions = @($INBOUND_FILESHARE_PARAM, $INBOUND_REMOTEDESKTOP_PARAM, $INBOUND_DISCOVERY_PARAM)
# If defined for the corresponding option, the item will be filtered out if the current sku matches anything in the list
# Sku values as defined in the OperatingSystemSKU property of Win32_OperatingSystem
$SKUFilters = @($null, @(2,3,5,11), $null)
#get the SKU, to filter out inappropriate static options
$SKUObject = get-wmiobject -class Win32_OperatingSystem -property "OperatingSystemSKU"
$SKU = $SKUObject.OperatingSystemSKU
$optionList = @()
$curOptionIndex = 0
for($curStaticOption = 0; $curStaticOption -lt $staticOptions.Length; $curStaticOption++)
{
$SKUFilter = $SKUFilters[$curStaticOption]
if($SKUFilter)
{
if($SKUFilter -contains $SKU)
{
#should filter out this option from the list because it is not present in the SKU
continue;
}
}
$curApp = LoadResourceString($staticOptionRes[$curStaticOption])
$curHash = @{}
$curHash.Add("Name",$curApp)
$curHash.Add("Value",$curOptionIndex)
$curHash.Add("Description",$curApp)
$curHash.Add("HelperAttributeName","serviceid")
$curHash.Add("HelperAttributeValue",$staticOptions[$curStaticOption])
$optionList += $curHash
$curOptionIndex++
}
#add dynamic options (do not fail if call fails)
$script:ExpectingException = $true
$dll = "NetworkDiagnosticSnapIn.dll"
try
{
RegSnapin $dll
$droppedApps = [Microsoft.Windows.Diagnosis.Network.FirewallApi.ManagedMethods]::GetDiagnosticAppInfo()
$script:ExpectingException = $false
if($droppedApps)
{
foreach($droppedApp in $droppedApps)
{
#omit svchosts since we cannot display a friendly name for them
if($droppedApp.Path.IndexOf("svchost") -eq -1)
{
$appEntryDisplayStr = [System.String]::Format([System.Globalization.Cul
ScriptBlock ID: 9dde433b-59f7-43ff-9724-da85bd9a7705
Path: C:\Users\Chaz\AppData\Local\Temp\SDIAG_fc401818-2c95-4b72-9b00-d91a618105c1\UtilityFunctions.ps1
-
Powershell script run by 4104:
Creating Scriptblock text (1 of 1):
{
$script:ExpectingException = $true
$events = get-winevent -path $TraceFile -Oldest -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Diagnostics-Networking'] and (EventID=6100)]]" -ErrorAction SilentlyContinue
$script:ExpectingException = $false
foreach($event in $events)
{
#events indexed by time they were emitted
if(($event -ne $null) -and !$Global:ReportEvents.ContainsKey($event.TimeCreated))
{
#Add helper class name to title so that it's easily distinguishable in the report without having to expand it
$eventTitle = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.HelperClassEventNameWithHCName,
[System.Globalization.CultureInfo]::CurrentUICulture.TextInfo.ToTitleCase($event.Properties[0].Value));
"<Objects><Object Type=""System.String""><PRE><![CDATA["+$event.Message +"]]></PRE></Object></Objects>" | Update-DiagReport -id DiagInformation -name $eventTitle
$Global:ReportEvents.Add($event.TimeCreated, $event)
}
}
}
ScriptBlock ID: 98faba36-8011-4820-b876-b9a559211c51
Path: C:\Users\Chaz\AppData\Local\Temp\SDIAG_deb8d06e-bbd7-4912-9d13-83133a10a6de\UtilityFunctions.ps1
-
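The 4104 entries quoted above arrive as numbered fragments ("Creating Scriptblock text (2 of 4)") that share one ScriptBlock ID. The following is an added example, not code from the post or from Malwarebytes: it parses that header/trailer layout, joins the fragments of each block in order, flags blocks with missing parts, and hashes the complete ones so they can be compared against the file named in Path. The GUIDs, paths and script text in SAMPLE_MESSAGES are constructed placeholders.

```python
import hashlib
import re
from collections import defaultdict

# Layout of one PowerShell Event ID 4104 message (Microsoft-Windows-PowerShell/Operational):
#   Creating Scriptblock text (<n> of <N>):
#   <fragment of the script text>
#   ScriptBlock ID: <guid>
#   Path: <script file, empty when the block was typed interactively>
HEADER = re.compile(r"^Creating Scriptblock text \((\d+) of (\d+)\):\r?\n")
TRAILER = re.compile(r"\r?\n(?:\r?\n)?ScriptBlock ID: ([0-9a-fA-F-]{36})\r?\nPath: (.*)\Z", re.S)


def parse_4104_message(msg: str) -> dict:
    """Split one 4104 message into fragment index, script text, block id and path."""
    head = HEADER.match(msg)
    tail = TRAILER.search(msg, head.end()) if head else None
    if not head or not tail:
        raise ValueError("not a 4104 'Creating Scriptblock text' message")
    return {
        "part": int(head.group(1)),
        "total": int(head.group(2)),
        "text": msg[head.end():tail.start()],
        "id": tail.group(1).lower(),
        "path": tail.group(2).strip() or None,
    }


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def reassemble(messages: list[str]) -> dict:
    """Group fragments by ScriptBlock ID, order them and report completeness.

    A long script is logged as N fragments that share one ID; only the joined text is
    useful for review or for hashing against the file at Path. A block with a fragment
    missing (log rotation, partial export) is flagged and left unhashed.
    """
    fragments, info = defaultdict(dict), {}
    for msg in messages:
        f = parse_4104_message(msg)
        fragments[f["id"]][f["part"]] = f["text"]
        info[f["id"]] = (f["total"], f["path"])
    result = {}
    for bid, parts in fragments.items():
        total, path = info[bid]
        missing = [n for n in range(1, total + 1) if n not in parts]
        text = "".join(parts[n] for n in sorted(parts))
        result[bid] = {"complete": not missing, "missing": missing, "path": path,
                       "text": text, "sha256": None if missing else sha256_hex(text)}
    return result


# Constructed sample messages; the GUIDs and paths are placeholders, not values from the page.
SAMPLE_MESSAGES = [
    "Creating Scriptblock text (1 of 2):\nfunction Get-Thing {\n\n\n"
    "ScriptBlock ID: 11111111-2222-3333-4444-555555555555\n"
    "Path: C:\\Users\\example\\AppData\\Local\\Temp\\SDIAG_example\\UtilityFunctions.ps1",
    "Creating Scriptblock text (2 of 2):\n    'thing'\n}\n\n"
    "ScriptBlock ID: 11111111-2222-3333-4444-555555555555\n"
    "Path: C:\\Users\\example\\AppData\\Local\\Temp\\SDIAG_example\\UtilityFunctions.ps1",
    # Only part 1 of 3 was exported: must be reported as incomplete rather than hashed.
    "Creating Scriptblock text (1 of 3):\nGet-Process\n\n"
    "ScriptBlock ID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\nPath: ",
]

if __name__ == "__main__":
    for bid, r in reassemble(SAMPLE_MESSAGES).items():
        state = "complete" if r["complete"] else f"missing parts {r['missing']}"
        print(bid, state, r["path"], r["sha256"])
```

Troubleshooting packs run by msdt.exe are staged under %TEMP%\SDIAG_<guid>\ and their UtilityFunctions.ps1 is logged by 4104 like any other script, so comparing the reassembled hash with a known-good copy of that file says more than the path alone.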
Logs from MWB Support Tool
-
I’ll get those logs when possible.
There’s a log in windows\Panther including “[svchost.exe] Enter WinReIsWimBootEnabled” … “[RelPost.exe] Enter WinReSetTriggerFile”
So it would seem they are using Wimboot to create a background environment from early in the boot, possibly storing it in the windows recovery partition. There is some trigger file that causes it to turn on, then it starts opening MoUsoCoreWorker, mstsc.exe, osk.exe etc to take over the computer for powershell scripting
When possible I’ll get the MWB support logs
-
I am sorry I don’t have the setupact.log as it really shows every step but it didn’t zip
I ran multiple 4104 powershell scripts through chatgpt to see what they did and they were changing permissions, changing defender and MWB settings, taking various ownership, etc etc
-
https://blog.360totalsecurity.com/en/panther-ransomware-strikes-again/
-
Again, I’m not asking for my computer to be fixed. I’m asking malwarebytes to take it seriously that someone figured out how to use almost all native Windows functions to fully take over computers. I didn’t know I had a game bar, but they appear to have used Xbox game bar to get in, then planted a Trojan which executes the steps down in the .dat file among others, taking over mstsc.exe and osk.exe and multiple other files. Then running powershell commands, and you’ve got the whole thing
I grabbed a number of powershell files to run on virustotal against the AI system but have no public Ethernet to do it on currently
-
It is responsible. Open the .dat file
The xbox gamebar token was used at one point to get in through Microsoft Live
-
You’re right, providing Remote Desktop control to whoever planted the code, granting full remote powershell scripting rights which are then used to log all files and activity for remote copying, allowing enabling and accessing the guest account even if it is disabled, taking file and folder ownership, injecting the base code into fresh Windows installs from firmware (apparently Nvidia and Realtek device firmware), and rerouting the DNS to the hacker’s computer in Nebraska… that’s not malware because no one else’s software hits on it and it’s doing it through genuine windows files.
360 Global Security has a report on an “oldpanther” ransomware that appears to be the same thing plus encrypting files. Available on Google
You can open and read the .dat easily to see its playbook. It’s scripting the file distribution right there
When I can find a public Ethernet to plug into I’ll use the MWB support tools and upload. But since this can’t be removed I can’t plug it into any of my networks currently
-
Nope- I want Malwarebytes to detect this severe Trojan from now on. That’s NOT what I need to read. Clearly malwarebytes has zero interest in actually stopping new threats
-
If I plug my computer into any network long enough to do something like that, 4104 powershell commands start irreversibly changing all kinds of settings and opening back doors and then I have to reinstall again at best. I’m trying to help identify something that appears sophisticated, which I was under the impression you guys would be excited about. But if not my apologies
There is the FARBAR detection strafed which should substitute
-
Firmware deploys this trojan that allows complete remote control of a system using almost entirely genuine windows components to avoid detection.
1- There should be a "setupact.log" in here that describes how the file comes out of Firmware and gets around the Windows setup process to infect the machine. It seems that zipping the file may have removed it and the only way I could create a new one would be to reinstall windows
-If you can't get this file out of the zip it's very unfortunate as it shows the entire strategy the system deployed with, but it seems the Zipping process may have removed the .log
2- Look through "RunExeActionAllowedList.dat" which is the code that seems to deploy the system for using genuine windows products to take over the machine
3- FRST - Copy.txt are all the detections from FARBAR Run Scan Tool which show a list of what the trojan had done (though some of it was removed in a first-round "Fix" by that tool)
4- The "KnownGameList.Bin" appears to be an access method used in concert with Xbox GameBar
The system seems to change the DNS to a different IP and repeatedly triggers (and copies over if you delete it) mstsc.exe. There are dozens of copies of this file in different folders that it uses to restore itself
I have previously uploaded more files but apparently that wasn't preferred. Please use these to ask me if you'd like a specific file
Firmware replying trojan that uses genuine windows remoting to take over
in Resolved Malware Removal Logs
My msdt.exe file also reports from VirusTotal as not being detected, but again if you switch to the "Behavior" tab you find it's copying the clipboard, keystroke logging, and all kinds of other malicious behavior. I also found one suspicious log with Chinese wording in it, but it could be from a vendor:
accept command line arguments
PowerShell T1059.001
    run PowerShell expression
Shared Modules T1129
    parse PE header
    link function at runtime on Windows
Defense Evasion TA0005
  Obfuscated Files or Information T1027
    encode data using XOR
  File and Directory Permissions Modification T1222
    set file attributes
Credential Access TA0006
  Keylogging T1056.001
    log keystrokes via polling
Discovery TA0007
  Query Registry T1012
    query or enumerate registry value
  System Owner/User Discovery T1033
    get session user name
    get token membership
  System Information Discovery T1082
    query environment variable
    Reads software policies
  File and Directory Discovery T1083
    check if file exists
    enumerate files on windows
    enumerate files recursively
    get common file path
    get file size
    enumerate files on Windows
  Account Discovery T1087
    get session user name
Collection TA0009
  Keylogging T1056.001
    log keystrokes via polling
  Clipboard Data T1115
    open clipboard
mdst exe.zip