Colin Cowie👨🏼‍💻 on Twitter:

"Post-exploit #SocGholish/#FakeUpdates activity:
➡️Edge.js
↪️whoami /all
↪️nltest
↪️net group 'Domain Admins' & 'Enterprise Admins'
↪️Get-WmiObject -Class win32_service
↪️dir c:\programdata
↪️regsvr32 c:\ProgramData\VGAuthService.dll
🌐 optiontradingsignal[.]com (#CobaltStrike)"

https://twitter.com/th3_protoCOL/status/1536788652889497600
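
One way to turn the command chain listed in the tweet into a per-host correlation check over process-creation logs, added here as an example and not code from the tweet's author. The event fields (`host`, `time`, `cmdline`), the sample records, the 30-minute window and the three-stage threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# One pattern per command named in the tweet (matched case-insensitively).
STAGES = {
    "whoami_all": re.compile(r"\bwhoami(\.exe)?\s+/all\b", re.I),
    "nltest": re.compile(r"\bnltest(\.exe)?\b", re.I),
    "net_group_admins": re.compile(r"\bnet1?(\.exe)?\s+group\s+.*(domain|enterprise) admins", re.I),
    "wmi_services": re.compile(r"get-wmiobject\s+.*win32_service", re.I),
    "dir_programdata": re.compile(r"\bdir\s+c:\\programdata", re.I),
    "regsvr32_programdata": re.compile(r"\bregsvr32(\.exe)?\s+.*c:\\programdata\\[^\\\s]+\.dll", re.I),
}

# Constructed sample process-creation records (not real telemetry).
EVENTS = [
    {"host": "WS01", "time": "2022-06-14T10:00:05", "cmdline": r"whoami /all"},
    {"host": "WS01", "time": "2022-06-14T10:00:40", "cmdline": r"nltest"},
    {"host": "WS01", "time": "2022-06-14T10:01:10", "cmdline": r'net group "Domain Admins"'},
    {"host": "WS01", "time": "2022-06-14T10:02:00", "cmdline": r"powershell Get-WmiObject -Class win32_service"},
    {"host": "WS01", "time": "2022-06-14T10:03:30", "cmdline": r"cmd.exe /c dir c:\programdata"},
    {"host": "WS01", "time": "2022-06-14T10:09:00", "cmdline": r"regsvr32 c:\ProgramData\VGAuthService.dll"},
    {"host": "HELPDESK7", "time": "2022-06-14T09:00:00", "cmdline": r"whoami /all"},
    {"host": "HELPDESK7", "time": "2022-06-14T15:00:00", "cmdline": r"cmd.exe /c dir c:\programdata"},
]

def classify(cmdline):
    """Return the names of all stages whose pattern matches this command line."""
    return [name for name, rx in STAGES.items() if rx.search(cmdline)]

def detect(events, window=timedelta(minutes=30), min_stages=3):
    """Map each host to the distinct stages seen inside one time window, if >= min_stages."""
    hits = {}
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        for stage in classify(ev["cmdline"]):
            hits.setdefault(ev["host"], []).append((t, stage))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for start, _ in seen:  # try every hit as the start of a window
            stages = {s for t, s in seen if start <= t <= start + window}
            if len(stages) >= min_stages and len(stages) > len(alerts.get(host, ())):
                alerts[host] = stages
    return {h: sorted(s) for h, s in alerts.items()}

if __name__ == "__main__":
    print(detect(EVENTS))
```

Each command is common in administration on its own, so the check alerts on several distinct stages clustering on one host rather than on any single match.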