admin@338 actors used the following commands following exploitation of a machine withLOWBALL malware to enumerate user accounts:net user >> %temp%\downloadnet user /domain >> %temp%\download^[1]

Following exploitation withLOWBALL malware,admin@338 actors created a file containing a list of commands to be executed on the compromised computer.^[1]

admin@338 has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158.^[1]

admin@338 actors used the following commands after exploiting a machine withLOWBALL malware to obtain information about files and directories:dir c:\ >> %temp%\downloaddir "c:\Documents and Settings" >> %temp%\downloaddir "c:\Program Files\" >> %temp%\downloaddir d:\ >> %temp%\download^[1]

admin@338 actors used the following command to rename one of their tools to a benign file name:ren "%temp%\upload" audiodg.exe^[1]

admin@338 actors used the following command following exploitation of a machine withLOWBALL malware to list local groups:net localgroup administrator >> %temp%\download^[1]

admin@338 has sent emails with malicious Microsoft Office documents attached.^[1]

admin@338 actors used the following commands after exploiting a machine withLOWBALL malware to obtain information about the OS:ver >> %temp%\downloadsysteminfo >> %temp%\download^[1]

admin@338 actors used the following command after exploiting a machine withLOWBALL malware to acquire information about local networks:ipconfig /all >> %temp%\download^[1]

admin@338 actors used the following command following exploitation of a machine withLOWBALL malware to display network connections:netstat -ano >> %temp%\download^[1]

admin@338 actors used the following command following exploitation of a machine withLOWBALL malware to obtain information about services:net start >> %temp%\download^[1]

admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails.^[1]