It may sound a bit counterintuitive, but some very well-known lolbins often end up in places no one ever thought possible…
Continuing the topic I started a few days earlier, today I will explore a few more ‘popular’ lolbin-like executables that you may find ‘legitimately’ present in environments:
InstallUtil
- %Program Files%\Celceo SystemAI\InstallUtil.exe
- %Program Files%\TSS\Auto Mail Sender Birthday Edition\InstallUtil.exe
- %Program Files%\TSS\Auto Mail Sender Standard Edition\InstallUtil.exe
- %Program Files%\TSS\WinExt\InstallUtil.exe
RegAsm
- %Program Files%\ApexSQL\ApexSQLDiff2012\RegAsm.exe
- %Program Files%\AUDIOzilla\RegAsm.exe
- %Program Files%\Common Files\Multilizer\NET\1.1\RegAsm.exe
- %Program Files%\Common Files\Multilizer\NET\2.0\RegAsm.exe
- %Program Files%\Common Files\Multilizer\NET\4.0\RegAsm.exe
- %Program Files%\ExeShield\regasm.exe
- %Program Files%\iOpus\iMacros\RegAsm.exe
ping
- %Program Files%\Stellar Migrator for MS Exchange\Ping.exe
- %Program Files%\Stellar Phoenix Mailbox – Exchange Desktop\Ping.exe
- %Program Files%\Stellar Phoenix Repair for SQLite\Ping.exe
- %Program Files%\Stellar Phoenix Windows Backup Recovery\Ping.exe
Update_Execute
- %Program Files%\Diashow XL\Update_Execute.exe
- %Program Files%\E-Mail-Converter\Update_Execute.exe
- %Program Files%\FotoArchiv XL\Update_Execute.exe
- %Program Files%\FotoWorksXL2013\Update_Execute.exe
- %Program Files%\FreeFotoWorks2013\Update_Execute.exe
- %Program Files%\HomepageFIX2013\Update_Execute.exe
- %Program Files%\MailFinder\Update_Execute.exe
- %Program Files%\MailOut\Update_Execute.exe
- %Program Files%\MEDIA Revolution\Update_Execute.exe
- %Program Files%\NewsletterDesigner\Update_Execute.exe
- %Program Files%\OnlineGalerie\Update_Execute.exe
- %Program Files%\profiSUBMIT\Update_Execute.exe
- %Program Files%\Slideshow XL\Update_Execute.exe
The latter lets you execute any program of your choice via a proxy, e.g.:
Update_Execute.exe c:\windows\notepad.exe
runxx.exe (same as above, and more persistent)
- c:\drivers\keyb\dritek2007\runxx.exe
- c:\drivers\keyboard\dritek2000\InstPack\runxx.exe
- c:\drivers\keyboard\drtk2001\runxx.exe
- c:\drivers\keyboard\dtk30005\runxx.exe
- c:\drivers\keyboard\lm2003\InstPack\runxx.exe
- c:\drivers\keyboard\lm3002\runxx.exe
- c:\drivers\keyboard\lm3003\runxx.exe
- c:\drivers\keyboard\lm3004\InstPack\runxx.exe
- c:\drivers\keyboard\lm3004\runxx.exe
- c:\drivers\keyboard\lm3005\runxx.exe
- c:\Drivers\Launch_Manager\runxx.exe
- c:\drivers\launchmanager\dritek2001\InstPack\runxx.exe
- c:\drivers\launchmanager\dt2000\InstPack\runxx.exe
- c:\drivers\launchmanager\dt2002\runxx.exe
- c:\drivers\LM\2002\InstPack\runxx.exe
- c:\drivers\hotkeys\runxx.exe
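From the defender's side, the two patterns above (a well-known lolbin name turning up under a third-party install directory, and an installer such as Update_Execute.exe or runxx.exe being handed another executable to launch) are easy to triage from process-creation telemetry. The script below is an added example, not code from the original post: it runs a couple of simple rules over a handful of constructed process-creation events. The event layout (image, parent_image, cmdline), the expected-path prefix and the lolbin name list are assumptions for the example.

```python
import ntpath

# Executable names the post lists as turning up inside third-party install
# directories (constructed subset for this example; extend as needed).
LOLBIN_NAMES = {
    "installutil.exe", "regasm.exe", "regsvr32.exe",
    "instmsia.exe", "instmsiw.exe", "ping.exe",
}

# Installers that launch whatever path they are handed (proxy execution).
PROXY_EXECUTORS = {"update_execute.exe", "runxx.exe"}

# Where a copy of these binaries is expected to live; anything else is worth
# a look. Assumption for this example: the OS is installed on C:\Windows.
EXPECTED_PREFIXES = ("c:\\windows\\",)


def _name(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def _args_after_image(cmdline, image):
    """Return whatever follows the image path in the command line ('' if none)."""
    c = cmdline.strip()
    for form in ('"' + image + '"', image):
        if c.lower().startswith(form.lower()):
            return c[len(form):].strip()
    return ""


def classify(event):
    """Return a list of findings for one process-creation event.

    `event` is a dict with 'image', 'parent_image' and 'cmdline' keys, the
    shape a parsed Sysmon Event ID 1 or Security 4688 record would give you
    (assumed layout for this example).
    """
    findings = []
    image = event["image"]
    name = _name(image)
    # Rule 1: known lolbin name executing from outside the expected location.
    if name in LOLBIN_NAMES and not image.lower().startswith(EXPECTED_PREFIXES):
        findings.append("lolbin outside expected path: " + image)
    # Rule 2: this process was spawned by a proxy executor.
    parent = _name(event.get("parent_image", ""))
    if parent in PROXY_EXECUTORS:
        findings.append("proxy execution via " + parent + ": " + image)
    # Rule 3: a proxy executor was itself handed an argument to launch.
    if name in PROXY_EXECUTORS:
        rest = _args_after_image(event.get("cmdline", ""), image)
        if rest:
            findings.append(name + " asked to launch: " + rest)
    return findings


def scan(events):
    """Run classify() over every event and flatten the findings."""
    return [f for ev in events for f in classify(ev)]


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\ctl.dll"'},
    {"image": r"C:\Program Files\ExeShield\regasm.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Program Files\ExeShield\regasm.exe" payload.dll'},
    {"image": r"C:\Program Files\Diashow XL\Update_Execute.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Program Files\Diashow XL\Update_Execute.exe" c:\windows\notepad.exe'},
    {"image": r"c:\windows\notepad.exe",
     "parent_image": r"C:\Program Files\Diashow XL\Update_Execute.exe",
     "cmdline": r"c:\windows\notepad.exe"},
    {"image": r"C:\Program Files\Stellar Phoenix Repair for SQLite\Ping.exe",
     "parent_image": r"C:\Program Files\Stellar Phoenix Repair for SQLite\Stellar.exe",
     "cmdline": r'"C:\Program Files\Stellar Phoenix Repair for SQLite\Ping.exe"'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The last sample event shows the caveat that comes with these lists: the vendor's own Ping.exe running from its install directory trips rule 1 just like a planted copy would, so the output is a triage queue, not a verdict. Pairing the path hit with the file's signer and hash, and with what the parent process normally does, is what separates the product's legitimate use from abuse.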
instmsia.exe
- %Program Files%\Firmware Update\All_Package\instmsia.exe
- C:\Drivers\7. Alcor CardReader Driver\instmsia.exe
- c:\drivers\Alcor Card Reader Driver\instmsia.exe
- c:\drivers\bluetooth\bc621500\Win32\instmsia.exe
- c:\drivers\bluetooth\bc621500\Win64\instmsia.exe
- c:\drivers\bluetooth\w6104600\Win32\instmsia.exe
- c:\drivers\bluetooth\w6104600\Win64\instmsia.exe
- c:\Drivers\Bluetooth\Win32\instmsia.exe
- c:\Drivers\Bluetooth\Win64\instmsia.exe
- c:\drivers\bt\6015600\Win32\instmsia.exe
- c:\drivers\bt\6015600\Win64\instmsia.exe
- c:\drivers\bt\6208500\Win32\instmsia.exe
- c:\drivers\bt\6208500\Win64\instmsia.exe
- c:\drivers\bt\bc5104500\Win32\instmsia.exe
- c:\drivers\bt\bc5104500\Win64\instmsia.exe
- c:\drivers\bt\bc6202600\Win32\instmsia.exe
- c:\drivers\bt\bc6202600\Win64\instmsia.exe
- c:\drivers\bt\bc6208800\Win32\instmsia.exe
- c:\drivers\bt\bc6208800\Win64\instmsia.exe
- c:\drivers\bt\bc6209600\Win32\instmsia.exe
- c:\drivers\bt\bc6209600\Win64\instmsia.exe
- c:\drivers\bt\bc6209700\Win32\instmsia.exe
- c:\drivers\bt\bc6209700\Win64\instmsia.exe
- c:\drivers\bt\bt520500\Win32\instmsia.exe
- c:\drivers\bt\bt520500\Win64\instmsia.exe
- c:\drivers\bt\Win32\instmsia.exe
- c:\drivers\bt\Win64\instmsia.exe
- c:\drivers\Card Reader Driver\instmsia.exe
- c:\drivers\cardreader\instmsia.exe
- c:\Drivers\Others\Bluetooth\Win32\instmsia.exe
- c:\Drivers\Others\Bluetooth\Win64\instmsia.exe
- C:\DRIVERS\WIN\MULTICARD\instmsia.exe
- c:\pnp\bluetooth\instmsia.exe
- c:\pnp\GOB\instmsia.exe
- c:\pnp\mobo\Chipset\INSTMSIA.EXE
- c:\pnp\mobo\INSTMSIA.EXE
- c:\pnp\raid\INSTMSIA.EXE
- c:\pnp\video\instmsia.exe
- C:\SWTOOLS\BLUETOOTH\7ZBV19WW\Win32\instmsia.exe
- C:\SWTOOLS\BLUETOOTH\7ZBV19WW\Win64\instmsia.exe
- C:\SWTOOLS\DRIVERS\BLUETOOTH\8m05bb36g04\Win32\instmsia.exe
- C:\SWTOOLS\DRIVERS\BLUETOOTH\8m05bb36g04\Win64\instmsia.exe
- C:\SWTOOLS\DRIVERS\LMBC\6jwa11ww\ATTplgin\instmsia.exe
- C:\SWTOOLS\DRIVERS\LMBC\7twa71ww\ATTplgin\instmsia.exe
instmsiw.exe
- %Program Files%\Droppix\Droppix Recorder 2.x\Droppix Recorder\InstMsiW.Exe
- %Program Files%\Firmware Update\All_Package\instmsiw.exe
- c:\drivers\11. TV Tuner (Geniatech,Yuan,AverMedia) for 32-bit Windows\Yuan\MC163\Win832\instmsiw.exe
- c:\drivers\11. TV Tuner (Geniatech,Yuan,AverMedia) for 32-bit Windows\Yuan\MC907\Win832\instmsiw.exe
- c:\drivers\15. TV Tuner (Geniatech, Yuan, AverMedia)\Yuan\1.0.6.8051\Win832\instmsiw.exe
- c:\drivers\15. TV Tuner (Geniatech, Yuan, AverMedia)\Yuan\1.0.6.8051\Win864\instmsiw.exe
- C:\Drivers\7. Alcor CardReader Driver\instmsiw.exe
- c:\drivers\Alcor Card Reader Driver\instmsiw.exe
- c:\drivers\bluetooth\bc621500\Win32\instmsiw.exe
- c:\drivers\bluetooth\bc621500\Win64\instmsiw.exe
- c:\drivers\bluetooth\w6104600\Win32\instmsiw.exe
- c:\drivers\bluetooth\w6104600\Win64\instmsiw.exe
- c:\Drivers\Bluetooth\Win32\instmsiw.exe
- c:\Drivers\Bluetooth\Win64\instmsiw.exe
- c:\drivers\bt\6015600\Win32\instmsiw.exe
- c:\drivers\bt\6015600\Win64\instmsiw.exe
- c:\drivers\bt\6208500\Win32\instmsiw.exe
- c:\drivers\bt\6208500\Win64\instmsiw.exe
- c:\drivers\bt\bc5104500\Win32\instmsiw.exe
- c:\drivers\bt\bc5104500\Win64\instmsiw.exe
- c:\drivers\bt\bc6202600\Win32\instmsiw.exe
- c:\drivers\bt\bc6202600\Win64\instmsiw.exe
- c:\drivers\bt\bc6208800\Win32\instmsiw.exe
- c:\drivers\bt\bc6208800\Win64\instmsiw.exe
- c:\drivers\bt\bc6209600\Win32\instmsiw.exe
- c:\drivers\bt\bc6209600\Win64\instmsiw.exe
- c:\drivers\bt\bc6209700\Win32\instmsiw.exe
- c:\drivers\bt\bc6209700\Win64\instmsiw.exe
- c:\drivers\bt\bt520500\Win32\instmsiw.exe
- c:\drivers\bt\bt520500\Win64\instmsiw.exe
- c:\drivers\bt\Win32\instmsiw.exe
- c:\drivers\bt\Win64\instmsiw.exe
- c:\drivers\Card Reader Driver\instmsiw.exe
- c:\drivers\cardreader\instmsiw.exe
- c:\Drivers\Others\Bluetooth\Win32\instmsiw.exe
- c:\Drivers\Others\Bluetooth\Win64\instmsiw.exe
- c:\drivers\TV Tuner (Geniatech, Yuan, AverMedia)\Yuan\MC163\Win832\instmsiw.exe
- c:\drivers\TV Tuner (Geniatech, Yuan, AverMedia)\Yuan\MC907\Win832\instmsiw.exe
- C:\DRIVERS\WIN\LANASIX\instmsiw.exe
- C:\DRIVERS\WIN\MULTICARD\instmsiw.exe
- c:\pnp\bluetooth\instmsiw.exe
- c:\pnp\Cardreader\instmsiw.exe
- c:\pnp\GOB\instmsiw.exe
- c:\pnp\mobo\Chipset\INSTMSIW.EXE
- c:\pnp\mobo\INSTMSIW.EXE
- c:\pnp\raid\INSTMSIW.EXE
- c:\pnp\video\instmsiw.exe
- C:\SWTOOLS\BLUETOOTH\7ZBV19WW\Win32\instmsiw.exe
- C:\SWTOOLS\BLUETOOTH\7ZBV19WW\Win64\instmsiw.exe
- C:\SWTOOLS\DRIVERS\BLUETOOTH\8m05bb36g04\Win32\instmsiw.exe
- C:\SWTOOLS\DRIVERS\BLUETOOTH\8m05bb36g04\Win64\instmsiw.exe
- C:\SWTOOLS\DRIVERS\FPR\LZ4GO2A2_64\instmsiw.exe
- C:\SWTOOLS\DRIVERS\LMBC\6jwa11ww\ATTplgin\instmsiw.exe
- C:\SWTOOLS\DRIVERS\LMBC\7twa71ww\ATTplgin\instmsiw.exe
regsvr32
- %Program Files%\3D Active Button Magic\REGSVR32.EXE
- %Program Files%\3D Button API\REGSVR32.EXE
- %Program Files%\Active DJ Studio\REGSVR32.EXE
- %Program Files%\Active MIDI DJ Console\REGSVR32.EXE
- %Program Files%\Active Sound Editor\REGSVR32.EXE
- %Program Files%\Active Sound Recorder\REGSVR32.EXE
- %Program Files%\Active Sound Studio\Active Sound Editor\REGSVR32.EXE
- %Program Files%\Active Sound Studio\Active Sound Recorder\REGSVR32.EXE
- %Program Files%\Active Waveform Analyzer\REGSVR32.EXE
- %Program Files%\Blue Squirrel\Spam Sleuth Lite\regsvr32.exe
- %Program Files%\Firmware Update\All_Package\program files\HP\Button Manager\Hestia\regsvr32.exe
- %Program Files%\Firmware Update\All_Package\program files\HP\Button Manager\regsvr32.exe
- %Program Files%\VoIP SIP Client SDK\files_for_redistribution\ActiveX\regsvr32.exe
ffmpeg
Not a hacking utility, but it may come in handy:
- %Program Files%\AnvSoft\Any Video Converter Professional\gnu\ffmpeg.exe
- %Program Files%\AnvSoft\Any Video Converter\ffmpeg.exe
- %Program Files%\AnvSoft\Any Video Converter\gnu\ffmpeg.exe
- %Program Files%\Any Video Recorder\ffmpeg.exe
- %Program Files%\Aura4You\Aura Video Converter Professional\gnu\ffmpeg.exe
- %Program Files%\BlazeVideo\BlazeDVD 6.1\ffmpeg.exe
- %Program Files%\ClipGrab\ffmpeg.exe
- %Program Files%\CodedColor\ffmpeg.exe
- %Program Files%\Convertilla\ffmpeg.exe
- %Program Files%\Diashow XL\LibAV\ffmpeg.exe
- %Program Files%\DVD Photo Slideshow Professional\gnu\ffmpeg.exe
- %Program Files%\DVD Shrink\ffmpeg.exe
- %Program Files%\DVD to iPad Converter\ffmpeg.exe
- %Program Files%\DVDVideoSoft\Free Audio Editor\ffmpeg.exe
- %Program Files%\DVDVideoSoft\Free YouTube Download\ffmpeg.exe
- %Program Files%\DVDVideoSoft\Free YouTube To MP3 Converter\ffmpeg.exe
- %Program Files%\FotoArchiv XL\LibAV\ffmpeg.exe
- %Program Files%\Freemake\COM\1.1\ffmpeg.exe
- %Program Files%\Icecream Slideshow Maker\ffmpeg.exe
- %Program Files%\Kastor Free Video Converter\ffmpeg.exe
- %Program Files%\KooRaRoo Media Free\ffmpeg.exe
- %Program Files%\MediaHuman\Audio Converter\ffmpeg.exe
- %Program Files%\Nuclear Coffee\ConvertVid\ffmpeg.exe
- %Program Files%\Nuclear Coffee\VideoGet\ffmpeg.exe
- %Program Files%\pazera-software\FLV_to_AVI_Converter\tools\FFmpeg\ffmpeg.exe
- %Program Files%\pazera-software\MKV_to_AVI_Converter_32\tools\FFmpeg\ffmpeg.exe
- %Program Files%\pazera-software\MOV_to_AVI_Converter\tools\FFmpeg\ffmpeg.exe
- %Program Files%\pazera-software\MP4_to_AVI_Converter\tools\FFmpeg\ffmpeg.exe
- %Program Files%\pazera-software\MP4_to_MP3_32bit\tools\FFmpeg\ffmpeg.exe
- %Program Files%\RadioBOSS\Plugins\ffmpeg.exe
- %Program Files%\Slideshow XL\LibAV\ffmpeg.exe
- %Program Files%\SmartDVDCreatorPro\ffmpeg.exe
- %Program Files%\SmartDVDCreator\ffmpeg.exe
- %Program Files%\Socusoft\Socusoft 3GP Photo Slideshow\gnu\ffmpeg.exe
- %Program Files%\Socusoft\Socusoft iPod Photo Slideshow\gnu\ffmpeg.exe
- %Program Files%\Sothink HD Movie Maker\Encoder\ffmpeg.exe
- %Program Files%\Sothink Movie DVD Maker\Encoder\ffmpeg.exe
- %Program Files%\Sothink Video Converter\Encoder\ffmpeg.exe
- %Program Files%\Sothink Video Encoder for Adobe Flash\Encoder\ffmpeg.exe
- %Program Files%\SourceTec\Sothink Movie DVD Maker\Encoder\ffmpeg.exe
- %Program Files%\Stellar Phoenix Video Repair\ffmpeg.exe
- %Program Files%\YouTube Song Downloader\ffmpeg.exe
And there is more VNC as well:
vncviewer
- %Program Files%\CrossLoop\vncviewer.exe
- %Program Files%\Hammer Software\MetaLAN Administrator 2\VNC\TightVNC3\vncviewer.exe
- %Program Files%\RealVNC\VNC4\vncviewer.exe
- %localappdata%\CrossLoop\vncviewer.exe
winscp
- %Program Files%\Lauyan\TOWeb V6\tools\winscp\WinSCP.exe
downloader (note: all of these may require additional analysis):
- %Program Files%\Auslogics\Driver Updater\Downloader.exe
- %Program Files%\BSC Designer\update\Downloader.exe
- %Program Files%\Defender Pro Driver Control\Downloader.exe
- %Program Files%\Download Master\downloader.exe
- %Program Files%\Fake Voice 7.0\7.0.0.0\downloader.exe
- %Program Files%\Fake Webcam 7.4\7.4.0.0\downloader.exe
- %Program Files%\IDA\downloader.exe
- %Program Files%\MurGeeMon\Downloader.exe
- %Program Files%\Virtual Webcam 8.0\8.0.0.0\downloader.exe
- %Program Files%\Webcam Screen Recorder 7.0\7.0.0.0\downloader.exe
- %localappdata%\downloader.exe
- %localappdata%\Temp\hstemp\downloader.exe
javaw
- %Program Files%\CamShot\jre\bin\javaw.exe
- %Program Files%\ChequePrinting.net\jre\bin\javaw.exe
- %Program Files%\ChequeSystem\jre\bin\javaw.exe
- %Program Files%\EasyBilling\jre\bin\javaw.exe
- %Program Files%\EditRocket\jre\bin\javaw.exe
- %Program Files%\Formatic\jre\bin\javaw.exe
- %Program Files%\OMS\OPhone Desktop Suite\jre\bin\javaw.exe
- %Program Files%\Ovis\jre7\bin\javaw.exe
- %Program Files%\PhotoPDF\jre\bin\javaw.exe
- %Program Files%\PhotoX\jre\bin\javaw.exe
- %Program Files%\RoboMail\jre\bin\javaw.exe
- %Program Files%\SmartCalendar\jre\bin\javaw.exe
- %Program Files%\Sweet Home 3D\jre6\bin\javaw.exe
java
- %Program Files%\CamShot\jre\bin\java.exe
- %Program Files%\ChequePrinting.net\jre\bin\java.exe
- %Program Files%\ChequeSystem\jre\bin\java.exe
- %Program Files%\EasyBilling\jre\bin\java.exe
- %Program Files%\EditRocket\jre\bin\java.exe
- %Program Files%\Formatic\jre\bin\java.exe
- %Program Files%\OMS\OPhone Desktop Suite\jre\bin\java.exe
- %Program Files%\Ovis\jre7\bin\java.exe
- %Program Files%\PhotoPDF\jre\bin\java.exe
- %Program Files%\PhotoX\jre\bin\java.exe
- %Program Files%\RoboMail\jre\bin\java.exe
- %Program Files%\SmartCalendar\jre\bin\java.exe
tar
- %commonappdata%\CleanMail\tar.exe
- %Program Files%\Git\usr\bin\tar.exe
- %Program Files%\Kingo ROOT\tools\tar.exe
- c:\Program Files (x86)\Common Files\DVDVideoSoft\bin\tar.exe
undelete
- %Program Files%\Advanced System Optimizer 3\Undelete.exe
- %Program Files%\CleanGenius 3\UnDelete.exe
- %Program Files%\Glary Undelete\undelete.exe
- %Program Files%\Glary Utilities\undelete.exe
- %Program Files%\LSoft Technologies\Active\@ UNDELETE\Undelete.exe