[Willish42]

> cmd /c "whoami&&tasklist&&systeminfo&&netstat -ano" > a.txt

Naive question, but isn't this relatively safe information to expose for this level of attack? I guess the idea is to find systems vulnerable to 0-day exploits and similar based on this info? Still, that seems like a lot of effort just to get this data.

[gruez]

>I guess the idea is to find systems vulnerable to 0-day exploits and similar based on this info?

You don't need 0days when you already have RCE on an unsandboxed system.

[thatfunkymunki]

it's not "just to get that data", it's to confirm level of access, check for potential other exploiters or security software, identify the machine you have access to, identify what the machine has network connectivity to, etc. The attacker then maintains the c2 channel and can then perform their actual objective with the help of the data they have obtained.