Path: blob/master/payloads/library/incident_response/GoodUSB/payload.txt
REM Open Notepad from the Run dialog and tell the user what is about to happen
GUI r
DELAY 1000
STRING notepad.exe
ENTER
DELAY 1000
STRING Greetings!
ENTER
STRING You've just launched GoodUSB!
ENTER
ENTER
STRING This script will take the following actions:
ENTER
STRING 1) Download ClamAV
ENTER
STRING 2) Update ClamAV to the latest malware definitions.
ENTER
STRING 3) Scan your system memory for any malicious processes.
ENTER
STRING 4) If any are found, TERMINATE THEM!
ENTER
ENTER
STRING This process may take a very long time, about 30 minutes to an hour.
ENTER
STRING You can abort now by unplugging this device.
ENTER
REM Countdown: 15 seconds in which the device can still be unplugged
STRING Otherwise, the process will begin in 5...
DELAY 3000
STRING 4...
DELAY 3000
STRING 3...
DELAY 3000
STRING 2...
DELAY 3000
STRING 1...
DELAY 3000
STRING 0
ENTER
STRING Away we go!
DELAY 2000
REM Close Notepad and answer the save prompt with "Don't Save"
ALT F4
DELAY 1000
ALT N
REM Open PowerShell, then relaunch it elevated and close the first window
GUI r
DELAY 1000
STRING powershell.exe
ENTER
DELAY 1000
STRING Start-Process powershell -Verb runAs ; exit
ENTER
DELAY 4000
REM UAC prompt: move focus to Yes and confirm
LEFT
ENTER
DELAY 4000
REM Elevated shell: download and unpack ClamAV, enable the sample configs, update definitions, scan memory with --kill, clean up
STRING mkdir $env:USERPROFILE\AppData\Local\Temp ; cd $env:USERPROFILE\AppData\Local\Temp ; Invoke-WebRequest -Uri https://www.clamav.net/downloads/production/clamav-1.3.0.win.x64.zip -OutFile clam.zip ; Expand-Archive -Force clam.zip ; del clam.zip ; cd clam\* ; mv .\conf_examples\freshclam.conf.sample freshclam.conf ; mv .\conf_examples\clamd.conf.sample clamd.conf ; Set-Content -Path "freshclam.conf" -Value (get-content -Path "freshclam.conf" | Select-String -Pattern 'Example' -NotMatch) ; Set-Content -Path "clamd.conf" -Value (get-content -Path "clamd.conf" | Select-String -Pattern 'Example' -NotMatch) ; Start-Process -Wait .\freshclam.exe ; Start-Process -NoNewWindow -Wait .\clamscan.exe "--memory --kill" ; cd $env:USERPROFILE\AppData\Local\Temp ; rmdir -R clam
ENTER
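
The final STRING line expands and runs the downloaded archive from an elevated shell without checking it, and the `;` chain keeps going if a step fails. As an added example (not part of the GoodUSB payload), the download step with the archive's SHA-256 compared against a pinned value before anything is extracted; the function name Get-VerifiedClamAV is hypothetical and the hash is a placeholder to be filled in from a trusted source.

```powershell
# Added example, not part of the GoodUSB payload.
# Assumption: $ExpectedSha256 is the SHA-256 of the release archive, taken from a
# source you trust and pinned when the payload is built. The value used below is a placeholder.
$ErrorActionPreference = 'Stop'   # abort on the first failure instead of continuing the chain

function Get-VerifiedClamAV {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    # Work in a fresh, randomly named directory rather than a predictable "clam" folder in Temp.
    $workDir = Join-Path ([System.IO.Path]::GetTempPath()) ([System.Guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $workDir | Out-Null
    $zip = Join-Path $workDir 'clam.zip'

    try {
        Invoke-WebRequest -Uri $Uri -OutFile $zip -UseBasicParsing

        # Compare the digest before the archive is expanded or anything in it is run.
        $actual = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {   # -ne compares strings case-insensitively
            throw "SHA-256 mismatch for $Uri (got $actual)"
        }

        Expand-Archive -Path $zip -DestinationPath $workDir -Force
        Remove-Item $zip
        return $workDir
    }
    catch {
        # Leave nothing behind that a later step could execute.
        Remove-Item -Recurse -Force $workDir -ErrorAction SilentlyContinue
        throw
    }
}

# With the placeholder hash this call throws, which is the intended fail-closed behaviour.
$clamDir = Get-VerifiedClamAV `
    -Uri 'https://www.clamav.net/downloads/production/clamav-1.3.0.win.x64.zip' `
    -ExpectedSha256 '<SHA256-OF-RELEASE-ARCHIVE>'
```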