Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2932256944, CommandLine: C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2932256944, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2208, ProcessCommandLine: C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2932256944, ProcessId: 1724 |
Source: http://crackedshop.org/9/q080U0ARYYL/ | Avira URL Cloud: Label: malware |
Source: https://ascarya.digital/wp-content/ZH4rirU | Avira URL Cloud: Label: malware |
Source: https://ascarya.digital/wp-content/ZH4rirU/ | Avira URL Cloud: Label: malware |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA |
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 67.207.81.73:443 |
Source: global traffic | DNS query: name: ascarya.digital |
Source: global traffic | HTTP traffic detected: GET /9/q080U0ARYYL/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: crackedshop.orgConnection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: crackedshop.orgConnection: Keep-Alive |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167 |
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165 |
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443 |
Source: EXCEL.EXE, 00000000.00000003.1023489983.0000000005A45000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021276243.0000000005A42000.00000004.00000001.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comse equals www.linkedin.com (Linkedin) |
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: EXCEL.EXE, 00000000.00000003.1023489983.0000000005A45000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021276243.0000000005A42000.00000004.00000001.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin) |
Source: EXCEL.EXE, 00000000.00000003.1023489983.0000000005A45000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021276243.0000000005A42000.00000004.00000001.sdmp | String found in binary or memory: http://crackedshop.org/cgi-sys/suspendedpage.cgi |
Source: EXCEL.EXE, 00000000.00000003.1023489983.0000000005A45000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021276243.0000000005A42000.00000004.00000001.sdmp | String found in binary or memory: http://crackedshop.org/cgi-sys/suspendedpage.cgi5 |
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com |
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/ |
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp |
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp | String found in binary or memory: http://purl.or |
Source: EXCEL.EXE, 00000000.00000002.1225495153.00000000058A6000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.open |
Source: EXCEL.EXE, 00000000.00000002.1225495153.00000000058A6000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.openformatrg/package/2006/r |
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe |
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv. |
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp | String found in binary or memory: https://ascarya.dig |
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp | String found in binary or memory: https://ascarya.digit |
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp | String found in binary or memory: https://ascarya.digital |
Source: EXCEL.EXE, 00000000.00000002.1225583101.0000000005A7F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1023508307.0000000005A7F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021291549.0000000005A7F000.00000004.00000001.sdmp | String found in binary or memory: https://ascarya.digital/ |
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp | String found in binary or memory: https://ascarya.digital/w |
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp | String found in binary or memory: https://ascarya.digital/wp-c |
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp | String found in binary or memory: https://ascarya.digital/wp-con |
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp | String found in binary or memory: https://ascarya.digital/wp-conte |
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp | String found in binary or memory: https://ascarya.digital/wp-content%https://ascarya.digital/wp-content/ZH&https://ascarya.digital/wp- |
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp | String found in binary or memory: https://ascarya.digital/wp-content/ZH4rirU |
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp | String found in binary or memory: https://ascarya.digital/wp-content/ZH4rirU/ |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5EEDDA76.png |
Source: unknown | DNS traffic detected: queries for: ascarya.digital |
Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing. please click "Enable Content |
Source: Screenshot number: 4 | Screenshot OCR: protected documents. 3 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled edi |
Source: Screenshot number: 4 | Screenshot OCR: Enable Content" button 6 7 8 9 10 11 12 13 14 15 16 17 18 ^ |
Source: Screenshot number: 8 | Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing. please click "Enable Content |
Source: Screenshot number: 8 | Screenshot OCR: protected documents. 3 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled edi |
Source: Screenshot number: 8 | Screenshot OCR: Enable Content" button 6 7 8 9 10 11 12 13 14 15 16 17 18 ^ |
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content" |
Source: Document image extraction number: 0 | Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p |
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content" button |
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content" |
Source: Document image extraction number: 1 | Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p |
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content" button |
Source: Invoice.xlsm | Macro extractor: Sheet name: Buk2 |
Source: Invoice.xlsm | Macro extractor: Sheet name: Buk5 |
Source: Invoice.xlsm | Macro extractor: Sheet name: Buk1 |
Source: Invoice.xlsm | Macro extractor: Sheet name: Buk7 |
Source: Invoice.xlsm | Macro extractor: Sheet name: EFEWF |
Source: Invoice.xlsm | Macro extractor: Sheet name: Buk3 |
Source: Invoice.xlsm | Macro extractor: Sheet name: Buk4 |
Source: Invoice.xlsm | Macro extractor: Sheet name: Buk6 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_024E6743 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_024E6340 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_024E6753 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_024E66E8 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_024E66F3 |
Source: workbook.xml | Binary string: \Desktop\Fil\1d\Cir\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{1D31CE62-AFF1-46C8-8AB3-51A0A09BC8BF}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Ss1" sheetId="2" state="hidden" r:id="rId2"/><sheet name="Ss1br2" sheetId="3" state="hidden" r:id="rId3"/><sheet name="Ssbr3" sheetId="4" state="hidden" r:id="rId4"/><sheet name="EFEWF" sheetId="5" state="hidden" r:id="rId5"/><sheet name="Buk1" sheetId="6" state="hidden" r:id="rId6"/><sheet name="Buk2" sheetId="7" state="hidden" r:id="rId7"/><sheet name="Buk3" sheetId="8" state="hidden" r:id="rId8"/><sheet name="Buk4" sheetId="9" state="hidden" r:id="rId9"/><sheet name="Buk5" sheetId="10" state="hidden" r:id="rId10"/><sheet name="Buk6" sheetId="11" state="hidden" r:id="rId11"/><sheet name="Buk7" sheetId="12" state="hidden" r:id="rId12"/></sheets><definedNames><definedName name="LKLW">EFEWF!$D$3</definedName><definedName name="SASA">EFEWF!$D$17</definedName><definedName name="SASA1">EFEWF!$D$19</definedName><definedName name="SASA2">EFEWF!$D$21</definedName><definedName name="_xlnm.Auto_Open">EFEWF!$D$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook> |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76F90000 page execute and read and write |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E90000 page execute and read and write |
Source: 3F61.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false |
Source: Invoice.xlsm | Virustotal: Detection: 22% |
Source: Invoice.xlsm | ReversingLabs: Detection: 20% |
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2932256944 |
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding |
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_ |
Source: classification engine | Classification label: mal76.expl.winXLSM@3/6@2/2 |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: Invoice.xlsm | Initial sample: OLE zip file path = xl/worksheets/sheet4.xml |
Source: Invoice.xlsm | Initial sample: OLE zip file path = xl/media/image1.png |
Source: Invoice.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels |
Source: Invoice.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels |
Source: Invoice.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin |
Source: Invoice.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin |
Source: Invoice.xlsm | Initial sample: OLE zip file path = xl/calcChain.xml |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Source: 3F61.tmp.0.dr | Initial sample: OLE indicators vbamacros = False |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_024E6743 rdtsc |
Source: Yara match | File source: app.xml, type: SAMPLE |
Source: EXCEL.EXE, 00000000.00000002.1221808694.0000000000820000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: EXCEL.EXE, 00000000.00000002.1221808694.0000000000820000.00000002.00020000.sdmp | Binary or memory string: !Progman |
Source: EXCEL.EXE, 00000000.00000002.1221808694.0000000000820000.00000002.00020000.sdmp | Binary or memory string: Program Manager< |