Windows Analysis Report Order List from Dunen Enterprise Corporation.exe

Overview

General Information

Sample Name: Order List from Dunen Enterprise Corporation.exe
Analysis ID: 482788
MD5: 744d832006910318b2826e4cc8db4b11
SHA1: b58f485d5153dc4cb1a608091e1174d6fc966a4a
SHA256: e015835dd69bbd384cb9b347984b648562281ba9e532ca110b6962bce9262251
Tags: exe, guloader

Detection

GuLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected Generic Dropper
Yara detected FormBook
Malicious sample detected (through community Yara rule)
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Creates processes with suspicious names
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.mx-online-service.xyz/hhse/"], "decoy": ["gujranwala.city", "peinture-san-deco.com", "disvapes.com", "tekst-sanderlei.com", "veryfastsnail.com", "yaqiong.net", "onlinebingocenter.com", "kenttreesurgery.com", "berislavic.com", "ecomemailspack.com", "drgustavoteyssier.com", "mayfieldslodge.com", "qiubaolink.com", "kevinkensik.com", "boatmanagementexpert.com", "dbylkov.com", "griffin-designs.com", "glowlikethis.com", "fuckjules.com", "lxqc6688.com", "cduyechang.com", "jintelcare.com", "abdiscountplumbing.com", "merrilllynchph.com", "yuanxinlv.com", "chinapuma.com", "covertroyalty.com", "grouphall.net", "unikpixls.com", "rbainlaw.com", "bold2x.com", "eventosav.com", "copywritermeg.com", "geeeknozoid.com", "physio-schmid.com", "bankofsavings.com", "xzttzs.com", "water-note.com", "gutter-rutter.com", "wallis-applications.com", "aurora-graphics.com", "justindoorsoccer.com", "drivly.net", "allonot.com", "splashseltzer.com", "sanctuarymarbella.com", "fossickandfind.com", "sari-2.com", "luxedesignsinc.com", "cowlickgin.com", "anothergeorgia.life", "mainstreetmarketlillington.com", "vibe-communications.com", "nextgenrs.net", "kosurvival.com", "uvinq.com", "crenate-throe.info", "weazing.net", "mydreamit.world", "shortandsweetorganizing.com", "24bitpay-trade.com", "qianniaofan.com", "thepccafe.com", "solucionesautomotrices.info"]}

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=3B15BFABEF8C3B9%()"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
    • 0x5695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x5181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x5797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x43fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xb82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
    • 0x76b9:$sqlite3step: 68 34 1C 7B E1
    • 0x77cc:$sqlite3step: 68 34 1C 7B E1
    • 0x76e8:$sqlite3text: 68 38 2A 90 C5
    • 0x780d:$sqlite3text: 68 38 2A 90 C5
    • 0x76fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x7823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.473954904.0000000002880000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000016.00000002.768114646.000000001E3D0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |

        Sigma Overview

        System Summary:

        Sigma detected: Possible Applocker Bypass
        Source: Process started, Author: juju4, Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3292, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 4780

        Jbx Signature Overview

        AV Detection:

        Found malware configuration
        Source: 00000000.00000002.473954904.0000000002880000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=3B15BFABEF8C3B9%()"}
        Source: 00000016.00000002.768114646.000000001E3D0000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (C2 list and decoy list identical to the FormBook entry under Malware Configuration above)
        Yara detected FormBook
        Source: Yara match, File source: 0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.768114646.000000001E3D0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001A.00000000.735368674.0000000006D25000.00000040.00020000.sdmp, type: MEMORY
        Machine Learning detection for sample
        Source: Order List from Dunen Enterprise Corporation.exe, Joe Sandbox ML: detected
        Source: Order List from Dunen Enterprise Corporation.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: Binary string: msdt.pdbGCTL source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.771036580.000000001EA40000.00000040.00020000.sdmp
        Source: Binary string: wntdll.pdbUGP source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.769810515.000000001E82F000.00000040.00000001.sdmp
        Source: Binary string: wntdll.pdb source: Order List from Dunen Enterprise Corporation.exe
        Source: Binary string: msdt.pdb source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.771036580.000000001EA40000.00000040.00020000.sdmp

        Networking:

        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractor, URLs: www.mx-online-service.xyz/hhse/
        Source: Malware configuration extractor, URLs: https://onedrive.live.com/download?cid=3B15BFABEF8C3B9%()
        Source: Order List from Dunen Enterprise Corporation.exe, String found in binary or memory: http://creativecommons.org/licenses/by-nc-sa/3.0/
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.712601137.000000000088D000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: explorer.exe, 0000001A.00000000.734719256.0000000006870000.00000004.00000001.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.712601137.000000000088D000.00000004.00000001.sdmp, String found in binary or memory: https://irbzka.bl.files.1drv.com/
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.710798103.0000000000891000.00000004.00000001.sdmp, String found in binary or memory: https://irbzka.bl.files.1drv.com/HoH
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.712601137.000000000088D000.00000004.00000001.sdmp, String found in binary or memory: https://irbzka.bl.files.1drv.com/jof
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.710798103.0000000000891000.00000004.00000001.sdmp, String found in binary or memory: https://irbzka.bl.files.1drv.com/y4m-pJTApnf2X6X8FvkJBc3kwyxkRC7ohCVxKqzJT2oOkOsmFT9MDHML1cgc462m8Ps
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.712601137.000000000088D000.00000004.00000001.sdmp, Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.712985490.000000000086C000.00000004.00000001.sdmp, String found in binary or memory: https://irbzka.bl.files.1drv.com/y4mSLbAIYOtMsp6WVEtbpBOKQnS0NMIQaQctk4PpaVN9FNlyx2DdMYUi4sJgBEu1tUY
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.761567848.0000000000828000.00000004.00000020.sdmp, String found in binary or memory: https://onedrive.live.com/$R
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.761567848.0000000000828000.00000004.00000020.sdmp, String found in binary or memory: https://onedrive.live.com/dS;
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.712985490.000000000086C000.00000004.00000001.sdmp, Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.710798103.0000000000891000.00000004.00000001.sdmp, String found in binary or memory: https://onedrive.live.com/download?cid=3B15BFABEF8C3B91&resid=3B15BFABEF8C3B91%21111&authkey=AJvHyIJ
        Source: unknown, DNS traffic detected: queries for: onedrive.live.com

        E-Banking Fraud:

        Yara detected FormBook
        Source: Yara match, File source: 0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.768114646.000000001E3D0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001A.00000000.735368674.0000000006D25000.00000040.00020000.sdmp, type: MEMORY

        System Summary:

        Potential malicious icon found
        Source: initial sample, Icon embedded in PE file: bad icon match: 20047c7c70f0e004
        Malicious sample detected (through community Yara rule)
        Source: 0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
        Source: 00000016.00000002.768114646.000000001E3D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000016.00000002.768114646.000000001E3D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
        Source: 0000001A.00000000.735368674.0000000006D25000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000001A.00000000.735368674.0000000006D25000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
        Initial sample is a PE file and has a suspicious name
        Source: initial sample, Static PE information: Filename: Order List from Dunen Enterprise Corporation.exe
        Source: Order List from Dunen Enterprise Corporation.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: 0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000016.00000002.768114646.000000001E3D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000016.00000002.768114646.000000001E3D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000001A.00000000.735368674.0000000006D25000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000001A.00000000.735368674.0000000006D25000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288AD75
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E756E30
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E76EBB0
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E74841F
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E7F1002
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E7620A0
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E74B090
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E730D20
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E754120
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E73F900
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E74D5E0
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E801D55
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E762581
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: String function: 1E73B150 appears 32 times
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02886E8F NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288BA80 NtProtectVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028872D8 NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02880E4A NtWriteVirtualMemory,LoadLibraryA,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288124F NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02886288 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02889A81 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885684 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885A86 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028866B4 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288BADC NtProtectVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028862E4 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02886604 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288622B NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288BA48 NtProtectVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288064A NtWriteVirtualMemory,LoadLibraryA,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885A4C NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288626C NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885E65 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02886387 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885FA0 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028863A3 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885BB6 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885F08 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885B2C NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288572D NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288633A NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288BB30 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02880341 NtWriteVirtualMemory,LoadLibraryA,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288675A NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02887368 NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885778 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288A4AE NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028858A5 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028864BA NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028874CC NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885CC2 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028848DF NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028860E9 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02887408 NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02886409 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885C13 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885815 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02886038 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885C5C NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288745F NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028861AE NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028829BB NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885DBE NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028859E4 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02886544 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02885954 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288AD75 NtWriteVirtualMemory,LoadLibraryA,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779660 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779A50 NtCreateFile,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779A00 NtProtectVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E7796E0 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779710 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779FE0 NtCreateMutant,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779780 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779840 NtDelayExecution,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E7799A0 NtCreateSection,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779670 NtQueryInformationProcess,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779650 NtQueryValueKey,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779A20 NtResumeThread,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779610 NtEnumerateValueKey,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779A10 NtQuerySection,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E7796D0 NtCreateKey,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779A80 NtOpenDirectoryObject,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779770 NtSetInformationFile,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E77A770 NtOpenThread,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779760 NtOpenProcess,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779730 NtQueryVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E77A710 NtOpenProcessToken,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779B00 NtSetValueKey,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E77A3B0 NtGetContextThread,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E7797A0 NtUnmapViewOfSection,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E77B040 NtSuspendThread,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779820 NtEnumerateKey,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E7798F0 NtReadVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E7798A0 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779560 NtWriteFile,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779950 NtQueueApcThread,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779540 NtReadFile,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E77AD30 NtSetContextThread,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E779520 NtWaitForSingleObject,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E7795F0 NtQueryInformationFile,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E7799D0 NtCreateProcessEx,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E7795D0 NtClose,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_0056C931 NtProtectVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_0056CA61 Sleep,LdrInitializeThunk,NtProtectVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_0056C8E4 NtProtectVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_0056C925 NtProtectVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_0056C989 NtProtectVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_0056CAEE NtProtectVirtualMemory,
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeProcess Stats: CPU usage > 98%
        Source: Order List from Dunen Enterprise Corporation.exe, 00000000.00000000.233689534.000000000041E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMiry.exe vs Order List from Dunen Enterprise Corporation.exe
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.769810515.000000001E82F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Order List from Dunen Enterprise Corporation.exe
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000000.472475635.000000000041E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMiry.exe vs Order List from Dunen Enterprise Corporation.exe
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.771036580.000000001EA40000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamemsdt.exej% vs Order List from Dunen Enterprise Corporation.exe
        Source: Order List from Dunen Enterprise Corporation.exeBinary or memory string: OriginalFilenameMiry.exe vs Order List from Dunen Enterprise Corporation.exe
        Source: Order List from Dunen Enterprise Corporation.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Order List from Dunen Enterprise Corporation.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: unknownProcess created: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe 'C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe'
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeProcess created: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe 'C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe'
        Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
        Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@4/0@2/0
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: Binary string: msdt.pdbGCTL source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.771036580.000000001EA40000.00000040.00020000.sdmp
        Source: Binary string: wntdll.pdbUGP source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.769810515.000000001E82F000.00000040.00000001.sdmp
        Source: Binary string: wntdll.pdb source: Order List from Dunen Enterprise Corporation.exe
        Source: Binary string: msdt.pdb source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.771036580.000000001EA40000.00000040.00020000.sdmp

        Data Obfuscation:

        Yara detected GuLoader
        Source: Yara matchFile source: 00000000.00000002.473954904.0000000002880000.00000040.00000001.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_00417B70 push dword ptr [edi+000000BCh]; ret
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0040646C push es; iretd
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_00404C7E push eax; iretd
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_004052CE push ebx; iretd
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_00404CE2 push eax; iretd
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_004038F6 push esi; ret
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_00405D66 push ecx; iretd
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_00403977 push ds; iretd
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0040632C push esi; ret
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_00404FEB push ecx; iretd
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_004043F9 pushfd ; retf
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_004063A4 push esi; ret
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288124F push es; retn 1022h
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028876B4 push es; retf
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_02887207 push es; retn 1022h
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_028884FF push ebp; retf
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E78D0D1 push ecx; ret
        Source: initial sampleStatic PE information: section name: .text entropy: 7.10915094479
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeFile created: \order list from dunen enterprise corporation.exe
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Tries to detect Any.run
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeFile opened: C:\Program Files\qga\qga.exe
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: Order List from Dunen Enterprise Corporation.exe, 00000000.00000002.473946073.0000000002860000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
        Source: Order List from Dunen Enterprise Corporation.exe, 00000000.00000002.473946073.0000000002860000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeRDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288A229 rdtsc
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeSystem information queried: ModuleInformation
        Source: explorer.exe, 0000001A.00000000.751896607.0000000008A32000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
        Source: explorer.exe, 0000001A.00000000.751896607.0000000008A32000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.761567848.0000000000828000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWX
        Source: explorer.exe, 0000001A.00000000.724097033.0000000008B85000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: Order List from Dunen Enterprise Corporation.exe, 00000000.00000002.473946073.0000000002860000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
        Source: explorer.exe, 0000001A.00000000.724097033.0000000008B85000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
        Source: explorer.exe, 0000001A.00000000.733051888.00000000048E0000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 0000001A.00000000.724097033.0000000008B85000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
        Source: explorer.exe, 0000001A.00000000.737829561.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.762004945.0000000000874000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
        Source: explorer.exe, 0000001A.00000000.737829561.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
        Source: explorer.exe, 0000001A.00000000.748324239.00000000069DE000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD002
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.762004945.0000000000874000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW,
        Source: Order List from Dunen Enterprise Corporation.exe, 00000000.00000002.473946073.0000000002860000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

        Anti Debugging:

        Hides threads from debuggers
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeThread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 0_2_0288A229 rdtsc
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E76FD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E76A185 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E75C182 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E762581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E762581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E762581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E762581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E732D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E732D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E732D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E732D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exeCode function: 22_2_1E732D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe; Process queried: DebugPort
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe; Code function: 0_2_028883F0 LdrInitializeThunk

        HIPS / PFW / Operating System Protection Evasion:

        Maps a DLL or memory area into another process
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Queues an APC in another process (thread injection)
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe; Thread APC queued: target process: C:\Windows\explorer.exe
        Modifies the context of a thread in another process (thread injection)
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe; Thread register set: target process: 3292
        Source: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe; Process created: C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe 'C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe'
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.764018786.0000000000EB0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000002.764271707.0000000001400000.00000002.00020000.sdmp; Binary or memory string: uProgram Manager
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.764018786.0000000000EB0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000002.764271707.0000000001400000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.764018786.0000000000EB0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000002.764271707.0000000001400000.00000002.00020000.sdmp; Binary or memory string: Progman
        Source: Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.764018786.0000000000EB0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000002.764271707.0000000001400000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
        Source: explorer.exe, 0000001A.00000000.717213239.0000000000EB8000.00000004.00000020.sdmp; Binary or memory string: ProgmanX
        Source: explorer.exe, 0000001A.00000000.737829561.0000000008ACF000.00000004.00000001.sdmp; Binary or memory string: Shell_TrayWndAj

        Stealing of Sensitive Information:

        Yara detected Generic Dropper
        Source: Yara match; File source: Process Memory Space: Order List from Dunen Enterprise Corporation.exe PID: 5796, type: MEMORYSTR
        Yara detected FormBook
        Source: Yara match; File source: 0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000016.00000002.768114646.000000001E3D0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 0000001A.00000000.735368674.0000000006D25000.00000040.00020000.sdmp, type: MEMORY
        GuLoader behavior detected
        Source: Initial file; Signature Results: GuLoader behavior

        Remote Access Functionality:

        Yara detected FormBook
        Source: Yara match; File source: 0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000016.00000002.768114646.000000001E3D0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 0000001A.00000000.735368674.0000000006D25000.00000040.00020000.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 312 | Virtualization/Sandbox Evasion 21 | OS Credential Dumping | Security Software Discovery 421 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 312 | LSASS Memory | Virtualization/Sandbox Evasion 21 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | System Information Discovery 12 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label | Link
        Order List from Dunen Enterprise Corporation.exe | 100% | Joe Sandbox ML | |

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label | Link
        www.mx-online-service.xyz/hhse/ | 0% | Avira URL Cloud | safe |

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        onedrive.live.com | unknown | unknown | false | | high
        irbzka.bl.files.1drv.com | unknown | unknown | false | | high

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        www.mx-online-service.xyz/hhse/ | true | Avira URL Cloud: safe | low
        https://onedrive.live.com/download?cid=3B15BFABEF8C3B9%() | false | | high

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://www.autoitscript.com/autoit3/J | explorer.exe, 0000001A.00000000.734719256.0000000006870000.00000004.00000001.sdmp | false | | high
        http://creativecommons.org/licenses/by-nc-sa/3.0/ | Order List from Dunen Enterprise Corporation.exe | false | | high
        https://onedrive.live.com/dS; | Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.761567848.0000000000828000.00000004.00000020.sdmp | false | | high
        https://irbzka.bl.files.1drv.com/y4mSLbAIYOtMsp6WVEtbpBOKQnS0NMIQaQctk4PpaVN9FNlyx2DdMYUi4sJgBEu1tUY | Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.712601137.000000000088D000.00000004.00000001.sdmp, Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.712985490.000000000086C000.00000004.00000001.sdmp | false | | high
        https://irbzka.bl.files.1drv.com/ | Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.712601137.000000000088D000.00000004.00000001.sdmp | false | | high
        https://onedrive.live.com/$R | Order List from Dunen Enterprise Corporation.exe, 00000016.00000002.761567848.0000000000828000.00000004.00000020.sdmp | false | | high
        https://onedrive.live.com/download?cid=3B15BFABEF8C3B91&resid=3B15BFABEF8C3B91%21111&authkey=AJvHyIJ | Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.712985490.000000000086C000.00000004.00000001.sdmp, Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.710798103.0000000000891000.00000004.00000001.sdmp | false | | high
        https://irbzka.bl.files.1drv.com/jof | Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.712601137.000000000088D000.00000004.00000001.sdmp | false | | high
        https://irbzka.bl.files.1drv.com/y4m-pJTApnf2X6X8FvkJBc3kwyxkRC7ohCVxKqzJT2oOkOsmFT9MDHML1cgc462m8Ps | Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.710798103.0000000000891000.00000004.00000001.sdmp | false | | high
        https://irbzka.bl.files.1drv.com/HoH | Order List from Dunen Enterprise Corporation.exe, 00000016.00000003.710798103.0000000000891000.00000004.00000001.sdmp | false | | high

        Contacted IPs

        No contacted IP infos

                                  General Information

                                  Joe Sandbox Version: 33.0.0 White Diamond
                                  Analysis ID: 482788
                                  Start date: 14.09.2021
                                  Start time: 06:27:44
                                  Joe Sandbox Product: CloudBasic
                                  Overall analysis duration: 0h 9m 5s
                                  Hypervisor based Inspection enabled: false
                                  Report type: light
                                  Sample file name: Order List from Dunen Enterprise Corporation.exe
                                  Cookbook file name: default.jbs
                                  Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                  Number of analysed new started processes analysed: 27
                                  Number of new started drivers analysed: 0
                                  Number of existing processes analysed: 0
                                  Number of existing drivers analysed: 0
                                  Number of injected processes analysed: 0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode: default
                                  Analysis stop reason: Timeout
                                  Detection: MAL
                                  Classification: mal100.rans.troj.spyw.evad.winEXE@4/0@2/0
                                  EGA Information: Failed
                                  HDC Information:
                                  • Successful, ratio: 52.5% (good quality ratio 42.6%)
                                  • Quality average: 65.3%
                                  • Quality standard deviation: 37%
                                  HCA Information: Failed
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .exe
                                  • Override analysis time to 240s for sample files taking high CPU consumption
                                  Warnings:
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                  • Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 13.107.42.13, 13.107.42.12
                                  • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, odc-bl-files-brs.onedrive.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, odc-bl-files-geo.onedrive.akadns.net, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, bl-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

                                  No simulations

                                  Joe Sandbox View / Context

                                  IPs

                                  No context

                                  Domains

                                  No context

                                  ASN

                                  No context

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  No created / dropped files found

                                  Static File Info

                                  General

                                  File type: PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit): 6.852738656529827
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.15%
                                  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name: Order List from Dunen Enterprise Corporation.exe
                                  File size: 131072
                                  MD5: 744d832006910318b2826e4cc8db4b11
                                  SHA1: b58f485d5153dc4cb1a608091e1174d6fc966a4a
                                  SHA256: e015835dd69bbd384cb9b347984b648562281ba9e532ca110b6962bce9262251
                                  SHA512: 2ef7a81389e03fe8cdaa42e39e9df842d811b87b97d50e915e01d8fa35e3eaa49f7aaa03aa5a534e3413a636d3bf011ff9774a4b5b2553fbecef24aa8425deb4
                                  SSDEEP: 3072:CwbDzFr9RfmrBv2ubFB2NNq1KvyFwZddImz:CwbDzFrnfmrUWD2/6wpIm
                                  File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...f7.Y.....................P......t.............@................

                                  File Icon

                                  Icon Hash: 20047c7c70f0e004

                                  Static PE Info

                                  General

                                  Entrypoint: 0x401574
                                  Entrypoint Section: .text
                                  Digitally signed: false
                                  Imagebase: 0x400000
                                  Subsystem: windows gui
                                  Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                  DLL Characteristics:
                                  Time Stamp: 0x59B03766 [Wed Sep 6 17:59:02 2017 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major: 4
                                  OS Version Minor: 0
                                  File Version Major: 4
                                  File Version Minor: 0
                                  Subsystem Version Major: 4
                                  Subsystem Version Minor: 0
                                  Import Hash: 44cde914d1969d7de2a52adae7c22460

                                  Entrypoint Preview


                                  Data Directories

                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1b824 | 0x28 | .text
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e000 | 0x296b | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x130 | .text
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                  Sections

                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x1000 | 0x1ad44 | 0x1b000 | False | 0.581353081597 | data | 7.10915094479 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                  .data | 0x1c000 | 0x1910 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                  .rsrc | 0x1e000 | 0x296b | 0x3000 | False | 0.702962239583 | data | 6.62180270851 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                  Resources

                                  Name | RVA | Size | Type | Language | Country
                                  1 | 0x1e984 | 0x102d | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | English | United States
                                  1 | 0x1f9b1 | 0xfba | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | English | United States
                                  RT_ICON | 0x1e854 | 0x130 | data | |
                                  RT_ICON | 0x1e56c | 0x2e8 | data | |
                                  RT_ICON | 0x1e444 | 0x128 | GLS_BINARY_LSB_FIRST | |
                                  RT_GROUP_ICON | 0x1e414 | 0x30 | data | |
                                  RT_VERSION | 0x1e1d0 | 0x244 | data | English | United States

                                  Imports

                                  DLL | Import
                                  MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                                  Version Infos

                                  Description | Data
                                  Translation | 0x0409 0x04b0
                                  InternalName | Miry
                                  FileVersion | 1.04
                                  CompanyName | CLubbing
                                  ProductName | CLubbing
                                  ProductVersion | 1.04
                                  FileDescription | CLubbing
                                  OriginalFilename | Miry.exe

                                  Possible Origin

                                  Language of compilation system | Country where language is spoken | Map
                                  English | United States |

                                  Network Behavior

                                  Network Port Distribution

                                  UDP Packets


                                  DNS Queries

                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                  Sep 14, 2021 06:32:19.164278030 CEST | 192.168.2.7 | 8.8.8.8 | 0xf90e | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                  Sep 14, 2021 06:32:20.294226885 CEST | 192.168.2.7 | 8.8.8.8 | 0x1ed8 | Standard query (0) | irbzka.bl.files.1drv.com | A (IP address) | IN (0x0001)

                                  DNS Answers

                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                  Sep 14, 2021 06:32:19.222822905 CEST | 8.8.8.8 | 192.168.2.7 | 0xf90e | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                  Sep 14, 2021 06:32:20.403966904 CEST | 8.8.8.8 | 192.168.2.7 | 0x1ed8 | No error (0) | irbzka.bl.files.1drv.com | bl-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                                  Sep 14, 2021 06:32:20.403966904 CEST | 8.8.8.8 | 192.168.2.7 | 0x1ed8 | No error (0) | bl-files.fe.1drv.com | odc-bl-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)

                                  Code Manipulations

                                  Statistics

                                  Behavior

                                  System Behavior

                                  General

                                  Start time:06:28:36
                                  Start date:14/09/2021
                                  Path:C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe'
                                  Imagebase:0x400000
                                  File size:131072 bytes
                                  MD5 hash:744D832006910318B2826E4CC8DB4B11
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Visual Basic
                                  Yara matches:
                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.473954904.0000000002880000.00000040.00000001.sdmp, Author: Joe Security
                                  Reputation:low

                                  General

                                  Start time:06:30:28
                                  Start date:14/09/2021
                                  Path:C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Users\user\Desktop\Order List from Dunen Enterprise Corporation.exe'
                                  Imagebase:0x400000
                                  File size:131072 bytes
                                  MD5 hash:744D832006910318B2826E4CC8DB4B11
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.768114646.000000001E3D0000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.768114646.000000001E3D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.768114646.000000001E3D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:low

                                  General

                                  Start time:06:32:22
                                  Start date:14/09/2021
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\Explorer.EXE
                                  Imagebase:0x7ff662bf0000
                                  File size:3933184 bytes
                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001A.00000000.748909950.0000000006D25000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001A.00000000.735368674.0000000006D25000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001A.00000000.735368674.0000000006D25000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001A.00000000.735368674.0000000006D25000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:high

                                  General

                                  Start time:06:32:42
                                  Start date:14/09/2021
                                  Path:C:\Windows\SysWOW64\msdt.exe
                                  Wow64 process (32bit):
                                  Commandline:C:\Windows\SysWOW64\msdt.exe
                                  Imagebase:
                                  File size:1508352 bytes
                                  MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate

                                  Disassembly

                                  Code Analysis
