Windows Analysis Report
O7JFHuMXiX

Overview

General Information

Sample Name:O7JFHuMXiX (renamed file extension from none to dll)
Analysis ID:595304
MD5:ff8a5d46d17304b14dae74a2768eadf2
SHA1:6e1fbf9932042ae0b3da7f42eadd403c1c39f2a6
SHA256:7dc6fda471838428d026e3e98f9f6b113e711c837f45ffa332e61854842ced2a
Tags:Dridex, exe

Detection

Dridex
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • loaddll64.exe (PID: 3172 cmdline: loaddll64.exe "C:\Users\user\Desktop\O7JFHuMXiX.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6472 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\O7JFHuMXiX.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6260 cmdline: rundll32.exe "C:\Users\user\Desktop\O7JFHuMXiX.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6248 cmdline: rundll32.exe C:\Users\user\Desktop\O7JFHuMXiX.dll,CloseDriver MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3688 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • BackgroundTransferHost.exe (PID: 1272 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
        • rdpinit.exe (PID: 1072 cmdline: C:\Windows\system32\rdpinit.exe MD5: EF7C9CF6EA5B8B9C5C8320990714C35D)
        • rdpinit.exe (PID: 1936 cmdline: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exe MD5: EF7C9CF6EA5B8B9C5C8320990714C35D)
        • WindowsActionDialog.exe (PID: 1272 cmdline: C:\Windows\system32\WindowsActionDialog.exe MD5: 991359EE1E9C1958EB5D0F7314774123)
        • WindowsActionDialog.exe (PID: 5140 cmdline: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exe MD5: 991359EE1E9C1958EB5D0F7314774123)
        • eudcedit.exe (PID: 3284 cmdline: C:\Windows\system32\eudcedit.exe MD5: 0ED10F2F98B80FF9F95EED2B04CFA076)
        • eudcedit.exe (PID: 5528 cmdline: C:\Users\user\AppData\Local\W33A\eudcedit.exe MD5: 0ED10F2F98B80FF9F95EED2B04CFA076)
        • eudcedit.exe (PID: 1848 cmdline: C:\Windows\system32\eudcedit.exe MD5: 0ED10F2F98B80FF9F95EED2B04CFA076)
        • eudcedit.exe (PID: 2700 cmdline: C:\Users\user\AppData\Local\JZ6mZjv9\eudcedit.exe MD5: 0ED10F2F98B80FF9F95EED2B04CFA076)
        • PresentationSettings.exe (PID: 6968 cmdline: C:\Windows\system32\PresentationSettings.exe MD5: 76086DD04B6760277A2B897345A0B457)
        • PresentationSettings.exe (PID: 6324 cmdline: C:\Users\user\AppData\Local\gV1c\PresentationSettings.exe MD5: 76086DD04B6760277A2B897345A0B457)
        • wextract.exe (PID: 5980 cmdline: C:\Windows\system32\wextract.exe MD5: ED93B350C8EEFC442758A00BC3EEDE2D)
        • wextract.exe (PID: 1980 cmdline: C:\Users\user\AppData\Local\dgZMvi\wextract.exe MD5: ED93B350C8EEFC442758A00BC3EEDE2D)
        • slui.exe (PID: 7016 cmdline: C:\Windows\system32\slui.exe MD5: 96A8EF9387619D17BB30B024DDF52BF3)
        • slui.exe (PID: 6840 cmdline: C:\Users\user\AppData\Local\VJp8aBwvL\slui.exe MD5: 96A8EF9387619D17BB30B024DDF52BF3)
        • msinfo32.exe (PID: 6900 cmdline: C:\Windows\system32\msinfo32.exe MD5: C471C6B06F47EA1C66E5FAA8DFCEF108)
        • msinfo32.exe (PID: 4004 cmdline: C:\Users\user\AppData\Local\9UWfSjs\msinfo32.exe MD5: C471C6B06F47EA1C66E5FAA8DFCEF108)
        • eudcedit.exe (PID: 1844 cmdline: C:\Windows\system32\eudcedit.exe MD5: 0ED10F2F98B80FF9F95EED2B04CFA076)
    • rundll32.exe (PID: 6612 cmdline: rundll32.exe C:\Users\user\Desktop\O7JFHuMXiX.dll,DefDriverProc MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3984 cmdline: rundll32.exe C:\Users\user\Desktop\O7JFHuMXiX.dll,DriverCallback MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000009.00000002.378212357.00007FFF22351000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | |
| 00000012.00000002.526826023.00007FFF22351000.00000020.00000001.01000000.0000000A.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | |
| 00000022.00000002.711241904.00007FFF21B81000.00000020.00000001.01000000.00000016.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | |
| 00000003.00000002.363626973.00007FFF22351000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | |
| 00000007.00000002.370220590.00007FFF22351000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 7.2.rundll32.exe.7fff22350000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | |
| 18.2.rdpinit.exe.7fff22350000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | |
| 32.2.PresentationSettings.exe.7fff2e820000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | |
| 3.2.rundll32.exe.7fff22350000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | |
| 40.2.msinfo32.exe.7fff2f1b0000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | |

                      System Summary

                      Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\O7JFHuMXiX.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\O7JFHuMXiX.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\O7JFHuMXiX.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6472, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\O7JFHuMXiX.dll",#1, ProcessId: 6260
                      Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3688, TargetFilename: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exe

                      AV Detection

                      Source: O7JFHuMXiX.dll, Metadefender: Detection: 60%
                      Source: O7JFHuMXiX.dll, ReversingLabs: Detection: 85%
                      Source: O7JFHuMXiX.dll, Avira: detected
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\WTSAPI32.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
                      Source: C:\Users\user\AppData\Local\9UWfSjs\SLC.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
                      Source: C:\Users\user\AppData\Local\gV1c\WINMM.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
                      Source: C:\Users\user\AppData\Local\rst\UxTheme.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
                      Source: C:\Users\user\AppData\Local\JZ6mZjv9\MFC42u.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
                      Source: C:\Users\user\AppData\Local\xX5v\XmlLite.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
                      Source: C:\Users\user\AppData\Local\BHN\DUI70.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
                      Source: C:\Users\user\AppData\Local\dgZMvi\VERSION.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
                      Source: O7JFHuMXiX.dll, Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\WTSAPI32.dll, Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\9UWfSjs\SLC.dll, Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\gV1c\WINMM.dll, Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\rst\UxTheme.dll, Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\JZ6mZjv9\MFC42u.dll, Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\xX5v\XmlLite.dll, Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\BHN\DUI70.dll, Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\dgZMvi\VERSION.dll, Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA062D94 CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext,18_2_00007FF7BA062D94
                      Source: O7JFHuMXiX.dllStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: slui.pdb source: slui.exe, 00000024.00000000.715769188.00007FF69DC9C000.00000002.00000001.01000000.00000017.sdmp, slui.exe, 00000024.00000002.739290544.00007FF69DC9C000.00000002.00000001.01000000.00000017.sdmp, slui.exe.6.dr
                      Source: Binary string: PasswordOnWakeSettingFlyout.pdb source: PasswordOnWakeSettingFlyout.exe, 00000026.00000000.744786629.00007FF7B6BB7000.00000002.00000001.01000000.00000019.sdmp, PasswordOnWakeSettingFlyout.exe, 00000026.00000002.767227577.00007FF7B6BB7000.00000002.00000001.01000000.00000019.sdmp, PasswordOnWakeSettingFlyout.exe.6.dr
                      Source: Binary string: WindowsActionDialog.pdb source: WindowsActionDialog.exe, 00000015.00000002.570449415.00007FF69A40B000.00000002.00000001.01000000.0000000B.sdmp, WindowsActionDialog.exe, 00000015.00000000.539494248.00007FF69A40B000.00000002.00000001.01000000.0000000B.sdmp, WindowsActionDialog.exe.6.dr
                      Source: Binary string: wextract.pdb source: wextract.exe, 00000022.00000000.685837693.00007FF71E519000.00000002.00000001.01000000.00000015.sdmp, wextract.exe, 00000022.00000002.711131590.00007FF71E519000.00000002.00000001.01000000.00000015.sdmp, wextract.exe.6.dr
                      Source: Binary string: msinfo32.pdb source: msinfo32.exe, 00000028.00000000.773141767.00007FF6C2531000.00000002.00000001.01000000.0000001B.sdmp, msinfo32.exe, 00000028.00000002.797596571.00007FF6C2531000.00000002.00000001.01000000.0000001B.sdmp, msinfo32.exe.6.dr
                      Source: Binary string: wextract.pdbGCTL source: wextract.exe, 00000022.00000000.685837693.00007FF71E519000.00000002.00000001.01000000.00000015.sdmp, wextract.exe, 00000022.00000002.711131590.00007FF71E519000.00000002.00000001.01000000.00000015.sdmp, wextract.exe.6.dr
                      Source: Binary string: eudcedit.pdbGCTL source: eudcedit.exe, 0000001C.00000000.587330475.00007FF6A8F1D000.00000002.00000001.01000000.0000000F.sdmp, eudcedit.exe, 0000001C.00000002.611720186.00007FF6A8F1D000.00000002.00000001.01000000.0000000F.sdmp, eudcedit.exe, 0000001E.00000000.628548277.00007FF7FD11D000.00000002.00000001.01000000.00000011.sdmp, eudcedit.exe, 0000001E.00000002.652464601.00007FF7FD11D000.00000002.00000001.01000000.00000011.sdmp, eudcedit.exe.6.dr, eudcedit.exe1.6.dr, eudcedit.exe0.6.dr
                      Source: Binary string: PresentationSettings.pdb source: PresentationSettings.exe, 00000020.00000000.657557989.00007FF6D2F36000.00000002.00000001.01000000.00000013.sdmp, PresentationSettings.exe, 00000020.00000002.680284042.00007FF6D2F36000.00000002.00000001.01000000.00000013.sdmp, PresentationSettings.exe.6.dr
                      Source: Binary string: PasswordOnWakeSettingFlyout.pdbGCTL source: PasswordOnWakeSettingFlyout.exe, 00000026.00000000.744786629.00007FF7B6BB7000.00000002.00000001.01000000.00000019.sdmp, PasswordOnWakeSettingFlyout.exe, 00000026.00000002.767227577.00007FF7B6BB7000.00000002.00000001.01000000.00000019.sdmp, PasswordOnWakeSettingFlyout.exe.6.dr
                      Source: Binary string: rdpinit.pdb source: rdpinit.exe, 00000012.00000000.498877986.00007FF7BA09E000.00000002.00000001.01000000.00000009.sdmp, rdpinit.exe, 00000012.00000002.526686350.00007FF7BA09E000.00000002.00000001.01000000.00000009.sdmp, rdpinit.exe.6.dr
                      Source: Binary string: rdpinit.pdbGCTL source: rdpinit.exe, 00000012.00000000.498877986.00007FF7BA09E000.00000002.00000001.01000000.00000009.sdmp, rdpinit.exe, 00000012.00000002.526686350.00007FF7BA09E000.00000002.00000001.01000000.00000009.sdmp, rdpinit.exe.6.dr
                      Source: Binary string: WindowsActionDialog.pdbGCTL source: WindowsActionDialog.exe, 00000015.00000002.570449415.00007FF69A40B000.00000002.00000001.01000000.0000000B.sdmp, WindowsActionDialog.exe, 00000015.00000000.539494248.00007FF69A40B000.00000002.00000001.01000000.0000000B.sdmp, WindowsActionDialog.exe.6.dr
                      Source: Binary string: RDVGHelper.pdbGCTL source: RDVGHelper.exe.6.dr
                      Source: Binary string: eudcedit.pdb source: eudcedit.exe, 0000001C.00000000.587330475.00007FF6A8F1D000.00000002.00000001.01000000.0000000F.sdmp, eudcedit.exe, 0000001C.00000002.611720186.00007FF6A8F1D000.00000002.00000001.01000000.0000000F.sdmp, eudcedit.exe, 0000001E.00000000.628548277.00007FF7FD11D000.00000002.00000001.01000000.00000011.sdmp, eudcedit.exe, 0000001E.00000002.652464601.00007FF7FD11D000.00000002.00000001.01000000.00000011.sdmp, eudcedit.exe.6.dr, eudcedit.exe1.6.dr, eudcedit.exe0.6.dr
                      Source: Binary string: slui.pdbUGP source: slui.exe, 00000024.00000000.715769188.00007FF69DC9C000.00000002.00000001.01000000.00000017.sdmp, slui.exe, 00000024.00000002.739290544.00007FF69DC9C000.00000002.00000001.01000000.00000017.sdmp, slui.exe.6.dr
                      Source: Binary string: msinfo32.pdbGCTL source: msinfo32.exe, 00000028.00000000.773141767.00007FF6C2531000.00000002.00000001.01000000.0000001B.sdmp, msinfo32.exe, 00000028.00000002.797596571.00007FF6C2531000.00000002.00000001.01000000.0000001B.sdmp, msinfo32.exe.6.dr
                      Source: Binary string: RDVGHelper.pdb source: RDVGHelper.exe.6.dr
                      Source: Binary string: DDODiag.pdbGCTL source: ddodiag.exe.6.dr
                      Source: Binary string: PresentationSettings.pdbGCTL source: PresentationSettings.exe, 00000020.00000000.657557989.00007FF6D2F36000.00000002.00000001.01000000.00000013.sdmp, PresentationSettings.exe, 00000020.00000002.680284042.00007FF6D2F36000.00000002.00000001.01000000.00000013.sdmp, PresentationSettings.exe.6.dr
                      Source: Binary string: DDODiag.pdb source: ddodiag.exe.6.dr
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF223AED10 FindFirstFileExW,0_2_00007FFF223AED10
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2189ED10 FindFirstFileExW,21_2_00007FFF2189ED10
                      Source: C:\Users\user\AppData\Local\W33A\eudcedit.exeCode function: 28_2_00007FFF21BCED10 FindFirstFileExW,28_2_00007FFF21BCED10
                      Source: unknownDNS traffic detected: query: canonicalizer.ucsuri.tcs replaycode: Name error (3)
                      Source: C:\Users\user\AppData\Local\W33A\eudcedit.exeCode function: 28_2_00007FF6A8EFA1F0 InvalidateRect,UpdateWindow,OpenClipboard,GetClipboardData,CloseClipboard,GetObjectW,CreateCompatibleDC,SelectObject,CreateBitmap,CreateCompatibleDC,SelectObject,BitBlt,CloseClipboard,StretchBlt,InvalidateRect,UpdateWindow,SelectObject,SelectObject,DeleteObject,DeleteDC,DeleteDC,28_2_00007FF6A8EFA1F0

                      E-Banking Fraud

                      Source: Yara matchFile source: 7.2.rundll32.exe.7fff22350000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rdpinit.exe.7fff22350000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 32.2.PresentationSettings.exe.7fff2e820000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.7fff22350000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 40.2.msinfo32.exe.7fff2f1b0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 30.2.eudcedit.exe.7fff2e810000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 36.2.slui.exe.7fff21b80000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 38.2.PasswordOnWakeSettingFlyout.exe.7fff2f1b0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 34.2.wextract.exe.7fff21b80000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.7fff22350000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.7fff22350000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 21.2.WindowsActionDialog.exe.7fff21840000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 28.2.eudcedit.exe.7fff21b70000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll64.exe.7fff22350000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000009.00000002.378212357.00007FFF22351000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.526826023.00007FFF22351000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.711241904.00007FFF21B81000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.363626973.00007FFF22351000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.370220590.00007FFF22351000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000002.611793792.00007FFF21B71000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.384187039.00007FFF22351000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000002.652542473.00007FFF2E811000.00000020.00000001.01000000.00000012.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000024.00000002.739372222.00007FFF21B81000.00000020.00000001.01000000.00000018.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000002.767259929.00007FFF2F1B1000.00000020.00000001.01000000.0000001A.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000028.00000002.797706854.00007FFF2F1B1000.00000020.00000001.01000000.0000001C.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.486830383.00007FFF22351000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000002.570502057.00007FFF21841000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000002.680326729.00007FFF2E821000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF223BA4900_2_00007FFF223BA490
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF223BE4940_2_00007FFF223BE494
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF223654200_2_00007FFF22365420
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF22355C200_2_00007FFF22355C20
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF22383CF00_2_00007FFF22383CF0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF22380D100_2_00007FFF22380D10
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF223BE4AD0_2_00007FFF223BE4AD
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF223B2CA00_2_00007FFF223B2CA0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF223BE4A60_2_00007FFF223BE4A6
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF223BE4B60_2_00007FFF223BE4B6
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF22363CD00_2_00007FFF22363CD0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF22385CD00_2_00007FFF22385CD0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF22369D700_2_00007FFF22369D70
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF22381D300_2_00007FFF22381D30
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF2237D5500_2_00007FFF2237D550
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF22373D500_2_00007FFF22373D50
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF223665E00_2_00007FFF223665E0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF22382E100_2_00007FFF22382E10
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF223736100_2_00007FFF22373610
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF2235C5A00_2_00007FFF2235C5A0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF223825C00_2_00007FFF223825C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFF223695C00_2_00007FFF223695C0
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA08FC6C18_2_00007FF7BA08FC6C
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA094CD018_2_00007FF7BA094CD0
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA07FCF018_2_00007FF7BA07FCF0
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA08E12C18_2_00007FF7BA08E12C
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA09197818_2_00007FF7BA091978
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA09B1C018_2_00007FF7BA09B1C0
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA098A4018_2_00007FF7BA098A40
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA097ACC18_2_00007FF7BA097ACC
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA099B1418_2_00007FF7BA099B14
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA07178018_2_00007FF7BA071780
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA06D87C18_2_00007FF7BA06D87C
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA09A90818_2_00007FF7BA09A908
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA098E0018_2_00007FF7BA098E00
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA08E68818_2_00007FF7BA08E688
                      Source: C:\Users\user\AppData\Local\Fbc7IGHq\rdpinit.exeCode function: 18_2_00007FF7BA062EA418_2_00007FF7BA062EA4
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FF69A403E8C21_2_00007FF69A403E8C
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FF69A4046D821_2_00007FF69A4046D8
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218759F021_2_00007FFF218759F0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2189315021_2_00007FFF21893150
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2187502021_2_00007FFF21875020
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2186788021_2_00007FFF21867880
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2188A2C021_2_00007FFF2188A2C0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2187BAE021_2_00007FFF2187BAE0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2188CA5021_2_00007FFF2188CA50
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2187AA7021_2_00007FFF2187AA70
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2189DDC021_2_00007FFF2189DDC0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218AD52021_2_00007FFF218AD520
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF21875CD021_2_00007FFF21875CD0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218897D021_2_00007FFF218897D0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218A765021_2_00007FFF218A7650
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2185E9B021_2_00007FFF2185E9B0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218611B021_2_00007FFF218611B0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2186E9A021_2_00007FFF2186E9A0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218721D021_2_00007FFF218721D0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218669C021_2_00007FFF218669C0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218791F021_2_00007FFF218791F0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218789F021_2_00007FFF218789F0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2186F1F021_2_00007FFF2186F1F0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2187613021_2_00007FFF21876130
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218A695021_2_00007FFF218A6950
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2186414021_2_00007FFF21864140
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218AB96021_2_00007FFF218AB960
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2187999021_2_00007FFF21879990
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2184298021_2_00007FFF21842980
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218508B021_2_00007FFF218508B0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218BC8B121_2_00007FFF218BC8B1
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218418D021_2_00007FFF218418D0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218BC0EB21_2_00007FFF218BC0EB
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2185E11021_2_00007FFF2185E110
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2186391021_2_00007FFF21863910
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2184B10021_2_00007FFF2184B100
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2186C03021_2_00007FFF2186C030
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2187002021_2_00007FFF21870020
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218C082021_2_00007FFF218C0820
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2186505021_2_00007FFF21865050
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2189584021_2_00007FFF21895840
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2187F87021_2_00007FFF2187F870
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2188F87021_2_00007FFF2188F870
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2185D89021_2_00007FFF2185D890
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF21894BC021_2_00007FFF21894BC0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218523F021_2_00007FFF218523F0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2185741021_2_00007FFF21857410
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218A941021_2_00007FFF218A9410
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218BFC0021_2_00007FFF218BFC00
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218AE40021_2_00007FFF218AE400
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF21871B3021_2_00007FFF21871B30
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2184BB2021_2_00007FFF2184BB20
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2184535021_2_00007FFF21845350
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218A5B5021_2_00007FFF218A5B50
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2186334021_2_00007FFF21863340
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2185834021_2_00007FFF21858340
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2187436021_2_00007FFF21874360
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218A439021_2_00007FFF218A4390
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2186DAA021_2_00007FFF2186DAA0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218A82A021_2_00007FFF218A82A0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218AAAA021_2_00007FFF218AAAA0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218692C021_2_00007FFF218692C0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2189F2C021_2_00007FFF2189F2C0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218922C021_2_00007FFF218922C0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218A7AF021_2_00007FFF218A7AF0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218682E021_2_00007FFF218682E0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218A2AE021_2_00007FFF218A2AE0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2186A31021_2_00007FFF2186A310
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2187030021_2_00007FFF21870300
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2187B25021_2_00007FFF2187B250
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF21847A4021_2_00007FFF21847A40
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218AB26021_2_00007FFF218AB260
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2184C5A021_2_00007FFF2184C5A0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218595C021_2_00007FFF218595C0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218725C021_2_00007FFF218725C0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF218565E021_2_00007FFF218565E0
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF2186361021_2_00007FFF21863610
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF21872E1021_2_00007FFF21872E10
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF21871D3021_2_00007FFF21871D30
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exeCode function: 21_2_00007FFF21898D2021_2_00007FFF21898D20
                      Source: C:\Users\user\AppData\Local\BHN\WindowsActionDialog.exe