Windows Analysis Report
PfOHmro.exe

Overview

General Information

Sample name:	PfOHmro.exe
Analysis ID:	1632656
MD5:	74c5934b5ec8a8907aff69552dbaeaf7
SHA1:	24c6d4aa5f5b229340aba780320efc02058c059c
SHA256:	95930b643e2d7d09d9cdfb2776534744ebb101347bbfe8be84f376fa15d8033a
Tags:	exeRedLineStealeruser-aachum
Infos:

Detection

MicroClip, RedLine

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected MicroClip

Yara detected RedLine Stealer

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Drops PE files to the user root directory

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PfOHmro.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Avira: detection malicious, Label: TR/ClipBanker.nbegj

Found malware configuration

Source: 3.2.PfOHmro.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["101.99.92.190:40919"], "Bot Id": "Build 7"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: PfOHmro.exe	Virustotal: Detection: 62%			Perma Link
Source: PfOHmro.exe	ReversingLabs: Detection: 73%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 104.26.12.31:443 -> 192.168.2.4:49724 version: TLS 1.0

Source: PfOHmro.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1846777523.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1881631808.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019536998.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100346764.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847383477.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883141435.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019895484.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100631142.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841022436.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873487738.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016393921.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097338826.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: EdgeBHO.exe, 00000010.00000002.1873662230.00007FFCA168C000.00000002.00000001.01000000.0000000C.sdmp, EdgeBHO.exe, 00000015.00000002.2440299564.00007FFCA168C000.00000002.00000001.01000000.00000016.sdmp, EdgeBHO.exe, 00000019.00000002.2054904950.00007FFC9C65C000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842189370.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875345385.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017250591.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098287991.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840667454.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872625223.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016020890.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096990057.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844292763.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877909726.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018534751.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099505061.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1845961180.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1879668224.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019318045.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100136236.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842189370.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875345385.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017250591.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098287991.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847541834.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883395222.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020008126.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100786546.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1838528308.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1875774155.00007FFCBB3E4000.00000002.00000001.01000000.0000000E.sdmp, EdgeBHO.exe, 00000014.00000003.1869750221.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2442069207.00007FFCBB3E4000.00000002.00000001.01000000.00000018.sdmp, EdgeBHO.exe, 00000018.00000003.2013678723.000001BAA3CFF000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2056569719.00007FFCB4704000.00000002.00000001.01000000.00000021.sdmp, EdgeBHO.exe, 0000001A.00000003.2095304862.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841640202.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874269759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016740382.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097781458.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: PfOHmro.exe, 00000000.00000000.1174105120.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844717900.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878527857.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018778560.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099713680.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: EdgeBHO.exe, 0000000F.00000003.1838854004.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1873956487.00007FFCBB2F5000.00000002.00000001.01000000.00000014.sdmp, EdgeBHO.exe, 00000014.00000003.1870065890.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2440565210.00007FFCBB2F5000.00000002.00000001.01000000.0000001E.sdmp, EdgeBHO.exe, 00000018.00000003.2013943553.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2055363994.00007FFCAD6A5000.00000002.00000001.01000000.00000027.sdmp, EdgeBHO.exe, 0000001A.00000003.2095507172.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843973437.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877455979.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018323407.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099294626.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841640202.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874269759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016740382.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097781458.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1845394223.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1879307879.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019208738.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100033216.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841388876.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873990925.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016610374.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097651612.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: EdgeBHO.exe, EdgeBHO.exe, 00000019.00000002.2055936402.00007FFCB42D1000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842674359.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876322759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017630964.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098673279.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840799142.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872892606.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016152642.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097106915.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842674359.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876322759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017630964.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098673279.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840444280.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872173040.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015729848.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096743379.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840903774.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873242498.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016285040.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097235679.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842488383.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876066587.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017499898.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098543068.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1845070058.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1879085603.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019091727.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099930115.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1847214203.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1882917745.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019761162.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100527933.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1844717900.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878527857.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018778560.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099713680.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840554181.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872385641.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015879685.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096868575.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: EdgeBHO.exe, 00000010.00000002.1874194924.00007FFCBB31B000.00000040.00000001.01000000.00000012.sdmp, EdgeBHO.exe, 00000015.00000002.2440948631.00007FFCBB31B000.00000040.00000001.01000000.0000001C.sdmp, EdgeBHO.exe, 00000019.00000002.2055093814.00007FFCABB0B000.00000040.00000001.01000000.00000025.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: EdgeBHO.exe, EdgeBHO.exe, 00000019.00000002.2055719822.00007FFCAFBA1000.00000040.00000001.01000000.00000024.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840799142.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872892606.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016152642.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097106915.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843473939.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876830773.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017864453.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098928872.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: EdgeBHO.exe, 00000010.00000002.1873662230.00007FFCA168C000.00000002.00000001.01000000.0000000C.sdmp, EdgeBHO.exe, 00000015.00000002.2440299564.00007FFCA168C000.00000002.00000001.01000000.00000016.sdmp, EdgeBHO.exe, 00000019.00000002.2054904950.00007FFC9C65C000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840903774.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873242498.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016285040.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097235679.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: EdgeBHO.exe, 00000010.00000002.1871702839.00007FFC9CAB9000.00000040.00000001.01000000.0000000D.sdmp, EdgeBHO.exe, 00000015.00000002.2438702214.00007FFC9CAB9000.00000040.00000001.01000000.00000017.sdmp, EdgeBHO.exe, 00000019.00000002.2053349770.00007FFC9C349000.00000040.00000001.01000000.00000020.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1838854004.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1873956487.00007FFCBB2F5000.00000002.00000001.01000000.00000014.sdmp, EdgeBHO.exe, 00000014.00000003.1870065890.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2440565210.00007FFCBB2F5000.00000002.00000001.01000000.0000001E.sdmp, EdgeBHO.exe, 00000018.00000003.2013943553.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2055363994.00007FFCAD6A5000.00000002.00000001.01000000.00000027.sdmp, EdgeBHO.exe, 0000001A.00000003.2095507172.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1848154049.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883754430.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020233504.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101102837.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841388876.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873990925.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016610374.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097651612.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1844292763.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877909726.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018534751.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099505061.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844159682.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877708898.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018431971.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099398521.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: EdgeBHO.exe, 00000010.00000002.1874771647.00007FFCBB391000.00000040.00000001.01000000.00000013.sdmp, EdgeBHO.exe, 00000015.00000002.2441419137.00007FFCBB391000.00000040.00000001.01000000.0000001D.sdmp, EdgeBHO.exe, 00000019.00000002.2055498902.00007FFCAF5E1000.00000040.00000001.01000000.00000026.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843473939.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876830773.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017864453.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098928872.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842488383.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876066587.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017499898.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098543068.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: PfOHmro.exe, 00000000.00000000.1174105120.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840554181.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872385641.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015879685.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096868575.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844899504.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878874442.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018917388.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099824827.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: EdgeBHO.exe, 0000000F.00000003.1838528308.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1875774155.00007FFCBB3E4000.00000002.00000001.01000000.0000000E.sdmp, EdgeBHO.exe, 00000014.00000003.1869750221.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2442069207.00007FFCBB3E4000.00000002.00000001.01000000.00000018.sdmp, EdgeBHO.exe, 00000018.00000003.2013678723.000001BAA3CFF000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2056569719.00007FFCB4704000.00000002.00000001.01000000.00000021.sdmp, EdgeBHO.exe, 0000001A.00000003.2095304862.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1846946271.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1882472597.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019644449.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100446698.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842045762.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875042633.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017137169.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098161682.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841738441.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874518425.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016870009.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097910012.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843847302.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877251431.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018182031.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099196398.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: EdgeBHO.exe, 0000000F.00000003.1842994259.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876585682.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017739876.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098810697.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840667454.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872625223.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016020890.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096990057.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841905883.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874768746.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017004149.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098037187.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842352547.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875802095.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017371983.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098415607.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1848640080.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883914289.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020354386.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101211287.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843707805.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877034168.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018002633.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099071239.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844446204.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878154496.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018669769.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099608160.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843847302.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877251431.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018182031.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099196398.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841155329.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873736321.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016505020.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097524068.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840444280.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872173040.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015729848.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096743379.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: EdgeBHO.exe, 00000010.00000002.1874194924.00007FFCBB31B000.00000040.00000001.01000000.00000012.sdmp, EdgeBHO.exe, 00000015.00000002.2440948631.00007FFCBB31B000.00000040.00000001.01000000.0000001C.sdmp, EdgeBHO.exe, 00000019.00000002.2055093814.00007FFCABB0B000.00000040.00000001.01000000.00000025.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847214203.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1882917745.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019761162.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100527933.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841905883.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874768746.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017004149.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098037187.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842352547.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875802095.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017371983.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098415607.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843973437.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877455979.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018323407.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099294626.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841738441.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874518425.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016870009.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097910012.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: EdgeBHO.exe, EdgeBHO.exe, 00000019.00000002.2055498902.00007FFCAF5E1000.00000040.00000001.01000000.00000026.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843707805.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877034168.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018002633.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099071239.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1846646974.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1880638314.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019428022.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100241717.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847742380.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883582433.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020118947.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100991668.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1844899504.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878874442.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018917388.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099824827.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84992F0 FindFirstFileExW,FindClose,	15_2_00007FF6F84992F0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84983B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	15_2_00007FF6F84983B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B1BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_00007FF6F84B1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84992F0 FindFirstFileExW,FindClose,	16_2_00007FF6F84992F0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84983B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	16_2_00007FF6F84983B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B1BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	16_2_00007FF6F84B1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164F118 FindFirstFileExA,FindClose,FindNextFileA,	16_2_00007FFCA164F118
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164F2C8 FindFirstFileExW,FindClose,FindNextFileW,	16_2_00007FFCA164F2C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3592F0 FindFirstFileExW,FindClose,	20_2_00007FF6AE3592F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3583B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	20_2_00007FF6AE3583B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE371BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_00007FF6AE371BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3592F0 FindFirstFileExW,FindClose,	21_2_00007FF6AE3592F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3583B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	21_2_00007FF6AE3583B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE371BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_00007FF6AE371BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61F118 FindFirstFileExA,FindClose,FindNextFileA,	25_2_00007FFC9C61F118
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61F2C8 FindFirstFileExW,FindClose,FindNextFileW,	25_2_00007FFC9C61F2C8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49717 -> 101.99.92.190:40919
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49717 -> 101.99.92.190:40919
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49726 -> 101.99.92.190:40919
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49728 -> 101.99.92.190:40919
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 101.99.92.190:40919 -> 192.168.2.4:49717
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49717 -> 101.99.92.190:40919
Source: Network traffic	Suricata IDS: 2020500 - Severity 1 - ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK) : 101.99.92.190:4449 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 101.99.92.190:40919 -> 192.168.2.4:49717
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 101.99.92.190:40919 -> 192.168.2.4:49717
Source: Network traffic	Suricata IDS: 2849738 - Severity 1 - ETPRO MALWARE RedLine - VerifyUpdate Request : 192.168.2.4:57483 -> 101.99.92.190:40919

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 101.99.92.190:40919

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 101.99.92.190 ports 0,1,4,40919,9,4449

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 4449
Source: unknown	Network traffic detected: HTTP traffic on port 4449 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 57483 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 57483

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49717 -> 101.99.92.190:40919

Detected non-DNS traffic on DNS port

Source: global traffic

TCP traffic: 192.168.2.4:57479 -> 162.159.36.2:53

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 101.99.92.190:40919Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 101.99.92.190:40919Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 101.99.92.190:40919Content-Length: 949742Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 101.99.92.190:40919Content-Length: 949734Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /EdgeBHO.exe HTTP/1.1Host: 101.99.92.190:4449Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: 101.99.92.190:40919Content-Length: 949760Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.26.12.31 104.26.12.31

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 104.26.12.31:443 -> 192.168.2.4:49724 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /EdgeBHO.exe HTTP/1.1Host: 101.99.92.190:4449Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 101.99.92.190:40919Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000003.00000002.1859182871.0000000003440000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000003.00000002.1859182871.0000000003374000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000003.00000002.1859182871.0000000003458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:40919
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:40919/
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:40919t-
Source: PfOHmro.exe, 00000003.00000002.1859182871.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:4449
Source: PfOHmro.exe, 00000003.00000002.1859182871.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:4449/EdgeBHO.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:4449t-
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digiY
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: PfOHmro.exe, 00000003.00000002.1859182871.00000000032B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PfOHmro.exe, 00000003.00000002.1859182871.00000000032B0000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000003.00000002.1859182871.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003440000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000003.00000002.1859182871.00000000032B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003458000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000003.00000002.1859182871.00000000032B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: PfOHmro.exe, PfOHmro.exe, 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: PfOHmro.exe, PfOHmro.exe, 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EdgeBHO.exe, 0000001B.00000003.2168680322.000001CD9FB95000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000003.2170827937.000001CD9FB97000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000003.2166877294.000001CD9FB71000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000003.2167630173.000001CD9FB88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.pyth
Source: EdgeBHO.exe, 00000010.00000002.1869638291.0000025A1E3C3000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2434606489.0000019362C1D000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2043555269.00000286B9C63000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2040689177.00000286B9C16000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2043381394.00000286B9C45000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041365193.00000286B9C19000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041472853.00000286B9C3E000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000003.2168018169.000001CD9F77B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DD54000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.0000019362A34000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B99A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DD54000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.0000019362A34000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B99A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: EdgeBHO.exe, 00000010.00000002.1869157894.0000025A1DF90000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892757641.0000019362BE2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892047968.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2434606489.0000019362BB0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1891539681.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892987645.0000019362BE7000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049796744.00000286B8058000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2043997505.00000286B8057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: EdgeBHO.exe, 00000010.00000002.1869157894.0000025A1DF90000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892757641.0000019362BE2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892047968.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2434606489.0000019362BB0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1891539681.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892987645.0000019362BE7000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2028271325.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2045514176.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041189277.00000286B9BA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2050301109.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2045959527.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2029510790.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2046603943.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2050354652.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2044269212.00000286B9B84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: EdgeBHO.exe, 00000015.00000002.2436368256.0000019363144000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2051907220.00000286BA104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/asweigart/pyperclip/issues/55
Source: EdgeBHO.exe, 00000019.00000002.2051907220.00000286BA104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/asweigart/pyperclip/issues/55po
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DD54000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.0000019362A34000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B99A4000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000002.2182758834.000001CD9F6EC000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000003.2166967541.000001CD9F6DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: EdgeBHO.exe, 00000019.00000003.2044269212.00000286B9B84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: EdgeBHO.exe, 00000010.00000002.1869157894.0000025A1DF90000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892757641.0000019362BE2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892047968.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2434606489.0000019362BB0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1891539681.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892987645.0000019362BE7000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2028271325.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2045514176.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041189277.00000286B9BA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2050301109.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2045959527.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2029510790.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2046603943.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2050354652.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2044269212.00000286B9B84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: EdgeBHO.exe, 00000010.00000002.1869638291.0000025A1E48C000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1869638291.0000025A1E3C3000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000003.1863149520.0000025A1E48C000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000003.1862893983.0000025A1E47B000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000003.1862823991.0000025A1E472000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1893596956.0000019363058000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2435437723.0000019362FA4000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2044460362.00000286BA065000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2031243370.00000286BA31F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2039794073.00000286BA31F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2039930478.00000286BA055000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2030953933.00000286BA31F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2051643701.00000286BA055000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2031381064.00000286BA058000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2051643701.00000286BA074000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041777990.00000286BA055000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2040751400.00000286BA055000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000003.2113090596.000001CD9FBB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: EdgeBHO.exe, 00000010.00000002.1870335387.0000025A1E524000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2436368256.0000019363144000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2051907220.00000286BA104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: EdgeBHO.exe, 00000010.00000002.1869157894.0000025A1DF90000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892757641.0000019362BE2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892047968.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2434606489.0000019362BB0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1891539681.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892987645.0000019362BE7000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2028271325.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2045514176.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041189277.00000286B9BA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2050301109.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2045959527.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2029510790.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2046603943.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2050354652.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2044269212.00000286B9B84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: PfOHmro.exe, PfOHmro.exe, 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: EdgeBHO.exe, 00000010.00000002.1870335387.0000025A1E524000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000003.1860536177.0000025A1E3D1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2436368256.0000019363144000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2051907220.00000286BA104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: EdgeBHO.exe, 00000010.00000002.1871702839.00007FFC9CAB9000.00000040.00000001.01000000.0000000D.sdmp, EdgeBHO.exe, 00000015.00000002.2438702214.00007FFC9CAB9000.00000040.00000001.01000000.00000017.sdmp, EdgeBHO.exe, 00000019.00000002.2053349770.00007FFC9C349000.00000040.00000001.01000000.00000020.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: EdgeBHO.exe, 0000001B.00000002.2187512345.000001CDA0134000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pyperclip.readthedocs.io/en/latest/index.html#not-implemented-error
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: EdgeBHO.exe, 00000010.00000002.1871702839.00007FFC9CAB9000.00000040.00000001.01000000.0000000D.sdmp, EdgeBHO.exe, 00000015.00000002.2438702214.00007FFC9CAB9000.00000040.00000001.01000000.00000017.sdmp, EdgeBHO.exe, 00000019.00000002.2053349770.00007FFC9C349000.00000040.00000001.01000000.00000020.sdmp	String found in binary or memory: https://www.python.org/psf/license/)

Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PfOHmro.exe PID: 7520, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PfOHmro.exe PID: 7568, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Detected potential crypto function

Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 0_2_02F22548	0_2_02F22548
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_0304E7B0	3_2_0304E7B0
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_0304DC90	3_2_0304DC90
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B89628	3_2_06B89628
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B84468	3_2_06B84468
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B83460	3_2_06B83460
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B81210	3_2_06B81210
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B8DD00	3_2_06B8DD00
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B8D108	3_2_06B8D108
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B0C30	15_2_00007FF6F84B0C30
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F8498BD0	15_2_00007FF6F8498BD0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B6DAC	15_2_00007FF6F84B6DAC
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F8491000	15_2_00007FF6F8491000
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A19C8	15_2_00007FF6F84A19C8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A21E8	15_2_00007FF6F84A21E8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B9A80	15_2_00007FF6F84B9A80
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B62B0	15_2_00007FF6F84B62B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A3A70	15_2_00007FF6F84A3A70
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84ADAB8	15_2_00007FF6F84ADAB8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F849A34B	15_2_00007FF6F849A34B
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B1BD4	15_2_00007FF6F84B1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A1BD4	15_2_00007FF6F84A1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84BACA0	15_2_00007FF6F84BACA0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F849AD1D	15_2_00007FF6F849AD1D
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B44BC	15_2_00007FF6F84B44BC
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F849A4E4	15_2_00007FF6F849A4E4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A3600	15_2_00007FF6F84A3600
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84AE5C8	15_2_00007FF6F84AE5C8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A1DD8	15_2_00007FF6F84A1DD8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A9E6C	15_2_00007FF6F84A9E6C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B0C30	15_2_00007FF6F84B0C30
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A87B4	15_2_00007FF6F84A87B4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84ADF50	15_2_00007FF6F84ADF50
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B4030	15_2_00007FF6F84B4030
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B6030	15_2_00007FF6F84B6030
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A17C4	15_2_00007FF6F84A17C4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A1FE4	15_2_00007FF6F84A1FE4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B6854	15_2_00007FF6F84B6854
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F8499870	15_2_00007FF6F8499870
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A8104	15_2_00007FF6F84A8104
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B6DAC	16_2_00007FF6F84B6DAC
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F8491000	16_2_00007FF6F8491000
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B6030	16_2_00007FF6F84B6030
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A19C8	16_2_00007FF6F84A19C8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A21E8	16_2_00007FF6F84A21E8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B9A80	16_2_00007FF6F84B9A80
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B62B0	16_2_00007FF6F84B62B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A3A70	16_2_00007FF6F84A3A70
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84ADAB8	16_2_00007FF6F84ADAB8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F849A34B	16_2_00007FF6F849A34B
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B0C30	16_2_00007FF6F84B0C30
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F8498BD0	16_2_00007FF6F8498BD0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B1BD4	16_2_00007FF6F84B1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A1BD4	16_2_00007FF6F84A1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84BACA0	16_2_00007FF6F84BACA0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F849AD1D	16_2_00007FF6F849AD1D
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B44BC	16_2_00007FF6F84B44BC
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F849A4E4	16_2_00007FF6F849A4E4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A3600	16_2_00007FF6F84A3600
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84AE5C8	16_2_00007FF6F84AE5C8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A1DD8	16_2_00007FF6F84A1DD8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A9E6C	16_2_00007FF6F84A9E6C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B0C30	16_2_00007FF6F84B0C30
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A87B4	16_2_00007FF6F84A87B4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84ADF50	16_2_00007FF6F84ADF50
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B4030	16_2_00007FF6F84B4030
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A17C4	16_2_00007FF6F84A17C4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A1FE4	16_2_00007FF6F84A1FE4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B6854	16_2_00007FF6F84B6854
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F8499870	16_2_00007FF6F8499870
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A8104	16_2_00007FF6F84A8104
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFC9CD051D0	16_2_00007FFC9CD051D0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F41C0	16_2_00007FFCA15F41C0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164E0A0	16_2_00007FFCA164E0A0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA160E0A0	16_2_00007FFCA160E0A0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15EA090	16_2_00007FFCA15EA090
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1609135	16_2_00007FFCA1609135
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164F118	16_2_00007FFCA164F118
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15FF470	16_2_00007FFCA15FF470
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA160A430	16_2_00007FFCA160A430
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA160F438	16_2_00007FFCA160F438
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164D400	16_2_00007FFCA164D400
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1607320	16_2_00007FFCA1607320
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15E5530	16_2_00007FFCA15E5530
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15FA810	16_2_00007FFCA15FA810
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F8670	16_2_00007FFCA15F8670
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F9744	16_2_00007FFCA15F9744
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15E4734	16_2_00007FFCA15E4734
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15FA970	16_2_00007FFCA15FA970
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F9930	16_2_00007FFCA15F9930
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1615928	16_2_00007FFCA1615928
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1619910	16_2_00007FFCA1619910
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA160AB90	16_2_00007FFCA160AB90
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F9C70	16_2_00007FFCA15F9C70
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15E3C30	16_2_00007FFCA15E3C30
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15EDC00	16_2_00007FFCA15EDC00
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1604AFA	16_2_00007FFCA1604AFA
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F2AC4	16_2_00007FFCA15F2AC4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15E2ABC	16_2_00007FFCA15E2ABC
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F7AB8	16_2_00007FFCA15F7AB8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164EB28	16_2_00007FFCA164EB28
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F5E40	16_2_00007FFCA15F5E40
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F9E1C	16_2_00007FFCA15F9E1C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15FAE00	16_2_00007FFCA15FAE00
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F6CC0	16_2_00007FFCA15F6CC0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA166FC90	16_2_00007FFCA166FC90
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA160BD40	16_2_00007FFCA160BD40
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164ED04	16_2_00007FFCA164ED04
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15FAF90	16_2_00007FFCA15FAF90
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1664070	16_2_00007FFCA1664070
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA163F074	16_2_00007FFCA163F074
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1612050	16_2_00007FFCA1612050
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F4EB0	16_2_00007FFCA15F4EB0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15ECF30	16_2_00007FFCA15ECF30
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3023B0	16_2_00007FFCBB3023B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3073FC	16_2_00007FFCBB3073FC
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3012B0	16_2_00007FFCBB3012B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB308F50	16_2_00007FFCBB308F50
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB305F00	16_2_00007FFCBB305F00
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB302F70	16_2_00007FFCBB302F70
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3055D0	16_2_00007FFCBB3055D0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB301A00	16_2_00007FFCBB301A00
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB304650	16_2_00007FFCBB304650
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB301920	16_2_00007FFCBB301920
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB30F524	16_2_00007FFCBB30F524
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB333DC0	16_2_00007FFCBB333DC0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3377E8	16_2_00007FFCBB3377E8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB33C890	16_2_00007FFCBB33C890
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB332DA0	16_2_00007FFCBB332DA0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB336060	16_2_00007FFCBB336060
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB333B20	16_2_00007FFCBB333B20
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB39C490	16_2_00007FFCBB39C490
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3910C0	16_2_00007FFCBB3910C0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3916A0	16_2_00007FFCBB3916A0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3C4BE0	16_2_00007FFCBB3C4BE0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3A6264	16_2_00007FFCBB3A6264
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3A3630	16_2_00007FFCBB3A3630
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE351000	20_2_00007FF6AE351000
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE376DAC	20_2_00007FF6AE376DAC
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE358BD0	20_2_00007FF6AE358BD0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE370C30	20_2_00007FF6AE370C30
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3687B4	20_2_00007FF6AE3687B4
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE36DF50	20_2_00007FF6AE36DF50
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE374030	20_2_00007FF6AE374030
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE376030	20_2_00007FF6AE376030
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3617C4	20_2_00007FF6AE3617C4
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE361FE4	20_2_00007FF6AE361FE4
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE376854	20_2_00007FF6AE376854
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE359870	20_2_00007FF6AE359870
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE368104	20_2_00007FF6AE368104
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE363600	20_2_00007FF6AE363600
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE36E5C8	20_2_00007FF6AE36E5C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE361DD8	20_2_00007FF6AE361DD8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE369E6C	20_2_00007FF6AE369E6C
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE35A34B	20_2_00007FF6AE35A34B
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE370C30	20_2_00007FF6AE370C30
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE371BD4	20_2_00007FF6AE371BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE361BD4	20_2_00007FF6AE361BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE37ACA0	20_2_00007FF6AE37ACA0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE35AD1D	20_2_00007FF6AE35AD1D
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3744BC	20_2_00007FF6AE3744BC
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE35A4E4	20_2_00007FF6AE35A4E4
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3619C8	20_2_00007FF6AE3619C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3621E8	20_2_00007FF6AE3621E8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE379A80	20_2_00007FF6AE379A80
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3762B0	20_2_00007FF6AE3762B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE363A70	20_2_00007FF6AE363A70
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE36DAB8	20_2_00007FF6AE36DAB8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE351000	21_2_00007FF6AE351000
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE376030	21_2_00007FF6AE376030
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE376DAC	21_2_00007FF6AE376DAC
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE370C30	21_2_00007FF6AE370C30
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3687B4	21_2_00007FF6AE3687B4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE36DF50	21_2_00007FF6AE36DF50
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE374030	21_2_00007FF6AE374030
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3617C4	21_2_00007FF6AE3617C4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE361FE4	21_2_00007FF6AE361FE4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE376854	21_2_00007FF6AE376854
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE359870	21_2_00007FF6AE359870
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE368104	21_2_00007FF6AE368104
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE363600	21_2_00007FF6AE363600
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE36E5C8	21_2_00007FF6AE36E5C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE361DD8	21_2_00007FF6AE361DD8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE369E6C	21_2_00007FF6AE369E6C
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE35A34B	21_2_00007FF6AE35A34B
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE370C30	21_2_00007FF6AE370C30
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE371BD4	21_2_00007FF6AE371BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE361BD4	21_2_00007FF6AE361BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE358BD0	21_2_00007FF6AE358BD0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE37ACA0	21_2_00007FF6AE37ACA0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE35AD1D	21_2_00007FF6AE35AD1D
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3744BC	21_2_00007FF6AE3744BC
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE35A4E4	21_2_00007FF6AE35A4E4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3619C8	21_2_00007FF6AE3619C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3621E8	21_2_00007FF6AE3621E8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE379A80	21_2_00007FF6AE379A80
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3762B0	21_2_00007FF6AE3762B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE363A70	21_2_00007FF6AE363A70
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE36DAB8	21_2_00007FF6AE36DAB8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB333B20	21_2_00007FFCBB333B20
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB33C890	21_2_00007FFCBB33C890
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB3377E8	21_2_00007FFCBB3377E8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB336060	21_2_00007FFCBB336060
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB333DC0	21_2_00007FFCBB333DC0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB332DA0	21_2_00007FFCBB332DA0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB39C490	21_2_00007FFCBB39C490
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB3916A0	21_2_00007FFCBB3916A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB3910C0	21_2_00007FFCBB3910C0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB3D63A0	21_2_00007FFCBB3D63A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB3D8300	21_2_00007FFCBB3D8300
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD3F50	21_2_00007FFCBBBD3F50
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD1F50	21_2_00007FFCBBBD1F50
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD2ED0	21_2_00007FFCBBBD2ED0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD32E0	21_2_00007FFCBBBD32E0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD39F0	21_2_00007FFCBBBD39F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD27A0	21_2_00007FFCBBBD27A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5951D0	25_2_00007FFC9C5951D0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C6CC0	25_2_00007FFC9C5C6CC0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C63FC90	25_2_00007FFC9C63FC90
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5DBD40	25_2_00007FFC9C5DBD40
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61ED04	25_2_00007FFC9C61ED04
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C5E40	25_2_00007FFC9C5C5E40
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C9E1C	25_2_00007FFC9C5C9E1C
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5CAE00	25_2_00007FFC9C5CAE00
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C4EB0	25_2_00007FFC9C5C4EB0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5BCF30	25_2_00007FFC9C5BCF30
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5CAF90	25_2_00007FFC9C5CAF90
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C634070	25_2_00007FFC9C634070
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C60F074	25_2_00007FFC9C60F074
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5E2050	25_2_00007FFC9C5E2050
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5CA970	25_2_00007FFC9C5CA970
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5E5928	25_2_00007FFC9C5E5928
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C9930	25_2_00007FFC9C5C9930
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5E9910	25_2_00007FFC9C5E9910
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D4AFA	25_2_00007FFC9C5D4AFA
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C2AC4	25_2_00007FFC9C5C2AC4
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5B2ABC	25_2_00007FFC9C5B2ABC
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C7AB8	25_2_00007FFC9C5C7AB8
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61EB28	25_2_00007FFC9C61EB28
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5DAB90	25_2_00007FFC9C5DAB90
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C9C70	25_2_00007FFC9C5C9C70
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5B3C30	25_2_00007FFC9C5B3C30
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5BDC00	25_2_00007FFC9C5BDC00
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5B5530	25_2_00007FFC9C5B5530
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C8670	25_2_00007FFC9C5C8670
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C9744	25_2_00007FFC9C5C9744
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5B4734	25_2_00007FFC9C5B4734
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5CA810	25_2_00007FFC9C5CA810
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5DE0A0	25_2_00007FFC9C5DE0A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61E0A0	25_2_00007FFC9C61E0A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5BA090	25_2_00007FFC9C5BA090
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D9135	25_2_00007FFC9C5D9135
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61F118	25_2_00007FFC9C61F118
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C41C0	25_2_00007FFC9C5C41C0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D7320	25_2_00007FFC9C5D7320
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5CF470	25_2_00007FFC9C5CF470
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5DF438	25_2_00007FFC9C5DF438
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5DA430	25_2_00007FFC9C5DA430
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61D400	25_2_00007FFC9C61D400
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF73FC	25_2_00007FFCABAF73FC
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF23B0	25_2_00007FFCABAF23B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF12B0	25_2_00007FFCABAF12B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF1A00	25_2_00007FFCABAF1A00
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF1920	25_2_00007FFCABAF1920
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF5F00	25_2_00007FFCABAF5F00
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF2F70	25_2_00007FFCABAF2F70
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF8F50	25_2_00007FFCABAF8F50
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF4650	25_2_00007FFCABAF4650
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF55D0	25_2_00007FFCABAF55D0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAFF524	25_2_00007FFCABAFF524
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAF5EC490	25_2_00007FFCAF5EC490
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAF5E10C0	25_2_00007FFCAF5E10C0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAF5E16A0	25_2_00007FFCAF5E16A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBA6060	25_2_00007FFCAFBA6060
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBA3B20	25_2_00007FFCAFBA3B20
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBA3DC0	25_2_00007FFCAFBA3DC0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBA77E8	25_2_00007FFCAFBA77E8
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBAC890	25_2_00007FFCAFBAC890
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBA2DA0	25_2_00007FFCAFBA2DA0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB42D3630	25_2_00007FFCB42D3630
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB42D6264	25_2_00007FFCB42D6264
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB42F4BE0	25_2_00007FFCB42F4BE0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E39F0	25_2_00007FFCB46E39F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E32E0	25_2_00007FFCB46E32E0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E2ED0	25_2_00007FFCB46E2ED0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E27A0	25_2_00007FFCB46E27A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E3F50	25_2_00007FFCB46E3F50
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E1F50	25_2_00007FFCB46E1F50
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46F8300	25_2_00007FFCB46F8300
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46F63A0	25_2_00007FFCB46F63A0

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe F76FDE632A80C0C487FA71AC27699BDAF5D3B840ED3F1DD82448C80F4CD03FAC
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\_MEI12522\VCRUNTIME140.dll 36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153

Found potential string decryption / allocating functions

Source: C:\Users\user\EdgeBHO.exe	Code function: String function: 00007FFCB42E34D8 appears 78 times
Source: C:\Users\user\EdgeBHO.exe	Code function: String function: 00007FFCB42E3278 appears 45 times
Source: C:\Users\user\EdgeBHO.exe	Code function: String function: 00007FF6AE352910 appears 34 times
Source: C:\Users\user\EdgeBHO.exe	Code function: String function: 00007FFC9C5C2FA0 appears 44 times
Source: C:\Users\user\EdgeBHO.exe	Code function: String function: 00007FF6AE352710 appears 104 times
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: String function: 00007FF6F8492910 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: String function: 00007FFCBB3B3278 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: String function: 00007FFCA15F2FA0 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: String function: 00007FFCBB3B34D8 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: String function: 00007FF6F8492710 appears 104 times

One or more processes crash

Source: C:\Users\user\Desktop\PfOHmro.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 816

PE file contains executable resources (Code or Archives)

Source: ucrtbase.dll.15.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.15.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ucrtbase.dll.20.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.20.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

PE file does not import any functions

Source: api-ms-win-core-console-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: PfOHmro.exe, 00000000.00000002.1279114071.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PfOHmro.exe
Source: PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePortals.exe0 vs PfOHmro.exe
Source: PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs PfOHmro.exe
Source: PfOHmro.exe, 00000000.00000000.1174120676.0000000000DC6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePortals.exe0 vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefirefox.exe0 vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\080904B0\\OriginalFilename vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe> vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PfOHmro.exe

Yara signature match

Source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PfOHmro.exe PID: 7520, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PfOHmro.exe PID: 7568, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: PfOHmro.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PfOHmro.exe	Static PE information: Section: .CSS ZLIB complexity 1.0003681282722514
Source: python313.dll.15.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9994185524425288
Source: libcrypto-3.dll.15.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
Source: unicodedata.pyd.15.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9925549591002045
Source: libcrypto-3.dll.20.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
Source: python313.dll.20.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9994185524425288
Source: unicodedata.pyd.20.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9925549591002045

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@29/270@1/2

Source: C:\Users\user\Desktop\PfOHmro.exe

File created: C:\Users\user\AppData\Local\Yandex

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Users\user\Desktop\PfOHmro.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7520
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03

Source: C:\Users\user\Desktop\PfOHmro.exe

File created: C:\Users\user\AppData\Local\Temp\tmp18C0.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\activate.bat

Source: PfOHmro.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PfOHmro.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EdgeBHO.exe")

Source: C:\Users\user\Desktop\PfOHmro.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PfOHmro.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PfOHmro.exe	Virustotal: Detection: 62%
Source: PfOHmro.exe	ReversingLabs: Detection: 73%

Source: EdgeBHO.exe	String found in binary or memory: can't send non-None value to a just-started coroutine
Source: EdgeBHO.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
Source: EdgeBHO.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
Source: EdgeBHO.exe	String found in binary or memory: can't send non-None value to a just-started async generator
Source: EdgeBHO.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: EdgeBHO.exe	String found in binary or memory: --help
Source: EdgeBHO.exe	String found in binary or memory: --help
Source: EdgeBHO.exe	String found in binary or memory: fma($module, x, y, z, /) -- Fused multiply-add operation. Compute (x * y) + z with a single round.
Source: EdgeBHO.exe	String found in binary or memory: can't send non-None value to a just-started coroutine
Source: EdgeBHO.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
Source: EdgeBHO.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
Source: EdgeBHO.exe	String found in binary or memory: can't send non-None value to a just-started async generator
Source: EdgeBHO.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: EdgeBHO.exe	String found in binary or memory: --help
Source: EdgeBHO.exe	String found in binary or memory: --help
Source: EdgeBHO.exe	String found in binary or memory: fma($module, x, y, z, /) -- Fused multiply-add operation. Compute (x * y) + z with a single round.

Source: C:\Users\user\Desktop\PfOHmro.exe

File read: C:\Users\user\Desktop\PfOHmro.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 816
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe"
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Process created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe"
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\activate.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im "EdgeBHO.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\EdgeBHO.exe "EdgeBHO.exe"
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "EdgeBHO.exe"
Source: unknown	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"
Source: unknown	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Process created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\activate.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im "EdgeBHO.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\EdgeBHO.exe "EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"

Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: version.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: python3.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: propsys.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: textshaping.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: version.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: python3.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: propsys.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: textshaping.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: PfOHmro.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PfOHmro.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PfOHmro.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1846777523.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1881631808.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019536998.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100346764.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847383477.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883141435.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019895484.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100631142.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841022436.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873487738.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016393921.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097338826.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: EdgeBHO.exe, 00000010.00000002.1873662230.00007FFCA168C000.00000002.00000001.01000000.0000000C.sdmp, EdgeBHO.exe, 00000015.00000002.2440299564.00007FFCA168C000.00000002.00000001.01000000.00000016.sdmp, EdgeBHO.exe, 00000019.00000002.2054904950.00007FFC9C65C000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842189370.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875345385.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017250591.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098287991.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840667454.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872625223.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016020890.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096990057.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844292763.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877909726.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018534751.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099505061.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1845961180.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1879668224.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019318045.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100136236.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842189370.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875345385.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017250591.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098287991.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847541834.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883395222.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020008126.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100786546.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1838528308.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1875774155.00007FFCBB3E4000.00000002.00000001.01000000.0000000E.sdmp, EdgeBHO.exe, 00000014.00000003.1869750221.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2442069207.00007FFCBB3E4000.00000002.00000001.01000000.00000018.sdmp, EdgeBHO.exe, 00000018.00000003.2013678723.000001BAA3CFF000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2056569719.00007FFCB4704000.00000002.00000001.01000000.00000021.sdmp, EdgeBHO.exe, 0000001A.00000003.2095304862.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841640202.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874269759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016740382.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097781458.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: PfOHmro.exe, 00000000.00000000.1174105120.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844717900.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878527857.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018778560.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099713680.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: EdgeBHO.exe, 0000000F.00000003.1838854004.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1873956487.00007FFCBB2F5000.00000002.00000001.01000000.00000014.sdmp, EdgeBHO.exe, 00000014.00000003.1870065890.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2440565210.00007FFCBB2F5000.00000002.00000001.01000000.0000001E.sdmp, EdgeBHO.exe, 00000018.00000003.2013943553.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2055363994.00007FFCAD6A5000.00000002.00000001.01000000.00000027.sdmp, EdgeBHO.exe, 0000001A.00000003.2095507172.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843973437.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877455979.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018323407.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099294626.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841640202.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874269759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016740382.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097781458.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1845394223.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1879307879.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019208738.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100033216.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841388876.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873990925.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016610374.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097651612.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: EdgeBHO.exe, EdgeBHO.exe, 00000019.00000002.2055936402.00007FFCB42D1000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842674359.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876322759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017630964.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098673279.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840799142.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872892606.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016152642.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097106915.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842674359.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876322759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017630964.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098673279.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840444280.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872173040.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015729848.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096743379.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840903774.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873242498.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016285040.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097235679.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842488383.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876066587.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017499898.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098543068.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1845070058.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1879085603.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019091727.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099930115.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1847214203.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1882917745.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019761162.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100527933.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1844717900.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878527857.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018778560.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099713680.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840554181.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872385641.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015879685.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096868575.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: EdgeBHO.exe, 00000010.00000002.1874194924.00007FFCBB31B000.00000040.00000001.01000000.00000012.sdmp, EdgeBHO.exe, 00000015.00000002.2440948631.00007FFCBB31B000.00000040.00000001.01000000.0000001C.sdmp, EdgeBHO.exe, 00000019.00000002.2055093814.00007FFCABB0B000.00000040.00000001.01000000.00000025.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: EdgeBHO.exe, EdgeBHO.exe, 00000019.00000002.2055719822.00007FFCAFBA1000.00000040.00000001.01000000.00000024.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840799142.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872892606.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016152642.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097106915.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843473939.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876830773.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017864453.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098928872.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: EdgeBHO.exe, 00000010.00000002.1873662230.00007FFCA168C000.00000002.00000001.01000000.0000000C.sdmp, EdgeBHO.exe, 00000015.00000002.2440299564.00007FFCA168C000.00000002.00000001.01000000.00000016.sdmp, EdgeBHO.exe, 00000019.00000002.2054904950.00007FFC9C65C000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840903774.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873242498.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016285040.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097235679.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: EdgeBHO.exe, 00000010.00000002.1871702839.00007FFC9CAB9000.00000040.00000001.01000000.0000000D.sdmp, EdgeBHO.exe, 00000015.00000002.2438702214.00007FFC9CAB9000.00000040.00000001.01000000.00000017.sdmp, EdgeBHO.exe, 00000019.00000002.2053349770.00007FFC9C349000.00000040.00000001.01000000.00000020.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1838854004.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1873956487.00007FFCBB2F5000.00000002.00000001.01000000.00000014.sdmp, EdgeBHO.exe, 00000014.00000003.1870065890.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2440565210.00007FFCBB2F5000.00000002.00000001.01000000.0000001E.sdmp, EdgeBHO.exe, 00000018.00000003.2013943553.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2055363994.00007FFCAD6A5000.00000002.00000001.01000000.00000027.sdmp, EdgeBHO.exe, 0000001A.00000003.2095507172.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1848154049.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883754430.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020233504.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101102837.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841388876.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873990925.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016610374.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097651612.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1844292763.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877909726.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018534751.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099505061.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844159682.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877708898.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018431971.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099398521.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: EdgeBHO.exe, 00000010.00000002.1874771647.00007FFCBB391000.00000040.00000001.01000000.00000013.sdmp, EdgeBHO.exe, 00000015.00000002.2441419137.00007FFCBB391000.00000040.00000001.01000000.0000001D.sdmp, EdgeBHO.exe, 00000019.00000002.2055498902.00007FFCAF5E1000.00000040.00000001.01000000.00000026.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843473939.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876830773.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017864453.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098928872.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842488383.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876066587.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017499898.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098543068.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: PfOHmro.exe, 00000000.00000000.1174105120.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840554181.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872385641.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015879685.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096868575.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844899504.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878874442.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018917388.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099824827.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: EdgeBHO.exe, 0000000F.00000003.1838528308.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1875774155.00007FFCBB3E4000.00000002.00000001.01000000.0000000E.sdmp, EdgeBHO.exe, 00000014.00000003.1869750221.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2442069207.00007FFCBB3E4000.00000002.00000001.01000000.00000018.sdmp, EdgeBHO.exe, 00000018.00000003.2013678723.000001BAA3CFF000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2056569719.00007FFCB4704000.00000002.00000001.01000000.00000021.sdmp, EdgeBHO.exe, 0000001A.00000003.2095304862.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1846946271.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1882472597.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019644449.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100446698.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842045762.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875042633.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017137169.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098161682.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841738441.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874518425.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016870009.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097910012.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843847302.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877251431.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018182031.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099196398.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: EdgeBHO.exe, 0000000F.00000003.1842994259.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876585682.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017739876.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098810697.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840667454.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872625223.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016020890.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096990057.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841905883.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874768746.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017004149.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098037187.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842352547.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875802095.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017371983.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098415607.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1848640080.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883914289.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020354386.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101211287.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843707805.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877034168.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018002633.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099071239.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844446204.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878154496.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018669769.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099608160.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843847302.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877251431.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018182031.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099196398.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841155329.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873736321.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016505020.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097524068.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840444280.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872173040.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015729848.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096743379.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: EdgeBHO.exe, 00000010.00000002.1874194924.00007FFCBB31B000.00000040.00000001.01000000.00000012.sdmp, EdgeBHO.exe, 00000015.00000002.2440948631.00007FFCBB31B000.00000040.00000001.01000000.0000001C.sdmp, EdgeBHO.exe, 00000019.00000002.2055093814.00007FFCABB0B000.00000040.00000001.01000000.00000025.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847214203.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1882917745.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019761162.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100527933.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841905883.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874768746.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017004149.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098037187.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842352547.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875802095.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017371983.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098415607.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843973437.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877455979.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018323407.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099294626.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841738441.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874518425.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016870009.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097910012.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: EdgeBHO.exe, EdgeBHO.exe, 00000019.00000002.2055498902.00007FFCAF5E1000.00000040.00000001.01000000.00000026.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843707805.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877034168.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018002633.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099071239.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1846646974.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1880638314.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019428022.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100241717.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847742380.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883582433.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020118947.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100991668.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1844899504.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878874442.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018917388.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099824827.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp

Binary contains a suspicious time stamp

Source: PfOHmro.exe

Static PE information: 0xADFF511F [Mon Jul 3 22:20:15 2062 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 16_2_00007FFC9CD051D0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

16_2_00007FFC9CD051D0

PE file contains sections with non-standard names

Source: PfOHmro.exe	Static PE information: section name: .CSS
Source: EdgeBHO.exe.3.dr	Static PE information: section name: .fptable
Source: libffi-8.dll.15.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.15.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.15.dr	Static PE information: section name: _RDATA
Source: EdgeBHO.exe.16.dr	Static PE information: section name: .fptable
Source: VCRUNTIME140.dll.20.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.20.dr	Static PE information: section name: _RDATA
Source: libffi-8.dll.20.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.24.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.24.dr	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B81810 push es; ret	3_2_06B81820
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1608522 push rdi; ret	16_2_00007FFCA1608526
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1602A46 push rdi; ret	16_2_00007FFCA1602A52
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1607E0D push rdi; ret	16_2_00007FFCA1607E14
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1602F65 push rdi; ret	16_2_00007FFCA1602F6B
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D7E0D push rdi; ret	25_2_00007FFC9C5D7E14
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D2F65 push rdi; ret	25_2_00007FFC9C5D2F6B
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D2A46 push rdi; ret	25_2_00007FFC9C5D2A52
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D8522 push rdi; ret	25_2_00007FFC9C5D8526

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Drops PE files

Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_socket.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_socket.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\python313.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\python313.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PfOHmro.exe	File created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\python313.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\EdgeBHO.exe	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_wmi.pyd	Jump to dropped file

Drops PE files to the user directory

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

File created: C:\Users\user\EdgeBHO.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

File created: C:\Users\user\EdgeBHO.exe

Jump to dropped file

Source: C:\Users\user\EdgeBHO.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update64			Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update64			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 4449
Source: unknown	Network traffic detected: HTTP traffic on port 4449 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 57483 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 57483

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 15_2_00007FF6F84976B0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

15_2_00007FF6F84976B0

Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PfOHmro.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PfOHmro.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\PfOHmro.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Memory allocated: 50A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Memory allocated: 3260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\PfOHmro.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\PfOHmro.exe	Window / User API: threadDelayed 1776			Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Window / User API: threadDelayed 8013			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_socket.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_socket.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\python313.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\python313.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\python313.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_socket.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_wmi.pyd	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Users\user\EdgeBHO.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	API coverage: 4.1 %
Source: C:\Users\user\EdgeBHO.exe	API coverage: 6.2 %
Source: C:\Users\user\EdgeBHO.exe	API coverage: 1.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\PfOHmro.exe TID: 7348

Thread sleep time: -31359464925306218s >= -30000s

Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PfOHmro.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84992F0 FindFirstFileExW,FindClose,	15_2_00007FF6F84992F0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84983B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	15_2_00007FF6F84983B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B1BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_00007FF6F84B1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84992F0 FindFirstFileExW,FindClose,	16_2_00007FF6F84992F0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84983B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	16_2_00007FF6F84983B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B1BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	16_2_00007FF6F84B1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164F118 FindFirstFileExA,FindClose,FindNextFileA,	16_2_00007FFCA164F118
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164F2C8 FindFirstFileExW,FindClose,FindNextFileW,	16_2_00007FFCA164F2C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3592F0 FindFirstFileExW,FindClose,	20_2_00007FF6AE3592F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3583B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	20_2_00007FF6AE3583B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE371BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_00007FF6AE371BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3592F0 FindFirstFileExW,FindClose,	21_2_00007FF6AE3592F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3583B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	21_2_00007FF6AE3583B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE371BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_00007FF6AE371BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61F118 FindFirstFileExA,FindClose,FindNextFileA,	25_2_00007FFC9C61F118
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61F2C8 FindFirstFileExW,FindClose,FindNextFileW,	25_2_00007FFC9C61F2C8

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 16_2_00007FFCBB391D1C VirtualQuery,GetSystemInfo,

16_2_00007FFCBB391D1C

Source: C:\Users\user\Desktop\PfOHmro.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: PfOHmro.exe, 00000003.00000002.1857931341.000000000169C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: EdgeBHO.exe, 00000010.00000002.1870552492.0000025A1E614000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2436678714.0000019363234000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2052012982.00000286BA1F4000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000002.2187512345.000001CDA0134000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ro.kernel.qemu
Source: EdgeBHO.exe, 00000015.00000002.2435437723.0000019362F0B000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2032306303.00000286BA07F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2031090128.00000286BA07F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2040606777.00000286BA08D000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2039930478.00000286BA055000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2043273122.00000286BA097000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041299813.00000286BA091000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2051807652.00000286BA097000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2031381064.00000286BA058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ro.kernel.qemur
Source: EdgeBHO.exe, 00000010.00000002.1870552492.0000025A1E614000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2436678714.0000019363234000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2052012982.00000286BA1F4000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000002.2187512345.000001CDA0134000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: dro.kernel.qemu

Source: C:\Users\user\Desktop\PfOHmro.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\PfOHmro.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 15_2_00007FF6F849D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

15_2_00007FF6F849D19C

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 16_2_00007FFC9CD051D0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

16_2_00007FFC9CD051D0

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 0_2_030A2149 mov edi, dword ptr fs:[00000030h]		0_2_030A2149
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 0_2_030A22C6 mov edi, dword ptr fs:[00000030h]		0_2_030A22C6

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 15_2_00007FF6F84B3830 GetProcessHeap,

15_2_00007FF6F84B3830

Enables debug privileges

Source: C:\Users\user\Desktop\PfOHmro.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F849D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00007FF6F849D19C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F849D37C SetUnhandledExceptionFilter,	15_2_00007FF6F849D37C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84AA5C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00007FF6F84AA5C8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F849C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00007FF6F849C910
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F849D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FF6F849D19C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F849D37C SetUnhandledExceptionFilter,	16_2_00007FF6F849D37C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84AA5C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FF6F84AA5C8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F849C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00007FF6F849C910
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164D170 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FFCA164D170
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1615A60 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00007FFCA1615A60
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1615A20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00007FFCA1615A20
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB2F4738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00007FFCBB2F4738
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3137D0 IsProcessorFeaturePresent,00007FFCBB3E1A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFCBB3E1A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FFCBB3137D0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB33A96C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FFCBB33A96C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB39335C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FFCBB39335C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3A7184 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FFCBB3A7184
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE35C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_00007FF6AE35C910
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE36A5C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00007FF6AE36A5C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE35D37C SetUnhandledExceptionFilter,	20_2_00007FF6AE35D37C
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE35D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00007FF6AE35D19C
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE35C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF6AE35C910
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE36A5C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF6AE36A5C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE35D37C SetUnhandledExceptionFilter,	21_2_00007FF6AE35D37C
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE35D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF6AE35D19C
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB33A96C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FFCBB33A96C
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB39335C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FFCBB39335C
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB3E0E08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FFCBB3E0E08
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD52F0 IsProcessorFeaturePresent,00007FFCBB3E1A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFCBB3E1A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FFCBBBD52F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5E5A60 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00007FFC9C5E5A60
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5E5A20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00007FFC9C5E5A20
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61D170 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FFC9C61D170
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABB037D0 IsProcessorFeaturePresent,00007FFCB4701A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFCB4701A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FFCABB037D0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAD6A4738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00007FFCAD6A4738
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAF5E335C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FFCAF5E335C
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBAA96C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FFCAFBAA96C
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB42D7184 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FFCB42D7184
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E52F0 IsProcessorFeaturePresent,00007FFCB4701A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFCB4701A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FFCB46E52F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB4700E08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00007FFCB4700E08

Source: C:\Users\user\Desktop\PfOHmro.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\PfOHmro.exe

Code function: 0_2_030A2149 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_030A2149

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PfOHmro.exe

Memory written: C:\Users\user\Desktop\PfOHmro.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Process created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im "EdgeBHO.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\EdgeBHO.exe "EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"

Uses taskkill to terminate processes

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\taskkill.exe taskkill /f /im "EdgeBHO.exe"

Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 15_2_00007FF6F84B97F0 cpuid

15_2_00007FF6F84B97F0

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	16_2_00007FFCA1649288
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: GetLocaleInfoW,	16_2_00007FFCA15F1674
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	16_2_00007FFCA1649490
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	16_2_00007FFCA1648D94
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	16_2_00007FFCA1648E48
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: EnterCriticalSection,EnumSystemLocalesW,LeaveCriticalSection,	16_2_00007FFCA1647D40
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: EnumSystemLocalesW,	16_2_00007FFCA1648D2C
Source: C:\Users\user\EdgeBHO.exe	Code function: EnterCriticalSection,EnumSystemLocalesW,LeaveCriticalSection,	25_2_00007FFC9C617D40
Source: C:\Users\user\EdgeBHO.exe	Code function: EnumSystemLocalesW,	25_2_00007FFC9C618D2C
Source: C:\Users\user\EdgeBHO.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	25_2_00007FFC9C618D94
Source: C:\Users\user\EdgeBHO.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	25_2_00007FFC9C618E48
Source: C:\Users\user\EdgeBHO.exe	Code function: GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	25_2_00007FFC9C619490
Source: C:\Users\user\EdgeBHO.exe	Code function: GetLocaleInfoW,	25_2_00007FFC9C5C1674
Source: C:\Users\user\EdgeBHO.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	25_2_00007FFC9C619288

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Users\user\Desktop\PfOHmro.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Users\user\Desktop\PfOHmro.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\activate.bat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\ucrtbase.dll VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\_ctypes.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\_bz2.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\_wmi.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\ucrtbase.dll VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\_ctypes.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\_bz2.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\_lzma.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\_wmi.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 15_2_00007FF6F849D080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

15_2_00007FF6F849D080

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 15_2_00007FF6F84B62B0 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

15_2_00007FF6F84B62B0

Source: C:\Users\user\Desktop\PfOHmro.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected MicroClip

Source: Yara match	File source: 0000001B.00000002.2187512345.000001CDA0134000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1870552492.0000025A1E614000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2436678714.0000019363234000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2052012982.00000286BA1F4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 1424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 3032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 5416, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 7568, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: PfOHmro.exe, 00000003.00000002.1859182871.000000000345E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: PfOHmro.exe, 00000003.00000002.1859182871.000000000345E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: PfOHmro.exe, 00000003.00000002.1859182871.000000000345E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: PfOHmro.exe, 00000003.00000002.1859182871.000000000345E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 7568, type: MEMORYSTR

Remote Access Functionality

Yara detected MicroClip

Source: Yara match	File source: 0000001B.00000002.2187512345.000001CDA0134000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1870552492.0000025A1E614000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2436678714.0000019363234000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2052012982.00000286BA1F4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 1424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 3032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 5416, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 7568, type: MEMORYSTR

Windows Analysis Report
PfOHmro.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Windows Analysis Report PfOHmro.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Windows Analysis Report
PfOHmro.exe

Malware Threat Intel
Provided by