Edit tour

Windows Analysis Report
PfOHmro.exe

Overview

General Information

Sample name:	PfOHmro.exe
Analysis ID:	1632656
MD5:	74c5934b5ec8a8907aff69552dbaeaf7
SHA1:	24c6d4aa5f5b229340aba780320efc02058c059c
SHA256:	95930b643e2d7d09d9cdfb2776534744ebb101347bbfe8be84f376fa15d8033a
Tags:	exeRedLineStealeruser-aachum
Infos:

Detection

MicroClip, RedLine

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected MicroClip

Yara detected RedLine Stealer

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Drops PE files to the user root directory

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PfOHmro.exe (PID: 7520 cmdline: "C:\Users\user\Desktop\PfOHmro.exe" MD5: 74C5934B5EC8A8907AFF69552DBAEAF7)

PfOHmro.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\PfOHmro.exe" MD5: 74C5934B5EC8A8907AFF69552DBAEAF7)

PfOHmro.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\PfOHmro.exe" MD5: 74C5934B5EC8A8907AFF69552DBAEAF7)

PfOHmro.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\PfOHmro.exe" MD5: 74C5934B5EC8A8907AFF69552DBAEAF7)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EdgeBHO.exe (PID: 1752 cmdline: "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe" MD5: 2DA66AC5ADC5CE1419C03DCB4100AA0A)

EdgeBHO.exe (PID: 1424 cmdline: "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe" MD5: 2DA66AC5ADC5CE1419C03DCB4100AA0A)

cmd.exe (PID: 2296 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\activate.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7744 cmdline: taskkill /f /im "EdgeBHO.exe" MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

EdgeBHO.exe (PID: 7532 cmdline: "EdgeBHO.exe" MD5: 2DA66AC5ADC5CE1419C03DCB4100AA0A)

EdgeBHO.exe (PID: 7564 cmdline: "EdgeBHO.exe" MD5: 2DA66AC5ADC5CE1419C03DCB4100AA0A)

WerFault.exe (PID: 7724 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 816 MD5: C31336C1EFC2CCB44B4326EA793040F2)

EdgeBHO.exe (PID: 1252 cmdline: "C:\Users\user\EdgeBHO.exe" MD5: 2DA66AC5ADC5CE1419C03DCB4100AA0A)

EdgeBHO.exe (PID: 3032 cmdline: "C:\Users\user\EdgeBHO.exe" MD5: 2DA66AC5ADC5CE1419C03DCB4100AA0A)

EdgeBHO.exe (PID: 4000 cmdline: "C:\Users\user\EdgeBHO.exe" MD5: 2DA66AC5ADC5CE1419C03DCB4100AA0A)

EdgeBHO.exe (PID: 5416 cmdline: "C:\Users\user\EdgeBHO.exe" MD5: 2DA66AC5ADC5CE1419C03DCB4100AA0A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["101.99.92.190:40919"], "Bot Id": "Build 7"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000001B.00000002.2187512345.000001CDA0134000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000010.00000002.1870552492.0000025A1E614000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
00000015.00000002.2436678714.0000019363234000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
00000019.00000002.2052012982.00000286BA1F4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x2e73a:$a4: get_ScannedWallets 0x2d598:$a5: get_ScanTelegram 0x2e3be:$a6: get_ScanGeckoBrowsersPaths 0x2c1da:$a7: <Processes>k__BackingField 0x2a0ec:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2bb0e:$a9: <ScanFTP>k__BackingField
Process Memory Space: PfOHmro.exe PID: 7520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PfOHmro.exe PID: 7520	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: PfOHmro.exe PID: 7520	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x16cb9:$a4: get_ScannedWallets 0x15c6c:$a5: get_ScanTelegram 0x1697f:$a6: get_ScanGeckoBrowsersPaths 0x14a5d:$a7: <Processes>k__BackingField 0x1200a:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x14391:$a9: <ScanFTP>k__BackingField
Process Memory Space: PfOHmro.exe PID: 7568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PfOHmro.exe PID: 7568	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: PfOHmro.exe PID: 7568	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1f2d1d:$a4: get_ScannedWallets 0x1f1bc4:$a5: get_ScanTelegram 0x1f29a6:$a6: get_ScanGeckoBrowsersPaths 0x1f0857:$a7: <Processes>k__BackingField 0x1edd8a:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1f018b:$a9: <ScanFTP>k__BackingField
Process Memory Space: EdgeBHO.exe PID: 1424	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Process Memory Space: EdgeBHO.exe PID: 7564	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Process Memory Space: EdgeBHO.exe PID: 3032	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Process Memory Space: EdgeBHO.exe PID: 5416	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PfOHmro.exe.40c4170.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PfOHmro.exe.40c4170.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.PfOHmro.exe.40c4170.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.PfOHmro.exe.40c4170.1.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143c1:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.PfOHmro.exe.40c4170.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
0.2.PfOHmro.exe.40a9550.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PfOHmro.exe.40a9550.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.PfOHmro.exe.40a9550.0.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x2e1ea:$a4: get_ScannedWallets 0x2d048:$a5: get_ScanTelegram 0x2de6e:$a6: get_ScanGeckoBrowsersPaths 0x2bc8a:$a7: <Processes>k__BackingField 0x29b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2b5be:$a9: <ScanFTP>k__BackingField
0.2.PfOHmro.exe.40a9550.0.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x2c5eb:$gen01: ChromeGetRoamingName 0x2c61f:$gen02: ChromeGetLocalName 0x2c648:$gen03: get_UserDomainName 0x2e887:$gen04: get_encrypted_key 0x2de03:$gen05: browserPaths 0x2e14b:$gen06: GetBrowsers 0x2da81:$gen07: get_InstalledInputLanguages 0x2b26f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x23358:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x23d38:$spe6: windows-1251, CommandLine: 0x2efe1:$spe9: wallet 0x29a2c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0x29b27:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x29e84:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x29f91:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x2a110:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0x29ab8:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x29ae1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x29c7f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x29fba:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0x2a059:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.PfOHmro.exe.40a9550.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x2b0aa:$u7: RunPE 0x2e761:$u8: DownloadAndEx 0x23d50:$pat14: , CommandLine: 0x2dc99:$v2_1: ListOfProcesses 0x2b2ab:$v2_2: get_ScanVPN 0x2b34e:$v2_2: get_ScanFTP 0x2c03e:$v2_2: get_ScanDiscord 0x2d02c:$v2_2: get_ScanSteam 0x2d048:$v2_2: get_ScanTelegram 0x2d0ee:$v2_2: get_ScanScreen 0x2de36:$v2_2: get_ScanChromeBrowsersPaths 0x2de6e:$v2_2: get_ScanGeckoBrowsersPaths 0x2e129:$v2_2: get_ScanBrowsers 0x2e1ea:$v2_2: get_ScannedWallets 0x2e210:$v2_2: get_ScanWallets 0x2e230:$v2_3: GetArguments 0x2c8f9:$v2_4: VerifyUpdate 0x3120e:$v2_4: VerifyUpdate 0x2e5ea:$v2_5: VerifyScanRequest 0x2dce6:$v2_6: GetUpdates 0x311ef:$v2_6: GetUpdates
3.2.PfOHmro.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.PfOHmro.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.PfOHmro.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
3.2.PfOHmro.exe.400000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143c1:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
3.2.PfOHmro.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
0.2.PfOHmro.exe.40c4170.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PfOHmro.exe.40c4170.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.PfOHmro.exe.40c4170.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.PfOHmro.exe.40c4170.1.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125c1:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.PfOHmro.exe.40c4170.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ee:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cf:$v2_6: GetUpdates
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\EdgeBHO.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\EdgeBHO.exe, ProcessId: 7564, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64

Suricata Signatures

ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T16:05:32.324556+0100	2020500	1	Exploit Kit Activity Detected	101.99.92.190	4449	192.168.2.4	49730	TCP

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T16:05:21.934965+0100	2045000	1	Malware Command and Control Activity Detected	101.99.92.190	40919	192.168.2.4	49717	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T16:05:27.103360+0100	2046056	1	A Network Trojan was detected	101.99.92.190	40919	192.168.2.4	49717	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T16:05:27.103360+0100	2045001	1	Malware Command and Control Activity Detected	101.99.92.190	40919	192.168.2.4	49717	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T16:05:16.900291+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49717	101.99.92.190	40919	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T16:05:22.165954+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49717	101.99.92.190	40919	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T16:05:29.343108+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49728	101.99.92.190	40919	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T16:05:27.514908+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49726	101.99.92.190	40919	TCP

ETPRO MALWARE RedLine - VerifyUpdate Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T16:06:19.782593+0100	2849738	1	Malware Command and Control Activity Detected	192.168.2.4	57483	101.99.92.190	40919	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T16:05:16.900291+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.4	49717	101.99.92.190	40919	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PfOHmro.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Avira: detection malicious, Label: TR/ClipBanker.nbegj

Found malware configuration

Source: 3.2.PfOHmro.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["101.99.92.190:40919"], "Bot Id": "Build 7"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: PfOHmro.exe	Virustotal: Detection: 62%			Perma Link
Source: PfOHmro.exe	ReversingLabs: Detection: 73%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: unknown

HTTPS traffic detected: 104.26.12.31:443 -> 192.168.2.4:49724 version: TLS 1.0

Source: PfOHmro.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1846777523.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1881631808.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019536998.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100346764.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847383477.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883141435.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019895484.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100631142.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841022436.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873487738.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016393921.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097338826.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: EdgeBHO.exe, 00000010.00000002.1873662230.00007FFCA168C000.00000002.00000001.01000000.0000000C.sdmp, EdgeBHO.exe, 00000015.00000002.2440299564.00007FFCA168C000.00000002.00000001.01000000.00000016.sdmp, EdgeBHO.exe, 00000019.00000002.2054904950.00007FFC9C65C000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842189370.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875345385.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017250591.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098287991.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840667454.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872625223.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016020890.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096990057.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844292763.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877909726.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018534751.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099505061.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1845961180.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1879668224.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019318045.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100136236.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842189370.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875345385.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017250591.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098287991.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847541834.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883395222.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020008126.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100786546.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1838528308.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1875774155.00007FFCBB3E4000.00000002.00000001.01000000.0000000E.sdmp, EdgeBHO.exe, 00000014.00000003.1869750221.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2442069207.00007FFCBB3E4000.00000002.00000001.01000000.00000018.sdmp, EdgeBHO.exe, 00000018.00000003.2013678723.000001BAA3CFF000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2056569719.00007FFCB4704000.00000002.00000001.01000000.00000021.sdmp, EdgeBHO.exe, 0000001A.00000003.2095304862.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841640202.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874269759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016740382.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097781458.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: PfOHmro.exe, 00000000.00000000.1174105120.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844717900.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878527857.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018778560.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099713680.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: EdgeBHO.exe, 0000000F.00000003.1838854004.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1873956487.00007FFCBB2F5000.00000002.00000001.01000000.00000014.sdmp, EdgeBHO.exe, 00000014.00000003.1870065890.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2440565210.00007FFCBB2F5000.00000002.00000001.01000000.0000001E.sdmp, EdgeBHO.exe, 00000018.00000003.2013943553.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2055363994.00007FFCAD6A5000.00000002.00000001.01000000.00000027.sdmp, EdgeBHO.exe, 0000001A.00000003.2095507172.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843973437.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877455979.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018323407.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099294626.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841640202.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874269759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016740382.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097781458.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1845394223.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1879307879.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019208738.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100033216.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841388876.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873990925.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016610374.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097651612.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: EdgeBHO.exe, EdgeBHO.exe, 00000019.00000002.2055936402.00007FFCB42D1000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842674359.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876322759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017630964.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098673279.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840799142.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872892606.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016152642.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097106915.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842674359.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876322759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017630964.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098673279.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840444280.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872173040.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015729848.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096743379.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840903774.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873242498.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016285040.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097235679.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842488383.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876066587.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017499898.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098543068.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1845070058.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1879085603.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019091727.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099930115.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1847214203.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1882917745.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019761162.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100527933.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1844717900.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878527857.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018778560.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099713680.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840554181.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872385641.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015879685.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096868575.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: EdgeBHO.exe, 00000010.00000002.1874194924.00007FFCBB31B000.00000040.00000001.01000000.00000012.sdmp, EdgeBHO.exe, 00000015.00000002.2440948631.00007FFCBB31B000.00000040.00000001.01000000.0000001C.sdmp, EdgeBHO.exe, 00000019.00000002.2055093814.00007FFCABB0B000.00000040.00000001.01000000.00000025.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: EdgeBHO.exe, EdgeBHO.exe, 00000019.00000002.2055719822.00007FFCAFBA1000.00000040.00000001.01000000.00000024.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840799142.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872892606.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016152642.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097106915.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843473939.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876830773.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017864453.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098928872.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: EdgeBHO.exe, 00000010.00000002.1873662230.00007FFCA168C000.00000002.00000001.01000000.0000000C.sdmp, EdgeBHO.exe, 00000015.00000002.2440299564.00007FFCA168C000.00000002.00000001.01000000.00000016.sdmp, EdgeBHO.exe, 00000019.00000002.2054904950.00007FFC9C65C000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840903774.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873242498.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016285040.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097235679.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: EdgeBHO.exe, 00000010.00000002.1871702839.00007FFC9CAB9000.00000040.00000001.01000000.0000000D.sdmp, EdgeBHO.exe, 00000015.00000002.2438702214.00007FFC9CAB9000.00000040.00000001.01000000.00000017.sdmp, EdgeBHO.exe, 00000019.00000002.2053349770.00007FFC9C349000.00000040.00000001.01000000.00000020.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1838854004.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1873956487.00007FFCBB2F5000.00000002.00000001.01000000.00000014.sdmp, EdgeBHO.exe, 00000014.00000003.1870065890.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2440565210.00007FFCBB2F5000.00000002.00000001.01000000.0000001E.sdmp, EdgeBHO.exe, 00000018.00000003.2013943553.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2055363994.00007FFCAD6A5000.00000002.00000001.01000000.00000027.sdmp, EdgeBHO.exe, 0000001A.00000003.2095507172.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1848154049.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883754430.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020233504.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101102837.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841388876.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873990925.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016610374.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097651612.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1844292763.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877909726.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018534751.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099505061.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844159682.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877708898.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018431971.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099398521.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: EdgeBHO.exe, 00000010.00000002.1874771647.00007FFCBB391000.00000040.00000001.01000000.00000013.sdmp, EdgeBHO.exe, 00000015.00000002.2441419137.00007FFCBB391000.00000040.00000001.01000000.0000001D.sdmp, EdgeBHO.exe, 00000019.00000002.2055498902.00007FFCAF5E1000.00000040.00000001.01000000.00000026.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843473939.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876830773.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017864453.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098928872.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842488383.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876066587.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017499898.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098543068.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: PfOHmro.exe, 00000000.00000000.1174105120.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840554181.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872385641.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015879685.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096868575.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844899504.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878874442.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018917388.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099824827.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: EdgeBHO.exe, 0000000F.00000003.1838528308.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1875774155.00007FFCBB3E4000.00000002.00000001.01000000.0000000E.sdmp, EdgeBHO.exe, 00000014.00000003.1869750221.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2442069207.00007FFCBB3E4000.00000002.00000001.01000000.00000018.sdmp, EdgeBHO.exe, 00000018.00000003.2013678723.000001BAA3CFF000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2056569719.00007FFCB4704000.00000002.00000001.01000000.00000021.sdmp, EdgeBHO.exe, 0000001A.00000003.2095304862.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1846946271.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1882472597.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019644449.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100446698.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842045762.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875042633.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017137169.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098161682.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841738441.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874518425.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016870009.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097910012.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843847302.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877251431.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018182031.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099196398.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: EdgeBHO.exe, 0000000F.00000003.1842994259.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876585682.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017739876.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098810697.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840667454.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872625223.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016020890.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096990057.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841905883.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874768746.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017004149.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098037187.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842352547.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875802095.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017371983.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098415607.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1848640080.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883914289.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020354386.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101211287.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843707805.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877034168.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018002633.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099071239.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844446204.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878154496.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018669769.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099608160.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843847302.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877251431.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018182031.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099196398.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841155329.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873736321.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016505020.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097524068.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840444280.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872173040.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015729848.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096743379.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: EdgeBHO.exe, 00000010.00000002.1874194924.00007FFCBB31B000.00000040.00000001.01000000.00000012.sdmp, EdgeBHO.exe, 00000015.00000002.2440948631.00007FFCBB31B000.00000040.00000001.01000000.0000001C.sdmp, EdgeBHO.exe, 00000019.00000002.2055093814.00007FFCABB0B000.00000040.00000001.01000000.00000025.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847214203.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1882917745.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019761162.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100527933.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841905883.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874768746.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017004149.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098037187.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842352547.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875802095.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017371983.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098415607.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843973437.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877455979.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018323407.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099294626.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841738441.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874518425.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016870009.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097910012.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: EdgeBHO.exe, EdgeBHO.exe, 00000019.00000002.2055498902.00007FFCAF5E1000.00000040.00000001.01000000.00000026.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843707805.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877034168.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018002633.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099071239.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1846646974.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1880638314.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019428022.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100241717.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847742380.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883582433.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020118947.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100991668.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1844899504.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878874442.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018917388.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099824827.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84992F0 FindFirstFileExW,FindClose,	15_2_00007FF6F84992F0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84983B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	15_2_00007FF6F84983B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B1BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_00007FF6F84B1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84992F0 FindFirstFileExW,FindClose,	16_2_00007FF6F84992F0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84983B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	16_2_00007FF6F84983B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B1BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	16_2_00007FF6F84B1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164F118 FindFirstFileExA,FindClose,FindNextFileA,	16_2_00007FFCA164F118
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164F2C8 FindFirstFileExW,FindClose,FindNextFileW,	16_2_00007FFCA164F2C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3592F0 FindFirstFileExW,FindClose,	20_2_00007FF6AE3592F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3583B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	20_2_00007FF6AE3583B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE371BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_00007FF6AE371BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3592F0 FindFirstFileExW,FindClose,	21_2_00007FF6AE3592F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3583B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	21_2_00007FF6AE3583B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE371BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_00007FF6AE371BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61F118 FindFirstFileExA,FindClose,FindNextFileA,	25_2_00007FFC9C61F118
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61F2C8 FindFirstFileExW,FindClose,FindNextFileW,	25_2_00007FFC9C61F2C8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49717 -> 101.99.92.190:40919
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49717 -> 101.99.92.190:40919
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49726 -> 101.99.92.190:40919
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49728 -> 101.99.92.190:40919
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 101.99.92.190:40919 -> 192.168.2.4:49717
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49717 -> 101.99.92.190:40919
Source: Network traffic	Suricata IDS: 2020500 - Severity 1 - ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK) : 101.99.92.190:4449 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 101.99.92.190:40919 -> 192.168.2.4:49717
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 101.99.92.190:40919 -> 192.168.2.4:49717
Source: Network traffic	Suricata IDS: 2849738 - Severity 1 - ETPRO MALWARE RedLine - VerifyUpdate Request : 192.168.2.4:57483 -> 101.99.92.190:40919

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 101.99.92.190:40919

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 101.99.92.190 ports 0,1,4,40919,9,4449

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 4449
Source: unknown	Network traffic detected: HTTP traffic on port 4449 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 57483 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 57483

Source: global traffic

TCP traffic: 192.168.2.4:49717 -> 101.99.92.190:40919

Source: global traffic

TCP traffic: 192.168.2.4:57479 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 101.99.92.190:40919Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 101.99.92.190:40919Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 101.99.92.190:40919Content-Length: 949742Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 101.99.92.190:40919Content-Length: 949734Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /EdgeBHO.exe HTTP/1.1Host: 101.99.92.190:4449Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate"Host: 101.99.92.190:40919Content-Length: 949760Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.26.12.31 104.26.12.31

Source: Joe Sandbox View

ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown

HTTPS traffic detected: 104.26.12.31:443 -> 192.168.2.4:49724 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.92.190

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /EdgeBHO.exe HTTP/1.1Host: 101.99.92.190:4449Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 101.99.92.190:40919Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000003.00000002.1859182871.0000000003440000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000003.00000002.1859182871.0000000003374000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000003.00000002.1859182871.0000000003458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:40919
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:40919/
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:40919t-
Source: PfOHmro.exe, 00000003.00000002.1859182871.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:4449
Source: PfOHmro.exe, 00000003.00000002.1859182871.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:4449/EdgeBHO.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.99.92.190:4449t-
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digiY
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: PfOHmro.exe, 00000003.00000002.1859182871.00000000032B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PfOHmro.exe, 00000003.00000002.1859182871.00000000032B0000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000003.00000002.1859182871.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003440000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000003.00000002.1859182871.00000000032B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003458000.00000004.00000800.00020000.00000000.sdmp, PfOHmro.exe, 00000003.00000002.1859182871.00000000032B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: EdgeBHO.exe, 0000000F.00000003.1851074463.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000000F.00000003.1850514054.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1884723569.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1885366703.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021437101.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2021039069.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101865238.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2102289563.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: PfOHmro.exe, PfOHmro.exe, 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: PfOHmro.exe, PfOHmro.exe, 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EdgeBHO.exe, 0000001B.00000003.2168680322.000001CD9FB95000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000003.2170827937.000001CD9FB97000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000003.2166877294.000001CD9FB71000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000003.2167630173.000001CD9FB88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.pyth
Source: EdgeBHO.exe, 00000010.00000002.1869638291.0000025A1E3C3000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2434606489.0000019362C1D000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2043555269.00000286B9C63000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2040689177.00000286B9C16000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2043381394.00000286B9C45000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041365193.00000286B9C19000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041472853.00000286B9C3E000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000003.2168018169.000001CD9F77B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DD54000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.0000019362A34000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B99A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DD54000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.0000019362A34000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B99A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DCD0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.00000193629B0000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B9920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: EdgeBHO.exe, 00000010.00000002.1869157894.0000025A1DF90000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892757641.0000019362BE2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892047968.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2434606489.0000019362BB0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1891539681.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892987645.0000019362BE7000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049796744.00000286B8058000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2043997505.00000286B8057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: EdgeBHO.exe, 00000010.00000002.1869157894.0000025A1DF90000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892757641.0000019362BE2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892047968.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2434606489.0000019362BB0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1891539681.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892987645.0000019362BE7000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2028271325.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2045514176.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041189277.00000286B9BA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2050301109.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2045959527.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2029510790.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2046603943.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2050354652.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2044269212.00000286B9B84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: EdgeBHO.exe, 00000015.00000002.2436368256.0000019363144000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2051907220.00000286BA104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/asweigart/pyperclip/issues/55
Source: EdgeBHO.exe, 00000019.00000002.2051907220.00000286BA104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/asweigart/pyperclip/issues/55po
Source: EdgeBHO.exe, 00000010.00000002.1868036860.0000025A1DD54000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2433304462.0000019362A34000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2049937002.00000286B99A4000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000002.2182758834.000001CD9F6EC000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000003.2166967541.000001CD9F6DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: EdgeBHO.exe, 00000019.00000003.2044269212.00000286B9B84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: EdgeBHO.exe, 00000010.00000002.1869157894.0000025A1DF90000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892757641.0000019362BE2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892047968.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2434606489.0000019362BB0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1891539681.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892987645.0000019362BE7000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2028271325.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2045514176.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041189277.00000286B9BA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2050301109.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2045959527.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2029510790.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2046603943.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2050354652.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2044269212.00000286B9B84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: EdgeBHO.exe, 00000010.00000002.1869638291.0000025A1E48C000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1869638291.0000025A1E3C3000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000003.1863149520.0000025A1E48C000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000003.1862893983.0000025A1E47B000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000003.1862823991.0000025A1E472000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1893596956.0000019363058000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2435437723.0000019362FA4000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2044460362.00000286BA065000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2031243370.00000286BA31F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2039794073.00000286BA31F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2039930478.00000286BA055000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2030953933.00000286BA31F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2051643701.00000286BA055000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2031381064.00000286BA058000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2051643701.00000286BA074000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041777990.00000286BA055000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2040751400.00000286BA055000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000003.2113090596.000001CD9FBB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: EdgeBHO.exe, 00000010.00000002.1870335387.0000025A1E524000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2436368256.0000019363144000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2051907220.00000286BA104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: EdgeBHO.exe, 00000010.00000002.1869157894.0000025A1DF90000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892757641.0000019362BE2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892047968.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2434606489.0000019362BB0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1891539681.0000019362BE9000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000003.1892987645.0000019362BE7000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2028271325.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2045514176.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041189277.00000286B9BA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2050301109.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2045959527.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2029510790.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2046603943.00000286B9B85000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2050354652.00000286B9BA2000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2044269212.00000286B9B84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: PfOHmro.exe, PfOHmro.exe, 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: EdgeBHO.exe, 00000010.00000002.1870335387.0000025A1E524000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000003.1860536177.0000025A1E3D1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2436368256.0000019363144000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2051907220.00000286BA104000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: EdgeBHO.exe, 00000010.00000002.1871702839.00007FFC9CAB9000.00000040.00000001.01000000.0000000D.sdmp, EdgeBHO.exe, 00000015.00000002.2438702214.00007FFC9CAB9000.00000040.00000001.01000000.00000017.sdmp, EdgeBHO.exe, 00000019.00000002.2053349770.00007FFC9C349000.00000040.00000001.01000000.00000020.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: EdgeBHO.exe, 0000001B.00000002.2187512345.000001CDA0134000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pyperclip.readthedocs.io/en/latest/index.html#not-implemented-error
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: PfOHmro.exe, 00000003.00000002.1861820428.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: EdgeBHO.exe, 00000010.00000002.1871702839.00007FFC9CAB9000.00000040.00000001.01000000.0000000D.sdmp, EdgeBHO.exe, 00000015.00000002.2438702214.00007FFC9CAB9000.00000040.00000001.01000000.00000017.sdmp, EdgeBHO.exe, 00000019.00000002.2053349770.00007FFC9C349000.00000040.00000001.01000000.00000020.sdmp	String found in binary or memory: https://www.python.org/psf/license/)

Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PfOHmro.exe PID: 7520, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PfOHmro.exe PID: 7568, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 0_2_02F22548	0_2_02F22548
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_0304E7B0	3_2_0304E7B0
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_0304DC90	3_2_0304DC90
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B89628	3_2_06B89628
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B84468	3_2_06B84468
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B83460	3_2_06B83460
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B81210	3_2_06B81210
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B8DD00	3_2_06B8DD00
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B8D108	3_2_06B8D108
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B0C30	15_2_00007FF6F84B0C30
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F8498BD0	15_2_00007FF6F8498BD0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B6DAC	15_2_00007FF6F84B6DAC
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F8491000	15_2_00007FF6F8491000
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A19C8	15_2_00007FF6F84A19C8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A21E8	15_2_00007FF6F84A21E8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B9A80	15_2_00007FF6F84B9A80
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B62B0	15_2_00007FF6F84B62B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A3A70	15_2_00007FF6F84A3A70
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84ADAB8	15_2_00007FF6F84ADAB8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F849A34B	15_2_00007FF6F849A34B
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B1BD4	15_2_00007FF6F84B1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A1BD4	15_2_00007FF6F84A1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84BACA0	15_2_00007FF6F84BACA0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F849AD1D	15_2_00007FF6F849AD1D
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B44BC	15_2_00007FF6F84B44BC
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F849A4E4	15_2_00007FF6F849A4E4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A3600	15_2_00007FF6F84A3600
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84AE5C8	15_2_00007FF6F84AE5C8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A1DD8	15_2_00007FF6F84A1DD8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A9E6C	15_2_00007FF6F84A9E6C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B0C30	15_2_00007FF6F84B0C30
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A87B4	15_2_00007FF6F84A87B4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84ADF50	15_2_00007FF6F84ADF50
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B4030	15_2_00007FF6F84B4030
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B6030	15_2_00007FF6F84B6030
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A17C4	15_2_00007FF6F84A17C4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A1FE4	15_2_00007FF6F84A1FE4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B6854	15_2_00007FF6F84B6854
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F8499870	15_2_00007FF6F8499870
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84A8104	15_2_00007FF6F84A8104
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B6DAC	16_2_00007FF6F84B6DAC
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F8491000	16_2_00007FF6F8491000
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B6030	16_2_00007FF6F84B6030
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A19C8	16_2_00007FF6F84A19C8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A21E8	16_2_00007FF6F84A21E8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B9A80	16_2_00007FF6F84B9A80
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B62B0	16_2_00007FF6F84B62B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A3A70	16_2_00007FF6F84A3A70
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84ADAB8	16_2_00007FF6F84ADAB8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F849A34B	16_2_00007FF6F849A34B
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B0C30	16_2_00007FF6F84B0C30
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F8498BD0	16_2_00007FF6F8498BD0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B1BD4	16_2_00007FF6F84B1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A1BD4	16_2_00007FF6F84A1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84BACA0	16_2_00007FF6F84BACA0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F849AD1D	16_2_00007FF6F849AD1D
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B44BC	16_2_00007FF6F84B44BC
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F849A4E4	16_2_00007FF6F849A4E4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A3600	16_2_00007FF6F84A3600
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84AE5C8	16_2_00007FF6F84AE5C8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A1DD8	16_2_00007FF6F84A1DD8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A9E6C	16_2_00007FF6F84A9E6C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B0C30	16_2_00007FF6F84B0C30
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A87B4	16_2_00007FF6F84A87B4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84ADF50	16_2_00007FF6F84ADF50
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B4030	16_2_00007FF6F84B4030
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A17C4	16_2_00007FF6F84A17C4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A1FE4	16_2_00007FF6F84A1FE4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B6854	16_2_00007FF6F84B6854
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F8499870	16_2_00007FF6F8499870
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84A8104	16_2_00007FF6F84A8104
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFC9CD051D0	16_2_00007FFC9CD051D0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F41C0	16_2_00007FFCA15F41C0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164E0A0	16_2_00007FFCA164E0A0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA160E0A0	16_2_00007FFCA160E0A0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15EA090	16_2_00007FFCA15EA090
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1609135	16_2_00007FFCA1609135
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164F118	16_2_00007FFCA164F118
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15FF470	16_2_00007FFCA15FF470
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA160A430	16_2_00007FFCA160A430
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA160F438	16_2_00007FFCA160F438
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164D400	16_2_00007FFCA164D400
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1607320	16_2_00007FFCA1607320
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15E5530	16_2_00007FFCA15E5530
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15FA810	16_2_00007FFCA15FA810
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F8670	16_2_00007FFCA15F8670
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F9744	16_2_00007FFCA15F9744
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15E4734	16_2_00007FFCA15E4734
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15FA970	16_2_00007FFCA15FA970
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F9930	16_2_00007FFCA15F9930
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1615928	16_2_00007FFCA1615928
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1619910	16_2_00007FFCA1619910
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA160AB90	16_2_00007FFCA160AB90
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F9C70	16_2_00007FFCA15F9C70
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15E3C30	16_2_00007FFCA15E3C30
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15EDC00	16_2_00007FFCA15EDC00
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1604AFA	16_2_00007FFCA1604AFA
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F2AC4	16_2_00007FFCA15F2AC4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15E2ABC	16_2_00007FFCA15E2ABC
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F7AB8	16_2_00007FFCA15F7AB8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164EB28	16_2_00007FFCA164EB28
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F5E40	16_2_00007FFCA15F5E40
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F9E1C	16_2_00007FFCA15F9E1C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15FAE00	16_2_00007FFCA15FAE00
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F6CC0	16_2_00007FFCA15F6CC0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA166FC90	16_2_00007FFCA166FC90
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA160BD40	16_2_00007FFCA160BD40
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164ED04	16_2_00007FFCA164ED04
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15FAF90	16_2_00007FFCA15FAF90
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1664070	16_2_00007FFCA1664070
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA163F074	16_2_00007FFCA163F074
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1612050	16_2_00007FFCA1612050
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15F4EB0	16_2_00007FFCA15F4EB0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA15ECF30	16_2_00007FFCA15ECF30
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3023B0	16_2_00007FFCBB3023B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3073FC	16_2_00007FFCBB3073FC
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3012B0	16_2_00007FFCBB3012B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB308F50	16_2_00007FFCBB308F50
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB305F00	16_2_00007FFCBB305F00
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB302F70	16_2_00007FFCBB302F70
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3055D0	16_2_00007FFCBB3055D0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB301A00	16_2_00007FFCBB301A00
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB304650	16_2_00007FFCBB304650
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB301920	16_2_00007FFCBB301920
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB30F524	16_2_00007FFCBB30F524
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB333DC0	16_2_00007FFCBB333DC0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3377E8	16_2_00007FFCBB3377E8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB33C890	16_2_00007FFCBB33C890
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB332DA0	16_2_00007FFCBB332DA0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB336060	16_2_00007FFCBB336060
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB333B20	16_2_00007FFCBB333B20
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB39C490	16_2_00007FFCBB39C490
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3910C0	16_2_00007FFCBB3910C0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3916A0	16_2_00007FFCBB3916A0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3C4BE0	16_2_00007FFCBB3C4BE0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3A6264	16_2_00007FFCBB3A6264
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3A3630	16_2_00007FFCBB3A3630
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE351000	20_2_00007FF6AE351000
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE376DAC	20_2_00007FF6AE376DAC
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE358BD0	20_2_00007FF6AE358BD0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE370C30	20_2_00007FF6AE370C30
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3687B4	20_2_00007FF6AE3687B4
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE36DF50	20_2_00007FF6AE36DF50
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE374030	20_2_00007FF6AE374030
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE376030	20_2_00007FF6AE376030
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3617C4	20_2_00007FF6AE3617C4
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE361FE4	20_2_00007FF6AE361FE4
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE376854	20_2_00007FF6AE376854
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE359870	20_2_00007FF6AE359870
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE368104	20_2_00007FF6AE368104
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE363600	20_2_00007FF6AE363600
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE36E5C8	20_2_00007FF6AE36E5C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE361DD8	20_2_00007FF6AE361DD8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE369E6C	20_2_00007FF6AE369E6C
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE35A34B	20_2_00007FF6AE35A34B
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE370C30	20_2_00007FF6AE370C30
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE371BD4	20_2_00007FF6AE371BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE361BD4	20_2_00007FF6AE361BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE37ACA0	20_2_00007FF6AE37ACA0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE35AD1D	20_2_00007FF6AE35AD1D
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3744BC	20_2_00007FF6AE3744BC
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE35A4E4	20_2_00007FF6AE35A4E4
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3619C8	20_2_00007FF6AE3619C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3621E8	20_2_00007FF6AE3621E8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE379A80	20_2_00007FF6AE379A80
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3762B0	20_2_00007FF6AE3762B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE363A70	20_2_00007FF6AE363A70
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE36DAB8	20_2_00007FF6AE36DAB8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE351000	21_2_00007FF6AE351000
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE376030	21_2_00007FF6AE376030
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE376DAC	21_2_00007FF6AE376DAC
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE370C30	21_2_00007FF6AE370C30
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3687B4	21_2_00007FF6AE3687B4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE36DF50	21_2_00007FF6AE36DF50
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE374030	21_2_00007FF6AE374030
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3617C4	21_2_00007FF6AE3617C4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE361FE4	21_2_00007FF6AE361FE4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE376854	21_2_00007FF6AE376854
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE359870	21_2_00007FF6AE359870
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE368104	21_2_00007FF6AE368104
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE363600	21_2_00007FF6AE363600
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE36E5C8	21_2_00007FF6AE36E5C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE361DD8	21_2_00007FF6AE361DD8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE369E6C	21_2_00007FF6AE369E6C
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE35A34B	21_2_00007FF6AE35A34B
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE370C30	21_2_00007FF6AE370C30
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE371BD4	21_2_00007FF6AE371BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE361BD4	21_2_00007FF6AE361BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE358BD0	21_2_00007FF6AE358BD0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE37ACA0	21_2_00007FF6AE37ACA0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE35AD1D	21_2_00007FF6AE35AD1D
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3744BC	21_2_00007FF6AE3744BC
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE35A4E4	21_2_00007FF6AE35A4E4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3619C8	21_2_00007FF6AE3619C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3621E8	21_2_00007FF6AE3621E8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE379A80	21_2_00007FF6AE379A80
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3762B0	21_2_00007FF6AE3762B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE363A70	21_2_00007FF6AE363A70
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE36DAB8	21_2_00007FF6AE36DAB8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB333B20	21_2_00007FFCBB333B20
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB33C890	21_2_00007FFCBB33C890
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB3377E8	21_2_00007FFCBB3377E8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB336060	21_2_00007FFCBB336060
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB333DC0	21_2_00007FFCBB333DC0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB332DA0	21_2_00007FFCBB332DA0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB39C490	21_2_00007FFCBB39C490
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB3916A0	21_2_00007FFCBB3916A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB3910C0	21_2_00007FFCBB3910C0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB3D63A0	21_2_00007FFCBB3D63A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB3D8300	21_2_00007FFCBB3D8300
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD3F50	21_2_00007FFCBBBD3F50
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD1F50	21_2_00007FFCBBBD1F50
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD2ED0	21_2_00007FFCBBBD2ED0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD32E0	21_2_00007FFCBBBD32E0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD39F0	21_2_00007FFCBBBD39F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD27A0	21_2_00007FFCBBBD27A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5951D0	25_2_00007FFC9C5951D0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C6CC0	25_2_00007FFC9C5C6CC0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C63FC90	25_2_00007FFC9C63FC90
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5DBD40	25_2_00007FFC9C5DBD40
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61ED04	25_2_00007FFC9C61ED04
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C5E40	25_2_00007FFC9C5C5E40
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C9E1C	25_2_00007FFC9C5C9E1C
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5CAE00	25_2_00007FFC9C5CAE00
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C4EB0	25_2_00007FFC9C5C4EB0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5BCF30	25_2_00007FFC9C5BCF30
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5CAF90	25_2_00007FFC9C5CAF90
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C634070	25_2_00007FFC9C634070
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C60F074	25_2_00007FFC9C60F074
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5E2050	25_2_00007FFC9C5E2050
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5CA970	25_2_00007FFC9C5CA970
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5E5928	25_2_00007FFC9C5E5928
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C9930	25_2_00007FFC9C5C9930
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5E9910	25_2_00007FFC9C5E9910
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D4AFA	25_2_00007FFC9C5D4AFA
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C2AC4	25_2_00007FFC9C5C2AC4
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5B2ABC	25_2_00007FFC9C5B2ABC
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C7AB8	25_2_00007FFC9C5C7AB8
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61EB28	25_2_00007FFC9C61EB28
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5DAB90	25_2_00007FFC9C5DAB90
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C9C70	25_2_00007FFC9C5C9C70
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5B3C30	25_2_00007FFC9C5B3C30
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5BDC00	25_2_00007FFC9C5BDC00
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5B5530	25_2_00007FFC9C5B5530
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C8670	25_2_00007FFC9C5C8670
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C9744	25_2_00007FFC9C5C9744
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5B4734	25_2_00007FFC9C5B4734
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5CA810	25_2_00007FFC9C5CA810
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5DE0A0	25_2_00007FFC9C5DE0A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61E0A0	25_2_00007FFC9C61E0A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5BA090	25_2_00007FFC9C5BA090
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D9135	25_2_00007FFC9C5D9135
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61F118	25_2_00007FFC9C61F118
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5C41C0	25_2_00007FFC9C5C41C0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D7320	25_2_00007FFC9C5D7320
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5CF470	25_2_00007FFC9C5CF470
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5DF438	25_2_00007FFC9C5DF438
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5DA430	25_2_00007FFC9C5DA430
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61D400	25_2_00007FFC9C61D400
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF73FC	25_2_00007FFCABAF73FC
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF23B0	25_2_00007FFCABAF23B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF12B0	25_2_00007FFCABAF12B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF1A00	25_2_00007FFCABAF1A00
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF1920	25_2_00007FFCABAF1920
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF5F00	25_2_00007FFCABAF5F00
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF2F70	25_2_00007FFCABAF2F70
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF8F50	25_2_00007FFCABAF8F50
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF4650	25_2_00007FFCABAF4650
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAF55D0	25_2_00007FFCABAF55D0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABAFF524	25_2_00007FFCABAFF524
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAF5EC490	25_2_00007FFCAF5EC490
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAF5E10C0	25_2_00007FFCAF5E10C0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAF5E16A0	25_2_00007FFCAF5E16A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBA6060	25_2_00007FFCAFBA6060
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBA3B20	25_2_00007FFCAFBA3B20
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBA3DC0	25_2_00007FFCAFBA3DC0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBA77E8	25_2_00007FFCAFBA77E8
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBAC890	25_2_00007FFCAFBAC890
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBA2DA0	25_2_00007FFCAFBA2DA0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB42D3630	25_2_00007FFCB42D3630
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB42D6264	25_2_00007FFCB42D6264
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB42F4BE0	25_2_00007FFCB42F4BE0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E39F0	25_2_00007FFCB46E39F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E32E0	25_2_00007FFCB46E32E0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E2ED0	25_2_00007FFCB46E2ED0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E27A0	25_2_00007FFCB46E27A0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E3F50	25_2_00007FFCB46E3F50
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E1F50	25_2_00007FFCB46E1F50
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46F8300	25_2_00007FFCB46F8300
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46F63A0	25_2_00007FFCB46F63A0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe F76FDE632A80C0C487FA71AC27699BDAF5D3B840ED3F1DD82448C80F4CD03FAC
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\_MEI12522\VCRUNTIME140.dll 36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153

Source: C:\Users\user\EdgeBHO.exe	Code function: String function: 00007FFCB42E34D8 appears 78 times
Source: C:\Users\user\EdgeBHO.exe	Code function: String function: 00007FFCB42E3278 appears 45 times
Source: C:\Users\user\EdgeBHO.exe	Code function: String function: 00007FF6AE352910 appears 34 times
Source: C:\Users\user\EdgeBHO.exe	Code function: String function: 00007FFC9C5C2FA0 appears 44 times
Source: C:\Users\user\EdgeBHO.exe	Code function: String function: 00007FF6AE352710 appears 104 times
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: String function: 00007FF6F8492910 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: String function: 00007FFCBB3B3278 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: String function: 00007FFCA15F2FA0 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: String function: 00007FFCBB3B34D8 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: String function: 00007FF6F8492710 appears 104 times

Source: C:\Users\user\Desktop\PfOHmro.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 816

Source: ucrtbase.dll.15.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.15.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ucrtbase.dll.20.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.20.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-console-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.24.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.20.dr	Static PE information: No import functions for PE file found

Source: PfOHmro.exe, 00000000.00000002.1279114071.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PfOHmro.exe
Source: PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePortals.exe0 vs PfOHmro.exe
Source: PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs PfOHmro.exe
Source: PfOHmro.exe, 00000000.00000000.1174120676.0000000000DC6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePortals.exe0 vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefirefox.exe0 vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\080904B0\\OriginalFilename vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.0000000003634000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe> vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs PfOHmro.exe
Source: PfOHmro.exe, 00000003.00000002.1859182871.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PfOHmro.exe

Source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PfOHmro.exe PID: 7520, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PfOHmro.exe PID: 7568, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: PfOHmro.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PfOHmro.exe	Static PE information: Section: .CSS ZLIB complexity 1.0003681282722514
Source: python313.dll.15.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9994185524425288
Source: libcrypto-3.dll.15.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
Source: unicodedata.pyd.15.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9925549591002045
Source: libcrypto-3.dll.20.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
Source: python313.dll.20.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9994185524425288
Source: unicodedata.pyd.20.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9925549591002045

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@29/270@1/2

Source: C:\Users\user\Desktop\PfOHmro.exe

File created: C:\Users\user\AppData\Local\Yandex

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Users\user\Desktop\PfOHmro.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7520
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03

Source: C:\Users\user\Desktop\PfOHmro.exe

File created: C:\Users\user\AppData\Local\Temp\tmp18C0.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\activate.bat

Source: PfOHmro.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PfOHmro.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EdgeBHO.exe")

Source: C:\Users\user\Desktop\PfOHmro.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PfOHmro.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PfOHmro.exe	Virustotal: Detection: 62%
Source: PfOHmro.exe	ReversingLabs: Detection: 73%

Source: EdgeBHO.exe	String found in binary or memory: can't send non-None value to a just-started coroutine
Source: EdgeBHO.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
Source: EdgeBHO.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
Source: EdgeBHO.exe	String found in binary or memory: can't send non-None value to a just-started async generator
Source: EdgeBHO.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: EdgeBHO.exe	String found in binary or memory: --help
Source: EdgeBHO.exe	String found in binary or memory: --help
Source: EdgeBHO.exe	String found in binary or memory: fma($module, x, y, z, /) -- Fused multiply-add operation. Compute (x * y) + z with a single round.
Source: EdgeBHO.exe	String found in binary or memory: can't send non-None value to a just-started coroutine
Source: EdgeBHO.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
Source: EdgeBHO.exe	String found in binary or memory: various kinds of output. Setting it to 0 deactivates this behavior. PYTHON_HISTORY : the location of a .python_history file. These variables have equivalent command-line options (see --help for details): PYTHON_CPU_COUNT: override the retu
Source: EdgeBHO.exe	String found in binary or memory: can't send non-None value to a just-started async generator
Source: EdgeBHO.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: EdgeBHO.exe	String found in binary or memory: --help
Source: EdgeBHO.exe	String found in binary or memory: --help
Source: EdgeBHO.exe	String found in binary or memory: fma($module, x, y, z, /) -- Fused multiply-add operation. Compute (x * y) + z with a single round.

Source: C:\Users\user\Desktop\PfOHmro.exe

File read: C:\Users\user\Desktop\PfOHmro.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 816
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe"
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Process created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe"
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\activate.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im "EdgeBHO.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\EdgeBHO.exe "EdgeBHO.exe"
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "EdgeBHO.exe"
Source: unknown	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"
Source: unknown	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Process created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\activate.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im "EdgeBHO.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\EdgeBHO.exe "EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"

Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: version.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: python3.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: propsys.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: textshaping.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: version.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: python3.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: propsys.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: textshaping.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll
Source: C:\Users\user\EdgeBHO.exe	Section loaded: wintypes.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: PfOHmro.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PfOHmro.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PfOHmro.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1846777523.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1881631808.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019536998.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100346764.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847383477.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883141435.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019895484.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100631142.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841022436.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873487738.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016393921.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097338826.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: EdgeBHO.exe, 00000010.00000002.1873662230.00007FFCA168C000.00000002.00000001.01000000.0000000C.sdmp, EdgeBHO.exe, 00000015.00000002.2440299564.00007FFCA168C000.00000002.00000001.01000000.00000016.sdmp, EdgeBHO.exe, 00000019.00000002.2054904950.00007FFC9C65C000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842189370.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875345385.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017250591.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098287991.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840667454.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872625223.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016020890.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096990057.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844292763.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877909726.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018534751.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099505061.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1845961180.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1879668224.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019318045.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100136236.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842189370.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875345385.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017250591.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098287991.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847541834.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883395222.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020008126.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100786546.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1838528308.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1875774155.00007FFCBB3E4000.00000002.00000001.01000000.0000000E.sdmp, EdgeBHO.exe, 00000014.00000003.1869750221.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2442069207.00007FFCBB3E4000.00000002.00000001.01000000.00000018.sdmp, EdgeBHO.exe, 00000018.00000003.2013678723.000001BAA3CFF000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2056569719.00007FFCB4704000.00000002.00000001.01000000.00000021.sdmp, EdgeBHO.exe, 0000001A.00000003.2095304862.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841640202.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874269759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016740382.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097781458.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: PfOHmro.exe, 00000000.00000000.1174105120.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844717900.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878527857.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018778560.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099713680.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: EdgeBHO.exe, 0000000F.00000003.1838854004.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1873956487.00007FFCBB2F5000.00000002.00000001.01000000.00000014.sdmp, EdgeBHO.exe, 00000014.00000003.1870065890.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2440565210.00007FFCBB2F5000.00000002.00000001.01000000.0000001E.sdmp, EdgeBHO.exe, 00000018.00000003.2013943553.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2055363994.00007FFCAD6A5000.00000002.00000001.01000000.00000027.sdmp, EdgeBHO.exe, 0000001A.00000003.2095507172.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843973437.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877455979.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018323407.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099294626.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841640202.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874269759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016740382.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097781458.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1845394223.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1879307879.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019208738.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100033216.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841388876.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873990925.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016610374.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097651612.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: EdgeBHO.exe, EdgeBHO.exe, 00000019.00000002.2055936402.00007FFCB42D1000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842674359.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876322759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017630964.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098673279.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840799142.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872892606.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016152642.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097106915.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842674359.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876322759.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017630964.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098673279.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840444280.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872173040.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015729848.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096743379.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840903774.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873242498.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016285040.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097235679.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842488383.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876066587.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017499898.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098543068.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1845070058.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1879085603.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019091727.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099930115.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1847214203.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1882917745.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019761162.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100527933.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1844717900.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878527857.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018778560.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099713680.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840554181.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872385641.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015879685.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096868575.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: EdgeBHO.exe, 00000010.00000002.1874194924.00007FFCBB31B000.00000040.00000001.01000000.00000012.sdmp, EdgeBHO.exe, 00000015.00000002.2440948631.00007FFCBB31B000.00000040.00000001.01000000.0000001C.sdmp, EdgeBHO.exe, 00000019.00000002.2055093814.00007FFCABB0B000.00000040.00000001.01000000.00000025.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: EdgeBHO.exe, EdgeBHO.exe, 00000019.00000002.2055719822.00007FFCAFBA1000.00000040.00000001.01000000.00000024.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840799142.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872892606.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016152642.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097106915.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843473939.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876830773.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017864453.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098928872.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: EdgeBHO.exe, 00000010.00000002.1873662230.00007FFCA168C000.00000002.00000001.01000000.0000000C.sdmp, EdgeBHO.exe, 00000015.00000002.2440299564.00007FFCA168C000.00000002.00000001.01000000.00000016.sdmp, EdgeBHO.exe, 00000019.00000002.2054904950.00007FFC9C65C000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840903774.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873242498.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016285040.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097235679.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: EdgeBHO.exe, 00000010.00000002.1871702839.00007FFC9CAB9000.00000040.00000001.01000000.0000000D.sdmp, EdgeBHO.exe, 00000015.00000002.2438702214.00007FFC9CAB9000.00000040.00000001.01000000.00000017.sdmp, EdgeBHO.exe, 00000019.00000002.2053349770.00007FFC9C349000.00000040.00000001.01000000.00000020.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1838854004.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1873956487.00007FFCBB2F5000.00000002.00000001.01000000.00000014.sdmp, EdgeBHO.exe, 00000014.00000003.1870065890.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2440565210.00007FFCBB2F5000.00000002.00000001.01000000.0000001E.sdmp, EdgeBHO.exe, 00000018.00000003.2013943553.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2055363994.00007FFCAD6A5000.00000002.00000001.01000000.00000027.sdmp, EdgeBHO.exe, 0000001A.00000003.2095507172.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1848154049.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883754430.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020233504.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101102837.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841388876.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873990925.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016610374.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097651612.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1844292763.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877909726.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018534751.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099505061.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844159682.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877708898.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018431971.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099398521.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: EdgeBHO.exe, 00000010.00000002.1874771647.00007FFCBB391000.00000040.00000001.01000000.00000013.sdmp, EdgeBHO.exe, 00000015.00000002.2441419137.00007FFCBB391000.00000040.00000001.01000000.0000001D.sdmp, EdgeBHO.exe, 00000019.00000002.2055498902.00007FFCAF5E1000.00000040.00000001.01000000.00000026.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843473939.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876830773.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017864453.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098928872.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842488383.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876066587.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017499898.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098543068.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: PfOHmro.exe, 00000000.00000000.1174105120.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1840554181.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872385641.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015879685.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096868575.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844899504.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878874442.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018917388.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099824827.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: EdgeBHO.exe, 0000000F.00000003.1838528308.0000025AF4FA0000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000010.00000002.1875774155.00007FFCBB3E4000.00000002.00000001.01000000.0000000E.sdmp, EdgeBHO.exe, 00000014.00000003.1869750221.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2442069207.00007FFCBB3E4000.00000002.00000001.01000000.00000018.sdmp, EdgeBHO.exe, 00000018.00000003.2013678723.000001BAA3CFF000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2056569719.00007FFCB4704000.00000002.00000001.01000000.00000021.sdmp, EdgeBHO.exe, 0000001A.00000003.2095304862.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1846946271.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1882472597.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019644449.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100446698.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842045762.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875042633.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017137169.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098161682.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841738441.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874518425.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016870009.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097910012.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843847302.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877251431.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018182031.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099196398.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: EdgeBHO.exe, 0000000F.00000003.1842994259.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1876585682.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017739876.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098810697.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840667454.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872625223.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016020890.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096990057.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1841905883.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874768746.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017004149.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098037187.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1842352547.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875802095.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017371983.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098415607.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1848640080.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883914289.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020354386.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2101211287.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843707805.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877034168.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018002633.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099071239.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1844446204.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878154496.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018669769.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099608160.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1843847302.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877251431.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018182031.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099196398.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841155329.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1873736321.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016505020.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097524068.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1840444280.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1872173040.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2015729848.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2096743379.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: EdgeBHO.exe, 00000010.00000002.1874194924.00007FFCBB31B000.00000040.00000001.01000000.00000012.sdmp, EdgeBHO.exe, 00000015.00000002.2440948631.00007FFCBB31B000.00000040.00000001.01000000.0000001C.sdmp, EdgeBHO.exe, 00000019.00000002.2055093814.00007FFCABB0B000.00000040.00000001.01000000.00000025.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847214203.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1882917745.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019761162.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100527933.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841905883.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874768746.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017004149.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098037187.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1842352547.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1875802095.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2017371983.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2098415607.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843973437.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877455979.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018323407.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099294626.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1841738441.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1874518425.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2016870009.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2097910012.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: EdgeBHO.exe, EdgeBHO.exe, 00000019.00000002.2055498902.00007FFCAF5E1000.00000040.00000001.01000000.00000026.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1843707805.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1877034168.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018002633.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099071239.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1846646974.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1880638314.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2019428022.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100241717.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: EdgeBHO.exe, 0000000F.00000003.1847742380.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1883582433.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2020118947.000001BAA3D01000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2100991668.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: EdgeBHO.exe, 0000000F.00000003.1844899504.0000025AF4FA1000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000014.00000003.1878874442.000002782B06F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000018.00000003.2018917388.000001BAA3D08000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 0000001A.00000003.2099824827.000001F0F6F82000.00000004.00000020.00020000.00000000.sdmp

Source: PfOHmro.exe

Static PE information: 0xADFF511F [Mon Jul 3 22:20:15 2062 UTC]

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 16_2_00007FFC9CD051D0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

16_2_00007FFC9CD051D0

Source: PfOHmro.exe	Static PE information: section name: .CSS
Source: EdgeBHO.exe.3.dr	Static PE information: section name: .fptable
Source: libffi-8.dll.15.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.15.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.15.dr	Static PE information: section name: _RDATA
Source: EdgeBHO.exe.16.dr	Static PE information: section name: .fptable
Source: VCRUNTIME140.dll.20.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.20.dr	Static PE information: section name: _RDATA
Source: libffi-8.dll.20.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.24.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.24.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 3_2_06B81810 push es; ret	3_2_06B81820
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1608522 push rdi; ret	16_2_00007FFCA1608526
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1602A46 push rdi; ret	16_2_00007FFCA1602A52
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1607E0D push rdi; ret	16_2_00007FFCA1607E14
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1602F65 push rdi; ret	16_2_00007FFCA1602F6B
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D7E0D push rdi; ret	25_2_00007FFC9C5D7E14
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D2F65 push rdi; ret	25_2_00007FFC9C5D2F6B
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D2A46 push rdi; ret	25_2_00007FFC9C5D2A52
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5D8522 push rdi; ret	25_2_00007FFC9C5D8526

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_socket.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_socket.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\python313.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\python313.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PfOHmro.exe	File created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\python313.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\EdgeBHO.exe	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40002\_wmi.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

File created: C:\Users\user\EdgeBHO.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

File created: C:\Users\user\EdgeBHO.exe

Jump to dropped file

Source: C:\Users\user\EdgeBHO.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update64			Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update64			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 4449
Source: unknown	Network traffic detected: HTTP traffic on port 4449 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 57483 -> 40919
Source: unknown	Network traffic detected: HTTP traffic on port 40919 -> 57483

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 15_2_00007FF6F84976B0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

15_2_00007FF6F84976B0

Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PfOHmro.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PfOHmro.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\PfOHmro.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Memory allocated: 50A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Memory allocated: 3260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PfOHmro.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\PfOHmro.exe	Window / User API: threadDelayed 1776			Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Window / User API: threadDelayed 8013			Jump to behavior

Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_socket.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_socket.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\select.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\python313.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\python313.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\python313.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\_socket.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12522\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75322\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17522\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\EdgeBHO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40002\_wmi.pyd	Jump to dropped file

Source: C:\Users\user\EdgeBHO.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_15-18210

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	API coverage: 4.1 %
Source: C:\Users\user\EdgeBHO.exe	API coverage: 6.2 %
Source: C:\Users\user\EdgeBHO.exe	API coverage: 1.7 %

Source: C:\Users\user\Desktop\PfOHmro.exe TID: 7348

Thread sleep time: -31359464925306218s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\PfOHmro.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84992F0 FindFirstFileExW,FindClose,	15_2_00007FF6F84992F0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84983B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	15_2_00007FF6F84983B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84B1BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_00007FF6F84B1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84992F0 FindFirstFileExW,FindClose,	16_2_00007FF6F84992F0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84983B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	16_2_00007FF6F84983B0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84B1BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	16_2_00007FF6F84B1BD4
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164F118 FindFirstFileExA,FindClose,FindNextFileA,	16_2_00007FFCA164F118
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164F2C8 FindFirstFileExW,FindClose,FindNextFileW,	16_2_00007FFCA164F2C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3592F0 FindFirstFileExW,FindClose,	20_2_00007FF6AE3592F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE3583B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	20_2_00007FF6AE3583B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE371BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_00007FF6AE371BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3592F0 FindFirstFileExW,FindClose,	21_2_00007FF6AE3592F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE3583B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	21_2_00007FF6AE3583B0
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE371BD4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_00007FF6AE371BD4
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61F118 FindFirstFileExA,FindClose,FindNextFileA,	25_2_00007FFC9C61F118
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61F2C8 FindFirstFileExW,FindClose,FindNextFileW,	25_2_00007FFC9C61F2C8

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 16_2_00007FFCBB391D1C VirtualQuery,GetSystemInfo,

16_2_00007FFCBB391D1C

Source: C:\Users\user\Desktop\PfOHmro.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: PfOHmro.exe, 00000003.00000002.1857931341.000000000169C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: EdgeBHO.exe, 00000010.00000002.1870552492.0000025A1E614000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2436678714.0000019363234000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2052012982.00000286BA1F4000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000002.2187512345.000001CDA0134000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ro.kernel.qemu
Source: EdgeBHO.exe, 00000015.00000002.2435437723.0000019362F0B000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2032306303.00000286BA07F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2031090128.00000286BA07F000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2040606777.00000286BA08D000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2039930478.00000286BA055000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2043273122.00000286BA097000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2041299813.00000286BA091000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2051807652.00000286BA097000.00000004.00000020.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000003.2031381064.00000286BA058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ro.kernel.qemur
Source: EdgeBHO.exe, 00000010.00000002.1870552492.0000025A1E614000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000015.00000002.2436678714.0000019363234000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 00000019.00000002.2052012982.00000286BA1F4000.00000004.00001000.00020000.00000000.sdmp, EdgeBHO.exe, 0000001B.00000002.2187512345.000001CDA0134000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: dro.kernel.qemu

Source: C:\Users\user\Desktop\PfOHmro.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PfOHmro.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 15_2_00007FF6F849D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

15_2_00007FF6F849D19C

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 16_2_00007FFC9CD051D0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

16_2_00007FFC9CD051D0

Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 0_2_030A2149 mov edi, dword ptr fs:[00000030h]		0_2_030A2149
Source: C:\Users\user\Desktop\PfOHmro.exe	Code function: 0_2_030A22C6 mov edi, dword ptr fs:[00000030h]		0_2_030A22C6

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 15_2_00007FF6F84B3830 GetProcessHeap,

15_2_00007FF6F84B3830

Source: C:\Users\user\Desktop\PfOHmro.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F849D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00007FF6F849D19C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F849D37C SetUnhandledExceptionFilter,	15_2_00007FF6F849D37C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F84AA5C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00007FF6F84AA5C8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 15_2_00007FF6F849C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00007FF6F849C910
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F849D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FF6F849D19C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F849D37C SetUnhandledExceptionFilter,	16_2_00007FF6F849D37C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F84AA5C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FF6F84AA5C8
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FF6F849C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00007FF6F849C910
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA164D170 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FFCA164D170
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1615A60 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00007FFCA1615A60
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCA1615A20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00007FFCA1615A20
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB2F4738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00007FFCBB2F4738
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3137D0 IsProcessorFeaturePresent,00007FFCBB3E1A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFCBB3E1A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FFCBB3137D0
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB33A96C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FFCBB33A96C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB39335C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FFCBB39335C
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: 16_2_00007FFCBB3A7184 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FFCBB3A7184
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE35C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_00007FF6AE35C910
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE36A5C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00007FF6AE36A5C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE35D37C SetUnhandledExceptionFilter,	20_2_00007FF6AE35D37C
Source: C:\Users\user\EdgeBHO.exe	Code function: 20_2_00007FF6AE35D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00007FF6AE35D19C
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE35C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF6AE35C910
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE36A5C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF6AE36A5C8
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE35D37C SetUnhandledExceptionFilter,	21_2_00007FF6AE35D37C
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FF6AE35D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF6AE35D19C
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB33A96C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FFCBB33A96C
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB39335C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FFCBB39335C
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBB3E0E08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FFCBB3E0E08
Source: C:\Users\user\EdgeBHO.exe	Code function: 21_2_00007FFCBBBD52F0 IsProcessorFeaturePresent,00007FFCBB3E1A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFCBB3E1A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FFCBBBD52F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5E5A60 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00007FFC9C5E5A60
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C5E5A20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00007FFC9C5E5A20
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFC9C61D170 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FFC9C61D170
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCABB037D0 IsProcessorFeaturePresent,00007FFCB4701A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFCB4701A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FFCABB037D0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAD6A4738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00007FFCAD6A4738
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAF5E335C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FFCAF5E335C
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCAFBAA96C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FFCAFBAA96C
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB42D7184 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FFCB42D7184
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB46E52F0 IsProcessorFeaturePresent,00007FFCB4701A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFCB4701A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FFCB46E52F0
Source: C:\Users\user\EdgeBHO.exe	Code function: 25_2_00007FFCB4700E08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00007FFCB4700E08

Source: C:\Users\user\Desktop\PfOHmro.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\PfOHmro.exe

Code function: 0_2_030A2149 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_030A2149

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PfOHmro.exe

Memory written: C:\Users\user\Desktop\PfOHmro.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\Desktop\PfOHmro.exe "C:\Users\user\Desktop\PfOHmro.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Process created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Process created: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe "C:\Users\user\AppData\Local\Temp\EdgeBHO.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im "EdgeBHO.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\EdgeBHO.exe "EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "EdgeBHO.exe"	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"
Source: C:\Users\user\EdgeBHO.exe	Process created: C:\Users\user\EdgeBHO.exe "C:\Users\user\EdgeBHO.exe"

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\taskkill.exe taskkill /f /im "EdgeBHO.exe"

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 15_2_00007FF6F84B97F0 cpuid

15_2_00007FF6F84B97F0

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	16_2_00007FFCA1649288
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: GetLocaleInfoW,	16_2_00007FFCA15F1674
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	16_2_00007FFCA1649490
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	16_2_00007FFCA1648D94
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	16_2_00007FFCA1648E48
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: EnterCriticalSection,EnumSystemLocalesW,LeaveCriticalSection,	16_2_00007FFCA1647D40
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Code function: EnumSystemLocalesW,	16_2_00007FFCA1648D2C
Source: C:\Users\user\EdgeBHO.exe	Code function: EnterCriticalSection,EnumSystemLocalesW,LeaveCriticalSection,	25_2_00007FFC9C617D40
Source: C:\Users\user\EdgeBHO.exe	Code function: EnumSystemLocalesW,	25_2_00007FFC9C618D2C
Source: C:\Users\user\EdgeBHO.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	25_2_00007FFC9C618D94
Source: C:\Users\user\EdgeBHO.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	25_2_00007FFC9C618E48
Source: C:\Users\user\EdgeBHO.exe	Code function: GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	25_2_00007FFC9C619490
Source: C:\Users\user\EdgeBHO.exe	Code function: GetLocaleInfoW,	25_2_00007FFC9C5C1674
Source: C:\Users\user\EdgeBHO.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	25_2_00007FFC9C619288

Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Users\user\Desktop\PfOHmro.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Users\user\Desktop\PfOHmro.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17522 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe	Queries volume information: C:\Users\user\activate.bat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75322 VolumeInformation	Jump to behavior
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\ucrtbase.dll VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\_ctypes.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\_bz2.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\_wmi.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12522 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\ucrtbase.dll VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\_ctypes.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\_bz2.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\_lzma.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\_wmi.pyd VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002\base_library.zip VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\EdgeBHO.exe VolumeInformation
Source: C:\Users\user\EdgeBHO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40002 VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 15_2_00007FF6F849D080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

15_2_00007FF6F849D080

Source: C:\Users\user\AppData\Local\Temp\EdgeBHO.exe

Code function: 15_2_00007FF6F84B62B0 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

15_2_00007FF6F84B62B0

Source: C:\Users\user\Desktop\PfOHmro.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\PfOHmro.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected MicroClip

Source: Yara match	File source: 0000001B.00000002.2187512345.000001CDA0134000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1870552492.0000025A1E614000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2436678714.0000019363234000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2052012982.00000286BA1F4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 1424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 3032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 5416, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 7568, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: PfOHmro.exe, 00000003.00000002.1859182871.000000000345E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: PfOHmro.exe, 00000003.00000002.1859182871.000000000345E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: PfOHmro.exe, 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: PfOHmro.exe, 00000003.00000002.1859182871.000000000345E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: PfOHmro.exe, 00000003.00000002.1859182871.000000000345E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\PfOHmro.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 7568, type: MEMORYSTR

Remote Access Functionality

Yara detected MicroClip

Source: Yara match	File source: 0000001B.00000002.2187512345.000001CDA0134000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1870552492.0000025A1E614000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2436678714.0000019363234000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2052012982.00000286BA1F4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 1424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 3032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EdgeBHO.exe PID: 5416, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.PfOHmro.exe.40c4170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PfOHmro.exe.40a9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PfOHmro.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PfOHmro.exe.40c4170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1857380388.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1280380254.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PfOHmro.exe PID: 7568, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	221 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	211 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	Security Account Manager	135 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	21 Software Packing	NTDS	351 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	251 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	211 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PfOHmro.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
PfOHmro.exe