Windows Analysis Report
HmngBpR.exe

Overview

General Information

Sample name: HmngBpR.exe
Analysis ID: 1632654
MD5: d31ae263840ea72da485bcbae6345ad3
SHA1: af475b22571cd488353bba0681e4beebdf28d17d
SHA256: d4717111251ccd87aed19d387a50770f795dda04d454a97ebe53b27ea3afe1fb
Tags: exe, user-aachum

Detection

Score: 88
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
System process connects to network (likely due to code injection or exploit)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • HmngBpR.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\HmngBpR.exe" MD5: D31AE263840EA72DA485BCBAE6345AD3)
    • SplashWin.exe (PID: 6156 cmdline: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe MD5: 4D20B83562EEC3660E45027AD56FB444)
      • SplashWin.exe (PID: 6220 cmdline: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe MD5: 4D20B83562EEC3660E45027AD56FB444)
        • cmd.exe (PID: 6300 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • explorer.exe (PID: 3772 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • SplashWin.exe (PID: 2504 cmdline: "C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe" MD5: 4D20B83562EEC3660E45027AD56FB444)
    • cmd.exe (PID: 836 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 828 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative; Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6300, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 3772, ProcessName: explorer.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\Temp\nwpcbndn; Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\rghkq; Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb,, source: HmngBpR.exe, 00000000.00000002.944973924.000000000736F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000000.875780450.0000000000023000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000002.00000002.884353421.0000000000023000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000003.00000002.947760588.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000003.00000000.884044512.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000008.00000002.1220549494.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000008.00000000.1161888752.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe.0.dr
Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdbww3 source: HmngBpR.exe, 00000000.00000002.944973924.000000000736F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889752555.000000006DD15000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000003.00000002.961360726.000000006D8A5000.00000002.00000001.01000000.0000000D.sdmp, SplashWin.exe, 00000008.00000002.1226502350.000000006DBB5000.00000002.00000001.01000000.0000000D.sdmp, DuiLib_u.dll.0.dr, DuiLib_u.dll.2.dr
Source: Binary string: ntdll.pdb source: HmngBpR.exe, 00000000.00000002.942658607.00000000067F0000.00000004.00000800.00020000.00000000.sdmp, HmngBpR.exe, 00000000.00000002.933340011.00000000033FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SplashWin.exe, 00000002.00000002.889332925.0000000009D6E000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889455188.000000000A0C0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953718653.0000000009900000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953863668.0000000009C60000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.955354561.000000000A016000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228261440.0000000004E33000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228578938.0000000005360000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225414932.00000000099D4000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225920702.000000000A0ED000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225615802.0000000009D30000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430444170.00000000046FB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430721417.0000000004C20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: HmngBpR.exe, 00000000.00000002.942658607.00000000067F0000.00000004.00000800.00020000.00000000.sdmp, HmngBpR.exe, 00000000.00000002.933340011.00000000033FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SplashWin.exe, 00000002.00000002.889332925.0000000009D6E000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889455188.000000000A0C0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953718653.0000000009900000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953863668.0000000009C60000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.955354561.000000000A016000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228261440.0000000004E33000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228578938.0000000005360000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225414932.00000000099D4000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225920702.000000000A0ED000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225615802.0000000009D30000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430444170.00000000046FB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430721417.0000000004C20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdb source: HmngBpR.exe, 00000000.00000002.944973924.000000000736F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889752555.000000006DD15000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000003.00000002.961360726.000000006D8A5000.00000002.00000001.01000000.0000000D.sdmp, SplashWin.exe, 00000008.00000002.1226502350.000000006DBB5000.00000002.00000001.01000000.0000000D.sdmp, DuiLib_u.dll.0.dr, DuiLib_u.dll.2.dr
Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb source: HmngBpR.exe, 00000000.00000002.944973924.000000000736F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000000.875780450.0000000000023000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000002.00000002.884353421.0000000000023000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000003.00000002.947760588.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000003.00000000.884044512.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000008.00000002.1220549494.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000008.00000000.1161888752.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe.0.dr
Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: HmngBpR.exe, 00000000.00000002.944973924.0000000007696000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.892849238.000000006F3E1000.00000020.00000001.01000000.00000008.sdmp, SplashWin.exe, 00000003.00000002.961566185.000000006F3A1000.00000020.00000001.01000000.0000000C.sdmp, SplashWin.exe, 00000008.00000002.1226633509.000000006F3E1000.00000020.00000001.01000000.0000000C.sdmp, vcruntime140.dll.2.dr, vcruntime140.dll.0.dr
Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: SplashWin.exe, SplashWin.exe, 00000003.00000002.960471161.000000006D7B1000.00000020.00000001.01000000.0000000E.sdmp, SplashWin.exe, 00000008.00000002.1226321991.000000006DAC1000.00000020.00000001.01000000.0000000E.sdmp, msvcp140.dll.2.dr, msvcp140.dll.0.dr
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe; Code function: 2_2_6DC320D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,2_2_6DC320D0
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe; Code function: 3_2_6D7C20D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,3_2_6D7C20D0

Networking

Source: C:\Windows\SysWOW64\explorer.exe; Network Connect: 185.183.32.103 3333
Source: global traffic; TCP traffic: 192.168.2.8:49692 -> 185.183.32.103:3333
Source: Joe Sandbox View; ASN Name: WORLDSTREAMNL WORLDSTREAMNL
Source: unknown; TCP traffic detected without corresponding DNS query: 185.183.32.103
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
Source: HmngBpR.exe, 00000000.00000002.935013588.0000000006448000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000736F000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000000.00000002.944973924.0000000007696000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000003.883304089.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000003.882949482.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, DuiLib_u.dll.0.dr, SplashWin.exe.0.dr, DuiLib_u.dll.2.drString found in binary or memory: http://ocsp.sectigo.com0
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
Source: HmngBpR.exe, 00000000.00000002.935013588.0000000006448000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: HmngBpR.exe, 00000000.00000002.944973924.0000000007696000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A44000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.0000000009728000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.0000000005198000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.00000000097F3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000736F000.00000004.00000020.00020000.00000000.sdmp, HmngBpR.exe, 00000000.00000002.944973924.0000000007696000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000003.883304089.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000003.882949482.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, DuiLib_u.dll.0.dr, SplashWin.exe.0.dr, DuiLib_u.dll.2.drString found in binary or memory: https://sectigo.com/CPS0
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889170920.0000000009A9A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953583108.000000000977E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228425291.00000000051E0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225193518.0000000009849000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\HmngBpR.exe | Code function: 0_2_0077A88F NtQuerySystemInformation
Source: C:\Users\user\Desktop\HmngBpR.exe | Code function: 0_2_0077E57A
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_6DC21E07
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_6DC214F2
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_6DC266D4
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_6DC266E4
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B65EC
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B14F2
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B5010
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B4F64
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B4EA0
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B4F38
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B4FD0
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B4FA0
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B6618
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B66E4
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B66D4
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B4EB0
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B505C
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B50AC
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B5324
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B53DC
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B62D4
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7B6298
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\DuiLib_u.dll 5A3E6B212447ECEE8E9A215C35F56AA3A3F45340F116AD9015C87D0C9C6E21AF
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe C5E650B331FA5292872FDAEDE3A75C8167A0F1280CE0CD3D58B880D23854BDB1
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: String function: 6D7EE69B appears 115 times
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: String function: 6DC5E69B appears 125 times
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: String function: 6DC5E6CF appears 39 times
Source: HmngBpR.exe | Static PE information: Number of sections : 11 > 10
Source: nwpcbndn.10.dr | Static PE information: No import functions for PE file found
Source: rghkq.4.dr | Static PE information: No import functions for PE file found
Source: HmngBpR.exe, 00000000.00000002.935013588.0000000005ABB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs HmngBpR.exe
Source: HmngBpR.exe, 00000000.00000002.933340011.0000000003576000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs HmngBpR.exe
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000736F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsvcp140.dllT vs HmngBpR.exe
Source: HmngBpR.exe, 00000000.00000002.944973924.0000000007696000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAnyViewer4 vs HmngBpR.exe
Source: HmngBpR.exe, 00000000.00000002.944973924.0000000007696000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs HmngBpR.exe
Source: HmngBpR.exe, 00000000.00000002.942658607.0000000006976000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs HmngBpR.exe
Source: HmngBpR.exe, 00000000.00000002.935013588.0000000006448000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameiScrEditer.exeJ vs HmngBpR.exe
Source: HmngBpR.exe, 00000000.00000002.944973924.000000000771A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezip.exe( vs HmngBpR.exe
Source: HmngBpR.exe, 00000000.00000002.932334226.0000000002A46000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs HmngBpR.exe
Source: HmngBpR.exe, 00000000.00000000.853569610.0000000000427000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs HmngBpR.exe
Source: HmngBpR.exe | Binary or memory string: OriginalFileName vs HmngBpR.exe
Source: classification engine | Classification label: mal88.evad.winEXE@16/20@0/1
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_6DC32440 _Statvfs, GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\HmngBpR.exe | File created: C:\Users\user\AppData\Roaming\PersBackup6
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_03
Source: C:\Users\user\Desktop\HmngBpR.exe | File created: C:\Users\user\AppData\Local\Temp\e7a55fe5
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Command line argument: AnyViewer (2_2_000219D0)
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Command line argument: AnyViewer (3_2_006719D0)
Source: HmngBpR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HmngBpR.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\HmngBpR.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\HmngBpR.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\HmngBpR.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HmngBpR.exe | String found in binary or memory: pbe-help.chm
Source: C:\Users\user\Desktop\HmngBpR.exe | File read: C:\Users\user\Desktop\HmngBpR.exe
Source: unknown | Process created: C:\Users\user\Desktop\HmngBpR.exe "C:\Users\user\Desktop\HmngBpR.exe"
Source: C:\Users\user\Desktop\HmngBpR.exe | Process created: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Process created: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe "C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: portabledeviceapi.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: pla.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: pdh.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: tdh.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\Desktop\HmngBpR.exe | Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Section loaded: duilib_u.dll
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: duilib_u.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: duilib_u.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: d3d9.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: d3d9.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\HmngBpR.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: ujkkoehnoxw.4.drLNK file: ..\..\Roaming\archivebrowser_GD\SplashWin.exe
Source: C:\Users\user\Desktop\HmngBpR.exeWindow found: window name: TMainFormJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: HmngBpR.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: HmngBpR.exeStatic file information: File size 10120392 > 1048576
Source: HmngBpR.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x484a00
Source: HmngBpR.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x42b000
Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb,, source: HmngBpR.exe, 00000000.00000002.944973924.000000000736F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000000.875780450.0000000000023000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000002.00000002.884353421.0000000000023000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000003.00000002.947760588.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000003.00000000.884044512.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000008.00000002.1220549494.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000008.00000000.1161888752.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe.0.dr
Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdbww3 source: HmngBpR.exe, 00000000.00000002.944973924.000000000736F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889752555.000000006DD15000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000003.00000002.961360726.000000006D8A5000.00000002.00000001.01000000.0000000D.sdmp, SplashWin.exe, 00000008.00000002.1226502350.000000006DBB5000.00000002.00000001.01000000.0000000D.sdmp, DuiLib_u.dll.0.dr, DuiLib_u.dll.2.dr
Source: Binary string: ntdll.pdb source: HmngBpR.exe, 00000000.00000002.942658607.00000000067F0000.00000004.00000800.00020000.00000000.sdmp, HmngBpR.exe, 00000000.00000002.933340011.00000000033FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SplashWin.exe, 00000002.00000002.889332925.0000000009D6E000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889455188.000000000A0C0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953718653.0000000009900000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953863668.0000000009C60000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.955354561.000000000A016000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228261440.0000000004E33000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228578938.0000000005360000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225414932.00000000099D4000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225920702.000000000A0ED000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225615802.0000000009D30000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430444170.00000000046FB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430721417.0000000004C20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: HmngBpR.exe, 00000000.00000002.942658607.00000000067F0000.00000004.00000800.00020000.00000000.sdmp, HmngBpR.exe, 00000000.00000002.933340011.00000000033FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SplashWin.exe, 00000002.00000002.889332925.0000000009D6E000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889455188.000000000A0C0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953718653.0000000009900000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.953863668.0000000009C60000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.955354561.000000000A016000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228261440.0000000004E33000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.1228578938.0000000005360000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225414932.00000000099D4000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225920702.000000000A0ED000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000008.00000002.1225615802.0000000009D30000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430444170.00000000046FB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.1430721417.0000000004C20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdb source: HmngBpR.exe, 00000000.00000002.944973924.000000000736F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.889752555.000000006DD15000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000003.00000002.961360726.000000006D8A5000.00000002.00000001.01000000.0000000D.sdmp, SplashWin.exe, 00000008.00000002.1226502350.000000006DBB5000.00000002.00000001.01000000.0000000D.sdmp, DuiLib_u.dll.0.dr, DuiLib_u.dll.2.dr
Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb source: HmngBpR.exe, 00000000.00000002.944973924.000000000736F000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000000.875780450.0000000000023000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000002.00000002.884353421.0000000000023000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000003.00000002.947760588.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000003.00000000.884044512.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000008.00000002.1220549494.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000008.00000000.1161888752.0000000000673000.00000002.00000001.01000000.0000000B.sdmp, SplashWin.exe.0.dr
Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: HmngBpR.exe, 00000000.00000002.944973924.0000000007696000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000002.00000002.892849238.000000006F3E1000.00000020.00000001.01000000.00000008.sdmp, SplashWin.exe, 00000003.00000002.961566185.000000006F3A1000.00000020.00000001.01000000.0000000C.sdmp, SplashWin.exe, 00000008.00000002.1226633509.000000006F3E1000.00000020.00000001.01000000.0000000C.sdmp, vcruntime140.dll.2.dr, vcruntime140.dll.0.dr
Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: SplashWin.exe, SplashWin.exe, 00000003.00000002.960471161.000000006D7B1000.00000020.00000001.01000000.0000000E.sdmp, SplashWin.exe, 00000008.00000002.1226321991.000000006DAC1000.00000020.00000001.01000000.0000000E.sdmp, msvcp140.dll.2.dr, msvcp140.dll.0.dr
Source: DuiLib_u.dll.2.drStatic PE information: real checksum: 0xda891 should be: 0xda31a
Source: HmngBpR.exeStatic PE information: real checksum: 0x9afed0 should be: 0x9b0cd0
Source: nwpcbndn.10.drStatic PE information: real checksum: 0x0 should be: 0x11a4af
Source: DuiLib_u.dll.0.drStatic PE information: real checksum: 0xda891 should be: 0xda31a
Source: rghkq.4.drStatic PE information: real checksum: 0x0 should be: 0x11a4af
Source: HmngBpR.exeStatic PE information: section name: .didata
Source: msvcp140.dll.0.drStatic PE information: section name: .didat
Source: msvcp140.dll.2.drStatic PE information: section name: .didat
Source: rghkq.4.drStatic PE information: section name: .xyz
Source: rghkq.4.drStatic PE information: section name: qxdg
Source: nwpcbndn.10.drStatic PE information: section name: .xyz
Source: nwpcbndn.10.drStatic PE information: section name: qxdg
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_00022A26 push ecx; ret 2_2_00022A39
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC26C0C push esi; ret 2_2_6DC26C12
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC26C18 pushad ; ret 2_2_6DC26C1A
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC26C1D push edi; ret 2_2_6DC26C1E
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC27858 pushfd ; retn E06Dh2_2_6DC2786A
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC27860 pushfd ; retn E06Dh2_2_6DC2786A
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC26BD8 push esi; ret 2_2_6DC26BDE
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC26BE4 pushad ; ret 2_2_6DC26BE6
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC26BE9 push edi; ret 2_2_6DC26BEA
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC26BA4 push esi; ret 2_2_6DC26BAA
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC26BB0 pushad ; ret 2_2_6DC26BB2
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC26BB5 push edi; ret 2_2_6DC26BB6
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC265CA pushad ; ret 2_2_6DC265CE
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC26596 pushad ; ret 2_2_6DC2659A
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC264D6 pushad ; ret 2_2_6DC264DA
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC2640A pushad ; ret 2_2_6DC2640E
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC287AC push 87B46DC8h; retn 006Dh2_2_6DC287B2
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC2874C push 87686DC8h; retn 006Dh2_2_6DC28766
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC286C4 push 86E06DC8h; retn 006Dh2_2_6DC286DE
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC5E675 push ecx; ret 2_2_6DC5E688
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC251C8 push ecx; retn 006Dh2_2_6DC251CA
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC251E5 push edx; retn 006Dh2_2_6DC251E6
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC25144 push cs; ret 2_2_6DC25122
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC21119 pushad ; retn 0000h2_2_6DC212B0
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC263D6 pushad ; ret 2_2_6DC263DA
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC25398 push esi; ret 2_2_6DC2539E
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC253A9 push edi; ret 2_2_6DC253AA
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC25378 pushad ; ret 2_2_6DC25379
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC26316 pushad ; ret 2_2_6DC2631A
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC26284 pushfd ; ret 2_2_6DC2624E
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeCode function: 2_2_6DC25251 push edx; retn 006Dh2_2_6DC25252
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeFile created: C:\Users\user\AppData\Roaming\archivebrowser_GD\msvcp140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeFile created: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exeJump to dropped file
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\nwpcbndnJump to dropped file
Source: C:\Users\user\Desktop\HmngBpR.exeFile created: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\vcruntime140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeFile created: C:\Users\user\AppData\Roaming\archivebrowser_GD\vcruntime140.dllJump to dropped file
Source: C:\Users\user\Desktop\HmngBpR.exeFile created: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\DuiLib_u.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeFile created: C:\Users\user\AppData\Roaming\archivebrowser_GD\DuiLib_u.dllJump to dropped file
Source: C:\Users\user\Desktop\HmngBpR.exeFile created: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\msvcp140.dllJump to dropped file
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\rghkqJump to dropped file
Source: C:\Users\user\Desktop\HmngBpR.exeFile created: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeJump to dropped file
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\rghkqJump to dropped file
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\nwpcbndnJump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\RGHKQ
Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NWPCBNDN
Source: C:\Users\user\Desktop\HmngBpR.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HmngBpR.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HmngBpR.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HmngBpR.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\explorer.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\explorer.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | API/Special instruction interceptor: Address: 6D919364
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | API/Special instruction interceptor: Address: 6D919364
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | API/Special instruction interceptor: Address: 6D919065
Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 6D913B54
Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 5FA317
Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 2EB1145
Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 30C1145
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: foregroundWindowGot 614
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: foregroundWindowGot 593
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: foregroundWindowGot 475
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: foregroundWindowGot 497
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nwpcbndn
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rghkq
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_6DC320D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,2_2_6DC320D0
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7C20D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,3_2_6D7C20D0
Source: C:\Users\user\Desktop\HmngBpR.exe | Code function: 0_2_00415F30 GetSystemInfo,0_2_00415F30
Source: cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0
Source: cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1!0
Source: cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000000A.00000002.1430569936.0000000004A9A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.0
Source: HmngBpR.exe | Binary or memory string: BQEmu
Source: C:\Users\user\Desktop\HmngBpR.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_0002264A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0002264A
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_000214C0 GetProcessHeap,__Init_thread_footer,__Init_thread_footer,2_2_000214C0
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_00022529 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00022529
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_0002264A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0002264A
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_000227E0 SetUnhandledExceptionFilter,2_2_000227E0
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_6DC5EEB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6DC5EEB8
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_6DC5F27B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6DC5F27B
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_0067264A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0067264A
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_00672529 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00672529
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_006727E0 SetUnhandledExceptionFilter,3_2_006727E0
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7EEEB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6D7EEEB8
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_6D7EF27B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6D7EF27B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 185.183.32.103 3333
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | NtQuerySystemInformation: Direct from: 0x6DCA7625
Source: C:\Users\user\Desktop\HmngBpR.exe | NtProtectVirtualMemory: Direct from: 0x7FF996FF94F5
Source: C:\Users\user\Desktop\HmngBpR.exe | NtProtectVirtualMemory: Direct from: 0x7FF996FF973A
Source: C:\Users\user\Desktop\HmngBpR.exe | NtAllocateVirtualMemory: Direct from: 0xA0A76ACB
Source: C:\Users\user\Desktop\HmngBpR.exe | NtCreateFile: Direct from: 0x7FF996FF97E6
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | NtProtectVirtualMemory: Direct from: 0x76895C59
Source: C:\Users\user\Desktop\HmngBpR.exe | NtClose: Direct from: 0x7FF996FF982C
Source: C:\Users\user\Desktop\HmngBpR.exe | NtAllocateVirtualMemory: Direct from: 0x7FF996FF8E14
Source: C:\Users\user\Desktop\HmngBpR.exe | NtQuerySystemInformation: Direct from: 0x7FF996FE6118
Source: C:\Users\user\Desktop\HmngBpR.exe | NtClose: Direct from: 0x1C
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | NtQuerySystemInformation: Direct from: 0x6D837625
Source: C:\Users\user\Desktop\HmngBpR.exe | NtQuerySystemInformation: Direct from: 0x6C006C
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | NtProtectVirtualMemory: Direct from: 0x768971D5
Source: C:\Users\user\Desktop\HmngBpR.exe | NtAllocateVirtualMemory: Direct from: 0x7FF996FE60D4
Source: C:\Users\user\Desktop\HmngBpR.exe | NtWriteFile: Direct from: 0x7FF996FF9822
Source: C:\Users\user\Desktop\HmngBpR.exe | NtAllocateVirtualMemory: Direct from: 0x7FF996FF9635
Source: C:\Users\user\Desktop\HmngBpR.exe | NtClose: Direct from: 0x29E0300
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | NtQuerySystemInformation: Direct from: 0x6DB47625
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3772 base: 5F79C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 828 base: 5F79C0 value: 55
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 5F79C0
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 5F79C0
Source: C:\Users\user\Desktop\HmngBpR.exe | Process created: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_00022835 cpuid 2_2_00022835
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: _Getdateorder,___lc_locale_name_func,__crtGetLocaleInfoEx,2_2_6DC47770
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: __crtGetLocaleInfoEx,GetLocaleInfoEx,?isfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEXXZ,GetLocaleInfoEx,GetLocaleInfoW,2_2_6DC2C160
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: _Getdateorder,___lc_locale_name_func,__crtGetLocaleInfoEx,3_2_6D7D7770
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: __crtGetLocaleInfoEx,GetLocaleInfoEx,?isfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEXXZ,GetLocaleInfoEx,GetLocaleInfoW,3_2_6D7BC160
Source: C:\Users\user\Desktop\HmngBpR.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\e7a55fe5 VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_00022B75 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_00022B75
Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe | Code function: 2_2_000213A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,2_2_000213A0
Source: C:\Users\user\AppData\Roaming\archivebrowser_GD\SplashWin.exe | Code function: 3_2_006713A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,3_2_006713A0
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in square brackets is the signature-count badge the report shows next to that technique, reproduced as displayed; techniques without a badge were not triggered)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter [3]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading [11]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [411]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [11]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [11]; Virtualization/Sandbox Evasion [1]; Process Injection [411]; Deobfuscate/Decode Files or Information [1]; Abuse Elevation Control Mechanism [1]; Obfuscated Files or Information [2]; DLL Side-Loading [11]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery [1]; Security Software Discovery [221]; Virtualization/Sandbox Evasion [1]; Process Discovery [1]; Application Window Discovery [1]; File and Directory Discovery [2]; System Information Discovery [135]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1632654 | Sample: HmngBpR.exe | Start date: 08/03/2025 | Architecture: WINDOWS | Score: 88

Root signatures: Antivirus detection for dropped file; Joe Sandbox ML detected suspicious sample

  • HmngBpR.exe 12 (node 9), started from root
      Dropped: C:\Users\user\AppData\...\vcruntime140.dll, PE32; C:\Users\user\AppData\Local\...\msvcp140.dll, PE32; C:\Users\user\AppData\Local\...\SplashWin.exe, PE32; C:\Users\user\AppData\Local\...\DuiLib_u.dll, PE32
      Signatures: Found direct / indirect Syscall (likely to bypass EDR)
      • SplashWin.exe 7 (node 15), started by node 9
          Dropped: C:\Users\user\AppData\...\vcruntime140.dll, PE32; C:\Users\user\AppData\...\msvcp140.dll, PE32; C:\Users\user\AppData\...\SplashWin.exe, PE32; C:\Users\user\AppData\...\DuiLib_u.dll, PE32
          Signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
          • SplashWin.exe 1 (node 21), started by node 15
              Signatures: Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
              • cmd.exe 4 (node 28), started by node 21
                  Dropped: C:\Users\user\AppData\Local\Temp\rghkq, PE32
                  Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Switches to a custom stack to bypass stack traces
                  • explorer.exe 5 (node 32), started by node 28
                      DNS/IP: 185.183.32.103, port 3333 (local ports 49692, 49694), WORLDSTREAMNL, Netherlands
                      Signatures: Query firmware table information (likely to detect VMs); Switches to a custom stack to bypass stack traces
                  • conhost.exe (node 36), started by node 28
  • SplashWin.exe 1 (node 13), started from root
      Signatures: Maps a DLL or memory area into another process
      • cmd.exe 2 (node 19), started by node 13
          Dropped: C:\Users\user\AppData\Local\Temp\nwpcbndn, PE32
          Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
          • explorer.exe 1 (node 24), started by node 19
              Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
          • conhost.exe (node 26), started by node 19
