Windows Analysis Report
umpdc.dll.dll

Overview

General Information

Sample name: umpdc.dll.dll (renamed because original name is a hash value)
Original sample name: umpdc.dll.exe
Analysis ID: 1639894
MD5: e18a45779115a6aa45c183ae15a1900d
SHA1: dc3d29129e96b17eaf8aeacba6f2788de793c937
SHA256: a36c0f2d5f32bd3831ec6336820d08c2865a2be3c25a7f3bd599ec9017f19b7d
Tags: 55604504RafaelFerreiradeCarvalho, exe, user-SquiblydooBlog

Detection

Score: 72
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Joe Sandbox ML detected suspicious sample
Uses known network protocols on non-standard ports
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Yara signature match

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7792 cmdline: loaddll64.exe "C:\Users\user\Desktop\umpdc.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5708 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 6408 cmdline: rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
Yara matches:
  • Source: umpdc.dll.dll | Rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown | Strings:
    • 0x491028:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
    • 0x49455e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: umpdc.dll.dll | Virustotal: Detection: 36%
Source: umpdc.dll.dll | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: umpdc.dll.dll | Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_f781d348-e
Source: umpdc.dll.dll | Static PE information: certificate valid
Source: umpdc.dll.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\usuario 2\Desktop\ProductsXRC\XRCService\XRCService\x64\Release\XRCService.pdb source: umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Desktop\ProductsXRC\XRCService\XRCService\x64\Release\XRCService.pdb"" source: umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Desktop\RESSELERS\FIVEMBYPASS\XrcBypassOnlyXRc - Copia (2)\build\xrc.pdb source: umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Downloads\Copy_dll_for_test\Copy dll for test\x64\Release\Copy dll for test.pdb source: umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Desktop\ProductsXRC\XRCService\XRCService\x64\Release\XRCRuntime.pdb source: umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Desktop\ProductsXRC\XRCService\XRCService\Release\XRCRuntime.pdb source: umpdc.dll.dll

Networking

Source: C:\Windows\System32\rundll32.exe | Network Connect: 3.142.247.110 3030
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 3030
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 3030
Source: unknown | Network traffic detected: HTTP traffic on port 3030 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 3030 -> 49730
Source: global traffic | TCP traffic: 192.168.2.5:49727 -> 3.142.247.110:3030
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | TCP traffic detected without corresponding DNS query: 3.142.247.110 (reported 12 times)
Source: global traffic | HTTP traffic detected (seen twice, once per connection):
  GET /api/init?version=2.0.0&applicationId=794350295286546433 HTTP/1.1
  Host: 3.142.247.110:3030
  Accept: */*
  Content-Type: application/json
  user-agent: xrc
Source: umpdc.dll.dll | String found in binary or memory: http://3.142.247.110:3030/api/init?version=
Source: umpdc.dll.dll | String found in binary or memory: http://3.142.247.110:3030/api/init?version=&applicationId=user-agent:
Source: loaddll64.exe, 00000000.00000002.2540917419.00000196DC268000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.2540917419.00000196DC259000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1398017440.00000244FED08000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1398017440.00000244FED00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433
Source: loaddll64.exe, 00000000.00000002.2540917419.00000196DC259000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433%
Source: rundll32.exe, 00000003.00000002.1398017440.00000244FED00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433:
Source: loaddll64.exe, 00000000.00000002.2540917419.00000196DC268000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433B
Source: rundll32.exe, 00000003.00000002.1398017440.00000244FED08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433l%
Source: umpdc.dll.dll | String found in binary or memory: http://3.142.247.110:3030/api/login?userId=
Source: umpdc.dll.dll | String found in binary or memory: http://3.142.247.110:3030/api/login?userId=UnknownDiskC:
Source: umpdc.dll.dll | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: umpdc.dll.dll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVE36.crl0
Source: umpdc.dll.dll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootE46.crl0
Source: umpdc.dll.dll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: umpdc.dll.dll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: umpdc.dll.dll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVE36.crt0#
Source: umpdc.dll.dll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootE46.p7c0#
Source: umpdc.dll.dll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: umpdc.dll.dll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: umpdc.dll.dll | String found in binary or memory: http://ocsp.comodoca.com0
Source: umpdc.dll.dll | String found in binary or memory: http://ocsp.sectigo.com0
Source: umpdc.dll.dll | String found in binary or memory: http://ocsp.sectigo.com0F
Source: umpdc.dll.dll | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: umpdc.dll.dll | String found in binary or memory: https://sectigo.com/CPS0

System Summary

Source: umpdc.dll.dll, type: SAMPLE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: umpdc.dll.dll, type: SAMPLE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine | Classification label: mal72.troj.evad.winDLL@6/0@0/2
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: umpdc.dll.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1
Source: umpdc.dll.dll | Virustotal: Detection: 36%
Source: umpdc.dll.dll | ReversingLabs: Detection: 36%
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\umpdc.dll.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Sections loaded:
  • apphelp.dll
  • d3d9.dll
  • msvcp140.dll
  • userenv.dll
  • vcruntime140_1.dll
  • vcruntime140.dll
  • kernel.appcore.dll
  • dwmapi.dll
  • windows.storage.dll
  • wldp.dll
  • secur32.dll
  • sspicli.dll
  • iphlpapi.dll
  • mswsock.dll
  • uxtheme.dll
  • d3d10warp.dll
  • resourcepolicyclient.dll
  • dxcore.dll
  • winmm.dll
  • xinput1_4.dll
  • devobj.dll
  • inputhost.dll
  • coremessaging.dll
  • propsys.dll
  • wintypes.dll
  • coreuicomponents.dll
  • ntmarta.dll
  • cryptbase.dll
  • textinputframework.dll
  • msasn1.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: umpdc.dll.dll | Static PE information: certificate valid
Source: umpdc.dll.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: umpdc.dll.dll | Static file information: File size 4858368 > 1048576
Source: umpdc.dll.dll | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x3b9e00
Source: umpdc.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: umpdc.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: umpdc.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: umpdc.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: umpdc.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: umpdc.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: umpdc.dll.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\usuario 2\Desktop\ProductsXRC\XRCService\XRCService\x64\Release\XRCService.pdb source: umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Desktop\ProductsXRC\XRCService\XRCService\x64\Release\XRCService.pdb"" source: umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Desktop\RESSELERS\FIVEMBYPASS\XrcBypassOnlyXRc - Copia (2)\build\xrc.pdb source: umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Downloads\Copy_dll_for_test\Copy dll for test\x64\Release\Copy dll for test.pdb source: umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Desktop\ProductsXRC\XRCService\XRCService\x64\Release\XRCRuntime.pdb source: umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Desktop\ProductsXRC\XRCService\XRCService\Release\XRCRuntime.pdb source: umpdc.dll.dll
Source: umpdc.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: umpdc.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: umpdc.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: umpdc.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: umpdc.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Hooking and other Techniques for Hiding and Protection

Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 3030
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 3030
Source: unknown | Network traffic detected: HTTP traffic on port 3030 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 3030 -> 49730
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe | Window / User API: foregroundWindowGot 370
Source: C:\Windows\System32\loaddll64.exe | Window / User API: foregroundWindowGot 753
Source: C:\Windows\System32\loaddll64.exe TID: 7772 | Thread sleep time: -120000s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000
Source: umpdc.dll.dll | Binary or memory string: qEmUx
Source: loaddll64.exe, 00000000.00000002.2540917419.00000196DC277000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluux
Source: rundll32.exe, 00000003.00000002.1398017440.00000244FED34000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe | Network Connect: 3.142.247.110 3030
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1
MITRE ATT&CK matrix (the 14-column table was flattened by extraction; rebuilt here per tactic column with one entry per matrix row; the digits in brackets are the signature-count badges the report shows next to a technique):
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
  • Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
  • Privilege Escalation: Process Injection [111]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook
  • Defense Evasion: Rundll32 [1]; Virtualization/Sandbox Evasion [11]; Process Injection [111]; DLL Side-Loading [1]
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
  • Discovery: Security Software Discovery [1]; Virtualization/Sandbox Evasion [11]; Application Window Discovery [1]; System Information Discovery [1]
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  • Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Command and Control: Non-Standard Port [11]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Ingress Tool Transfer [1]
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior graph (rendered as an image in the report; the recoverable graph text is summarised here):
  • Behavior Graph ID: 1639894; Sample: umpdc.dll.dll; Start date: 16/03/2025; Architecture: WINDOWS; Score: 72
  • Signatures attached to the start node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Uses known network protocols on non-standard ports; Joe Sandbox ML detected suspicious sample
  • Process nodes: loaddll64.exe started; it started cmd.exe and conhost.exe; cmd.exe started rundll32.exe
  • Network nodes reached from loaddll64.exe: 3.142.247.110 (ports 3030, 49727, 49730; AMAZON-02US; United States); 127.0.0.1 (unknown, unknown)
  • Signature attached to rundll32.exe: System process connects to network (likely due to code injection or exploit)

Antivirus detection (sample):
  • Source: umpdc.dll.dll | Detection: 37% | Scanner: Virustotal
  • Source: umpdc.dll.dll | Detection: 36% | Scanner: ReversingLabs | Label: Win64.Exploit.DonutMarte
No Antivirus matches
No Antivirus matches
No Antivirus matches
Antivirus detection (URLs):
  • http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433: | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
  • http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433% | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
  • http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433 | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
  • http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433l% | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
  • http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433B | Detection: 0% | Scanner: Avira URL Cloud | Label: safe

No contacted domains info
Contacted URLs:
  • http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433 | Malicious: true | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown
URLs from memory and binaries:
  • http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • http://crl.sectigo.com/SectigoPublicCodeSigningCAEVE36.crl0 | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • https://sectigo.com/CPS0 | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433l% | Source: rundll32.exe, 00000003.00000002.1398017440.00000244FED08000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown
  • http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433: | Source: rundll32.exe, 00000003.00000002.1398017440.00000244FED00000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown
  • http://ocsp.sectigo.com0 | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • http://3.142.247.110:3030/api/login?userId=UnknownDiskC: | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433% | Source: loaddll64.exe, 00000000.00000002.2540917419.00000196DC259000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown
  • http://3.142.247.110:3030/api/init?version=&applicationId=user-agent: | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433B | Source: loaddll64.exe, 00000000.00000002.2540917419.00000196DC268000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown
  • http://3.142.247.110:3030/api/init?version= | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • http://crt.sectigo.com/SectigoPublicCodeSigningCAEVE36.crt0# | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • http://crl.sectigo.com/SectigoPublicCodeSigningRootE46.crl0 | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • http://crt.sectigo.com/SectigoPublicCodeSigningRootE46.p7c0# | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • http://ocsp.sectigo.com0F | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • https://curl.haxx.se/docs/http-cookies.html | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • http://3.142.247.110:3030/api/login?userId= | Source: umpdc.dll.dll | Malicious: false | Reputation: high
  • http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | Source: umpdc.dll.dll | Malicious: false | Reputation: high
Contacted public IPs:
  • 3.142.247.110 | Domain: unknown | Country: United States | ASN: 16509 | ASN Name: AMAZON-02US | Malicious: true
Other contacted IPs:
  • 127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1639894
Start date and time: 2025-03-16 14:30:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: umpdc.dll.dll (renamed because original name is a hash value)
Original Sample Name: umpdc.dll.exe
Detection: MAL
Classification: mal72.troj.evad.winDLL@6/0@0/2
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 52.149.20.212, 20.223.35.26, 150.171.27.10, 2.19.96.27
  • Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
                                  No simulations
Similar samples sharing the contacted IP (Match: 3.142.247.110):
  • Spotify.exe | Detection: malicious | Threat Name: Unknown | Context: 3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433
  • ExitLag.exe | Detection: malicious | Threat Name: Unknown | Context: 3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433
  • umpdc.dll.dll | Detection: malicious | Threat Name: Unknown | Context: 3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433
  • gY0yYzKJIm.exe | Detection: malicious | Threat Name: Unknown | Context: 3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433
No context
Similar samples sharing the ASN (Match: AMAZON-02US):
  • Spotify.exe | Detection: malicious | Threat Name: Unknown | Context: 3.142.247.110
  • ExitLag.exe | Detection: malicious | Threat Name: Unknown | Context: 3.142.247.110
  • umpdc.dll.dll | Detection: malicious | Threat Name: Unknown | Context: 3.142.247.110
  • Nyx4r.arm.elf | Detection: malicious | Threat Name: Okiru | Context: 13.214.56.68
  • e7vNXyeU1F.exe | Detection: malicious | Threat Name: Njrat, PureLog Stealer, zgRAT | Context: 52.74.74.86
  • AWB.Shipment.Document(16 Mar 2025).pdf.html | Detection: malicious | Threat Name: HTMLPhisher | Context: 18.245.60.14
  • picture_20250316.exe.bin.exe | Detection: malicious | Threat Name: Unknown | Context: 3.5.150.157
  • picture_20250316.exe.bin.exe | Detection: malicious | Threat Name: Unknown | Context: 3.5.150.209
  • na.elf | Detection: malicious | Threat Name: Prometei | Context: 52.43.119.120
No context
No context
                                  No created / dropped files found
File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit): 7.861831839059265
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name: umpdc.dll.dll
File size: 4'858'368 bytes
MD5: e18a45779115a6aa45c183ae15a1900d
SHA1: dc3d29129e96b17eaf8aeacba6f2788de793c937
SHA256: a36c0f2d5f32bd3831ec6336820d08c2865a2be3c25a7f3bd599ec9017f19b7d
SHA512: bb9a9bb78d8644d28f7a35b7c4c14a9f0ba33d89dab6f5aabeb9fc7b73edbda200e3643a1d96b6eca2ae4a46e92d805a20a429c6069766350324ded74cef4b14
SSDEEP: 98304:WIRGdE2aYQqJSdDkYpdR8fGQV7Cs4LR7aqqP4CEY:WIRS6bA0dmfTFSLJ0EY
TLSH: 9C261243B3A404E9D1A7C13DC55BA71BEB71748913109BC723E4C6692FA37E12A7B361
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........-<x.LR+.LR+.LR+.4.+.LR+k..+.LR+k.V*.LR+k.Q*.LR+k.W*.LR+k.S*.LR+/<V*.LR+.4V*.LR+.4S*.LR+..)+.LR+.LS+.NR+Z.[*.LR+Z..+.LR+Z.P*.LR
Icon Hash: 7ae282899bbab082
Entrypoint: 0x1800b5d78
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x180000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x67D5EDD9 [Sat Mar 15 21:15:05 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: ed6a50300bbdf32eab85f5f7a9c9f97e
Signature Valid: true
Signature Issuer: CN=Sectigo Public Code Signing CA EV E36, O=Sectigo Limited, C=GB
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 20/02/2025 01:00:00
Not After: 31/10/2025 00:59:59
Subject Chain:
  • CN=55.604.504 Rafael Ferreira de Carvalho, O=55.604.504 Rafael Ferreira de Carvalho, S=Distrito Federal, C=BR, OID.2.5.4.15=Business Entity, OID.1.3.6.1.4.1.311.60.2.1.3=BR, SERIALNUMBER=55.604.504/0001-02
                                  Version:3
                                  Thumbprint MD5:664DD97F1F82BC95750F61E70AB0D7FE
                                  Thumbprint SHA-1:BBED9DEAE08E2CD1302C6A8D98325BC4441066AF
                                  Thumbprint SHA-256:93BD8F88FC48C6253272C2E0B49C787E4B9ADCAA3043B74A674CF08DF1F3FA05
                                  Serial:77344A8C067A2B9BB97938F227B7D39F
                                  Instruction
                                  dec eax
                                  mov dword ptr [esp+08h], ebx
                                  dec eax
                                  mov dword ptr [esp+10h], esi
                                  push edi
                                  dec eax
                                  sub esp, 20h
                                  dec ecx
                                  mov edi, eax
                                  mov ebx, edx
                                  dec eax
                                  mov esi, ecx
                                  cmp edx, 01h
                                  jne 00007F7BD8DABDF7h
                                  call 00007F7BD8DAC2D4h
                                  dec esp
                                  mov eax, edi
                                  mov edx, ebx
                                  dec eax
                                  mov ecx, esi
                                  dec eax
                                  mov ebx, dword ptr [esp+30h]
                                  dec eax
                                  mov esi, dword ptr [esp+38h]
                                  dec eax
                                  add esp, 20h
                                  pop edi
                                  jmp 00007F7BD8DABC84h
                                  int3
                                  int3
                                  int3
                                  dec eax
                                  sub esp, 28h
                                  dec ebp
                                  mov eax, dword ptr [ecx+38h]
                                  dec eax
                                  mov ecx, edx
                                  dec ecx
                                  mov edx, ecx
                                  call 00007F7BD8DABE02h
                                  mov eax, 00000001h
                                  dec eax
                                  add esp, 28h
                                  ret
                                  int3
                                  int3
                                  int3
                                  inc eax
                                  push ebx
                                  inc ebp
                                  mov ebx, dword ptr [eax]
                                  dec eax
                                  mov ebx, edx
                                  inc ecx
                                  and ebx, FFFFFFF8h
                                  dec esp
                                  mov ecx, ecx
                                  inc ecx
                                  test byte ptr [eax], 00000004h
                                  dec esp
                                  mov edx, ecx
                                  je 00007F7BD8DABE05h
                                  inc ecx
                                  mov eax, dword ptr [eax+08h]
                                  dec ebp
                                  arpl word ptr [eax+04h], dx
                                  neg eax
                                  dec esp
                                  add edx, ecx
                                  dec eax
                                  arpl ax, cx
                                  dec esp
                                  and edx, ecx
                                  dec ecx
                                  arpl bx, ax
                                  dec edx
                                  mov edx, dword ptr [eax+edx]
                                  dec eax
                                  mov eax, dword ptr [ebx+10h]
                                  mov ecx, dword ptr [eax+08h]
                                  dec eax
                                  mov eax, dword ptr [ebx+08h]
                                  test byte ptr [ecx+eax+03h], 0000000Fh
                                  je 00007F7BD8DABDFDh
                                  movzx eax, byte ptr [ecx+eax+03h]
                                  and eax, FFFFFFF0h
                                  dec esp
                                  add ecx, eax
                                  dec esp
                                  xor ecx, edx
                                  dec ecx
                                  mov ecx, ecx
                                  pop ebx
                                  jmp 00007F7BD8DAB112h
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  Programming Language:
                                  • [IMP] VS2008 SP1 build 30729
                                  • [IMP] VS2005 build 50727
                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdc9c8 | 0x21c | .rdata
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4a6000 | 0x1e8 | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x49e000 | 0x7980 | .pdata
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x49fc00 | 0x2600 | .pdata
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4a7000 | 0x6e8 | .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd0520 | 0x70 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0xd0600 | 0x28 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xd03e0 | 0x140 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0xb9000 | 0xbb0 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   .text | 0x1000 | 0xb704c | 0xb7200 | 5504315416051401117b8a6b8b647825 | False | 0.5446685686860068 | data | 6.458282046610627 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                   .rdata | 0xb9000 | 0x26212 | 0x26400 | eda209864668fca3c35338fc73bd222e | False | 0.431078941993464 | data | 5.837565100733321 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .data | 0xe0000 | 0x3bd7c8 | 0x3b9e00 | d50c13ea168772c2db9042113269c6b6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .pdata | 0x49e000 | 0x7980 | 0x7a00 | e899a31702aa64922455f2ee42e37349 | False | 0.4803726946721312 | data | 5.974498782946775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .rsrc | 0x4a6000 | 0x1e8 | 0x200 | 79b1ae82c40840f62ec267f53198119d | False | 0.5390625 | data | 4.7751812307546855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc | 0x4a7000 | 0x6e8 | 0x800 | 674eb2ea826f29da2f8bd410d4915962 | False | 0.47265625 | data | 5.00514436394762 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                   RT_MANIFEST | 0x4a6060 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
                                   DLL | Import
                                   d3d9.dll | Direct3DCreate9
                                   KERNEL32.dll | GetCurrentProcessId, GetProcessHeap, CreateRemoteThread, VirtualFreeEx, GetExitCodeProcess, GetTickCount, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetFileSizeEx, CreateFileA, FormatMessageA, SetLastError, WaitForMultipleObjects, PeekNamedPipe, ReadFile, GetFileType, GetStdHandle, GetEnvironmentVariableA, WaitForSingleObjectEx, MoveFileExA, VerifyVersionInfoA, GetSystemDirectoryA, SleepEx, LeaveCriticalSection, EnterCriticalSection, GetVolumeInformationA, HeapSize, VirtualAllocEx, WakeAllConditionVariable, SleepConditionVariableSRW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, HeapDestroy, HeapAlloc, HeapReAlloc, WaitForSingleObject, InitializeCriticalSectionEx, RtlAddFunctionTable, HeapFree, WriteProcessMemory, CreateThread, DisableThreadLibraryCalls, QueryPerformanceCounter, VerSetConditionMask, QueryPerformanceFrequency, GlobalUnlock, WideCharToMultiByte, GlobalLock, GlobalFree, GlobalAlloc, FreeLibraryAndExitThread, Sleep, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, OutputDebugStringW, FreeLibrary, ReadProcessMemory, LocalFree, GetProcAddress, LoadLibraryA, GetModuleHandleA, VirtualProtectEx, MultiByteToWideChar, OpenProcess, CloseHandle, DeleteCriticalSection, Process32FirstW, Process32NextW, Process32Next, GetLastError, CreateToolhelp32Snapshot, GetCurrentProcess, Process32First
                                   USER32.dll | MessageBoxA, SetClipboardData, GetClipboardData, EmptyClipboard, CloseClipboard, OpenClipboard, GetCursorPos, ReleaseDC, SetCursorPos, IsIconic, SetForegroundWindow, ReleaseCapture, RegisterClassExA, SetWindowLongPtrA, IsWindowUnicode, UnregisterClassA, GetClientRect, SetWindowDisplayAffinity, GetActiveWindow, SetWindowLongW, SetCursor, SetCapture, BringWindowToTop, DispatchMessageA, SetLayeredWindowAttributes, CreateWindowExA, DefWindowProcA, GetForegroundWindow, GetMonitorInfoA, TrackMouseEvent, IsChild, ClientToScreen, SetWindowLongA, GetCapture, ShowWindow, WindowFromPoint, SetWindowTextW, UnregisterClassW, EnumDisplayMonitors, MonitorFromWindow, SetWindowPos, GetDC, DestroyWindow, LoadCursorA, GetMessageExtraInfo, GetKeyState, AdjustWindowRectEx, MessageBoxW, SetFocus, ScreenToClient, RegisterClassExW, TranslateMessage, PeekMessageA, FindWindowA, GetWindowLongW, UpdateWindow
                                   GDI32.dll | GetDeviceCaps
                                   ADVAPI32.dll | CryptDestroyKey, CryptImportKey, CryptEncrypt, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetTokenInformation, GetLengthSid, IsValidSid, CopySid, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGenRandom, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA, ConvertSidToStringSidA
                                   ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize
                                   OLEAUT32.dll | VariantClear
                                   MSVCP140.dll | ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ?_Throw_Cpp_error@std@@YAXH@Z, _Cnd_do_broadcast_at_thread_exit, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?_Random_device@std@@YAIXZ, _Thrd_detach, ?_Xbad_function_call@std@@YAXXZ, ?_Xlength_error@std@@YAXPEBD@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
                                   IMM32.dll | ImmGetContext, ImmReleaseContext, ImmSetCandidateWindow, ImmSetCompositionWindow
                                   USERENV.dll | UnloadUserProfile
                                   VCRUNTIME140_1.dll | __CxxFrameHandler4
                                   VCRUNTIME140.dll | __std_exception_copy, __C_specific_handler, memcpy, memset, __std_exception_destroy, __std_terminate, memmove, memcmp, memchr, _CxxThrowException, strstr, __current_exception, strrchr, strchr, __std_type_info_destroy_list, __current_exception_context
                                   api-ms-win-crt-heap-l1-1-0.dll | calloc, free, malloc, realloc, _callnewh
                                   api-ms-win-crt-runtime-l1-1-0.dll | _beginthreadex, _initterm, _getpid, strerror, exit, _resetstkoflw, _crt_atexit, _cexit, _invalid_parameter_noinfo, __sys_nerr, _initterm_e, _seh_filter_dll, _configure_narrow_argv, _initialize_narrow_environment, _execute_onexit_table, _initialize_onexit_table, _register_onexit_function, _errno, _invalid_parameter_noinfo_noreturn, terminate
                                   api-ms-win-crt-string-l1-1-0.dll | strncpy, strncmp, strcmp, tolower, _stricmp, isupper, _strdup, strspn, strpbrk, strcspn
                                   api-ms-win-crt-stdio-l1-1-0.dll | _read, fopen, fputs, __acrt_iob_func, fputc, _write, feof, _close, __stdio_common_vfprintf, _lseeki64, __stdio_common_vsscanf, fread, _open, __stdio_common_vsprintf, _wfopen, fwrite, fgets, fseek, fclose, fflush, ftell
                                   api-ms-win-crt-time-l1-1-0.dll | _gmtime64, _time64
                                   api-ms-win-crt-utility-l1-1-0.dll | qsort
                                   api-ms-win-crt-convert-l1-1-0.dll | strtoll, strtod, atoi, strtol, strtoull, strtoul
                                   api-ms-win-crt-filesystem-l1-1-0.dll | _stat64, _access, _unlink, _fstat64
                                   api-ms-win-crt-locale-l1-1-0.dll | localeconv
                                   Normaliz.dll | IdnToAscii
                                   WLDAP32.dll |
                                   CRYPT32.dll | CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore, CertFreeCertificateChain
                                   WS2_32.dll | socket, setsockopt, ntohs, ntohl, gethostname, sendto, recvfrom, freeaddrinfo, getaddrinfo, WSASetLastError, select, WSAIoctl, WSAStartup, htonl, listen, closesocket, recv, send, WSAGetLastError, bind, connect, getpeername, getsockname, getsockopt, htons, WSACleanup, ioctlsocket, __WSAFDIsSet, accept
                                   api-ms-win-crt-math-l1-1-0.dll | sqrtf, acosf, cosf, ceilf, fmodf, pow, sinf, sqrt, _dclass
                                   Language of compilation system | Country where language is spoken
                                   English | United States


                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Mar 16, 2025 14:31:08.504292011 CET | 49727 | 3030 | 192.168.2.5 | 3.142.247.110
                                   Mar 16, 2025 14:31:08.509063959 CET | 3030 | 49727 | 3.142.247.110 | 192.168.2.5
                                   Mar 16, 2025 14:31:08.509135008 CET | 49727 | 3030 | 192.168.2.5 | 3.142.247.110
                                   Mar 16, 2025 14:31:08.509406090 CET | 49727 | 3030 | 192.168.2.5 | 3.142.247.110
                                   Mar 16, 2025 14:31:08.514065981 CET | 3030 | 49727 | 3.142.247.110 | 192.168.2.5
                                   Mar 16, 2025 14:31:08.590935946 CET | 49730 | 3030 | 192.168.2.5 | 3.142.247.110
                                   Mar 16, 2025 14:31:08.595653057 CET | 3030 | 49730 | 3.142.247.110 | 192.168.2.5
                                   Mar 16, 2025 14:31:08.595721960 CET | 49730 | 3030 | 192.168.2.5 | 3.142.247.110
                                   Mar 16, 2025 14:31:08.596909046 CET | 49730 | 3030 | 192.168.2.5 | 3.142.247.110
                                   Mar 16, 2025 14:31:08.601574898 CET | 3030 | 49730 | 3.142.247.110 | 192.168.2.5
                                   Mar 16, 2025 14:31:09.122129917 CET | 3030 | 49727 | 3.142.247.110 | 192.168.2.5
                                   Mar 16, 2025 14:31:09.163378000 CET | 49727 | 3030 | 192.168.2.5 | 3.142.247.110
                                   Mar 16, 2025 14:31:09.211451054 CET | 3030 | 49730 | 3.142.247.110 | 192.168.2.5
                                   Mar 16, 2025 14:31:09.257941961 CET | 49730 | 3030 | 192.168.2.5 | 3.142.247.110
                                   Mar 16, 2025 14:31:14.138504982 CET | 3030 | 49727 | 3.142.247.110 | 192.168.2.5
                                   Mar 16, 2025 14:31:14.138576031 CET | 49727 | 3030 | 192.168.2.5 | 3.142.247.110
                                   Mar 16, 2025 14:31:14.217003107 CET | 3030 | 49730 | 3.142.247.110 | 192.168.2.5
                                   Mar 16, 2025 14:31:14.217170954 CET | 49730 | 3030 | 192.168.2.5 | 3.142.247.110
                                   Mar 16, 2025 14:31:14.707845926 CET | 49730 | 3030 | 192.168.2.5 | 3.142.247.110
                                   Mar 16, 2025 14:33:09.036485910 CET | 49727 | 3030 | 192.168.2.5 | 3.142.247.110
                                  • 3.142.247.110:3030
                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   0 | 192.168.2.5 | 49727 | 3.142.247.110 | 3030 | 7792 | C:\Windows\System32\loaddll64.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Mar 16, 2025 14:31:08.509406090 CET | 161 | OUT | GET /api/init?version=2.0.0&applicationId=794350295286546433 HTTP/1.1
                                  Host: 3.142.247.110:3030
                                  Accept: */*
                                  Content-Type: application/json
                                  user-agent: xrc
                                   Mar 16, 2025 14:31:09.122129917 CET | 290 | IN | HTTP/1.1 200 OK
                                  X-Powered-By: Express
                                  Content-Type: application/json; charset=utf-8
                                  Content-Length: 55
                                  ETag: W/"37-s+MY0AqOQiV4rr+v6rWU/lnQjJg"
                                  Date: Sun, 16 Mar 2025 13:31:09 GMT
                                  Connection: keep-alive
                                  Keep-Alive: timeout=5
                                  Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 49 6e 69 74 69 61 6c 69 7a 65 64 22 2c 22 6b 65 79 22 3a 22 78 72 63 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 32 2e 30 2e 30 22 7d
                                  Data Ascii: {"message":"Initialized","key":"xrc","version":"2.0.0"}


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   1 | 192.168.2.5 | 49730 | 3.142.247.110 | 3030 | 6408 | C:\Windows\System32\rundll32.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Mar 16, 2025 14:31:08.596909046 CET | 161 | OUT | GET /api/init?version=2.0.0&applicationId=794350295286546433 HTTP/1.1
                                  Host: 3.142.247.110:3030
                                  Accept: */*
                                  Content-Type: application/json
                                  user-agent: xrc
                                   Mar 16, 2025 14:31:09.211451054 CET | 290 | IN | HTTP/1.1 200 OK
                                  X-Powered-By: Express
                                  Content-Type: application/json; charset=utf-8
                                  Content-Length: 55
                                  ETag: W/"37-s+MY0AqOQiV4rr+v6rWU/lnQjJg"
                                  Date: Sun, 16 Mar 2025 13:31:09 GMT
                                  Connection: keep-alive
                                  Keep-Alive: timeout=5
                                  Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 49 6e 69 74 69 61 6c 69 7a 65 64 22 2c 22 6b 65 79 22 3a 22 78 72 63 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 32 2e 30 2e 30 22 7d
                                  Data Ascii: {"message":"Initialized","key":"xrc","version":"2.0.0"}



                                  Target ID:0
                                  Start time:09:31:07
                                  Start date:16/03/2025
                                  Path:C:\Windows\System32\loaddll64.exe
                                  Wow64 process (32bit):false
                                  Commandline:loaddll64.exe "C:\Users\user\Desktop\umpdc.dll.dll"
                                  Imagebase:0x7ff720fc0000
                                  File size:165'888 bytes
                                  MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:1
                                  Start time:09:31:07
                                  Start date:16/03/2025
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7e2000000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:2
                                  Start time:09:31:08
                                  Start date:16/03/2025
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1
                                  Imagebase:0x7ff715cd0000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:09:31:08
                                  Start date:16/03/2025
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1
                                  Imagebase:0x7ff634fe0000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  No disassembly