Windows Analysis Report
umpdc.dll.dll

Overview

General Information

Sample name: umpdc.dll.dll
(renamed because original name is a hash value)
Original sample name: umpdc.dll.exe
Analysis ID: 1639896
MD5: dd5786017a7e33928a7e0920e9b36431
SHA1: bc1fa76699fb97657a54aca55322223867d1cd05
SHA256: 013320e6129b955de4349b63363856c5690eb34c63bba1b419e197544302e3a5
Tags: 55604504, RafaelFerreiradeCarvalho, exe, user-SquiblydooBlog

Detection

Score: 80
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Joe Sandbox ML detected suspicious sample
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Yara signature match

Classification

Classification chart (labels only): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
  • System is w10x64
  • loaddll64.exe (PID: 6852 cmdline: loaddll64.exe "C:\Users\user\Desktop\umpdc.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2972 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 5248 cmdline: rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • WerFault.exe (PID: 2272 cmdline: C:\Windows\system32\WerFault.exe -u -p 5248 -s 404 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
umpdc.dll.dll | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x490c28:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x49415e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source | Rule | Description | Author | Strings
00000003.00000002.1238563188.00007FF9966F9000.00000008.00000001.01000000.00000003.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x3a9628:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x3acb5e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source | Rule | Description | Author | Strings
3.2.rundll32.exe.7ff9967041c0.4.raw.unpack | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x39e468:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x3a199e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
3.2.rundll32.exe.7ff9966fe5c0.3.raw.unpack | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x3a4068:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x3a759e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
3.2.rundll32.exe.7ff996610000.0.unpack | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x490c28:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x49415e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: umpdc.dll.dll | Avira: detected
Source: umpdc.dll.dll | Virustotal: Detection: 53%
Source: umpdc.dll.dll | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: rundll32.exe, 00000003.00000002.1238443435.00007FF9966C8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_5ed5e890-a
Source: umpdc.dll.dll | Static PE information: certificate valid
Source: umpdc.dll.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\usuario 2\Desktop\ProductsXRC\XRCService\XRCService\x64\Release\XRCService.pdb source: umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Desktop\ProductsXRC\XRCService\XRCService\x64\Release\XRCService.pdb"" source: umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Desktop\RESSELERS\FIVEMBYPASS\XrcBypassOnlyXRc - Copia (2)\build\xrc.pdb source: rundll32.exe, 00000003.00000002.1238443435.00007FF9966C8000.00000002.00000001.01000000.00000003.sdmp, umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Downloads\Copy_dll_for_test\Copy dll for test\x64\Release\Copy dll for test.pdb source: rundll32.exe, 00000003.00000002.1238512883.00007FF9966F0000.00000008.00000001.01000000.00000003.sdmp, umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Desktop\ProductsXRC\XRCService\XRCService\x64\Release\XRCRuntime.pdb source: umpdc.dll.dll
Source: Binary string: C:\Users\usuario 2\Desktop\ProductsXRC\XRCService\XRCService\Release\XRCRuntime.pdb source: umpdc.dll.dll

Networking

Source: C:\Windows\System32\rundll32.exe | Network Connect: 3.142.247.110 3030
Source: unknown | Network traffic detected: HTTP traffic on port 49688 -> 3030
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 3030
Source: unknown | Network traffic detected: HTTP traffic on port 3030 -> 49688
Source: unknown | Network traffic detected: HTTP traffic on port 3030 -> 49691
Source: global traffic | TCP traffic: 192.168.2.8:49688 -> 3.142.247.110:3030
Source: global traffic | TCP traffic: 192.168.2.8:51994 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 3.142.247.110
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)
Source: unknown | TCP traffic detected without corresponding DNS query: 3.142.247.110
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /api/init?version=2.0.0&applicationId=794350295286546433 HTTP/1.1; Host: 3.142.247.110:3030; Accept: */*; Content-Type: application/json; user-agent: xrc
Source: global traffic | DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: rundll32.exe, 00000003.00000002.1238443435.00007FF9966C8000.00000002.00000001.01000000.00000003.sdmp, umpdc.dll.dll | String found in binary or memory: http://3.142.247.110:3030/api/init?version=
Source: loaddll64.exe, 00000000.00000002.2036668654.000001B9655E9000.00000004.00000020.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.2036668654.000001B9655F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1236234293.0000018235A40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1236234293.0000018235A48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433
Source: loaddll64.exe, 00000000.00000002.2036668654.000001B9655E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1236234293.0000018235A48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=7943502952865464333
Source: rundll32.exe, 00000003.00000002.1236234293.0000018235A40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=7943502952865464333.142.247.1103030Wi
Source: rundll32.exe, 00000003.00000002.1238443435.00007FF9966C8000.00000002.00000001.01000000.00000003.sdmp, umpdc.dll.dll | String found in binary or memory: http://3.142.247.110:3030/api/init?version=auth
Source: rundll32.exe, 00000003.00000002.1238443435.00007FF9966C8000.00000002.00000001.01000000.00000003.sdmp, umpdc.dll.dll | String found in binary or memory: http://3.142.247.110:3030/api/login?userId=
Source: rundll32.exe, 00000003.00000002.1238443435.00007FF9966C8000.00000002.00000001.01000000.00000003.sdmp, umpdc.dll.dll | String found in binary or memory: http://3.142.247.110:3030/api/login?userId=&hwid=C:
Source: umpdc.dll.dll | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: umpdc.dll.dll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVE36.crl0
Source: umpdc.dll.dll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootE46.crl0
Source: umpdc.dll.dll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: umpdc.dll.dll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: umpdc.dll.dll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVE36.crt0#
Source: umpdc.dll.dll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootE46.p7c0#
Source: umpdc.dll.dll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: umpdc.dll.dll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: umpdc.dll.dll | String found in binary or memory: http://ocsp.comodoca.com0
Source: umpdc.dll.dll | String found in binary or memory: http://ocsp.sectigo.com0
Source: umpdc.dll.dll | String found in binary or memory: http://ocsp.sectigo.com0F
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000003.00000002.1238443435.00007FF9966C8000.00000002.00000001.01000000.00000003.sdmp, umpdc.dll.dll | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: umpdc.dll.dll | String found in binary or memory: https://sectigo.com/CPS0

System Summary

Source: umpdc.dll.dll, type: SAMPLE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 3.2.rundll32.exe.7ff9967041c0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 3.2.rundll32.exe.7ff9966fe5c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 3.2.rundll32.exe.7ff996610000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000003.00000002.1238563188.00007FF9966F9000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5248 -s 404
Source: umpdc.dll.dll, type: SAMPLE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 3.2.rundll32.exe.7ff9967041c0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 3.2.rundll32.exe.7ff9966fe5c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 3.2.rundll32.exe.7ff996610000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000003.00000002.1238563188.00007FF9966F9000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine | Classification label: mal80.troj.evad.winDLL@7/5@1/2
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5248
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a31f57b2-f7f5-4da5-81fc-8fb19fa1c7cb
Source: umpdc.dll.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\umpdc.dll.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: d3d9.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: msvcp140.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: xinput1_4.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: inputhost.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: msasn1.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: umpdc.dll.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: umpdc.dll.dll | Static file information: File size 4857344 > 1048576
Source: umpdc.dll.dll | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x3b9e00
Source: umpdc.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: umpdc.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: umpdc.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: umpdc.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: umpdc.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: umpdc.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: umpdc.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: umpdc.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: umpdc.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: umpdc.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: umpdc.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe | Window / User API: foregroundWindowGot 706
Source: C:\Windows\System32\loaddll64.exe | Window / User API: foregroundWindowGot 365
Source: C:\Windows\System32\loaddll64.exe | Window / User API: foregroundWindowGot 351
Source: C:\Windows\System32\loaddll64.exe TID: 6880 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000
Source: Amcache.hve.7.dr | Binary or memory string: VMware
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr | Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1hbin@
Source: rundll32.exe, 00000003.00000002.1236234293.0000018235A75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
Source: Amcache.hve.7.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: loaddll64.exe, 00000000.00000002.2036668654.000001B9655F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.7.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe; Network Connect: 3.142.247.110:3030
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_00007FF9966C6218 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: Amcache.hve.7.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr; Binary or memory string: MsMpEng.exe

Weighting these rows: the MsMpEng.exe paths come from the same copied Amcache.hve and record the sandbox's own Windows Defender platform installs (4.18.23080.2006 and 4.18.23090.2008), not strings in the sample, so the "AV process strings found" signature is not evidence of AV-termination logic here. The rundll32.exe code function at 0x7FF9966C6218 (GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter) is the MSVC CRT GS-cookie initialiser that every /GS-compiled binary runs at startup and is a weak signal. The substantive findings in this block are the rundll32.exe connection to 3.142.247.110:3030 and cmd.exe launching rundll32.exe on the DLL's ordinal #1 export.
MITRE ATT&CK matrix, per tactic. Leading numbers are the report's signature-count badges (several badges in one cell are run together in this copy, e.g. 111); techniques without a badge are the matrix's empty default cells and were not observed.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 11 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Rundll32; 1 DLL Side-Loading; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 System Time Discovery; 11 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 11 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

The DLL Side-Loading badges reflect the sample's file name: umpdc.dll is the name of a legitimate Windows System32 library (User Mode Power Dependency Coordinator), which is the side-loading context a defender should check for on any host where this hash turns up outside System32.
Behavior Graph (ID 1639896; sample umpdc.dll.dll; start date 16/03/2025; architecture WINDOWS; score 80)

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures. DNS: 18.31.95.13.in-addr.arpa
loaddll64.exe (started): connects to 3.142.247.110 on TCP port 3030 from source ports 49688 and 49691 (AMAZON-02US, United States); also 127.0.0.1 (unknown)
loaddll64.exe starts cmd.exe and conhost.exe
cmd.exe starts rundll32.exe; signature on rundll32.exe: System process connects to network (likely due to code injection or exploit)
rundll32.exe starts WerFault.exe (crash reporting)

Sample scan results (Source; Detection; Scanner; Label)
umpdc.dll.dll; 53%; Virustotal
umpdc.dll.dll; 50%; ReversingLabs; Win64.Exploit.DonutMarte
umpdc.dll.dll; 100%; Avira; TR/Agent.cgvoz
Three further scan tables: No Antivirus matches

URL scan results (Source; Detection; Scanner; Label)
http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=7943502952865464333; 0%; Avira URL Cloud; safe
http://3.142.247.110:3030/api/login?userId=&hwid=C:; 0%; Avira URL Cloud; safe
http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433; 0%; Avira URL Cloud; safe
http://3.142.247.110:3030/api/init?version=auth; 0%; Avira URL Cloud; safe
http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=7943502952865464333.142.247.1103030Wi; 0%; Avira URL Cloud; safe

The 0% / "safe" verdicts are reputation lookups of an IP:port that no URL feed had listed at analysis time, not a clean bill for the endpoint; the report's own network section below marks the init URL malicious. Use the IP, port and URI shape as indicators regardless of the URL Cloud result.


Domains (Name; IP; Active; Malicious; Antivirus Detection; Reputation)
18.31.95.13.in-addr.arpa; unknown; unknown; false; none; high

URLs contacted during analysis (Name; Malicious; Antivirus Detection; Reputation)
http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433; true; Avira URL Cloud: safe; unknown

URLs found in the sample or in process memory (Name; Source; Malicious; Antivirus Detection; Reputation)
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0; umpdc.dll.dll; false; none; high
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVE36.crl0; umpdc.dll.dll; false; none; high
https://sectigo.com/CPS0; umpdc.dll.dll; false; none; high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#; umpdc.dll.dll; false; none; high
http://ocsp.sectigo.com0; umpdc.dll.dll; false; none; high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z; umpdc.dll.dll; false; none; high
http://3.142.247.110:3030/api/login?userId=&hwid=C:; rundll32.exe, 00000003.00000002.1238443435.00007FF9966C8000.00000002.00000001.01000000.00000003.sdmp, umpdc.dll.dll; false; Avira URL Cloud: safe; unknown
http://3.142.247.110:3030/api/init?version=; rundll32.exe, 00000003.00000002.1238443435.00007FF9966C8000.00000002.00000001.01000000.00000003.sdmp, umpdc.dll.dll; false; none; high
http://upx.sf.net; Amcache.hve.7.dr; false; none; high
http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=7943502952865464333.142.247.1103030Wi; rundll32.exe, 00000003.00000002.1236234293.0000018235A40000.00000004.00000020.00020000.00000000.sdmp; false; Avira URL Cloud: safe; unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVE36.crt0#; umpdc.dll.dll; false; none; high
http://3.142.247.110:3030/api/init?version=auth; rundll32.exe, 00000003.00000002.1238443435.00007FF9966C8000.00000002.00000001.01000000.00000003.sdmp, umpdc.dll.dll; false; Avira URL Cloud: safe; unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootE46.crl0; umpdc.dll.dll; false; none; high
http://crt.sectigo.com/SectigoPublicCodeSigningRootE46.p7c0#; umpdc.dll.dll; false; none; high
http://ocsp.sectigo.com0F; umpdc.dll.dll; false; none; high
https://curl.haxx.se/docs/http-cookies.html; rundll32.exe, 00000003.00000002.1238443435.00007FF9966C8000.00000002.00000001.01000000.00000003.sdmp, umpdc.dll.dll; false; none; high
http://3.142.247.110:3030/api/login?userId=; rundll32.exe, 00000003.00000002.1238443435.00007FF9966C8000.00000002.00000001.01000000.00000003.sdmp, umpdc.dll.dll; false; none; high
http://3.142.247.110:3030/api/init?version=2.0.0&applicationId=7943502952865464333; loaddll64.exe, 00000000.00000002.2036668654.000001B9655E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1236234293.0000018235A48000.00000004.00000020.00020000.00000000.sdmp; false; Avira URL Cloud: safe; unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#; umpdc.dll.dll; false; none; high

Reading the string hits: the sectigo.com URLs are the CRL, OCSP and CPS pointers embedded in the code-signing certificate chain, and their trailing characters (0, 0#, 0z, 0F) are the neighbouring DER bytes picked up by string extraction, so they are not contacted endpoints. The curl.haxx.se cookie-documentation URL is a libcurl string, which suggests the HTTP calls to 3.142.247.110:3030 are made through a statically linked curl. The 3.142.247.110 URLs are the actionable indicators; the applicationId value 794350295286546433 recurs in the contacted URL above.

IPs (IP; Domain; Country; ASN; ASN Name; Malicious)
3.142.247.110; unknown; United States; 16509; AMAZON-02US; true

Private / loopback IPs
127.0.0.1
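The network indicators above (3.142.247.110 on TCP/3030, an IP-literal host and the /api/init and /api/login URI shapes recovered from rundll32.exe memory) can be turned into a hunt over HTTP logs. The following is an added example written for this page, not code from the report, from Joe Sandbox or from the sample: it scores simplified Zeek-style http.log rows and returns those that combine several independent indicators, extracting the applicationId and hwid values from the query string for the incident record. The log rows are constructed (two of them are modelled on the connection in the behavior graph, using its source ports 49688 and 49691), and the set of "standard" HTTP ports is an assumption to tune per environment.

```python
"""Hunt for the umpdc.dll.dll C2 pattern in HTTP logs (added example for this page).
Indicators from the report: plaintext HTTP to 3.142.247.110 on TCP/3030, an
IP-literal Host, and URIs shaped /api/init?version=..&applicationId=.. and
/api/login?userId=..&hwid=.. .  Log rows are constructed, in a simplified Zeek
http.log layout; the 'standard' port set is an assumption to tune locally."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

C2_IP, C2_PORT = "3.142.247.110", 3030            # from the report
STANDARD_HTTP_PORTS = {80, 8080, 443, 8443}       # assumption, environment-specific
API_SHAPES = {                                     # URI shapes seen in rundll32.exe memory
    "/api/init": re.compile(r"^/api/init\?version=[^&]*&applicationId=\d+$"),
    "/api/login": re.compile(r"^/api/login\?userId=[^&]*&hwid=.*$"),
}
FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "method", "host", "uri"]

# Constructed log: two rows modelled on the report's connection (source ports 49688
# and 49691 are the ones the behavior graph lists), one benign row, one internal API.
SAMPLE_LOG = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi
1742131868.1\t10.0.0.21\t49688\t3.142.247.110\t3030\tGET\t3.142.247.110:3030\t/api/init?version=2.0.0&applicationId=794350295286546433
1742131869.4\t10.0.0.21\t49691\t3.142.247.110\t3030\tGET\t3.142.247.110:3030\t/api/login?userId=&hwid=C:
1742131870.0\t10.0.0.21\t49700\t151.101.1.69\t80\tGET\twww.example.com\t/index.html
1742131871.0\t10.0.0.22\t49702\t10.0.0.5\t8080\tGET\t10.0.0.5:8080\t/api/init?version=1
"""

def parse_http_log(text):
    """Tab-separated rows to dicts; '#' lines are Zeek-style headers."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        row = dict(zip(FIELDS, line.split("\t")))
        row["orig_p"], row["resp_p"] = int(row["orig_p"]), int(row["resp_p"])
        rows.append(row)
    return rows

def _host_is_ip_literal(host):
    """'3.142.247.110:3030' -> True; 'www.example.com' -> False."""
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def assess(row):
    """Independent reasons this request resembles the report's C2 traffic, plus
    the query-string values worth carrying into an incident record."""
    reasons, indicators = [], {}
    if row["resp_p"] not in STANDARD_HTTP_PORTS:
        reasons.append(f"plaintext HTTP on non-standard port {row['resp_p']}")
    if _host_is_ip_literal(row["host"]):
        reasons.append("IP-literal Host header, no DNS lookup involved")
    if (row["resp_h"], row["resp_p"]) == (C2_IP, C2_PORT):
        reasons.append("known C2 endpoint from the umpdc.dll.dll report")
    parts = urlsplit(row["uri"])
    shape = API_SHAPES.get(parts.path)
    if shape and shape.match(row["uri"]):
        reasons.append(f"C2 API shape {parts.path}")
        qs = parse_qs(parts.query, keep_blank_values=True)
        for key in ("version", "applicationId", "userId", "hwid"):
            if key in qs:
                indicators[key] = qs[key][0]
    return reasons, indicators

def hunt(text, min_reasons=2):
    """Rows carrying at least min_reasons independent indicators."""
    hits = []
    for row in parse_http_log(text):
        reasons, indicators = assess(row)
        if len(reasons) >= min_reasons:
            hits.append((row, reasons, indicators))
    return hits

if __name__ == "__main__":
    for row, reasons, indicators in hunt(SAMPLE_LOG):
        print(f"{row['orig_h']}:{row['orig_p']} -> {row['resp_h']}:{row['resp_p']} {row['uri']}")
        for reason in reasons:
            print("   ", reason)
        print("   ", indicators)
```

Only the two rows modelled on the report reach the threshold; the internal 10.0.0.5:8080 row collects a single reason (IP-literal host) and is left alone, which is the point of scoring independent indicators rather than alerting on any one of them. The applicationId and hwid values are kept because the context tables further down show the same applicationId across differently named samples, so it is a better pivot than the file name.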
                                  Joe Sandbox version:42.0.0 Malachite
                                  Analysis ID:1639896
                                  Start date and time:2025-03-16 14:31:13 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 56s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Run name:Run with higher sleep bypass
Number of new started processes analysed:20
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:umpdc.dll.dll
                                  renamed because original name is a hash value
                                  Original Sample Name:umpdc.dll.exe
                                  Detection:MAL
                                  Classification:mal80.troj.evad.winDLL@7/5@1/2
                                  EGA Information:Failed
                                  HCA Information:Failed
                                  Cookbook Comments:
                                  • Found application associated with file extension: .dll
                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 40.69.146.102, 20.190.160.66, 52.149.20.212, 13.95.31.18, 4.175.87.197, 23.60.203.209
                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobvmssprdcus04.centralus.cloudapp.azure.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target rundll32.exe, PID 5248 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                  No simulations
Context for IP 3.142.247.110, other samples that contacted it (Associated Sample Name; Detection; Threat Name; Context)
umpdc.dll.dll; malicious; Unknown; 3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433
Spotify.exe; malicious; Unknown; 3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433
ExitLag.exe; malicious; Unknown; 3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433
umpdc.dll.dll; malicious; Unknown; 3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433
gY0yYzKJIm.exe; malicious; Unknown; 3.142.247.110:3030/api/init?version=2.0.0&applicationId=794350295286546433

Context for domains: No context

Context for ASN AMAZON-02US (Associated Sample Name; Detection; Threat Name; Context IP)
umpdc.dll.dll; malicious; Unknown; 3.142.247.110
Spotify.exe; malicious; Unknown; 3.142.247.110
ExitLag.exe; malicious; Unknown; 3.142.247.110
umpdc.dll.dll; malicious; Unknown; 3.142.247.110
Nyx4r.arm.elf; malicious; Okiru; 13.214.56.68
e7vNXyeU1F.exe; malicious; Njrat, PureLog Stealer, zgRAT; 52.74.74.86
AWB.Shipment.Document(16 Mar 2025).pdf.html; malicious; HTMLPhisher; 18.245.60.14
picture_20250316.exe.bin.exe; malicious; Unknown; 3.5.150.157
picture_20250316.exe.bin.exe; malicious; Unknown; 3.5.150.209

Context for JA3 fingerprints and dropped files: No context

The same endpoint and the same applicationId recur in samples named Spotify.exe and ExitLag.exe, so the IP:port, the URI shape and the applicationId are the pivots for this family; the file name is not. The remaining AMAZON-02 rows (Okiru, Njrat, HTMLPhisher, and the two unknown samples) share only the hosting ASN and are not related indicators.
Dropped files. All five files below were written by C:\Windows\System32\WerFault.exe while reporting the rundll32.exe crash (a WER report text file, a minidump, the WER metadata XML, a telemetry request XML and a copy of the system's Amcache.hve); none was written by the sample. The first preview shows EventType=BEX64, WER's class for buffer-overrun and DEP faults, with NsAppName rundll32.exe_umpdc.dll.dll, which is the crash behind the "One or more processes crash" signature.

Process:C:\Windows\System32\WerFault.exe
File Type:TeX document, Unicode text, UTF-16, little-endian text, with CRLF line terminators (a libmagic misidentification of the UTF-16 WER report text)
Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.9428255629882077
                                  Encrypted:false
                                  SSDEEP:96:7J0uFiY2qiAyKyMsjt4RvsJFw26tQXIDcQhc6ncEOcw3KXaXz+HbHgSQgJjbh88G:1hTiAyM60/j0cjp6PzuiFzZ24lO8X
                                  MD5:506DDC11319012696BAB4E1710BE8F77
                                  SHA1:BAF8EC1825426D9CF3D3872A6583F93F32904308
                                  SHA-256:417B74F22E556499EAC96119B452DC796C0A4DE0C2F192F94DAC068FB4792947
                                  SHA-512:5EE31B7A30DE116487E14448BB5F971E00DEA0B51500EA92AAFD822AF18F1F5CCD314F9631C04FB780E9CC343BBAED5DE8DC03920C3321D97A4502711484DCC6
                                  Malicious:false
                                  Reputation:low
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.6.0.5.5.2.8.4.3.6.5.3.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.6.0.5.5.2.9.2.3.4.5.3.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.1.8.0.e.9.1.f.-.e.0.3.e.-.4.0.a.5.-.a.1.4.5.-.b.9.f.6.f.e.f.7.5.e.a.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.7.c.b.c.c.8.-.9.d.3.b.-.4.a.3.c.-.b.6.1.5.-.a.f.f.c.0.9.f.3.7.f.a.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.u.m.p.d.c...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.8.0.-.0.0.0.1.-.0.0.1.8.-.5.4.6.e.-.8.7.c.d.7.7.9.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:Mini DuMP crash report, 16 streams, Sun Mar 16 13:32:08 2025, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):201852
                                  Entropy (8bit):1.5135597205761384
                                  Encrypted:false
                                  SSDEEP:384:F9z7As7Sm0Akz40VqRsEt6lhOi4IRh37Lszp0pQg5sryL:XnACSm0H00UBcHT9h37Ls90pGO
                                  MD5:61EE32730687C6C17AD8E14CFBB8CA4D
                                  SHA1:B6E7DFC3DFEA5AA3B7819D8ACAFC8B639D25C798
                                  SHA-256:FA6EFD6349F0BB8CC07D6B513410EECB374D90738111355E19BD944B0487EC34
                                  SHA-512:8ECD10FB04894179B3A9568870EA9D42B82543E65E8ADF8487257B131D381A0210AB29328183F8A1D6494E5E1EEE5215DEDAC883A4C95D908C30C0D1E661EA75
                                  Malicious:false
                                  Reputation:low
                                  Preview:MDMP..a..... ..........g............t...........l...........D...............D............l..........l.......8...........T............&...........................!..............................................................................eJ......X"......Lw......................T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):10258
                                  Entropy (8bit):3.713296684001162
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJm/j6Y9sp5gmfijD3pDO89b4XIWfMom:R6lXJGj6Y2XgmfijDV4Zfy
                                  MD5:BEEB6268075A80ECA7DA7BCB88BF207B
                                  SHA1:CCE303F721112DD5F99972F4840633D3AF3AF00C
                                  SHA-256:DD9A6AFDBDB56F54D902EADCDDEC9F6D16280850C4EBCB3F6EA142B087857772
                                  SHA-512:3575FBD66D9E18546C3E3CB61A3AF534ADDF94696CB939C24A73105500C08C49F42E0D22D5DC5D1F3EF7E687D9B0AA68248D192D8F9103A86F854EC57912F249
                                  Malicious:false
                                  Reputation:low
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.4.8.<./.P.i.
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4899
                                  Entropy (8bit):4.472639413256609
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsXJg771I9C/nWpW8VYXYm8M4JCYCWyFhYyq8vhWnptSTSvd:uIjf5I77W7V3JdW0poOvd
                                  MD5:9E623327624929E3F5C6FBCE57EEC8E0
                                  SHA1:39D5F20904C5FC6D6DAEAA3857746BFFBBE7A953
                                  SHA-256:0F27A83D937AC733CF4E4F567AACFBC81D4570D85C63B7D532BF26C7AEDB8E0E
                                  SHA-512:42A5F46F787EA3BE71021328B80C4C906D2B3F172AE07CEE82CF36741181F491A33F294FAABA6A9480A57C5FDA3C4F7B3688F03F306B2B7CB67EA3DF9B303127
                                  Malicious:false
                                  Reputation:low
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="763474" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1835008
                                  Entropy (8bit):4.376089867843065
                                  Encrypted:false
                                  SSDEEP:6144:wpFVfpi6ceLP/9skLmb0ByWWSPtaJG8nAge35OlMMhA2AX4WABlRuN3iL:w/V13yWWI/glMM6kFIpq
                                  MD5:AC2709E9EE075DBDBC02E57701897744
                                  SHA1:1934417F65C571A4BBC29E7FCDEFF4FD93FF230B
                                  SHA-256:511A9D7E03AE1D5B68545358B571E1939CF5009DB7EC4FA97BC7BA1B81F49C6B
                                  SHA-512:0DDCCC76A421C2C6F3568512DB331EFC64782DF52A0F971762E89FC3C8B790EEA9D776A59BAD7C9AB0CA22B13534C4282BB20C86E56EECC04E377BBE9515FFBF
                                  Malicious:false
                                  Reputation:low
                                  Preview:regfE...E....\.Z.................... ....@......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmn...w................................................................................................................................................................................................................................................................................................................................................,..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Entropy (8bit):7.862082170139248
                                  TrID:
                                  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                  • Win64 Executable (generic) (12005/4) 10.17%
                                  • Generic Win/DOS Executable (2004/3) 1.70%
                                  • DOS Executable Generic (2002/1) 1.70%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                  File name:umpdc.dll.dll
                                  File size:4'857'344 bytes
                                  MD5:dd5786017a7e33928a7e0920e9b36431
                                  SHA1:bc1fa76699fb97657a54aca55322223867d1cd05
                                  SHA256:013320e6129b955de4349b63363856c5690eb34c63bba1b419e197544302e3a5
                                  SHA512:00351fddb360239cc6fc122768ade964846ee45fb6456bec334899e91259ad35ac513a5cf03e5239ccb99211da02710c40d8f1a1b32853d470b0b6dc16838266
                                  SSDEEP:98304:oNlbGgygXlDCuOGIjfzAneXbO8QyU41twFSRLfDZmfKZN8PkH:oNlbGg9DCuOG4fzmeXbOCUYRLf1Zj8P0
                                  TLSH:C1261292B3A401EDD167C13CC567A617E671749A1310DBCB23F086A92FA37E06B7B361
                                  File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........-<x.LR+.LR+.LR+.4.+.LR+k..+.LR+k.V*.LR+k.Q*.LR+k.W*.LR+k.S*.LR+/<V*.LR+.4V*.LR+.4S*.LR+..)+.LR+.LS+.NR+Z.[*.LR+Z..+.LR+Z.P*.LR
                                  Icon Hash:7ae282899bbab082
                                  Entrypoint:0x1800b5d18
                                  Entrypoint Section:.text
                                  Digitally signed:true
                                  Imagebase:0x180000000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x67D204B7 [Wed Mar 12 22:03:35 2025 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:6
                                  OS Version Minor:0
                                  File Version Major:6
                                  File Version Minor:0
                                  Subsystem Version Major:6
                                  Subsystem Version Minor:0
                                  Import Hash:d91a08c86a4391679e7d3c08a872d715
Signature Valid:true
Signature Issuer:CN=Sectigo Public Code Signing CA EV E36, O=Sectigo Limited, C=GB
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before / Not After:
• 20/02/2025 01:00:00 / 31/10/2025 00:59:59
Subject Chain
• CN=55.604.504 Rafael Ferreira de Carvalho, O=55.604.504 Rafael Ferreira de Carvalho, S=Distrito Federal, C=BR, OID.2.5.4.15=Business Entity, OID.1.3.6.1.4.1.311.60.2.1.3=BR, SERIALNUMBER=55.604.504/0001-02
Version:3
Thumbprint MD5:664DD97F1F82BC95750F61E70AB0D7FE
Thumbprint SHA-1:BBED9DEAE08E2CD1302C6A8D98325BC4441066AF
Thumbprint SHA-256:93BD8F88FC48C6253272C2E0B49C787E4B9ADCAA3043B74A674CF08DF1F3FA05
Serial:77344A8C067A2B9BB97938F227B7D39F

A valid EV code-signing signature establishes only that the holder of this Sectigo-issued key signed the file; it says nothing about behaviour, and the file is detected by three scanners above. The certificate was issued on 20/02/2025 and the PE timestamp is 12/03/2025, three weeks later. Treat the leaf thumbprints and serial number as indicators to pivot on across other samples, report the certificate to the issuer for revocation, and do not use signature validity as an allow decision.
Instruction (entrypoint disassembly)
Note: this listing is decoded in 32-bit mode although the file is PE32+. In 64-bit mode the bytes 0x40-0x4F are REX prefixes, so every "inc"/"dec" of a 32-bit register below belongs to the instruction that follows it (dec eax is REX.W and widens the operation to 64 bits; dec ecx, dec esp and dec ebp additionally select r8-r15), and "arpl" is really movsxd. "dec eax / mov dword ptr [esp+08h], ebx" is therefore mov qword ptr [rsp+08h], rbx. Read this way, the first block (through the jmp) is the standard MSVC CRT DLL entry stub: save rbx and rsi, compare the reason argument with DLL_PROCESS_ATTACH (1), call the GS-cookie initialiser only in that case, then tail-jump to the DllMain dispatcher with the original three arguments restored.
                                  dec eax
                                  mov dword ptr [esp+08h], ebx
                                  dec eax
                                  mov dword ptr [esp+10h], esi
                                  push edi
                                  dec eax
                                  sub esp, 20h
                                  dec ecx
                                  mov edi, eax
                                  mov ebx, edx
                                  dec eax
                                  mov esi, ecx
                                  cmp edx, 01h
                                  jne 00007F31391DB857h
                                  call 00007F31391DBD34h
                                  dec esp
                                  mov eax, edi
                                  mov edx, ebx
                                  dec eax
                                  mov ecx, esi
                                  dec eax
                                  mov ebx, dword ptr [esp+30h]
                                  dec eax
                                  mov esi, dword ptr [esp+38h]
                                  dec eax
                                  add esp, 20h
                                  pop edi
                                  jmp 00007F31391DB6E4h
                                  int3
                                  int3
                                  int3
                                  dec eax
                                  sub esp, 28h
                                  dec ebp
                                  mov eax, dword ptr [ecx+38h]
                                  dec eax
                                  mov ecx, edx
                                  dec ecx
                                  mov edx, ecx
                                  call 00007F31391DB862h
                                  mov eax, 00000001h
                                  dec eax
                                  add esp, 28h
                                  ret
                                  int3
                                  int3
                                  int3
                                  inc eax
                                  push ebx
                                  inc ebp
                                  mov ebx, dword ptr [eax]
                                  dec eax
                                  mov ebx, edx
                                  inc ecx
                                  and ebx, FFFFFFF8h
                                  dec esp
                                  mov ecx, ecx
                                  inc ecx
                                  test byte ptr [eax], 00000004h
                                  dec esp
                                  mov edx, ecx
                                  je 00007F31391DB865h
                                  inc ecx
                                  mov eax, dword ptr [eax+08h]
                                  dec ebp
                                  arpl word ptr [eax+04h], dx
                                  neg eax
                                  dec esp
                                  add edx, ecx
                                  dec eax
                                  arpl ax, cx
                                  dec esp
                                  and edx, ecx
                                  dec ecx
                                  arpl bx, ax
                                  dec edx
                                  mov edx, dword ptr [eax+edx]
                                  dec eax
                                  mov eax, dword ptr [ebx+10h]
                                  mov ecx, dword ptr [eax+08h]
                                  dec eax
                                  mov eax, dword ptr [ebx+08h]
                                  test byte ptr [ecx+eax+03h], 0000000Fh
                                  je 00007F31391DB85Dh
                                  movzx eax, byte ptr [ecx+eax+03h]
                                  and eax, FFFFFFF0h
                                  dec esp
                                  add ecx, eax
                                  dec esp
                                  xor ecx, edx
                                  dec ecx
                                  mov ecx, ecx
                                  pop ebx
                                  jmp 00007F31391DAB72h
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  Programming Language:
                                  • [IMP] VS2008 SP1 build 30729
                                  • [IMP] VS2005 build 50727
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdb978 | 0x21c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4a5000 | 0x1e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x49d000 | 0x795c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x49f800 | 0x2600 | .pdata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4a6000 | 0x6e4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xcf520 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xcf600 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xcf3e0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb8000 | 0xbb0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb6fec | 0xb7000 | ac9d95de92e6b4fa804d0a6b8ea1701b | False | 0.5448711791325137 | data | 6.459911612579529 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb8000 | 0x261c2 | 0x26200 | 3bee54cae0066e628f9bda71dfa5fe5c | False | 0.43217853483606555 | data | 5.841391274269345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xdf000 | 0x3bd948 | 0x3b9e00 | d64e0a82062cd44ce84130dfb72fbfc8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x49d000 | 0x795c | 0x7a00 | 30e49ddac13006a730137047d4a0a46e | False | 0.47966828893442626 | data | 5.936301151383905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x4a5000 | 0x1e8 | 0x200 | 93a781cdd509206d36a2fa7d237b59e9 | False | 0.5390625 | data | 4.7737068411020225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4a6000 | 0x6e4 | 0x800 | 055d943558256ff4ec7ec67fa572a116 | False | 0.47119140625 | data | 5.008489379338187 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x4a5060 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Import
d3d9.dll | Direct3DCreate9
KERNEL32.dll | GetCurrentProcessId, GetProcessHeap, CreateRemoteThread, VirtualFreeEx, GetExitCodeProcess, GetTickCount, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetFileSizeEx, CreateFileA, FormatMessageA, SetLastError, WaitForMultipleObjects, PeekNamedPipe, ReadFile, GetFileType, GetStdHandle, GetEnvironmentVariableA, WaitForSingleObjectEx, MoveFileExA, VerifyVersionInfoA, GetSystemDirectoryA, SleepEx, LeaveCriticalSection, EnterCriticalSection, GetVolumeInformationA, HeapSize, VirtualAllocEx, WakeAllConditionVariable, SleepConditionVariableSRW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, HeapDestroy, HeapAlloc, HeapReAlloc, WaitForSingleObject, InitializeCriticalSectionEx, RtlAddFunctionTable, HeapFree, WriteProcessMemory, CreateThread, DisableThreadLibraryCalls, QueryPerformanceCounter, VerSetConditionMask, QueryPerformanceFrequency, GlobalUnlock, WideCharToMultiByte, GlobalLock, GlobalFree, GlobalAlloc, FreeLibraryAndExitThread, Sleep, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, OutputDebugStringW, FreeLibrary, ReadProcessMemory, LocalFree, GetProcAddress, LoadLibraryA, GetModuleHandleA, VirtualProtectEx, MultiByteToWideChar, OpenProcess, CloseHandle, DeleteCriticalSection, Process32FirstW, Process32NextW, Process32Next, GetLastError, CreateToolhelp32Snapshot, GetCurrentProcess, Process32First
USER32.dll | MessageBoxA, SetClipboardData, GetClipboardData, EmptyClipboard, CloseClipboard, OpenClipboard, GetCursorPos, ReleaseDC, SetCursorPos, IsIconic, SetForegroundWindow, ReleaseCapture, RegisterClassExA, SetWindowLongPtrA, IsWindowUnicode, UnregisterClassA, GetClientRect, SetWindowDisplayAffinity, GetActiveWindow, SetWindowLongW, SetCursor, SetCapture, BringWindowToTop, FindWindowA, SetLayeredWindowAttributes, CreateWindowExA, DefWindowProcA, GetForegroundWindow, GetMonitorInfoA, TrackMouseEvent, IsChild, ClientToScreen, SetWindowLongA, GetCapture, ShowWindow, WindowFromPoint, SetWindowTextW, DispatchMessageA, EnumDisplayMonitors, MonitorFromWindow, SetWindowPos, GetDC, DestroyWindow, LoadCursorA, GetMessageExtraInfo, GetKeyState, AdjustWindowRectEx, MessageBoxW, SetFocus, ScreenToClient, UnregisterClassW, RegisterClassExW, TranslateMessage, PeekMessageA, GetWindowLongW, UpdateWindow
GDI32.dll | GetDeviceCaps
ADVAPI32.dll | CryptDestroyKey, CryptImportKey, CryptEncrypt, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetTokenInformation, GetLengthSid, IsValidSid, CopySid, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGenRandom, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA, ConvertSidToStringSidA
ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize
OLEAUT32.dll | VariantClear
MSVCP140.dll | ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ?_Throw_Cpp_error@std@@YAXH@Z, _Cnd_do_broadcast_at_thread_exit, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?_Random_device@std@@YAIXZ, _Thrd_detach, ?_Xbad_function_call@std@@YAXXZ, ?_Xlength_error@std@@YAXPEBD@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
IMM32.dll | ImmGetContext, ImmReleaseContext, ImmSetCandidateWindow, ImmSetCompositionWindow
USERENV.dll | UnloadUserProfile
VCRUNTIME140_1.dll | __CxxFrameHandler4
VCRUNTIME140.dll | __std_exception_copy, __C_specific_handler, memcpy, memset, __std_exception_destroy, __std_terminate, memmove, memcmp, memchr, _CxxThrowException, strstr, __current_exception, strrchr, strchr, __std_type_info_destroy_list, __current_exception_context
api-ms-win-crt-heap-l1-1-0.dll | calloc, free, malloc, realloc, _callnewh
api-ms-win-crt-runtime-l1-1-0.dll | _beginthreadex, _initterm, _getpid, strerror, exit, _resetstkoflw, _crt_atexit, _cexit, _invalid_parameter_noinfo, __sys_nerr, _initterm_e, _seh_filter_dll, _configure_narrow_argv, _initialize_narrow_environment, _execute_onexit_table, _initialize_onexit_table, _register_onexit_function, _errno, _invalid_parameter_noinfo_noreturn, terminate
api-ms-win-crt-string-l1-1-0.dll | strncpy, strncmp, strcmp, tolower, _stricmp, isupper, _strdup, strspn, strpbrk, strcspn
api-ms-win-crt-stdio-l1-1-0.dll | _read, fopen, fputs, __acrt_iob_func, fputc, _write, feof, _close, __stdio_common_vfprintf, _lseeki64, __stdio_common_vsscanf, fread, _open, __stdio_common_vsprintf, _wfopen, fwrite, fgets, fseek, fclose, fflush, ftell
api-ms-win-crt-time-l1-1-0.dll | _gmtime64, _time64
api-ms-win-crt-utility-l1-1-0.dll | qsort
api-ms-win-crt-convert-l1-1-0.dll | strtoll, strtod, atoi, strtol, strtoull, strtoul
api-ms-win-crt-filesystem-l1-1-0.dll | _stat64, _access, _unlink, _fstat64
api-ms-win-crt-locale-l1-1-0.dll | localeconv
Normaliz.dll | IdnToAscii
WLDAP32.dll |
CRYPT32.dll | CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore, CertFreeCertificateChain
WS2_32.dll | socket, setsockopt, ntohs, ntohl, gethostname, sendto, recvfrom, freeaddrinfo, getaddrinfo, WSASetLastError, select, WSAIoctl, WSAStartup, htonl, listen, closesocket, recv, send, WSAGetLastError, bind, connect, getpeername, getsockname, getsockopt, htons, WSACleanup, ioctlsocket, __WSAFDIsSet, accept
api-ms-win-crt-math-l1-1-0.dll | sqrtf, acosf, cosf, ceilf, fmodf, pow, sinf, sqrt, _dclass
Language of compilation system | Country where language is spoken
English | United States


• Total Packets: 17
• Port 3030 (undefined)
• Port 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 16, 2025 14:32:03.735853910 CET | 49688 | 3030 | 192.168.2.8 | 3.142.247.110
Mar 16, 2025 14:32:03.740641117 CET | 3030 | 49688 | 3.142.247.110 | 192.168.2.8
Mar 16, 2025 14:32:03.740712881 CET | 49688 | 3030 | 192.168.2.8 | 3.142.247.110
Mar 16, 2025 14:32:03.740993977 CET | 49688 | 3030 | 192.168.2.8 | 3.142.247.110
Mar 16, 2025 14:32:03.745649099 CET | 3030 | 49688 | 3.142.247.110 | 192.168.2.8
Mar 16, 2025 14:32:03.772190094 CET | 49691 | 3030 | 192.168.2.8 | 3.142.247.110
Mar 16, 2025 14:32:03.776930094 CET | 3030 | 49691 | 3.142.247.110 | 192.168.2.8
Mar 16, 2025 14:32:03.777024031 CET | 49691 | 3030 | 192.168.2.8 | 3.142.247.110
Mar 16, 2025 14:32:03.777728081 CET | 49691 | 3030 | 192.168.2.8 | 3.142.247.110
Mar 16, 2025 14:32:03.782411098 CET | 3030 | 49691 | 3.142.247.110 | 192.168.2.8
Mar 16, 2025 14:32:04.373899937 CET | 3030 | 49688 | 3.142.247.110 | 192.168.2.8
Mar 16, 2025 14:32:04.406682014 CET | 3030 | 49691 | 3.142.247.110 | 192.168.2.8
Mar 16, 2025 14:32:04.419861078 CET | 49688 | 3030 | 192.168.2.8 | 3.142.247.110
Mar 16, 2025 14:32:04.450418949 CET | 49691 | 3030 | 192.168.2.8 | 3.142.247.110
Mar 16, 2025 14:32:09.374984980 CET | 3030 | 49688 | 3.142.247.110 | 192.168.2.8
Mar 16, 2025 14:32:09.375039101 CET | 49688 | 3030 | 192.168.2.8 | 3.142.247.110
Mar 16, 2025 14:32:09.421813011 CET | 3030 | 49691 | 3.142.247.110 | 192.168.2.8
Mar 16, 2025 14:32:09.422172070 CET | 49691 | 3030 | 192.168.2.8 | 3.142.247.110
Mar 16, 2025 14:32:34.986581087 CET | 51994 | 53 | 192.168.2.8 | 162.159.36.2
Mar 16, 2025 14:32:34.991339922 CET | 53 | 51994 | 162.159.36.2 | 192.168.2.8
Mar 16, 2025 14:32:34.991442919 CET | 51994 | 53 | 192.168.2.8 | 162.159.36.2
Mar 16, 2025 14:32:35.025506020 CET | 53 | 51994 | 162.159.36.2 | 192.168.2.8
Mar 16, 2025 14:32:35.455163956 CET | 51994 | 53 | 192.168.2.8 | 162.159.36.2
Mar 16, 2025 14:32:35.460243940 CET | 53 | 51994 | 162.159.36.2 | 192.168.2.8
Mar 16, 2025 14:32:35.460299015 CET | 51994 | 53 | 192.168.2.8 | 162.159.36.2
Mar 16, 2025 14:32:44.279208899 CET | 49691 | 3030 | 192.168.2.8 | 3.142.247.110
Mar 16, 2025 14:34:04.302666903 CET | 49688 | 3030 | 192.168.2.8 | 3.142.247.110
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 16, 2025 14:32:34.896785021 CET | 53 | 52814 | 162.159.36.2 | 192.168.2.8
Mar 16, 2025 14:32:35.503077984 CET | 55291 | 53 | 192.168.2.8 | 1.1.1.1
Mar 16, 2025 14:32:35.509893894 CET | 53 | 55291 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 16, 2025 14:32:35.503077984 CET | 192.168.2.8 | 1.1.1.1 | 0x34ca | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 16, 2025 14:32:35.509893894 CET | 1.1.1.1 | 192.168.2.8 | 0x34ca | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                  • 3.142.247.110:3030
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49688 | 3.142.247.110 | 3030 | 6852 | C:\Windows\System32\loaddll64.exe
Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 14:32:03.740993977 CET | 161 | OUT | GET /api/init?version=2.0.0&applicationId=794350295286546433 HTTP/1.1
                                  Host: 3.142.247.110:3030
                                  Accept: */*
                                  Content-Type: application/json
                                  user-agent: xrc
Mar 16, 2025 14:32:04.373899937 CET | 290 | IN | HTTP/1.1 200 OK
                                  X-Powered-By: Express
                                  Content-Type: application/json; charset=utf-8
                                  Content-Length: 55
                                  ETag: W/"37-s+MY0AqOQiV4rr+v6rWU/lnQjJg"
                                  Date: Sun, 16 Mar 2025 13:32:04 GMT
                                  Connection: keep-alive
                                  Keep-Alive: timeout=5
                                  Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 49 6e 69 74 69 61 6c 69 7a 65 64 22 2c 22 6b 65 79 22 3a 22 78 72 63 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 32 2e 30 2e 30 22 7d
                                  Data Ascii: {"message":"Initialized","key":"xrc","version":"2.0.0"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49691 | 3.142.247.110 | 3030 | 5248 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 14:32:03.777728081 CET | 161 | OUT | GET /api/init?version=2.0.0&applicationId=794350295286546433 HTTP/1.1
                                  Host: 3.142.247.110:3030
                                  Accept: */*
                                  Content-Type: application/json
                                  user-agent: xrc
Mar 16, 2025 14:32:04.406682014 CET | 290 | IN | HTTP/1.1 200 OK
                                  X-Powered-By: Express
                                  Content-Type: application/json; charset=utf-8
                                  Content-Length: 55
                                  ETag: W/"37-s+MY0AqOQiV4rr+v6rWU/lnQjJg"
                                  Date: Sun, 16 Mar 2025 13:32:04 GMT
                                  Connection: keep-alive
                                  Keep-Alive: timeout=5
                                  Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 49 6e 69 74 69 61 6c 69 7a 65 64 22 2c 22 6b 65 79 22 3a 22 78 72 63 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 32 2e 30 2e 30 22 7d
                                  Data Ascii: {"message":"Initialized","key":"xrc","version":"2.0.0"}



                                  Target ID:0
                                  Start time:09:32:02
                                  Start date:16/03/2025
                                  Path:C:\Windows\System32\loaddll64.exe
                                  Wow64 process (32bit):false
                                  Commandline:loaddll64.exe "C:\Users\user\Desktop\umpdc.dll.dll"
                                  Imagebase:0x7ff67f6e0000
                                  File size:165'888 bytes
                                  MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:1
                                  Start time:09:32:02
                                  Start date:16/03/2025
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6e60e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:2
                                  Start time:09:32:03
                                  Start date:16/03/2025
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1
                                  Imagebase:0x7ff6b3ad0000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:09:32:03
                                  Start date:16/03/2025
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\umpdc.dll.dll",#1
                                  Imagebase:0x7ff72d8a0000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000003.00000002.1238563188.00007FF9966F9000.00000008.00000001.01000000.00000003.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:09:32:08
                                  Start date:16/03/2025
                                  Path:C:\Windows\System32\WerFault.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 5248 -s 404
                                  Imagebase:0x7ff6293d0000
                                  File size:570'736 bytes
                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Non-executed Functions

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1238374499.00007FF996611000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF996610000, based on PE: true
• Associated: 00000003.00000002.1238350895.00007FF996610000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1238443435.00007FF9966C8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1238479412.00007FF9966EF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1238512883.00007FF9966F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1238536957.00007FF9966F8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1238563188.00007FF9966F9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1238840767.00007FF996AA8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1238864255.00007FF996AAD000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7ff996610000_rundll32.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                  • String ID:
                                  • API String ID: 2933794660-0
                                  • Opcode ID: 05f37285f377384a7389b44edb0e6922158b6e804182277812fd7b1c68089065
                                  • Instruction ID: 1f3dc6f079e9cf5c451e34441122cc291fe37c8f950a1c5a82fdcd6e1160133e
                                  • Opcode Fuzzy Hash: 05f37285f377384a7389b44edb0e6922158b6e804182277812fd7b1c68089065
                                  • Instruction Fuzzy Hash: 80114C22B14F018AEB20CB64E8543A833B8FB58758F451E35DA7D867A4DFBDE1648780