Windows Analysis Report
pumpkin-2.7.3.exe

Overview

General Information

Sample name: pumpkin-2.7.3.exe
Analysis ID: 1601024
MD5: c70df19686f26debc376cccd7ce301a3
SHA1: c7ab4a5b2a34bb9702f55ecedc17a9fa7debc59a
SHA256: a1b0099a0bc502993158f6bb8daf3c96506f2362418aa78c1fe9b8425376aee9
Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to dynamically determine API calls
Detected potential crypto function
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • pumpkin-2.7.3.exe (PID: 7672 cmdline: "C:\Users\user\Desktop\pumpkin-2.7.3.exe" MD5: C70DF19686F26DEBC376CCCD7CE301A3)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures; all signature results are listed below.

Source: pumpkin-2.7.3.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Directory created: C:\Program Files\Klever
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Directory created: C:\Program Files\Klever\Nothings
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Directory created: C:\Program Files\Klever\Nothings\temp.000
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Directory created: C:\Program Files\Klever\Nothings\PumpKIN.INF
Source: pumpkin-2.7.3.exe, 00000000.00000003.1373406773.00000000004D8000.00000004.00000020.00020000.00000000.sdmp, pumpkin-2.7.3.exe, 00000000.00000003.1373446593.00000000004D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://kin.klever.net/T42/
Source: pumpkin-2.7.3.exe | String found in binary or memory: http://kin.klever.net/pumpkin/
Source: pumpkin-2.7.3.exe | String found in binary or memory: http://www.klever.net/
Source: pumpkin-2.7.3.exe | String found in binary or memory: http://www.klever.net/)
Source: pumpkin-2.7.3.exe | String found in binary or memory: http://www.klever.net/)r%
Source: pumpkin-2.7.3.exe | String found in binary or memory: http://www.klever.net/)t&
Source: pumpkin-2.7.3.exe | String found in binary or memory: http://www.klever.net/http://kin.klever.net/pumpkin/2.7.3Klever
Source: pumpkin-2.7.3.exe, 00000000.00000003.1373406773.00000000004D8000.00000004.00000020.00020000.00000000.sdmp, pumpkin-2.7.3.exe, 00000000.00000003.1373446593.00000000004D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.rfc-editor.org
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Code function: 0_2_00404C60
Source: pumpkin-2.7.3.exe | Static PE information: Resource name: RT_RCDATA type: MS Compress archive data, SZDD variant, original size: 387 bytes
Source: pumpkin-2.7.3.exe | Static PE information: Resource name: RT_RCDATA type: MS Compress archive data, SZDD variant, original size: 149504 bytes
Source: pumpkin-2.7.3.exe | Static PE information: Resource name: RT_RCDATA type: MS Compress archive data, SZDD variant, original size: 17064 bytes
Source: pumpkin-2.7.3.exe, 00000000.00000000.1324969140.000000000040E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameINSTALL.EXE0 vs pumpkin-2.7.3.exe
Source: pumpkin-2.7.3.exe | Binary or memory string: OriginalFilenameINSTALL.EXE0 vs pumpkin-2.7.3.exe
Source: classification engine | Classification label: clean4.winEXE@1/9@0/0
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Code function: 0_2_004016E0 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Code function: 0_2_00401BE0 GetTempPathA,GetTempFileNameA,FindResourceA,SizeofResource,LoadResource,LockResource,CreateFileA,WriteFile,CloseHandle,VerInstallFileA,DeleteFileA,DeleteFileA,CloseHandle
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | File created: C:\Program Files\Klever
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Klever Group
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | File created: C:\Users\user\AppData\Local\Temp\KGICAF3.tmp
Source: pumpkin-2.7.3.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | File read: C:\Program Files\desktop.ini
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_0-2542)
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
Source: PumpKIN.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Klever\Nothings\PumpKIN.exe
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Automated click: OK
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Code function: 0_2_00407740 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Code function: 0_2_00408320 push eax; ret 0_2_0040834E
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Klever Group\PumpKIN.lnk
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Process information set: NOOPENFILEERRORBOX
Source: pumpkin-2.7.3.exe, 00000000.00000003.1414295874.00000000004BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: pumpkin-2.7.3.exe, 00000000.00000003.1414295874.00000000004BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\3
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Code function: 0_2_00406080 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Code function: 0_2_00406110 SetUnhandledExceptionFilter
Source: pumpkin-2.7.3.exe | Binary or memory string: setup.ini, progman.groups,,"group%d=%s"
Source: pumpkin-2.7.3.exe, 00000000.00000002.1415613566.0000000001F50000.00000004.00000020.00020000.00000000.sdmp, PumpKIN.INF.0.dr | Binary or memory string: setup.ini, progman.groups,,"group1=Klever Group"
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\pumpkin-2.7.3.exe | Code function: 0_2_00402FC0 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA
MITRE ATT&CK Matrix

Techniques with matching signatures (number of matches in parentheses; the remaining matrix cells are the unmatched defaults of the report's matrix):

  • Execution: Command and Scripting Interpreter (2), Native API (11)
  • Persistence: DLL Side-Loading (1), Registry Run Keys / Startup Folder (1)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Registry Run Keys / Startup Folder (1)
  • Defense Evasion: Masquerading (3), Process Injection (1), DLL Side-Loading (1), Obfuscated Files or Information (1)
  • Discovery: Security Software Discovery (1), Process Discovery (1), File and Directory Discovery (1), System Information Discovery (12)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
Behavior Graph

Behavior Graph ID: 1601024, Sample: pumpkin-2.7.3.exe, Start date: 28/01/2025, Architecture: WINDOWS, Score: 4. A single process, pumpkin-2.7.3.exe, was started.

Antivirus detection (Source, Detection, Scanner):
  • pumpkin-2.7.3.exe: 4% (Virustotal)
  • pumpkin-2.7.3.exe: 0% (ReversingLabs)
No Antivirus matches
URL detection (Source, Detection, Scanner, Label):
  • http://kin.klever.net/T42/: 0% (Avira URL Cloud: safe)
  • http://kin.klever.net/pumpkin/: 0% (Avira URL Cloud: safe)
  • http://www.klever.net/http://kin.klever.net/pumpkin/2.7.3Klever: 0% (Avira URL Cloud: safe)
  • http://www.klever.net/)r%: 0% (Avira URL Cloud: safe)
  • http://www.klever.net/)t&: 0% (Avira URL Cloud: safe)
  • http://www.klever.net/): 0% (Avira URL Cloud: safe)
  • http://www.klever.net/: 0% (Avira URL Cloud: safe)
Contacted domains (Name, IP, Active, Malicious, Reputation):
  • bg.microsoft.map.fastly.net, 199.232.214.172, active: true, malicious: false, reputation: high
  • s-part-0017.t-0009.t-msedge.net, 13.107.246.45, active: true, malicious: false, reputation: high
URLs (Name, Source, Malicious, Antivirus Detection, Reputation):
  • http://www.klever.net/ (source: pumpkin-2.7.3.exe), malicious: false, Avira URL Cloud: safe, reputation: unknown
  • http://www.rfc-editor.org (source: pumpkin-2.7.3.exe, 00000000.00000003.1373406773.00000000004D8000.00000004.00000020.00020000.00000000.sdmp, pumpkin-2.7.3.exe, 00000000.00000003.1373446593.00000000004D8000.00000004.00000020.00020000.00000000.sdmp), malicious: false, reputation: high
  • http://kin.klever.net/T42/ (source: pumpkin-2.7.3.exe, 00000000.00000003.1373406773.00000000004D8000.00000004.00000020.00020000.00000000.sdmp, pumpkin-2.7.3.exe, 00000000.00000003.1373446593.00000000004D8000.00000004.00000020.00020000.00000000.sdmp), malicious: false, Avira URL Cloud: safe, reputation: unknown
  • http://www.klever.net/) (source: pumpkin-2.7.3.exe), malicious: false, Avira URL Cloud: safe, reputation: unknown
  • http://www.klever.net/http://kin.klever.net/pumpkin/2.7.3Klever (source: pumpkin-2.7.3.exe), malicious: false, Avira URL Cloud: safe, reputation: unknown
  • http://kin.klever.net/pumpkin/ (source: pumpkin-2.7.3.exe), malicious: false, Avira URL Cloud: safe, reputation: unknown
  • http://www.klever.net/)t& (source: pumpkin-2.7.3.exe), malicious: false, Avira URL Cloud: safe, reputation: unknown
  • http://www.klever.net/)r% (source: pumpkin-2.7.3.exe), malicious: false, Avira URL Cloud: safe, reputation: unknown
        No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1601024
Start date and time: 2025-01-28 08:52:32 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: pumpkin-2.7.3.exe
Detection: CLEAN
Classification: clean4.winEXE@1/9@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 25
  • Number of non-executed functions: 9
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
        No simulations
Dropped Files

Process: C:\Users\user\Desktop\pumpkin-2.7.3.exe
File Type: Windows setup INFormation
Category: dropped
Size (bytes): 1146
Entropy (8bit): 5.167911779779853
Encrypted: false
SSDEEP: 24:BWIBPVzAI5iV5VzAjVzArVzAIsVzAFHlVzALVzAv4ZVpVJsV2ja0:B551AIA71Aj1Ar1AIs1AL1AL1Av4ZXHh
MD5: 7665936CB568C2F8A877A6466732373B
SHA1: BF968C6F3B69575AA3B53CF6F3ED3DBE32AC4F12
SHA-256: 0BB3C0164D3774F6212036EDC2C95F106BDD8027D7D37DE4364D48C32418EC14
SHA-512: 06FF88F92E26DFC61843E0FAC3B755EDEF9C2B14614FE201631525956622C173D75B77F77DDF270C4476447A79B259608E217B240D8D895B49DCCD0CC91E1361
Malicious: false
Reputation: low
Preview (line breaks restored; the preview is truncated in the report):
[Version]
Signature="$CHICAGO$"

[Uninstall]
AddReg=kFiles
DelReg=kReg
UpdateInis=kMenu

[kFiles]
HKLM,Software\Microsoft\Windows\CurrentVersion\DeleteFiles\PumpKINFiles,,,"C:\PROGRA~1\Klever\Nothings"
HKLM,Software\Microsoft\Windows\CurrentVersion\DeleteFiles\PumpKINFiles,PumpKIN.exe,,"PumpKIN.exe"
HKLM,Software\Microsoft\Windows\CurrentVersion\DeleteFiles\PumpKINFiles,PumpKIN.hlp,,"PumpKIN.hlp"
HKLM,Software\Microsoft\Windows\CurrentVersion\DeleteFiles\PumpKINFiles,PumpKIN.cnt,,"PumpKIN.cnt"
HKLM,Software\Microsoft\Windows\CurrentVersion\DeleteFiles\PumpKINFiles,PumpKIN.GID,,"PumpKIN.GID"
HKLM,Software\Microsoft\Windows\CurrentVersion\DeleteFiles\PumpKINFiles,PumpKIN.FTS,,"PumpKIN.FTS"
HKLM,Software\Microsoft\Windows\CurrentVersion\DeleteFiles\PumpKINFiles,PumpKIN.inf,,"PumpKIN.inf"

[kReg]
HKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\PumpKIN
HKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\PumpKIN,DisplayName
HKLM,Software\Microsoft\Windows\
Process: C:\Users\user\Desktop\pumpkin-2.7.3.exe
File Type: MS Windows help file Content, based "PumpKIN.hlp", ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 387
Entropy (8bit): 5.073065676859333
Encrypted: false
SSDEEP: 12:QdFTVS1IpnJFbHWeQmAhqq9LV7he9LGjH73epFpT:y2M5kmeY6cFpT
MD5: 685BAB4BE28BA2839D7303F1D4559504
SHA1: C4E9B1E755A99257AA7529D40485C748CE8BCDB1
SHA-256: C0AF4774AC5FD0B81C3C8596B906DA726A4003B0630DD7F773A66B87D1B22505
SHA-512: AB6229E1B12967FA1CD84ACBA3AE369A8224D58C97DE473DBBEB131F1AF0374AF72922C568F6AB8068F0666080B882B5EBD85D8C88858A3FF516389848C144B7
Malicious: false
Reputation: low
Preview (line breaks restored):
:Base PumpKIN.hlp>Standard
:Title PumpKIN
1 PumpKIN
2 About PumpKIN=About
2 What's New=News
2 Using PumpKIN=Using
1 PumpKIN Dialogs
2 Confirm Read Request Dialog=ConfirmRRQ
2 Confirm Write Request Dialog=ConfirmWRQ
2 Request Dialog=Request
1 PumpKIN Options
2 Server Options=ServerOptions
2 Network Options=NetworkOptions
2 Sounds Options=SoundsOptions
2 Access Lists=ACL
Process: C:\Users\user\Desktop\pumpkin-2.7.3.exe
File Type: MS Compress archive data, SZDD variant, original size: 149504 bytes
Category: dropped
Size (bytes): 85779
Entropy (8bit): 7.7270537166978075
Encrypted: false
SSDEEP: 1536:P+g1p6mABSTo9Yg530qkmD5N+eBNNIcP7MSRp/7RjNP5L5cxq:PnP+9530FqiONtoMp/7ZNPHGq
MD5: C2370A72343CF15E419D90C6F008021D
SHA1: 5A446AA9411FF2AA5AC1844D5F5A5D7D7EE99BC0
SHA-256: C848B5729691B5663D621EA219C14D8D327F3505E4AC9EE16884A0515904E22B
SHA-512: D518A4346F868E45411FE036C4F6C57811139EA35D79C8E3EA9086D5944EF951EBFED972437CB0385426DDD2E4D4FC05F288CC79905E5B766C153E2B4762853F
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\pumpkin-2.7.3.exe
File Type: MS Compress archive data, SZDD variant, original size: 17064 bytes
Category: dropped
Size (bytes): 11407
Entropy (8bit): 7.240541475148362
Encrypted: false
SSDEEP: 192:1r6ndgAfV4PN7TjSsOuKASU52q4jh+wqs+Alj1Rnb/wtkX:1rgdgoq17T3GU56MuJRb8kX
MD5: 01BC4905C85045112238A8343C2D56A3
SHA1: E5C60451C17DFA2E59776E44D1475FBC639EE081
SHA-256: 5616BFC4813A4D4523B2FD9011CAE6F913A374B8D1597B9009D31CFE0A6C9262
SHA-512: A48EDF82F8ECA88400A1228B41C1BF9E81D7B1D107413A5457EB0E8550CD51B787BE4C01E971FD02D0973E9244CA94BFBD98736F3F7D1DAF664E03FFF8CAD717
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\pumpkin-2.7.3.exe
File Type: MS Compress archive data, SZDD variant, original size: 387 bytes
Category: dropped
Size (bytes): 236
Entropy (8bit): 6.164144774614526
Encrypted: false
SSDEEP: 6:gFIP45nqFQkC7WvKqKqtkM6BlhXrE4Llf5vDWJNzgy7Cg:gFIP4N4oDqKNBPjldDWLgSCg
MD5: 1D71B99090BF3373C607D8A57316621B
SHA1: 0CB3746E3DAF70CC8988CB82DF9FAC7788A24EE9
SHA-256: 37EDC94DDC0D78E4588C60F1ECCD4D8B4301BC6FFB745693B23589F4C75420A0
SHA-512: C2B0FCA5B3D1DCA8DC2625C9A048597EBE3212F2C0A5CE4BB83FBAF5F20EE3C676E2564E984A32616C878EF7F4DE1A909845A6EAF6215E2133BBA21FB29CF633
Malicious: false
Reputation: low
        Preview:SZDD..'3A......:Base Pu.mpKIN.hl.p>Standa.rd..:Tit.l....1..2 _About..=)..%.What's .New=G.s%.U.sing..S... .DialogN.C.onfirm R.ead..quesutq.=}.RRQy..Write..}.W......f.Opti.onN.Serve.r..=....Net.work......o.unds..B...A.ccess Li.sts=ACL...
        Process:C:\Users\user\Desktop\pumpkin-2.7.3.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Tue Jan 28 06:53:36 2025, mtime=Tue Jan 28 06:53:36 2025, atime=Tue Jan 28 06:53:36 2025, length=149504, window=hide
        Category:dropped
        Size (bytes):951
        Entropy (8bit):4.575188011323708
        Encrypted:false
        SSDEEP:12:8il0RYXxjh9wTbdpF44e2OaOdrNXexKxx0fnzjAfV/Q2bdp5JSPcEhEfmV:8Agbdzcr2K3cAfV1dHFZm
        MD5:CB49794FA6BF765873CCFCBB13E68A91
        SHA1:8A071ECB655A89F9AF130B6524AE80B9E090F984
        SHA-256:66DB4A32DEB62F5D83E45967A6C441069911B2B8D2DA0B747BEE9E216E954426
        SHA-512:5D8901665CC8E04965775239048F9BACB3842C3668F678404B79A8941D627DB7B4490B110F61AFA029482E9DF701F39E22D308B16E222F404467739A664C99E3
        Malicious:false
        Reputation:low
        Preview:L..................F.... ...@.\.Yq.._B_.Yq..@.\.Yq...H...........................P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.IEW.S....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....<Z.>..Klever..>......<Z.><Z.>....J......................L..K.l.e.v.e.r.....Z.1.....<Z.>..Nothings..B......<Z.><Z.>....K.........................N.o.t.h.i.n.g.s.....b.2..H..<Z.> .PumpKIN.exe.H......<Z.><Z.>....M......................L..P.u.m.p.K.I.N...e.x.e.......[...............-.......Z...........r,.q.....C:\Program Files\Klever\Nothings\PumpKIN.exe....P.u.m.p.K.I.N.D.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.K.l.e.v.e.r.\.N.o.t.h.i.n.g.s.\.P.u.m.p.K.I.N...e.x.e.`.......X.......965543...........hT..CrF.f4... .....jc...+...E...hT..CrF.f4... .....jc...+...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.262668404624566
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.94%
        • Win16/32 Executable Delphi generic (2074/23) 0.02%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • VXD Driver (31/22) 0.00%
        File name:pumpkin-2.7.3.exe
        File size:147'968 bytes
        MD5:c70df19686f26debc376cccd7ce301a3
        SHA1:c7ab4a5b2a34bb9702f55ecedc17a9fa7debc59a
        SHA256:a1b0099a0bc502993158f6bb8daf3c96506f2362418aa78c1fe9b8425376aee9
        SHA512:0c8a0afedef47cb61ab569934d0ade02b9dde5fdced07ff9e96b9df00279d62365cee40f8f1fb28466ed8db4aa5daeb5749d1809060cb4de0205974d6ed6555e
        SSDEEP:3072:dGIjgwfvvGVnP+9530FqiONtoMp/7ZNPHGuOLR:dxjPvcG95kcNmgznPHGP
        TLSH:4BE3E07BE59A8CB1D5E6067D00B9379A8E37AF70E7254DD7D3902838DC339D0663824A
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.M.................t.........../............@........................................................................
        Icon Hash:0b1fb7964b363b0e
        Entrypoint:0x402fc0
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        DLL Characteristics:
        Time Stamp:0x4DB8439E [Wed Apr 27 16:26:06 2011 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:62281f8202617fbdebbadcac219b8e81
        Instruction
        mov eax, dword ptr fs:[00000000h]
        push ebp
        mov ebp, esp
        push FFFFFFFFh
        push 00409450h
        push 00405D64h
        push eax
        mov dword ptr fs:[00000000h], esp
        sub esp, 60h
        push ebx
        push esi
        push edi
        mov dword ptr [ebp-18h], esp
        call dword ptr [0040D268h]
        mov dword ptr [0040A69Ch], eax
        xor eax, eax
        mov al, byte ptr [0040A69Dh]
        mov dword ptr [0040A6A8h], eax
        mov eax, dword ptr [0040A69Ch]
        shr dword ptr [0040A69Ch], 10h
        and eax, 000000FFh
        mov dword ptr [0040A6A4h], eax
        shl eax, 08h
        add eax, dword ptr [0040A6A8h]
        mov dword ptr [0040A6A0h], eax
        call 00007F03C0B952BFh
        test eax, eax
        jne 00007F03C0B925CCh
        push 0000001Ch
        call 00007F03C0B926F4h
        add esp, 04h
        mov dword ptr [ebp-04h], 00000000h
        call 00007F03C0B950C5h
        call 00007F03C0B950B0h
        call dword ptr [0040D264h]
        mov dword ptr [0040CC20h], eax
        call 00007F03C0B94C50h
        mov dword ptr [0040A650h], eax
        test eax, eax
        je 00007F03C0B925CBh
        cmp dword ptr [0040CC20h], 00000000h
        jne 00007F03C0B925CCh
        push FFFFFFFFh
        call 00007F03C0B945C7h
        add esp, 04h
        call 00007F03C0B949AFh
        call 00007F03C0B948BAh
        call 00007F03C0B94585h
        mov esi, dword ptr [0040CC20h]
        mov al, byte ptr [esi]
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x8c | .idata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x18f7c | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x27000 | 0x738 | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0xd1c8 | 0x13c | .idata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x7356 | 0x7400 | 6cda577795530a6bdb8e5ac96377b65e | False | 0.5414870689655172 | data | 6.378140211666413 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata | 0x9000 | 0xa70 | 0xc00 | c26d19dc65337ad5fc37f9a3f0e93f8d | False | 0.310546875 | data | 3.8405315488358767 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data | 0xa000 | 0x2c24 | 0x1a00 | c6e07bbc1ea42cbac1515ac79b15f24b | False | 0.193359375 | Matlab v4 mat-file (little endian) \200y@, numeric, rows 4219008, columns 0 | 2.6305171993722247 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .idata | 0xd000 | 0x82c | 0xa00 | d9877bd20f29611bb50f027619bdb1cd | False | 0.3984375 | data | 4.453418786815203 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rsrc | 0xe000 | 0x18f7c | 0x19000 | 00a1a7a8089b5f9d1155b21364bb1f2a | False | 0.92599609375 | data | 7.641612169076372 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x27000 | 0x9da | 0xa00 | ef86229b9e53e4b6920544bb3ac7b65c | False | 0.640625 | data | 5.499141507211834 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
        RT_ICON | 0xe358 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.4112903225806452
        RT_ICON | 0xe640 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States | 0.4129061371841155
        RT_DIALOG | 0xe250 | 0x108 | data | English | United States | 0.5946969696969697
        RT_RCDATA | 0x24200 | 0xec | MS Compress archive data, SZDD variant, original size: 387 bytes | English | United States | 1.0466101694915255
        RT_RCDATA | 0xf2ec | 0x14f13 | MS Compress archive data, SZDD variant, original size: 149504 bytes | English | United States | 0.9542312220939857
        RT_RCDATA | 0x242ec | 0x2c8f | MS Compress archive data, SZDD variant, original size: 17064 bytes | English | United States | 0.9118962040852109
        RT_GROUP_ICON | 0xeee8 | 0x22 | data | English | United States | 1.0588235294117647
        RT_VERSION | 0xef0c | 0x3e0 | data | English | United States | 0.4153225806451613
        DLL | Import
        KERNEL32.dll | LockResource, LoadResource, SizeofResource, FindResourceA, GetTempFileNameA, GetTempPathA, GetShortPathNameA, CreateFileA, HeapReAlloc, ReadFile, SetEndOfFile, LoadLibraryA, GetProcAddress, SetFilePointer, FlushFileBuffers, WriteFile, DeleteFileA, CloseHandle, MultiByteToWideChar, CreateDirectoryA, SetStdHandle, VirtualAlloc, IsBadCodePtr, IsBadWritePtr, IsBadReadPtr, SetUnhandledExceptionFilter, VirtualFree, HeapCreate, HeapDestroy, GetStdHandle, RtlUnwind, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, HeapFree, GetLastError, HeapAlloc, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, GetCPInfo, GetACP, GetOEMCP, SetHandleCount, GetFileType, HeapSize
        USER32.dll | SetWindowTextA, MessageBoxA, SetDlgItemTextA, EndDialog, SetWindowPos, DialogBoxParamA, GetDlgItemTextA
        ADVAPI32.dll | RegSetValueExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RegCreateKeyExA
        SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA
        ole32.dll | CoInitialize, CoUninitialize, CoCreateInstance
        VERSION.dll | VerInstallFileA
        Language of compilation system | Country where language is spoken | Map
        English | United States |
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Jan 28, 2025 08:53:29.968595028 CET | 1.1.1.1 | 192.168.2.10 | 0x36d8 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
        Jan 28, 2025 08:53:29.968595028 CET | 1.1.1.1 | 192.168.2.10 | 0x36d8 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
        Jan 28, 2025 08:53:49.301665068 CET | 1.1.1.1 | 192.168.2.10 | 0x463b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
        Jan 28, 2025 08:53:49.301665068 CET | 1.1.1.1 | 192.168.2.10 | 0x463b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false

        Target ID:0
        Start time:02:53:31
        Start date:28/01/2025
        Path:C:\Users\user\Desktop\pumpkin-2.7.3.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\pumpkin-2.7.3.exe"
        Imagebase:0x400000
        File size:147'968 bytes
        MD5 hash:C70DF19686F26DEBC376CCCD7CE301A3
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Execution Graph

        Execution Coverage

        Dynamic/Packed Code Coverage

        Signature Coverage

        Execution Coverage:25.2%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:8.8%
        Total number of Nodes:749
        Total number of Limit Nodes:49

        Executed Functions

        Control-flow Graph

        APIs
        • GetTempPathA.KERNEL32(00000104,000000FF,?,000000FF,?,00401119,PumpKIN.ex_,00000000), ref: 00401C1E
        • GetTempFileNameA.KERNEL32(000000FF,KGI,00000000,00401119,?,?,000000FF,?,00401119,PumpKIN.ex_,00000000), ref: 00401C6A
        • FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 00401C87
        • SizeofResource.KERNEL32(00000000,00000000,?,?,000000FF,?,00401119,PumpKIN.ex_,00000000), ref: 00401CA1
        • LoadResource.KERNEL32(00000000,00000000,?,?,000000FF,?,00401119,PumpKIN.ex_,00000000), ref: 00401CBE
        • LockResource.KERNEL32(00000000,?,?,000000FF,?,00401119,PumpKIN.ex_,00000000), ref: 00401CD7
        • CreateFileA.KERNEL32(00401119,C0000000,00000003,00000000,00000002,00000100,00000000,?,?,000000FF,?,00401119,PumpKIN.ex_,00000000), ref: 00401D07
        • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00401D31
        • CloseHandle.KERNEL32(00000000), ref: 00401D49
        • VerInstallFileA.VERSION(00000000,00401119,00401119,00401119,?,00000000,?,?), ref: 00401DF7
        • DeleteFileA.KERNEL32(?,00000000,00401119,00401119,00401119,?,00000000,?,?), ref: 00401E04
        • DeleteFileA.KERNEL32(?,00000000,00401119,00401119,00401119,?,00000000,?,?), ref: 00401E3B
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: File$Resource$DeleteTemp$CloseCreateFindHandleInstallLoadLockNamePathSizeofWrite
        • String ID: KGI
        • API String ID: 3061520625-867605445
        • Opcode ID: 0c5ab8f4b6b0d7b0a877f74b574ea0b9c2a1fa9ce1cce76b2f54af3384662fe8
        • Instruction ID: a5a31172c7e30b159138843eafa13357e3cca2f728ab3ca88c0b9538e8145737
        • Opcode Fuzzy Hash: 0c5ab8f4b6b0d7b0a877f74b574ea0b9c2a1fa9ce1cce76b2f54af3384662fe8
        • Instruction Fuzzy Hash: B971F670944245EBEB11DBF4CE09BAEBBA4AF54314F10016AF805B73D1CBB88D0087AA
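The API list above is the installer's payload drop: an RT_RCDATA resource (FindResourceA with lpType 0000000A) is written to a file obtained from GetTempFileNameA with prefix KGI, opened with GENERIC_READ|GENERIC_WRITE, CREATE_ALWAYS and FILE_ATTRIBUTE_TEMPORARY, handed to VerInstallFileA (which decompresses LZ-compressed input such as the PumpKIN.ex_ name visible in the arguments) and then deleted. The script below is an added example, not code from this report or from PumpKIN: it parses Joe Sandbox API lines of the form shown above (the sample lines are the twelve listed for this function), decodes the raw CreateFileA constants, and reports the chain only when the eight calls occur in that address order. It assumes Joe Sandbox's listing convention that the real parameters come first in the argument list, followed by further raw stack slots.

```python
"""Reconstruct an installer's resource-drop chain from Joe Sandbox API trace lines.

Added example, not code from the report or from PumpKIN. SAMPLE_TRACE holds the
API lines listed for the function at 00401C1E in this report. Assumption: Joe
Sandbox prints the real parameters first, then further raw stack slots, each as
8 hex digits, '?' for unknown, or a resolved string.
"""
import re
from dataclasses import dataclass

TRACE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")

# Sample input: the API lines from this report's first executed function.
SAMPLE_TRACE = """\
• GetTempPathA.KERNEL32(00000104,000000FF,?,000000FF,?,00401119,PumpKIN.ex_,00000000), ref: 00401C1E
• GetTempFileNameA.KERNEL32(000000FF,KGI,00000000,00401119,?,?,000000FF,?,00401119,PumpKIN.ex_,00000000), ref: 00401C6A
• FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 00401C87
• SizeofResource.KERNEL32(00000000,00000000,?,?,000000FF,?,00401119,PumpKIN.ex_,00000000), ref: 00401CA1
• LoadResource.KERNEL32(00000000,00000000,?,?,000000FF,?,00401119,PumpKIN.ex_,00000000), ref: 00401CBE
• LockResource.KERNEL32(00000000,?,?,000000FF,?,00401119,PumpKIN.ex_,00000000), ref: 00401CD7
• CreateFileA.KERNEL32(00401119,C0000000,00000003,00000000,00000002,00000100,00000000,?,?,000000FF,?,00401119,PumpKIN.ex_,00000000), ref: 00401D07
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00401D31
• CloseHandle.KERNEL32(00000000), ref: 00401D49
• VerInstallFileA.VERSION(00000000,00401119,00401119,00401119,?,00000000,?,?), ref: 00401DF7
• DeleteFileA.KERNEL32(?,00000000,00401119,00401119,00401119,?,00000000,?,?), ref: 00401E04
• DeleteFileA.KERNEL32(?,00000000,00401119,00401119,00401119,?,00000000,?,?), ref: 00401E3B
"""

# Documented Win32 constants used to decode the raw arguments.
RESOURCE_TYPES = {3: "RT_ICON", 10: "RT_RCDATA", 16: "RT_VERSION", 24: "RT_MANIFEST"}
ACCESS_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
               0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRIBUTE_TEMPORARY = 0x100

# The drop sequence, in the call-site address order it must appear in.
DROP_ORDER = ["FindResourceA", "LoadResource", "LockResource", "CreateFileA",
              "WriteFile", "CloseHandle", "VerInstallFileA", "DeleteFileA"]


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int  # return address of the call site


def parse_trace(text):
    """Turn report lines into Call records; lines without an API call are skipped."""
    calls = []
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")]
            calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16)))
    return calls


def as_int(arg):
    """8 hex digits is a numeric slot; '?' and resolved strings are not."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_create_file(call):
    """CreateFileA(lpFileName, dwDesiredAccess, dwShareMode, lpSA,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplate)."""
    access = as_int(call.args[1]) or 0
    flags = as_int(call.args[5]) or 0
    return {
        "access": [name for bit, name in ACCESS_BITS.items() if access & bit],
        "disposition": DISPOSITION.get(as_int(call.args[4])),
        "temporary": bool(flags & FILE_ATTRIBUTE_TEMPORARY),
    }


def find_drop_chain(calls):
    """Summarise the resource -> temp file -> VerInstallFile -> delete chain, or None if absent."""
    first = {}
    for c in sorted(calls, key=lambda c: c.ref):
        first.setdefault(c.api, c)  # first call site of each API
    if any(api not in first for api in DROP_ORDER):
        return None
    refs = [first[api].ref for api in DROP_ORDER]
    if refs != sorted(refs):
        return None  # all present, but not in drop order
    rtype = as_int(first["FindResourceA"].args[2])  # lpType
    prefix = next((c.args[1] for c in calls if c.api == "GetTempFileNameA"), None)
    return {
        "resource_type": RESOURCE_TYPES.get(rtype, f"#{rtype}"),
        "temp_prefix": prefix,
        "create": decode_create_file(first["CreateFileA"]),
        "installed_via": f"{first['VerInstallFileA'].api}.{first['VerInstallFileA'].module}",
        "delete_count": sum(1 for c in calls if c.api == "DeleteFileA"),
    }


if __name__ == "__main__":
    for key, value in find_drop_chain(parse_trace(SAMPLE_TRACE)).items():
        print(f"{key}: {value}")
```

The order check matters: the same eight APIs scattered across a binary are ordinary installer code, while this exact sequence inside one function is what marks an embedded-payload drop, so the result should be read together with the resource table of the sample (the report's "PE file contains executable resources" signature) rather than on its own.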

        Control-flow Graph: function 004016E0 (figure with executed and not-executed basic blocks; not reproduced). Calls 00401490, 00402DA0, 00402DB0, 00401630, 00401A76, 00401A7E and 00401A90; MultiByteToWideChar at 004019FB.
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: Open
        • String ID: .lnk$Programs$P3v$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
        • API String ID: 71445658-3005992384
        • Opcode ID: 42c899b069ef8a41166651d29eea54dbe819894e70f8668e9e1eedbff5ed87e2
        • Instruction ID: a19e13292f8380b4f6beb8bf398723660a7fc269e39fee1f2872d4ed78cd8de9
        • Opcode Fuzzy Hash: 42c899b069ef8a41166651d29eea54dbe819894e70f8668e9e1eedbff5ed87e2
        • Instruction Fuzzy Hash: 6AB19475A005094BCB18CABD8909A6EBBA6FB84330F24432DF926E77D5DF799D04C790

        Control-flow Graph

        APIs
          • Part of subcall function 00401490: RegOpenKeyExA.KERNEL32(?,?,00000000,00000001,00401030,?,?,?,00401030,80000002,Software\Klever Group,PumpKINPath,?,00401476,000000FF), ref: 004014BE
          • Part of subcall function 00401490: RegQueryValueExA.KERNEL32(00401030,80000002,00000000,?,00000000,?,?,?,?,00401030,80000002,Software\Klever Group,PumpKINPath,?,00401476,000000FF), ref: 004014F8
          • Part of subcall function 00401490: RegQueryValueExA.KERNEL32(00401030,80000002,00000000,?,00000000,?,?,00401030,80000002,Software\Klever Group,PumpKINPath,?,00401476,000000FF,?,004028D6), ref: 0040153A
          • Part of subcall function 00401490: RegCloseKey.KERNEL32(00401030,?,?,?,00401030,80000002,Software\Klever Group,PumpKINPath,?,00401476,000000FF,?,004028D6), ref: 00401561
        • MessageBoxA.USER32(00000000,Failed to install PumpKIN 2.7.3 in specified directory,00000000,00000010), ref: 004010F5
        • MessageBoxA.USER32(00000000,Failed to install PumpKIN 2.7.3,00000000,00000010), ref: 004011D3
        • MessageBoxA.USER32(00000000,PumpKIN 2.7.3 installed successfully, you may now run it from 'Programs/Klever Group' menu or remove it using Control Panel Add/Remove Programs applet., Rejoice!,00000040), ref: 00401408
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: Message$QueryValue$CloseOpen
        • String ID: Enter destination path:$[%s]$ PumpKIN 2.7.3$ Rejoice!$2.7.3$AddReg=kFilesDelReg=kRegUpdateInis=kMenu$C:\Program Files\Klever\Nothings$Failed to install PumpKIN 2.7.3$Failed to install PumpKIN 2.7.3 in specified directory$HKLM,Software\Microsoft\Windows\CurrentVersion\DeleteFiles\%s,%s,,"%s"$HKLM,Software\Microsoft\Windows\CurrentVersion\DeleteFiles\%s,,,"%s"$HKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\%sHKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\%s,DisplayNameHKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\%s,UninstallString$KINPath$Klever Group$Klever PumpKIN$Klever PumpKIN 2.7.3$PumpKIN$PumpKIN 2.7.3 installed successfully, you may now run it from 'Programs/Klever Group' menu or remove it using Control Panel Add/Remove Programs applet.$PumpKIN.FTS$PumpKIN.GID$PumpKIN.INF$PumpKIN.cn_$PumpKIN.cnt$PumpKIN.ex_$PumpKIN.exe$PumpKIN.hl_$PumpKIN.hlp$PumpKIN.inf$PumpKINFiles$PumpKINPath$Software\Klever Group$Uninstall$[Version]Signature="$CHICAGO$"$http://kin.klever.net/pumpkin/$http://www.klever.net/$kFiles$kMenu$kReg$setup.ini, group%d,, """%s"""$setup.ini, progman.groups,,"group%d=%s"
        • API String ID: 1983656973-2325622172
        • Opcode ID: 1df89ab57b859d41231cda8f3554915887b5722172be72b08d677eec978b3028
        • Instruction ID: f9d04117f8b8a3353a20f7c150dd9e11b95987636a2ae5ebef1128d93d694e86
        • Opcode Fuzzy Hash: 1df89ab57b859d41231cda8f3554915887b5722172be72b08d677eec978b3028
        • Instruction Fuzzy Hash: BC9179B5E84304B6E600B6A46D0FF6E76649B20B0DF24407BF805762D3E6FE162442AF

        Control-flow Graph

        APIs
        • SetWindowTextA.USER32(?, PumpKIN 2.7.3), ref: 00401ECC
        • SetDlgItemTextA.USER32(?,000003EB,Enter destination path:), ref: 00401EE4
        • SetDlgItemTextA.USER32(?,000003EC,C:\Program Files\Klever\Nothings), ref: 00401EF1
        • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 00401F00
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: Text$ItemWindow
        • String ID: Enter destination path:$ PumpKIN 2.7.3$C:\Program Files\Klever\Nothings$Select Folder..
        • API String ID: 2864114372-2059787556
        • Opcode ID: 6c41cf8d9eee41c1f0997096da81da1374c27bbbb29472382f982afc91cc2df4
        • Instruction ID: f9a32fa64518647f50dd01165714467cbf1937cb389841d67b18c09a35e87f14
        • Opcode Fuzzy Hash: 6c41cf8d9eee41c1f0997096da81da1374c27bbbb29472382f982afc91cc2df4
        • Instruction Fuzzy Hash: 2F4136366002212BE321A759DC96FAF7698EB84311F00453AF581F63E0C3B8D94687DE

        Control-flow Graph: function 00402200 (figure not reproduced). Calls 00402130, 00402DA0 and 00402445; RegSetValueExA at 00402238 and 004023B3.
        APIs
          • Part of subcall function 00402130: RegCreateKeyExA.KERNEL32(80000002,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 004021AA
        • RegSetValueExA.KERNEL32(?,DisplayName,00000000,00000001,00000000,FFFFFFFF), ref: 00402264
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: CreateValue
        • String ID: 132 $DisplayName$RunDll32 setupapi.dll,InstallHinfSection $UninstallString$`{$m`|$m
        • API String ID: 2259555733-1087366250
        • Opcode ID: 526ba95c6699b1cc3715c759eb95384972d725e573228094f40c84278d81c7d9
        • Instruction ID: b277ff3567276c6a71381190ddb86931cd96e247484ec267d56697186a957bda
        • Opcode Fuzzy Hash: 526ba95c6699b1cc3715c759eb95384972d725e573228094f40c84278d81c7d9
        • Instruction Fuzzy Hash: A9516E76B0050A4BCB18C9BD9D1966FBB96FB84330F644329B926E77C4DEB99D018680
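The UninstallString this function writes, RunDll32 setupapi.dll,InstallHinfSection <section> 132 <inf>, means that uninstalling runs whatever the INF dropped by the installer (PumpKIN.inf) says, so triage of this sample includes reading that INF, and a host check would confirm that the file sits in a directory standard users cannot write to, because setupapi processes its contents at uninstall time. The script below is an added example, not code from this report or from PumpKIN: it parses the UninstallString, decodes mode 132 (128: source files are taken from the INF's own directory; 4: never reboot) and lists the AddReg, DelReg and UpdateInis effects of the named section. The INF text is constructed from the directive names and line templates in the main installer function's string list above ([Version]Signature="$CHICAGO$", AddReg=kFiles, DelReg=kReg, UpdateInis=kMenu, the DeleteFiles and setup.ini templates), with the %s/%d placeholders filled from other strings in this report; the section name Uninstall and the INF path are assumptions, since the real PumpKIN.inf is not on the page.

```python
"""List what a setupapi InstallHinfSection uninstall would do, from its INF.

Added example; not code from the report or from PumpKIN. SAMPLE_INF is
constructed from the directive names and line templates in the report's string
list, with %s/%d filled from other strings in the report. Assumptions: the
section is named Uninstall and the INF lives in the install directory.
"""
import re

SAMPLE_UNINSTALL_STRING = (
    r"RunDll32 setupapi.dll,InstallHinfSection Uninstall 132 "
    r"C:\Program Files\Klever\Nothings\PumpKIN.inf")

SAMPLE_INF = r'''[Version]
Signature="$CHICAGO$"

[Uninstall]
AddReg=kFiles
DelReg=kReg
UpdateInis=kMenu

[kFiles]
HKLM,Software\Microsoft\Windows\CurrentVersion\DeleteFiles\Klever PumpKIN,PumpKIN.exe,,"C:\Program Files\Klever\Nothings\PumpKIN.exe"
HKLM,Software\Microsoft\Windows\CurrentVersion\DeleteFiles\Klever PumpKIN,,,"C:\Program Files\Klever\Nothings"

[kReg]
HKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\Klever PumpKIN
HKLM,Software\Klever Group,PumpKINPath

[kMenu]
setup.ini, progman.groups,,"group1=Klever Group"
setup.ini, group1,, """C:\Program Files\Klever\Nothings\PumpKIN.exe"""
'''

UNINSTALL_RE = re.compile(
    r"(?i)^\s*rundll32(?:\.exe)?\s+setupapi\.dll,InstallHinfSection\s+(\S+)\s+(\d+)\s+(.+?)\s*$")

# Directive -> (kind, index of the 'name/old' field, index of the 'data/new' field).
DIRECTIVES = {"addreg": ("AddReg", 2, 4), "delreg": ("DelReg", 2, None),
              "updateinis": ("UpdateInis", 2, 3)}


def parse_uninstall_string(cmd):
    """Split 'RunDll32 setupapi.dll,InstallHinfSection <section> <mode> <inf>' and decode the mode bits."""
    m = UNINSTALL_RE.match(cmd)
    if not m:
        return None
    mode = int(m.group(2))
    return {
        "section": m.group(1),
        "mode": mode,
        "inf_path": m.group(3),
        "inf_dir_is_source": bool(mode & 128),  # 128: source path is the INF's directory
        "never_reboot": bool(mode & 4),         # 4: never reboot
    }


def parse_inf(text):
    """Map section name -> raw entry lines. ';' starts a comment (also inside quotes; a known limit)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def split_fields(line):
    """Split an INF entry on commas outside quotes; a doubled quote inside quotes is a literal quote."""
    fields, cur, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            if quoted and line[i + 1:i + 2] == '"':
                cur.append('"')
                i += 1
            else:
                quoted = not quoted
        elif ch == "," and not quoted:
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur).strip())
    return fields


def effects(sections, section):
    """Expand the AddReg/DelReg/UpdateInis directives of one install section.

    Returns (kind, target, name-or-old-entry, data-or-new-entry) tuples:
    AddReg/DelReg target is root\\subkey, UpdateInis target is 'file [section]'."""
    out = []
    for entry in sections.get(section, []):
        key, _, value = entry.partition("=")
        spec = DIRECTIVES.get(key.strip().lower())
        if spec is None:
            continue  # CopyFiles, DelFiles etc. are not expanded here
        kind, name_ix, data_ix = spec
        for ref in (v.strip() for v in value.split(",") if v.strip()):
            for line in sections.get(ref, []):
                f = split_fields(line) + [""] * 5  # pad optional fields
                target = f"{f[0]}\\{f[1]}" if kind != "UpdateInis" else f"{f[0]} [{f[1]}]"
                out.append((kind, target, f[name_ix], f[data_ix] if data_ix is not None else ""))
    return out


if __name__ == "__main__":
    cmd = parse_uninstall_string(SAMPLE_UNINSTALL_STRING)
    print(f"section={cmd['section']} mode={cmd['mode']} inf={cmd['inf_path']}")
    for kind, target, a, b in effects(parse_inf(SAMPLE_INF), cmd["section"]):
        print(f"{kind:10} {target}  {a!r} -> {b!r}")
```

For an UpdateInis line, an empty old entry with a new entry present adds the line, an old entry with no new entry deletes it; the parser reports both fields and leaves that reading to the analyst.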

        Control-flow Graph: function 00402790 (figure not reproduced). Calls 00402130; RegSetValueExA at 004027AE and 004027DD.
        APIs
          • Part of subcall function 00402130: RegCreateKeyExA.KERNEL32(80000002,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 004021AA
        • RegSetValueExA.KERNEL32(00000000,URLInfoAbout,00000000,00000001,?,FFFFFFFF,http://kin.klever.net/pumpkin/), ref: 004027D5
        • RegSetValueExA.KERNEL32(00000000,URLUpdateInfo,00000000,00000001,?,FFFFFFFF), ref: 004027FA
        • RegCloseKey.ADVAPI32(00000000), ref: 00402803
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: Value$CloseCreate
        • String ID: URLInfoAbout$URLUpdateInfo$`{$m`|$m
        • API String ID: 390822645-2544853655
        • Opcode ID: e54ccadbd3f9fb6654a2b535b211c7ea5580a93f83f20762cf6dd3d0c0f1b1ac
        • Instruction ID: b48ee3b1db00390217ee6b0ee63d2bcfcf3b823876655c4f13726fc8b56e6ccb
        • Opcode Fuzzy Hash: e54ccadbd3f9fb6654a2b535b211c7ea5580a93f83f20762cf6dd3d0c0f1b1ac
        • Instruction Fuzzy Hash: 5A01D6B671031127E62095B9AD89F2B7B9CCBC47B1F214736BA15E72C1DEB5DC0042B8

        Control-flow Graph: function 004061A0 (figure not reproduced). VirtualAlloc at 004061B2 and 004061D2; VirtualFree at 004062E4; HeapFree at 004062FA.
        APIs
        • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,?,?,00405D40), ref: 004061C6
        • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,?,?,00405D40), ref: 004061DF
        • HeapAlloc.KERNEL32(?,00000000,00000814,?,?,?,?,00405D40), ref: 00406226
        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,00405D40), ref: 004062EC
        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00405D40), ref: 00406303
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: AllocVirtual$FreeHeap
        • String ID: p^dw
        • API String ID: 714016831-3819517446
        • Opcode ID: c4e506b14892004182f7901ce7895bd058e200451d11f1f1d2f8dd37e52c4cde
        • Instruction ID: 471abb98496ac7b9e01ed937088d0e2d155d4165dba6df94ac175a38f9311d0b
        • Opcode Fuzzy Hash: c4e506b14892004182f7901ce7895bd058e200451d11f1f1d2f8dd37e52c4cde
        • Instruction Fuzzy Hash: 8B31BF727403459BD720AF689E80B62B7D4EB44710F1184BEF245BB6C1C7B8A894CF9D

        Control-flow Graph: function 00402450 (figure not reproduced). Calls 00402130, 00402DA0, 00402F50 and 00402603; RegSetValueExA at 00402536.
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: Create
        • String ID: ;%d$DisplayIcon$`{$m`|$m
        • API String ID: 2289755597-3540858644
        • Opcode ID: de382187d74b210d51608e7fce95f717ee2836a188bf76deafd1e4173fa524f6
        • Instruction ID: ff7d1e7f841f35fdd251f6f19e5a9dddbebf9659d804c2294d107f776ddff95c
        • Opcode Fuzzy Hash: de382187d74b210d51608e7fce95f717ee2836a188bf76deafd1e4173fa524f6
        • Instruction Fuzzy Hash: 3A41A176A005095BCB18CABC9D1966FB7A6FB84330F24432DF936A76C4DEB99D008684

        Control-flow Graph: function 00401490 (figure not reproduced). RegOpenKeyExA at 00401490; RegQueryValueExA at 004014DB and 00401527; calls 00402DA0, 00402D90 and 00401592.
        APIs
        • RegOpenKeyExA.KERNEL32(?,?,00000000,00000001,00401030,?,?,?,00401030,80000002,Software\Klever Group,PumpKINPath,?,00401476,000000FF), ref: 004014BE
        • RegQueryValueExA.KERNEL32(00401030,80000002,00000000,?,00000000,?,?,?,?,00401030,80000002,Software\Klever Group,PumpKINPath,?,00401476,000000FF), ref: 004014F8
        • RegQueryValueExA.KERNEL32(00401030,80000002,00000000,?,00000000,?,?,00401030,80000002,Software\Klever Group,PumpKINPath,?,00401476,000000FF,?,004028D6), ref: 0040153A
        • RegCloseKey.KERNEL32(00401030,?,?,?,00401030,80000002,Software\Klever Group,PumpKINPath,?,00401476,000000FF,?,004028D6), ref: 00401561
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: QueryValue$CloseOpen
        • String ID: `{$m`|$m
        • API String ID: 1586453840-35624363
        • Opcode ID: 3c076ff014e4a093a7f40c27f2c4ab9d8d15534f2ec80afb967b8255e8a3e8cc
        • Instruction ID: f988848c99149686ec03fc7e91ad2b81191b03d08af33ced40707c840f86ca15
        • Opcode Fuzzy Hash: 3c076ff014e4a093a7f40c27f2c4ab9d8d15534f2ec80afb967b8255e8a3e8cc
        • Instruction Fuzzy Hash: 5F3147B2D00219ABCB10DFD9DD45BAFB7B8FB48700F00462AF516B7290D7789904CBA4

        Control-flow Graph: function 00407210 (figure not reproduced). Calls 00406A40, 004069D0, 00406B00, 00407630, 00407E30, 00407CC0 and 00403D90; CreateFileA at 0040743B, GetLastError at 00407466 and 0040748D, GetFileType at 00407482, CloseHandle at 0040748D.
        APIs
        • CreateFileA.KERNEL32(?,?,00000005,?,00000005,00000080,00000000,?,?,00000001,00000000,00000000), ref: 0040745D
        • GetLastError.KERNEL32(?,?,00000001,00000000,00000000), ref: 00407466
        • GetFileType.KERNEL32(00000000,?,?,00000001,00000000,00000000), ref: 00407483
        • CloseHandle.KERNEL32(00000000,?,?,00000001,00000000,00000000), ref: 0040748E
        • GetLastError.KERNEL32(?,?,00000001,00000000,00000000), ref: 00407494
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: ErrorFileLast$CloseCreateHandleType
        • String ID:
        • API String ID: 2834158390-0
        • Opcode ID: cd1ca799c3c153e2455781fc42eb290250c01b301e418b6f86acb16b7ad4c906
        • Instruction ID: 8ab95316801bed9bba2a321ec5d11fddda9a94c6f4c8f472850d20faf54e5eae
        • Opcode Fuzzy Hash: cd1ca799c3c153e2455781fc42eb290250c01b301e418b6f86acb16b7ad4c906
        • Instruction Fuzzy Hash: 38911572E0C2005AE7109A2CEC453AB7790AB81334F58063BFD54B63D2D77DA949E79B

        Control-flow Graph: function 004015B0 (figure not reproduced). RegSetValueExA at 004015E8.
        APIs
        • RegCreateKeyExA.KERNEL32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,PumpKINPath,00000000), ref: 004015D6
        • RegSetValueExA.KERNEL32(FFFFFFFF,?,00000000,00000001,?,FFFFFFFF,?,?,PumpKINPath,00000000), ref: 00401609
        • RegCloseKey.ADVAPI32(?,?,?,PumpKINPath,00000000), ref: 0040161B
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: CloseCreateValue
        • String ID: `{$m`|$m
        • API String ID: 1818849710-35624363
        • Opcode ID: 0eb8b72433b29253d3e3d74afaf2056cd1e0f962e6a5e57412abb314e70530fb
        • Instruction ID: 51f177b7ffeb216acb3c95b21dc4e52a479ba7ed0ce6c6877493d6a50e39a6b3
        • Opcode Fuzzy Hash: 0eb8b72433b29253d3e3d74afaf2056cd1e0f962e6a5e57412abb314e70530fb
        • Instruction Fuzzy Hash: 1001D6753042007BD610DB68EC85F6B77E8FBC8B11F10462CFA49DA1C0DA34D908C7A5

        Control-flow Graph: function 00402670 (figure not reproduced). Calls 00402130; RegSetValueExA at 0040268C.
        APIs
          • Part of subcall function 00402130: RegCreateKeyExA.KERNEL32(80000002,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 004021AA
        • RegSetValueExA.KERNEL32(00000000,DisplayVersion,00000000,00000001,?,FFFFFFFF,2.7.3), ref: 004026AD
        • RegCloseKey.ADVAPI32(00000000), ref: 004026BA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: CloseCreateValue
        • String ID: DisplayVersion$`{$m`|$m
        • API String ID: 1818849710-1725224698
        • Opcode ID: 9f3a85d511cbb2cc63a4386df8e55c9055534d8fc06b1e3c196143f26439cd84
        • Instruction ID: 9ca4e6a378f1ce189a67497bf26d0f0a245d4e6a1fb0498a268a180cee55e2e6
        • Opcode Fuzzy Hash: 9f3a85d511cbb2cc63a4386df8e55c9055534d8fc06b1e3c196143f26439cd84
        • Instruction Fuzzy Hash: 72F0ECF670021127E21056F6AD8CE577B9CCBC0771F100536FA05E22C1DEB5DC0452B4

        Control-flow Graph
        • Nodes: 423 402610-402624 (call 402130); 426 402626-40262b; 427 40262c-402655 (RegSetValueExA); 428 402657; 429 402659-402665
        • Edges: 423->426, 423->427, 427->428, 427->429, 428->429
        APIs
          • Part of subcall function 00402130: RegCreateKeyExA.KERNEL32(80000002,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 004021AA
        • RegSetValueExA.KERNEL32(00000000,lComment,00000000,00000001,?,FFFFFFFF,Klever PumpKIN), ref: 0040264D
        • RegCloseKey.ADVAPI32(00000000), ref: 0040265A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: CloseCreateValue
        • String ID: `{$m`|$m$lComment
        • API String ID: 1818849710-2772053491
        • Opcode ID: 0c89ead952105b3193214deb6266a1bf1a8f60896cd3fd97fead6a81f1c8575f
        • Instruction ID: ba369759691c81e46a8632109d0eef22d82477deabf3543f7ac19e989f4f21e3
        • Opcode Fuzzy Hash: 0c89ead952105b3193214deb6266a1bf1a8f60896cd3fd97fead6a81f1c8575f
        • Instruction Fuzzy Hash: DBF0ECF670021127E21096F6AD8CF5B7B8CCBC0772F100536F605E22C1DAB5DC0442B5

        Control-flow Graph
        • Nodes: 439 4026d0-4026e4 (call 402130); 442 4026e6-4026eb; 443 4026ec-402715 (RegSetValueExA); 444 402717; 445 402719-402725
        • Edges: 439->442, 439->443, 443->444, 443->445, 444->445
        APIs
          • Part of subcall function 00402130: RegCreateKeyExA.KERNEL32(80000002,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 004021AA
        • RegSetValueExA.KERNEL32(00000000,InstallLocation,00000000,00000001,?,FFFFFFFF,00000000), ref: 0040270D
        • RegCloseKey.ADVAPI32(00000000), ref: 0040271A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: CloseCreateValue
        • String ID: InstallLocation$`{$m`|$m
        • API String ID: 1818849710-2833759455
        • Opcode ID: 70f2a1e188f02ba85173b24ffb3c039c3f6315a0e228bb52ba7cffca2eeb2d84
        • Instruction ID: e792602723c9e38e08aa3c3147cb5193c9fc262beee4ba93751d7a25cdbf371d
        • Opcode Fuzzy Hash: 70f2a1e188f02ba85173b24ffb3c039c3f6315a0e228bb52ba7cffca2eeb2d84
        • Instruction Fuzzy Hash: 06F0A7B670021027E62056BAAD8CE5B6A9CCBC0775F140536F605E22C1DAB5DC0442A4

        Control-flow Graph
        • Nodes: 447 402730-402744 (call 402130); 450 402746-40274b; 451 40274c-402775 (RegSetValueExA); 452 402777; 453 402779-402785
        • Edges: 447->450, 447->451, 451->452, 451->453, 452->453
        APIs
          • Part of subcall function 00402130: RegCreateKeyExA.KERNEL32(80000002,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 004021AA
        • RegSetValueExA.KERNEL32(00000000,Publisher,00000000,00000001,?,FFFFFFFF,Klever Group), ref: 0040276D
        • RegCloseKey.ADVAPI32(00000000), ref: 0040277A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: CloseCreateValue
        • String ID: Publisher$`{$m`|$m
        • API String ID: 1818849710-3136358734
        • Opcode ID: a4afef3e9ffdc5363a9a34c4fc2b1ac1829803d414c6fec4ead757605f63e29d
        • Instruction ID: f8a3f46e792d981a1668698b61e020b5c35b3f16fe9d1a2e66969c8053fb5809
        • Opcode Fuzzy Hash: a4afef3e9ffdc5363a9a34c4fc2b1ac1829803d414c6fec4ead757605f63e29d
        • Instruction Fuzzy Hash: 80F0A7B670021027E21056B6AD8CE576A9CCBC0771F14053AF605E32C1DAB5DC0442B5
        APIs
        • RegCreateKeyExA.KERNEL32(80000002,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 004021AA
        Strings
        • Software\Microsoft\Windows\CurrentVersion\Uninstall\%s, xrefs: 00402177
        • `|$m, xrefs: 004021AA
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: Create
        • String ID: Software\Microsoft\Windows\CurrentVersion\Uninstall\%s$`|$m
        • API String ID: 2289755597-1470019634
        • Opcode ID: e570cd58400c47476fe9e10dc912bc06b2038d0fd5bc485a8c356f12ce73de2a
        • Instruction ID: ee7226439d5c1a375b89a70a6c518c21839f7003acd1478df9da6352888a82f2
        • Opcode Fuzzy Hash: e570cd58400c47476fe9e10dc912bc06b2038d0fd5bc485a8c356f12ce73de2a
        • Instruction Fuzzy Hash: 47119BB1D40309ABD710DFA9CD45F6EB7B8FB04724F20032DB625B72C1D7B859009655
        APIs
        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406DFE
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: FileWrite
        • String ID:
        • API String ID: 3934441357-0
        • Opcode ID: 2fb6d83714dd2151b6a8864ad3a9edda2d88eb123c928b67a22aa7f7beab37b8
        • Instruction ID: 78d06d817b93117ff1dba56e36b9eca9ebbca9c738babefc5adf26bb9b6c59bb
        • Opcode Fuzzy Hash: 2fb6d83714dd2151b6a8864ad3a9edda2d88eb123c928b67a22aa7f7beab37b8
        • Instruction Fuzzy Hash: C051AF752043458BD320CF28E944B6AB7E4EBC4324F440A3EE995963D0D739E959CB9A
        APIs
        • GetCurrentProcess.KERNEL32(?,?,?,?,0040507E,?,00000000,00000000,0040306E,000000FF), ref: 004050C1
        • TerminateProcess.KERNEL32(00000000,?,?,?,0040507E,?,00000000,00000000,0040306E,000000FF), ref: 004050C8
        • ExitProcess.KERNEL32 ref: 00405149
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: Process$CurrentExitTerminate
        • String ID:
        • API String ID: 1703294689-0
        • Opcode ID: a0215b4209a51d86edf58e8f11469e38761df04bb7ab8f2dda1ffa77d775265e
        • Instruction ID: a360a94979c53dad6c146a79ab96522bd1adce5db21e39b798b817b905eaeb63
        • Opcode Fuzzy Hash: a0215b4209a51d86edf58e8f11469e38761df04bb7ab8f2dda1ffa77d775265e
        • Instruction Fuzzy Hash: 6501DE31E05700DBEA10AF68FF8870B3764E785349F14003AE801372D0C77A98988BAF
        APIs
        • DialogBoxParamA.USER32(00000000,00000066,00000000,00401EA0,00000000), ref: 004020A0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: DialogParam
        • String ID: C:\Program Files\Klever\Nothings
        • API String ID: 665744214-2429716587
        • Opcode ID: b536eda7ec05d3311a8045e14dec1f43f0f3d904d8ddea4c13352007d3490dce
        • Instruction ID: 95241a8fa88a58c06565326be84eb28460a8677c16cf20aa15131f7e171f6f93
        • Opcode Fuzzy Hash: b536eda7ec05d3311a8045e14dec1f43f0f3d904d8ddea4c13352007d3490dce
        • Instruction Fuzzy Hash: 24216072A005095BCB18DE789E0576EB7A6FB84720F64833AF925A77D0DBB49D008684
        APIs
        • RtlAllocateHeap.NTDLL(?,00000000,?,?,00404BFD,?,?,?,00404BC0,?,00000000,00405B51,00000100), ref: 00404C4E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: AllocateHeap
        • String ID: p^dw
        • API String ID: 1279760036-3819517446
        • Opcode ID: 77eae6f8545295dd8f820e25a0f5a261e9ee120baa0c81d09a16c725fabd4790
        • Instruction ID: 2bb2cbecfa1e8b3c15963ab8cdca3382bf4836f3ee711693de4740be58067e73
        • Opcode Fuzzy Hash: 77eae6f8545295dd8f820e25a0f5a261e9ee120baa0c81d09a16c725fabd4790
        • Instruction Fuzzy Hash: 7FD0C2A2D0112063FA1077287E08B4A73589B40318F070232FE11F73D5D234EC5086CC
        APIs
        • CreateDirectoryA.KERNEL32(?,00000000), ref: 0040168D
        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004016A3
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: CreateDirectory
        • String ID:
        • API String ID: 4241100979-0
        • Opcode ID: 918c7217770bd766bb22cc00c6c1ec9b608bfe85ecff9ca5761408f0ef84ec81
        • Instruction ID: d287d8b94738db8f98db2e7ef85a50928d724c91a991b4627ffccd70ffbf6202
        • Opcode Fuzzy Hash: 918c7217770bd766bb22cc00c6c1ec9b608bfe85ecff9ca5761408f0ef84ec81
        • Instruction Fuzzy Hash: CB11A571D04295AFEB11CBB8CD45B6ABFE8EB06720F1807AAF460A72D1C7B958008791
        APIs
        • GetShortPathNameA.KERNEL32(004010DA,?,00000001), ref: 0040283E
        • GetShortPathNameA.KERNEL32(004010DA,00000001,00000001), ref: 00402873
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: NamePathShort
        • String ID:
        • API String ID: 1295925010-0
        • Opcode ID: 1b4b34e89a39ff3c899d49461a160ad463037dee599248c2ae871b5cd359c383
        • Instruction ID: 3f03a869f7b47edafb3253a695d00ffadeea8ea170fc991b846cce0f808ca4c0
        • Opcode Fuzzy Hash: 1b4b34e89a39ff3c899d49461a160ad463037dee599248c2ae871b5cd359c383
        • Instruction Fuzzy Hash: 4B11A9B6D00249EBDB10EF99CE45FAEBBB8EF44724F10432AE514B32C0D779590187A5
        APIs
        • HeapCreate.KERNEL32(00000001,00001000,00000000,00403026), ref: 00405D29
        • HeapDestroy.KERNEL32(?), ref: 00405D4A
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: Heap$CreateDestroy
        • String ID:
        • API String ID: 3296620671-0
        • Opcode ID: cb904c20e2e2e58eb887ffc19ca0d50f88b307cc91d82a7a9c12a30983b916c6
        • Instruction ID: c7a5dc37bada3cdcb4e9746cfe8a5475a95ad98962ac91e88dc5231bded4be14
        • Opcode Fuzzy Hash: cb904c20e2e2e58eb887ffc19ca0d50f88b307cc91d82a7a9c12a30983b916c6
        • Instruction Fuzzy Hash: 22D05B7070120157EB1057745E097073294DB44746F504576B600F51D4FABCD4409D0C
        APIs
        • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,00000001,?,?,?,?,00000000,00000109), ref: 00403DF5
        • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,00000001,?,?,?,?,00000000,00000109,?), ref: 00403DFF
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: CloseErrorHandleLast
        • String ID:
        • API String ID: 918212764-0
        • Opcode ID: 58f19a03bd8c7bc64d957a26a5c289d251621b4c0467712f052b88a2e4097b7c
        • Instruction ID: 2338c4cafc0ffd4b4d374d5c0e3681221deae974cf1105acdd4040d848257187
        • Opcode Fuzzy Hash: 58f19a03bd8c7bc64d957a26a5c289d251621b4c0467712f052b88a2e4097b7c
        • Instruction Fuzzy Hash: D6112CB27042044BD610AFA9FC4976B3B58C741326F08027BF515A63D3E77AD9558196
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: InitializeUninitialize
        • String ID:
        • API String ID: 3442037557-0
        • Opcode ID: 41779b7680d7788bb62ab96d6e5518771f16c3f7f4e132b0fc61d37ecb15df16
        • Instruction ID: 320d0e5a8169cfe7f19aca99a545d4b903b1b7e3ef661626ffd7d458d85561dd
        • Opcode Fuzzy Hash: 41779b7680d7788bb62ab96d6e5518771f16c3f7f4e132b0fc61d37ecb15df16
        • Instruction Fuzzy Hash: A2C04C719042419BC304BBB0DE4D70A77E4EB44746F018C7AF145E54B5DB74C444AB59

        Non-executed Functions

        APIs
        • LoadLibraryA.KERNEL32(user32.dll,?,?,?,00406019,?,Microsoft Visual C++ Runtime Library,00012010,?,?,00000000), ref: 00407752
        • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040776A
        • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040777B
        • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00407788
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: AddressProc$LibraryLoad
        • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
        • API String ID: 2238633743-4044615076
        • Opcode ID: 9c51da0ddf403730dcba4ab9aedc071ba558d4d64a954dc3e65a0cdbe68aa713
        • Instruction ID: 10fb7629c377900b30fa279e69d3601a99ca2bb83e52827eb1a37b000ff1e974
        • Opcode Fuzzy Hash: 9c51da0ddf403730dcba4ab9aedc071ba558d4d64a954dc3e65a0cdbe68aa713
        • Instruction Fuzzy Hash: 55014873A152115BD711AB65DD85A3B77E8E785B9171C803AE808F33A1D738EC018ABD
        APIs
        • GetVersion.KERNEL32 ref: 00402FE6
          • Part of subcall function 00405D20: HeapCreate.KERNEL32(00000001,00001000,00000000,00403026), ref: 00405D29
        • GetCommandLineA.KERNEL32 ref: 00403045
        • GetStartupInfoA.KERNEL32(?), ref: 004030E0
        • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004030FF
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: CommandCreateHandleHeapInfoLineModuleStartupVersion
        • String ID:
        • API String ID: 2148641432-0
        • Opcode ID: 7294db93a2bd4ebd030d58668f0d7ba808433bd32b29ce46e40923227a057910
        • Instruction ID: 97f48933e41d6aca574c2ef85dd53701109bcb0e75d5c056859eb576dee1c966
        • Opcode Fuzzy Hash: 7294db93a2bd4ebd030d58668f0d7ba808433bd32b29ce46e40923227a057910
        • Instruction Fuzzy Hash: 774101B08053849EE721AFB59D0975ABFE8EB05315F18093BE4C4B32C2D73D55418B4E
        APIs
        • SetUnhandledExceptionFilter.KERNEL32(004060B0), ref: 004060A2
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID:
        • API String ID: 3192549508-0
        • Opcode ID: 672c449ea4487d501dd7956fc27ba63b561b8abf2970c4f28318d7a097b0dba0
        • Instruction ID: 9ef4bc77c925ca9e0e442dc5814e78ebfd798392a800d86c3345d90042cced7d
        • Opcode Fuzzy Hash: 672c449ea4487d501dd7956fc27ba63b561b8abf2970c4f28318d7a097b0dba0
        • Instruction Fuzzy Hash: CAB092F5EC020096DA00EBB16E47B063554E58471A722807BF807742D3EAB860255E6F
        APIs
        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00406116
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID:
        • API String ID: 3192549508-0
        • Opcode ID: 101a24b13129c36c86b309163fe0b80fd108dfa814054d0a9abe095d13b65fe3
        • Instruction ID: f5521ed53a89aabbdcb57b04b78d5009b38f1a3dcf3909ce7587918347d48519
        • Opcode Fuzzy Hash: 101a24b13129c36c86b309163fe0b80fd108dfa814054d0a9abe095d13b65fe3
        • Instruction Fuzzy Hash: E4A002B2F001019BCE00EBE5EF4CA06376CE78431130044A4B515E2820D774D405CF5C
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: cec34a30c8e37676e0eb1607913a208b78648f157e8683c3ba8669583b65feb0
        • Instruction ID: da4672b4e74258261bfd62ae703f6ce0706db961ed166ff6d625fc7780de6d9a
        • Opcode Fuzzy Hash: cec34a30c8e37676e0eb1607913a208b78648f157e8683c3ba8669583b65feb0
        • Instruction Fuzzy Hash: 8641E5F190C6448AF3A48AA9D94833377D1EFC1310F2941BBCB55762D1D6FD8826928E
        APIs
        • GetEnvironmentStringsW.KERNEL32 ref: 004056F9
        • GetEnvironmentStrings.KERNEL32 ref: 0040570D
        • GetEnvironmentStringsW.KERNEL32 ref: 00405740
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00405780
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004057A7
        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004057BD
        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004057CE
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1414997652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415047297.0000000000409000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415069772.000000000040D000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1415125320.000000000040E000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: EnvironmentStrings$ByteCharFreeMultiWide
        • String ID:
        • API String ID: 1823725401-0
        • Opcode ID: 57f32da9eeb01da3946acf8057520a12f5ccabc493bc433ef90f31c9412e2fd4
        • Instruction ID: da93de553f1e045db8b5b6714970d826d4f1a08d92e765ae69d809291c686063
        • Opcode Fuzzy Hash: 57f32da9eeb01da3946acf8057520a12f5ccabc493bc433ef90f31c9412e2fd4
        • Instruction Fuzzy Hash: 13413A77B007045BE7206AA57C4576777A4E780336F44007BEE05B3380EB7ED80D95AA
        APIs
        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 00405EFF
        • GetStdHandle.KERNEL32(000000F4,?,?,00000000), ref: 0040603F
        • WriteFile.KERNEL32(00000000,?,FFFFFFFE,00000000,00000000,?,?,00000000), ref: 00406065
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: File$HandleModuleNameWrite
        • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
        • API String ID: 3784150691-4022980321
        • Opcode ID: 4ef69a6ffab1e0c34d651987e632d2ca4c0ea0f0ffaac2d0cdaef8ac9b66d9a4
        • Instruction ID: 220d9c9c4d0d41ea2cf3faa183e5c79207d39fa8494070ef8b2f6a2df0806c9a
        • Opcode Fuzzy Hash: 4ef69a6ffab1e0c34d651987e632d2ca4c0ea0f0ffaac2d0cdaef8ac9b66d9a4
        • Instruction Fuzzy Hash: AA4133367406044BD728DA38A90476B73D2EBC4330F55473AF922B73D1DBB99E18C69A
        APIs
        • GetStartupInfoA.KERNEL32(?), ref: 00405BA8
        • GetFileType.KERNEL32 ref: 00405C5B
        • GetStdHandle.KERNEL32(FFFFFFF6), ref: 00405CC3
        • GetFileType.KERNEL32(00000000), ref: 00405CCD
        • SetHandleCount.KERNEL32(?), ref: 00405D0A
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: FileHandleType$CountInfoStartup
        • String ID:
        • API String ID: 1710529072-0
        • Opcode ID: 59be93767b3d312d6e123cb1a93bdf0262dba04fa3d0e802177b7d66213de7ae
        • Instruction ID: f0d47f932bf069e577f9d626c2ddd0efdc39b4c02efe964a6abb1a39e6f96375
        • Opcode Fuzzy Hash: 59be93767b3d312d6e123cb1a93bdf0262dba04fa3d0e802177b7d66213de7ae
        • Instruction Fuzzy Hash: EA515C70908B458BE7209B28DD8472B7B60FB41364F08477AD866BB3D1D378E885CB89
        APIs
        • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407EC3
        • GetLastError.KERNEL32 ref: 00407ECD
        Memory Dump Source
        • Source File: 00000000.00000002.1415022295.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_pumpkin-2.jbxd
        Similarity
        • API ID: ErrorFileLastRead
        • String ID:
        • API String ID: 1948546556-0
        • Opcode ID: a6ab58d6243c546f77e9e78d8b2fd6412fb45ba4f7dc37b77d664356ddf4c18e
        • Instruction ID: 22f599ad31f8e034efe06565ed8b20690e0af1fdc9d42106dd79ea600289d2c5
        • Opcode Fuzzy Hash: a6ab58d6243c546f77e9e78d8b2fd6412fb45ba4f7dc37b77d664356ddf4c18e
        • Instruction Fuzzy Hash: 96710370A083418FD710CF18D94476ABBE4AB91364F5845AEE8D4AB3D2C739984DC76B