
PUP.Passview

Analysis Report

General information

Family Name: PUP.Passview
Signature status: No Signature
Classification note: PUP.Passview is a generic detection name for password-recovery and password-revealing utilities (a potentially unwanted program class rather than one malware family). The samples grouped under it carry version resources from NirSoft, SecurityXploded, ElcomSoft, Passware, KRyLack and other vendors' tools, so the attributes, strings and behaviours in the sections below are a union across all listed samples, not the properties of any single file.

Known Samples

MD5: 6567bcfb97a8c74b5589ab104898dcba
SHA1: d5bc36e063943223efbc6bd284628f5f54c43926
File Size: 382.46 KB, 382464 bytes
MD5: 678823fc26edea569d6ad3f9e644f82b
SHA1: c21d3fb829f1378aa2eccfc161a0ca1c1dbc68da
File Size: 2.98 MB, 2982819 bytes
MD5: ca859b2e567f71caeaffd0e0cbb73462
SHA1: c500b9f8aa5795150769ea80f7c81df0f407cdf1
SHA256: 1CCEA6390B007971B38A81C19472FA2E1F14F3F6A3D381CCD3EC00189BFEE4BF
File Size: 355.94 KB, 355936 bytes
MD5: b9ecda532c939060b59b00e73fefec6c
SHA1: 23a28929fffddac1fe0e5c753aa950ebfecd4187
SHA256: 02EB2283F5CA8E9025D4B3300F46B05BAFA8FA87E0309DCCE0585157A54ADDD8
File Size: 255.04 KB, 255041 bytes
MD5: 8c7c5efd914acbe64ee3cd6b131d1be5
SHA1: 22c56f11ed003ccb8f557125671e933b4d50a36f
SHA256: 83139343F7C496696E0D815C80199072F2017F909ABF3F3A35DCE633F06C4D01
File Size: 37.89 KB, 37888 bytes
MD5: 8e12f0d3811165e13fa5598403f112d6
SHA1: d237d255785295ba97544fcb39a1f95c9e6890eb
SHA256: 655FA0B8234FE3ACAF2886FFC46F06F75B09FD963F03C1623D8E1D0B8031DF17
File Size: 365.18 KB, 365177 bytes
MD5: dbda1fdc9ac4fa6a7f26ae8ce346121f
SHA1: 51116bd04e95f4955a9eab9eeaffe57015bd2b9f
SHA256: 743B0DE8AA49404A810CD3D88B176D39080FB7D6888DDB3B8021EBF9037426CE
File Size: 306.18 KB, 306176 bytes
MD5: d276d4ce4d96ad4d6a1be6d3d40286e8
SHA1: 0d831c4284e6abc27b2afd7380f969f9c883b457
SHA256: 6680567D4C211A35DC2495647BA310549320FFF6C175096E825074500350DE17
File Size: 36.35 KB, 36352 bytes
MD5: 9538df5c7a62cc2954d1ce02d991d585
SHA1: afcde72b4ef9ae81e6de673fe4fd3a46f1f88c82
SHA256: AE34A1EE0304B9D754D04D60FAED4870FCCDF14CA57A4D97AEA38EA157FE654C
File Size: 1.94 MB, 1935960 bytes
MD5: a8bd5ff2ddea9fe2ab0909dd0987e0b6
SHA1: c4fbce46dcafb98de3a0ba3f8297f5989dddd99f
SHA256: E36DD068C5DBAADA910949A26FF6460245989B1929B9416DFD7CAC871E43A3CB
File Size: 1.11 MB, 1110106 bytes
MD5: 602f503942d9f7a72c60719cffbc4c2f
SHA1: d723a49bd5738e4419150c8a19550fc619393120
SHA256: 2A68E4A3ACEE900A10A16000C31AD398E4629DA26DFB3B9AA196FEA1B380ED2A
File Size: 835.58 KB, 835584 bytes
MD5: eb6cc0cb208e5178fafe9f43b738c125
SHA1: 3bcc2a22df1ca7507173bce5c21414cc8955a6a3
SHA256: 8AF7D4215D7C784BC4E675A6E1FFAF82BF7780D3AA06D72EED6043F49024C83C
File Size: 167.09 KB, 167088 bytes
MD5: d4708c8feaafa1fa05bc67017c752c57
SHA1: a77c9ad7eefe43119521ca3ec8cb896dfd82539e
SHA256: 5CD1B74F704E514A97DCC02D351A2D22BB7DB0D9A549E35F2F2527CE87AA8E35
File Size: 248.32 KB, 248320 bytes
MD5: 32bef0ddb0cefe94ef140b95b62cc964
SHA1: 01b3ad95b988974b53d236ea69e0921c2c01dcbe
SHA256: CD1E1F4A8FB9649A74C87BEC893166FFE081CFB19CDD60CF2BAFA7469D8099B4
File Size: 2.80 MB, 2795100 bytes
MD5: 4f6881f82c48917acec7418f62cf85d4
SHA1: 4ea9645b5d9572be81a987adc0a90a719d8c0455
SHA256: 19532D3EF701E665590776E0C47D3AF17A5F34DC0D927E8169470646EF6D1009
File Size: 1.84 MB, 1836975 bytes
MD5: 04e59f24a23532175a70bdff139cc57f
SHA1: 6a0d320b0d9409a2fa1897c3fd24f7fdf2522da4
SHA256: 53880D26F1137818EF8BD2DFE2F580EA93FCA80BE50C91FF235C498971974910
File Size: 3.58 MB, 3582903 bytes
MD5: 96553c73a2dc02caf842421c474e164d
SHA1: 6d3cb8216d370d5181eec71eae981640e5b54595
SHA256: 7B55F5CB7C37B5561F55DC21D4290D3FC4FBE5EBDF3B72E52CDB6B5C07C039EF
File Size: 249.34 KB, 249344 bytes
MD5: 6fd0e5e0d0b144c29c280eaa7f7587ec
SHA1: 79cf51c60ee423da86f4356e317853c54bb4e6bd
SHA256: D447FB1A64DDBE3B6913F360B2BCFDB1E747FEA44878EE6E091B2D5A2C307447
File Size: 206.85 KB, 206848 bytes
MD5: db4be722338f22bcd4035af41f0c3681
SHA1: eeb2c60961d5d5e1694a462ed9b2a6fbbdf68761
SHA256: BB7E75BD0771F88471460ECD792D398D7991CC0C20E54E0D43F5967BB5CC9B05
File Size: 1.87 MB, 1867872 bytes
MD5: d7dc8a24941e48501fded22f9fafa04f
SHA1: 94d324c71387406dae9aae592df3e56c96b0d684
SHA256: 2CBB7C6E9FDF6FC1F597F333B562E6308737FFD38E8CA17B9DF0126CD6FCF8F2
File Size: 151.55 KB, 151552 bytes
MD5: 763c8a7f2ef9eea7a9144cebf068cdb7
SHA1: 8c8ae221b07561406e8156f20aa0474b56f56a53
SHA256: F5E2A6DBBDC7D4ABA905B511E507BAC61352E24E21BC2BB85DA17A75B029FE99
File Size: 4.71 MB, 4707328 bytes
MD5: 37ac773c73119284ff830e5cace64d5d
SHA1: 71efe3baab91ef9af7763a30a6b1a037758c98bb
SHA256: 6915BDD6876D3EB40FEA44330E7BD6ADD1EDB2BFFEAB0279E253899E885D505D
File Size: 364.64 KB, 364642 bytes
MD5: ffa39f9019fb009603a621335f1670ba
SHA1: 7ad08f5a7cc65a4adcdbafa7607a47e7040f2a75
SHA256: E63294831E9B5AF7F702A51F1ACE4432532DA9B1CD0EBB37CC8AF234D84D2891
File Size: 24.58 KB, 24576 bytes
MD5: 072e4ccfc15570b120f70b64bbccb310
SHA1: a419e5ebfcc30b5513e48cf1ec432bc02859980f
SHA256: A40D2F2F69D321354EFF16E511F4CE456C517BCBAC17147AADC51C5EE5568393
File Size: 177.66 KB, 177664 bytes
MD5: 6d1afd7b672af2847e06524f6bbfe4ca
SHA1: 5ea39648a059df5eac0059989b362d39a1188203
SHA256: 499145E76A218BF3C62F0EDCD5C31D7C678079C51C3D7E57CC7028F995476BDD
File Size: 415.56 KB, 415560 bytes
MD5: bffdc8036604f21538f6ce748d3a95bb
SHA1: b8947b9e0d50fe3f4e5f5c1afe27e94d6349b45e
SHA256: 29A0B3DE6269E0D2EAF8B68CC64F991E58DAA4A9235622F101C56B38D04A68C9
File Size: 407.58 KB, 407578 bytes
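The hash list above is only useful if it can be applied to files on disk. The following is an added example, not code from this report or from any of the vendors named in it: it parses the report's "ALGO: hex" lines into an indicator set (normalising the mixed-case SHA256 values and dropping truncated digests) and sweeps a directory, hashing each candidate once in a streaming pass and reporting which algorithms matched. The embedded hash subset is copied from the list above; the deliberately truncated SHA1 line and the test bytes are constructed for the example.

```python
import hashlib
import re
from pathlib import Path

# Subset of the "Known Samples" hash lines from this report, pasted verbatim. The
# last SHA1 line is deliberately truncated (constructed) to show that such lines
# are skipped instead of becoming an indicator that can never match.
SAMPLE_LIST = """\
MD5: 8c7c5efd914acbe64ee3cd6b131d1be5
SHA1: 22c56f11ed003ccb8f557125671e933b4d50a36f
SHA256: 83139343F7C496696E0D815C80199072F2017F909ABF3F3A35DCE633F06C4D01
File Size: 37.89 KB, 37888 bytes
MD5: d276d4ce4d96ad4d6a1be6d3d40286e8
SHA1: 0d831c4284e6abc27b2afd7380f969f9c883b457
SHA256: 6680567D4C211A35DC2495647BA310549320FFF6C175096E825074500350DE17
File Size: 36.35 KB, 36352 bytes
SHA1: 0d831c42
"""

ALGOS = ("md5", "sha1", "sha256")
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256):\s*([0-9A-Fa-f]+)\s*$", re.MULTILINE)


def parse_ioc_list(text):
    """Turn the report's 'ALGO: hex' lines into {algo: set(lowercase hex)}.

    Case is normalised (the report mixes upper- and lower-case SHA256 values) and
    digests of the wrong length are dropped rather than stored.
    """
    iocs = {a: set() for a in ALGOS}
    for algo, digest in HASH_LINE.findall(text):
        algo = algo.lower()
        if len(digest) == DIGEST_LEN[algo]:
            iocs[algo].add(digest.lower())
    return iocs


def hash_bytes(data):
    """md5/sha1/sha256 of an in-memory blob (small files, tests)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path, chunk=1 << 20):
    """Same three digests for a file, streamed so a multi-MB installer is not read whole."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def match(digests, iocs):
    """Algorithms on which `digests` hit the IOC set, in ALGOS order.

    A sha256 hit is conclusive; an md5-only hit still deserves a look, but MD5
    collisions are cheap, so report which algorithm(s) matched, not a bare boolean.
    """
    return [a for a in ALGOS if digests[a] in iocs[a]]


def sweep(root, iocs, suffixes=(".exe", ".dll", ".com", ".msi", ".tmp")):
    """Walk `root` and return [(path, matched_algos)] for every file in the IOC set.

    .com and .tmp are included because this report shows c:\\windows\\svchost.com and
    Temp\\*.tmp payloads being written, not only .exe files.
    """
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            matched = match(hash_file(p), iocs)
            if matched:
                hits.append((str(p), matched))
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algos in sweep(root, parse_ioc_list(SAMPLE_LIST)):
        print(f"{path}: matched {','.join(algos)}")
```

Run it with a directory as the only argument; paste the full Known Samples list into SAMPLE_LIST (or read it from a file) for a real sweep. Matching on all three digests is deliberate: a file that hits only md5 is worth a look, a file that hits sha256 is the sample.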

Windows Portable Executable Attributes

Attributes below are the union over all listed samples, which is why mutually exclusive flags (32-bit and 64-bit, packed and not packed, .NET and native) appear side by side; no single file carries all of them.

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version 0.0.0.0
Builder Admin 09:40:18 04/04/2024
Comments
  • dima
  • Part of recALL
  • SoftKey Revealer gives product keys to you
  • This installation was built with Inno Setup.
  • Windows Media Player
  • www.InsidePro.com
Company Name
  • ElcomSoft Co. Ltd.
  • InsidePro Software
  • keit
  • KRyLack Software
  • Microsoft Corporation
  • Mustafa Buğra AKTAŞ
  • NirSoft
  • Passware, Inc.
  • SecurityXploded
  • SX Network
Created 7z SFX Constructor v4.6.0.0 (http://usbtor.ru/viewtopic.php?t=798)
File Description
  • All-in-one Free Hash Recovery Software
  • Browser Password Recovery Software
  • Chrome Cookies Viewer
  • EFS Key
  • Free and Easy way to save your money
  • IEHistoryView
  • IM Password Recovery
  • Installer
  • Internet Explorer Password Recovery Software
  • KRyLack Password Decryptor
  • PSPR
  • recALL Setup
  • Reveals the password behind the asterisks in Internet Explorer windows
  • Run As SYSTEM User - Drag And Drop Exe File
  • SAMInside
  • WebBrowserPassView
  • Windows Media Player
File Version
  • 13.10.71.9.
  • 13.9.0.0
  • 6.0
  • 4.0
  • 4, 7, 0, 545
  • 3.1
  • 2.80.01
  • 2.70.01
  • 2.7.0.1
  • 2, 10, 0, 1
  • 1.85
  • 1.84
  • 1.83
  • 1.65
  • 1.60
  • 1.43
  • 1.35
  • 1.7
  • 1.01
  • 1.00
Internal Name
  • 1.exe
  • Advanced Windows Password Recovery
  • asterie
  • ChromeCookiesView
  • EFSKey
  • IEHistoryView
  • KLPassDecryptSetup
  • mspass
  • SAMInside
  • SoftKey Revealer
  • TJprojMain
  • WebBrowserPassView
Legal Copyright
  • (c) 2002-2013 InsidePro Software
  • Copyright (C) 2002, 2003
  • Copyright (C) KRyLack Software
  • Copyright © 2000-2006 ElcomSoft Co. Ltd.
  • Copyright © 2002 Nir Sofer
  • Copyright © 2003 - 2007 Nir Sofer
  • Copyright © 2003 - 2011 Nir Sofer
  • Copyright © 2004 - 2014 Nir Sofer
  • Copyright © 2007-2011 SecurityXploded, All rights reserved
  • Copyright © 2007-2013 SecurityXploded, All rights reserved
  • Copyright © 2007-2015, All rights reserved
  • Copyright © 2011 - 2015 Nir Sofer
  • Copyright © 2011 - 2025 Nir Sofer
  • keit.co
  • © 2008 - Mustafa Buğra AKTAŞ
  • © Microsoft Corporation. All rights reserved.
Legal Trademarks
  • FCI (c) 1993-97 Microsoft Corp.
  • Windows Media Player
Original File Name
  • KLPassDecryptSetup.exe
Original Filename
  • 1.exe
  • asterie.exe
  • efskey.exe
  • iehv.exe
  • mspass.exe
  • pspr.exe
  • rasdnd.exe
  • SAMInside.exe
  • SoftKey Revealer.exe
  • TJprojMain.exe
  • WebBrowserPassView.exe
Private Build (non-printable binary data in the version resource)
Product Name
  • AsterWin IE
  • BrowserPasswordDecryptor
  • ChromeCookiesView
  • EFS Key
  • HashKracker
  • IEHistoryView
  • IEPasswordDecryptor
  • KRyLack Password Decryptor
  • MessenPass
  • Proactive System Password Recovery
  • ProductKeyDecryptor
  • Project1
  • recALL
  • RouterPasswordDecryptor
  • SoftKey Revealer
  • WebBrowserPassView
Product Version
  • 13.10.71.9.
  • 13.9
  • 13.01
  • 6.0
  • 4.0
  • 4, 7, 0, 545
  • 3.1
  • 2.80.01
  • 2.70.01
  • 2.7.0.1
  • 2, 10, 0, 1
  • 1.85
  • 1.84
  • 1.83
  • 1.65
  • 1.60
  • 1.43
  • 1.35
  • 1.7
  • 1.01
  • 1.00

Digital Signatures

Signer: Serhiy Horobets; Root: Serhiy Horobets; Status: Self Signed
Signer: Nir Sofer; Root: UTN-USERFirst-Object; Status: Hash Mismatch

A self-signed certificate chains to no trusted root and proves nothing about the publisher. "Hash Mismatch" means an Authenticode signature is present but no longer covers the file's current bytes: a NirSoft-signed binary that was modified or repacked after signing (the File Traits below include UPX, PECompact and several installer wrappers). Treat a sample carrying a mismatched NirSoft signature as unsigned, not as a NirSoft release.

File Traits

  • .adata
  • 00 section
  • 2+ executable sections
  • 7-zip (In Overlay)
  • 7-zip Installer
  • 7zSFX
  • big overlay
  • CryptUnprotectData
  • HighEntropy
  • Inno
  • InnoSetup Installer
  • Installer Manifest
  • Installer Version
  • No CryptProtectData
  • nosig nsis
  • No Version Info
  • Nullsoft Installer
  • packed
  • PECompact v2.20
  • upx
  • vb6
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 78
Potentially Malicious Blocks: 0
Whitelisted Blocks: 78
Unknown Blocks: 0

Visual Map

78 blocks, all marked 0 (Probable Safe Block). Legend: 0 = Probable Safe Block, ? = Unknown Block, x = Potentially Malicious Block.

Similar Families

  • Agent.M
  • Agent.MH
  • Agent.MI
  • Agent.MU
  • Autorun.LA
  • Banload.XG
  • Delf.AJ
  • Delf.XA
  • Emotet.AAPA
  • FakeAV.AU
  • Injector.XG
  • Lotok.J
  • MSIL.HackKMS.BC
  • PassView.BA
  • Spy.Banker.X
  • Stealer.UHBC
  • Stealer.UHM
  • Trojan.Downloader.Gen.BQ

Files Modified

File (path)    Access rights requested
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\program files (x86)\common files\microsoft shared\msinfo\msinfo32.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\progra~3\packag~1\{042d2~1\vcredi~1.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\progra~3\packag~1\{33d1f~1\vcredi~1.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\progra~3\packag~1\{47109~1\vc_red~1.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\progra~3\packag~1\{5af95~1\vc_red~1.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\progra~3\packag~1\{9dff3~1\vcredi~1.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\progra~3\packag~1\{ca675~1\vcredi~1.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\sandbo~1\__sand~1.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\sandbo~1\sandbo~1.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\sandbo~1\sandbo~2.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\sandbo~1\shsand~1.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_16.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_idx.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\2k10\recall\languages Synchronize,Write Attributes
c:\users\user\appdata\local\temp\2k10\recall\languages\recall.ru.po Generic Write,Read Attributes
c:\users\user\appdata\local\temp\2k10\recall\languages\recall.ru.po Synchronize,Write Attributes
c:\users\user\appdata\local\temp\2k10\recall\rasdnd.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\2k10\recall\rasdnd.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\2k10\recall\readme.txt Generic Write,Read Attributes
c:\users\user\appdata\local\temp\2k10\recall\readme.txt Synchronize,Write Attributes
c:\users\user\appdata\local\temp\2k10\recall\recall.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\2k10\recall\recall.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\2k10\recall\recall.exe Synchronize,Write Data
c:\users\user\appdata\local\temp\2k10\recall\sqlite3.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\2k10\recall\sqlite3.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\3582-490\8c8ae221b07561406e8156f20aa0474b56f56a53_0004707328 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsdaaf1.tmp\btmimg.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsdaaf1.tmp\confirm.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsdaaf1.tmp\finish.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsdaaf1.tmp\header.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsdaaf1.tmp\iswelcome.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsdaaf1.tmp\leftimg.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse5640.tmp\btmimg.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse5640.tmp\confirm.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse5640.tmp\finish.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse5640.tmp\header.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse5640.tmp\iswelcome.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse5640.tmp\leftimg.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nseba1e.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nseba1e.tmp\btmimg.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nseba1e.tmp\btmimg.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nseba1e.tmp\header.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nseba1e.tmp\header.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nseba1e.tmp\inetc.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nseba1e.tmp\inetc.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nseba1e.tmp\leftimg.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nseba1e.tmp\leftimg.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nss399e.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nss399e.tmp\btmimg.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss399e.tmp\btmimg.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nss399e.tmp\header.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss399e.tmp\header.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nss399e.tmp\inetc.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss399e.tmp\inetc.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nss399e.tmp\leftimg.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss399e.tmp\leftimg.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nst65a6.tmp\installoptions.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst65a6.tmp\iospecial.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\nst65a6.tmp\iospecial.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst65a6.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy6576.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\setup_productkeydecryptor_101.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\setup_routerpassworddecryptor_101.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\~df84d59622542abe41.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\51116bd04e95f4955a9eab9eeaffe57015bd2b9f_0000306176.il Generic Write,Read Attributes
c:\users\user\appdata\roaming\krylack password decryptor\install\2.70.01\disk1.cab Generic Write,Read Attributes
c:\users\user\appdata\roaming\krylack password decryptor\install\2.70.01\klpassdecrypt.msi Generic Write,Read Attributes
c:\users\user\appdata\roaming\krylack password decryptor\install\2.80.01\disk1.cab Generic Write,Read Attributes
c:\users\user\appdata\roaming\krylack password decryptor\install\2.80.01\klpassdecrypt.msi Generic Write,Read Attributes
c:\windows\svchost.com Generic Write,Read Attributes
c:\windows\svchost.com Synchronize,Write Attributes
c:\windows\system.ini Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value  Data  API Name
(API Name is the registry-filter notification class under which the operation was observed; RegNtPreCreateKey is the pre-operation callback for a key being created or opened through the create path, so each entry records a key and value the sample reached for and the data seen at that point. The exefile\shell\open\command entry replaces the stock "%1" %* with C:\WINDOWS\svchost.com "%1" %*, routing every .exe launch through a dropped binary that also appears under Files Modified; together with the Security Center *DisableNotify/*Override, EnableLUA and firewall-policy values, this is the behaviour of a trojanized build, not of a password-recovery tool.)
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Qolrbesk\AppData\Local\Temp\~nsu.tmp\Au_.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Qolrbesk\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Qolrbesk\AppData\Local\Temp\~nsu.tmp RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data) RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data) RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications  RegNtPreCreateKey
HKCU\software\apcr\1214104697::1919251317 ˆ RegNtPreCreateKey
HKCU\software\apcr\1214104697::-456464662 RegNtPreCreateKey
HKCU\software\apcr\1214104697::1462786655 RegNtPreCreateKey
HKCU\software\apcr\1214104697::-912929324 # RegNtPreCreateKey
HKCU\software\apcr\1214104697::1006321993 ċ RegNtPreCreateKey
HKCU\software\apcr\1214104697::-1369393986 http://althawry.org/images/xs.jpghttp://www.careerdesk.org/im RegNtPreCreateKey
HKCU\software\apcr\1214104697::549857331 RegNtPreCreateKey
HKCU\software\apcr::u1_0 (binary data) RegNtPreCreateKey
HKCU\software\apcr::u2_0 RegNtPreCreateKey
HKCU\software\apcr::u3_0 (binary data) RegNtPreCreateKey
HKCU\software\apcr::u4_0 RegNtPreCreateKey
HKLM\software\classes\exefile\shell\open\command:: C:\WINDOWS\svchost.com "%1" %* RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62*1\??\C:\P RegNtPreCreateKey
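Registry captures in this "Key::Value Data API Name" layout are easy to skim past; the interesting entries are the exefile association rewrite and the policy keys, not the Internet Settings noise. The following is an added example, not code from this report: it parses lines in the report's layout (the key may contain spaces, the value name never does, the notification class is always the last token) and applies a small rule set, escalating an exefile\shell\open\command whose data is anything other than the stock "%1" %*. The first five sample lines are copied from the list above; the sixth, showing the untouched default that must not be flagged, is constructed.

```python
import re

# Registry events in the report's own "Key::Value Data API Name" layout. Lines 1-5 are
# copied from the Registry Modifications list; the last line is constructed to show
# the stock exefile command, which must not be flagged.
SAMPLE_EVENTS = r"""
HKLM\software\classes\exefile\shell\open\command:: C:\WINDOWS\svchost.com "%1" %* RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Qolrbesk\AppData\Local\Temp\~nsu.tmp\Au_.exe RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden  RegNtPreCreateKey
HKLM\software\classes\exefile\shell\open\command:: "%1" %* RegNtPreCreateKey
"""

# The key may contain spaces ("session manager"), the value name never does, the data
# may be empty or contain spaces, and the notification class is always the last token.
EVENT_RE = re.compile(r"^(?P<key>.+?)::(?P<value>\S*)\s*(?P<data>.*?)\s*(?P<api>RegNt\w+)$")

DEFAULT_EXE_COMMAND = '"%1" %*'   # stock (Default) data of exefile\shell\open\command

# (key fragment, value name or None for any value under that key, severity, reason)
RULES = [
    (r"\microsoft\security center", None, "medium", "Security Center override/notification value touched"),
    (r"\policies\system", "enablelua", "medium", "UAC policy value EnableLUA touched"),
    (r"\firewallpolicy\standardprofile", None, "medium", "Windows Firewall profile policy touched"),
    (r"\control\session manager", "pendingfilerenameoperations", "low",
     "file move/delete deferred to next boot via PendingFileRenameOperations"),
    (r"\services\bam\state\usersettings", None, "info", "BAM execution record written (binary FILETIME data)"),
]


def parse_event(line):
    """Split one report line into key/value/data/api; None if it does not fit the layout."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(ev):
    """Return (severity, reason) for a suspicious event, or None."""
    key, value, data = ev["key"].lower(), ev["value"].lower(), ev["data"].strip()
    # Shell association hijack: anything other than the stock "%1" %* means every .exe
    # launch is routed through another program first (here C:\WINDOWS\svchost.com).
    if key.endswith(r"\classes\exefile\shell\open\command") and value == "":
        if data.lower() != DEFAULT_EXE_COMMAND.lower():
            target = data.split()[0] if data else "(empty)"
            return "high", f"exefile open command hijacked: .exe launches routed through {target}"
        return None
    for key_fragment, value_name, severity, reason in RULES:
        if key_fragment in key and (value_name is None or value == value_name):
            return severity, reason
    return None


def triage_log(text):
    """Parse every line and return findings in line order, raw fields attached."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        hit = triage(ev)
        if hit:
            findings.append({"severity": hit[0], "reason": hit[1], **ev})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['key']}::{f['value']}  {f['reason']}")
```

The rules match on key fragments rather than full paths so that HKLM\software\... and the Wow6432Node mirror, and ControlSet001 versus CurrentControlSet, are all caught by one entry. Only the exefile rule inspects the data, because for that value the presence of the operation is normal and the content is what matters.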

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCurrentProcessorNumber
  • ntdll.dll!NtLockFile
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnlockFile
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • ntdll.dll!NtYieldExecution
  • UNKNOWN
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCombineRgn
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateDIBSection
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiDoPalette
  • win32u.dll!NtGdiDrawStream
  • win32u.dll!NtGdiExcludeClipRect
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiExtSelectClipRgn
  • win32u.dll!NtGdiExtTextOutW
  • win32u.dll!NtGdiFlush
  • win32u.dll!NtGdiFontIsLinked
  • win32u.dll!NtGdiGetAppClipBox

71 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserName
  • GetUserObjectInformation
Keyboard Access
  • GetKeyState
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
  • ShellExecute
  • ShellExecuteEx
  • WriteConsole
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • inet_addr
  • recv
  • setsockopt
Process Terminate
  • TerminateProcess
Service Control
  • OpenSCManager
  • OpenService
Network Wininet
  • HttpOpenRequest
  • HttpQueryInfo
  • HttpSendRequest
  • InternetConnect
  • InternetOpen
  • InternetQueryOption

Shell Command Execution

Commands are shown as captured across the samples; user profile names differ between runs. Beyond ordinary installer activity, two entries stand out: the .NET IL assembler (ilasm.exe, a Microsoft-signed framework binary) invoked on a .il file copied into AppData\Roaming, i.e. an executable being built at run time from dropped input, and cmd.exe renaming recall.dll to recall.exe before it is launched.

"C:\Users\Qolrbesk\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe "C:\Users\Qykednqt\AppData\Roaming\51116bd04e95f4955a9eab9eeaffe57015bd2b9f_0000306176.il"
C:\WINDOWS\system32\msiexec.exe /i "C:\Users\Keppvkhm\AppData\Roaming\KRyLack Password Decryptor\install\2.80.01\KLPassDecrypt.msi" AI_SETUPEXEPATH="c:\users\user\downloads\afcde72b4ef9ae81e6de673fe4fd3a46f1f88c82_0001935960" SETUPEXEDIR="c:\users\user\downloads\"
(NULL) cmd.exe /c move recall.dll recall.exe
WriteConsole: 1 file(s
(NULL) cmd.exe /c (C:\WINDOWS\system32\Runscanner.cmd ReCall.exe)||(C:\WINDOWS\system32\Runscanner.exe /ac /m+ /sd /ec /y /t 0 ReCall.exe)||ReCall.exe
C:\WINDOWS\system32\msiexec.exe /i "C:\Users\Nixxewag\AppData\Roaming\KRyLack Password Decryptor\install\2.70.01\KLPassDecrypt.msi" AI_SETUPEXEPATH="c:\users\user\downloads\eeb2c60961d5d5e1694a462ed9b2a6fbbdf68761_0001867872" SETUPEXEDIR="c:\users\user\downloads\"
open C:\Users\Iuxrcyoq\AppData\Local\Temp\3582-490\8c8ae221b07561406e8156f20aa0474b56f56a53_0004707328
"C:\Users\Jqccuybr\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
C:\Users\Rrwysumf\AppData\Local\Temp\Setup_RouterPasswordDecryptor_101.exe
C:\Users\Tmvkjtie\AppData\Local\Temp\Setup_ProductKeyDecryptor_101.exe
