PUP.PassView.BA

Analysis Report

General information

Family Name: PUP.PassView.BA
Signature status: No Signature

Known Samples

MD5: 0d7c4dd2fb71b44df8d552126e6767df
SHA1: 6938178d4b61e183b3b0f779f36c6d368c443c53
File Size: 290.30 KB, 290304 bytes
MD5: 0fcd0296caead9343fcdad3584f64a18
SHA1: 22932aac0e65e2013428d5cae7cd76fb4682b012
File Size: 421.38 KB, 421376 bytes
MD5: 704c317f91ffba208da15c99ac75117a
SHA1: e3a18e589f0a8db1ebf9f62134000434f3abaf4c
SHA256: 995BA4F47B99746A2845E486CE379BA256ED6436DD5500BB5B128CEABABB54BD
File Size: 290.30 KB, 290304 bytes
MD5: cb3f675205c5c2b1aabd4cb06f08de3a
SHA1: 344c1b14a313b92e91a3e4a5baf8bd6c7b1a39ec
SHA256: BD09719BBAE115582C3734BF5002497C94795FFBCD479D3786C09EB2763B74D0
File Size: 609.55 KB, 609550 bytes
MD5: ad6822e506dd096bf5072db797766a16
SHA1: eec76eb39d288e1207934d2dd14187090f60a7cf
SHA256: 321C7CCBE874A0F3213C2038843DC8BE2D7A454420B386C11C4D699972E182B7
File Size: 466.43 KB, 466432 bytes
MD5: b70f4fc2d41b07adfb6e03b0222a506c
SHA1: ddcd3d360543aa72a6b4671720aa72ebb7ece3cc
SHA256: 83CF5FA1BC62F385A851EA18AF2D57BD5B26331A5CAB71A9FE17C41AA0C2166D
File Size: 489.98 KB, 489984 bytes
MD5: d68cbb6f0a6cee21fabb3afb32e6daa5
SHA1: e794b6c34034566ad3a7477ed48b02ff7f7566fd
SHA256: 4EDA52E3D0F3DBA155B3D89556EE0F55217BF48FF641F7A56A295DB6AAB1303F
File Size: 437.76 KB, 437760 bytes
MD5: 24f118dbfefa11a86a10f6780f8a47de
SHA1: 3a7400deb5e4bb4f4d0adef3e8d9e241adf18694
SHA256: B9D1AF3740AF74FF56D1C485E5A535BE302295AEE3528271EFF4787DAF9D4EC9
File Size: 227.85 KB, 227846 bytes
MD5: 564ee93e041a6d4ba9e69f5f50b0219f
SHA1: 7489fd2d9d0f0641b94a6a762da1d7e7cd6aa60d
SHA256: AE5AFB20BC1455322C089EED22C81FACB19195ED816BB52B0F405A62FD92DDA7
File Size: 408.06 KB, 408064 bytes
MD5: a496c308ce6cc0378f562fc338063a03
SHA1: 1d8cebcbbf6c09ff3e6d7b81b6c593accf93c764
SHA256: 1920BD3FA87475FCDE1D14121AB67355D65F689CA74476DF9A3579BFB302AB76
File Size: 385.63 KB, 385632 bytes
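The hash list above is the page's only machine-usable indicator set, and two of the samples (290304 bytes each) share a file size while the first two carry no SHA256. The following is an added example, not code from the report or from NirSoft: it parses records written in the report's own "MD5: / SHA1: / SHA256: / File Size:" layout, indexes them by size so that a file is only hashed when its size collides with a known sample, and treats SHA256 as authoritative where present, falling back to SHA1 plus MD5 together otherwise. The three embedded records are copied verbatim from the list above; the function names and the bytes used for the round-trip check are my own.

```python
"""Parse the report's "Known Samples" records and match files against them.

Added example; not code from the original report. The embedded records are
copied verbatim from the report (three of ten: two share a size, one lacks a
SHA256). Function names are assumptions of this example.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

REPORT_EXCERPT = """\
MD5: 0d7c4dd2fb71b44df8d552126e6767df
SHA1: 6938178d4b61e183b3b0f779f36c6d368c443c53
File Size: 290.30 KB, 290304 bytes
MD5: 704c317f91ffba208da15c99ac75117a
SHA1: e3a18e589f0a8db1ebf9f62134000434f3abaf4c
SHA256: 995BA4F47B99746A2845E486CE379BA256ED6436DD5500BB5B128CEABABB54BD
File Size: 290.30 KB, 290304 bytes
MD5: a496c308ce6cc0378f562fc338063a03
SHA1: 1d8cebcbbf6c09ff3e6d7b81b6c593accf93c764
SHA256: 1920BD3FA87475FCDE1D14121AB67355D65F689CA74476DF9A3579BFB302AB76
File Size: 385.63 KB, 385632 bytes
"""


class Sample(NamedTuple):
    md5: str
    sha1: str
    sha256: Optional[str]  # the report omits SHA256 for some samples
    size: int


_FIELD = re.compile(r"^(MD5|SHA1|SHA256|File Size):\s*(.+?)\s*$")
_SIZE = re.compile(r"(\d+)\s*bytes")


def parse_samples(text: str) -> List[Sample]:
    """A record is a run of hash lines closed by its 'File Size' line."""
    samples, cur = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if key == "File Size":
            size = int(_SIZE.search(val).group(1))
            samples.append(Sample(cur["MD5"].lower(), cur["SHA1"].lower(),
                                  cur.get("SHA256", "").lower() or None, size))
            cur = {}
        else:
            cur[key] = val
    return samples


def index_by_size(samples: List[Sample]) -> Dict[int, List[Sample]]:
    """Size is a free prefilter: only files whose size collides get hashed."""
    idx = defaultdict(list)
    for s in samples:
        idx[s.size].append(s)
    return dict(idx)


def match_bytes(data: bytes, index: Dict[int, List[Sample]]) -> Optional[Sample]:
    """SHA256 decides when the record has one; otherwise SHA1 and MD5 must both agree."""
    candidates = index.get(len(data))
    if not candidates:
        return None
    sha256 = hashlib.sha256(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    for s in candidates:
        if s.sha256 is not None:
            if s.sha256 == sha256:
                return s
        elif s.sha1 == sha1 and s.md5 == md5:
            return s
    return None


def record_for(data: bytes) -> str:
    """Emit a record in the report's own layout (used for round-trip checks)."""
    return (f"MD5: {hashlib.md5(data).hexdigest()}\n"
            f"SHA1: {hashlib.sha1(data).hexdigest()}\n"
            f"SHA256: {hashlib.sha256(data).hexdigest().upper()}\n"
            f"File Size: {len(data) / 1024:.2f} KB, {len(data)} bytes\n")


KNOWN = parse_samples(REPORT_EXCERPT)
KNOWN_INDEX = index_by_size(KNOWN)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hit = match_bytes(fh.read(), KNOWN_INDEX)
        print(path, "->", hit.sha1 if hit else "no match")
```

Paste the remaining seven records from the list above into REPORT_EXCERPT to cover the whole family; the parser already handles records with and without a SHA256 line.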

Windows Portable Executable Attributes

The list is a union over the samples above (the version-info section below likewise lists several values per field), so the mutually exclusive entries (packed / not packed, .NET / native) describe different samples, not one file.

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information (no security directory, i.e. no Authenticode signature)
  • File has been packed
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)


Windows PE Version Information

Name Value
Assembly Version 1.0.0.0
Builder user 12:54:32 22/06/2023
Company Name
  • NirSoft
Created 7z SFX Constructor v4.6.0.0 (http://usbtor.ru/viewtopic.php?t=798)
File Description
  • ConsoleApp2
  • External Drive Password Recovery
  • Web Browser Password Viewer
File Version
  • 2.17
  • 2.15
  • 2.13
  • 2.1.2.0
  • 2.06
  • 1.03
  • 1.02
  • 1.00
  • 1.0.0.0
Internal Name
  • ConsoleApp2.exe
  • ExtPassword!
  • TJprojMain
  • Web Browser Pass View
Legal Copyright
  • Copyright © 2011 - 2020 Nir Sofer
  • Copyright © 2011 - 2022 Nir Sofer
  • Copyright © 2011 - 2025 Nir Sofer
  • Copyright © 2019 - 2025 Nir Sofer
  • Copyright © 2025
Original Filename
  • ConsoleApp2.exe
  • ExtPassword.exe
  • TJprojMain.exe
Product Name
  • ConsoleApp2
  • ExtPassword!
  • Project1
Product Version
  • 2.17
  • 2.15
  • 2.13
  • 2.1.2.0
  • 2.06
  • 1.03
  • 1.02
  • 1.00
  • 1.0.0.0

File Traits

  • HighEntropy
  • No Version Info
  • packed
  • x86

Block Information

Similar Families

  • Lamer.CA
  • PassView.BA
  • PassView.BF

Files Modified

All writes go to one directory under the user's %TEMP%. The dropper is a 7-Zip self-extractor (see the "Created: 7z SFX Constructor" field above) that unpacks NirSoft WebBrowserPassView, its help file (.chm), its language file (_lng.ini) and a KillDuplicate.cmd helper there and then runs them (see Shell Command Execution). Each file is opened twice: once for writing (Generic Write, Read Attributes) and once to set attributes (Synchronize, Write Attributes), the second typically being the extractor restoring archived timestamps.

File | Requested access
c:\users\user\appdata\local\temp\tweaks\wbpw\killduplicate.cmd | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\tweaks\wbpw\killduplicate.cmd | Synchronize, Write Attributes
c:\users\user\appdata\local\temp\tweaks\wbpw\webbrowserpassview.chm | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\tweaks\wbpw\webbrowserpassview.chm | Synchronize, Write Attributes
c:\users\user\appdata\local\temp\tweaks\wbpw\webbrowserpassview.exe | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\tweaks\wbpw\webbrowserpassview.exe | Synchronize, Write Attributes
c:\users\user\appdata\local\temp\tweaks\wbpw\webbrowserpassview_lng.ini | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\tweaks\wbpw\webbrowserpassview_lng.ini | Synchronize, Write Attributes

Registry Modifications

Two groups of keys are touched. The WinINet cache and ZoneMap values under HKCU\...\Internet Settings are created whenever a process initialises WinINet; that is consistent with a tool that reads browser-stored credentials and is not suspicious on its own. The two entries under HKLM\SYSTEM\...\bam\State\UserSettings\<SID> are Background Activity Moderator (BAM) records, which Windows keeps per user SID to note the last execution time of an executable. Their data is an 8-byte binary FILETIME that the report rendered as unreadable text (shown as "binary FILETIME" below); they corroborate the cmd.exe launch listed under Shell Command Execution.

Key::Value | Data | API Name
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix | Cookie: | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix | Visited: | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | (binary FILETIME) | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | (binary FILETIME) | RegNtPreCreateKey
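The BAM values in the table above are the artifact a responder would pull from a suspect host to confirm when cmd.exe and conhost.exe last ran for that user. The block below is an added example, not code from the report or from any Windows tool: it decodes a BAM value (an 8-byte little-endian FILETIME at offset 0; the remaining bytes of the 24-byte value are not interpreted here), pulls the SID out of the key path, and maps the NT device path stored in the value name back to a drive letter. The key path, SID and value name are the report's own; the timestamp bytes are constructed for the demonstration because the report's rendering of the real data is unreadable, and the volume-to-drive mapping is supplied by the caller rather than read from the host.

```python
r"""Decode a Background Activity Moderator (BAM) entry such as the two the
report lists under HKLM\SYSTEM\...\Services\bam\State\UserSettings\<SID>.

Added example, not from the report or from Microsoft tooling. Assumption: the
value data starts with an 8-byte little-endian FILETIME (last execution, UTC);
the remaining bytes of the 24-byte value are ignored. The timestamp bytes
below are constructed, not recovered from the analysed machine.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, NamedTuple

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


class BamEntry(NamedTuple):
    sid: str
    device_path: str  # value name, an NT device path such as \device\harddiskvolume2\...\cmd.exe
    last_run: datetime


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - _EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def parse_bam_entry(key_path: str, value_name: str, value_data: bytes) -> BamEntry:
    """Key path ends in the user SID; value name is the executable's device path."""
    if len(value_data) < 8:
        raise ValueError("BAM value shorter than a FILETIME")
    sid = key_path.rstrip("\\").split("\\")[-1]
    if not sid.upper().startswith("S-1-"):
        raise ValueError(f"key does not end in a SID: {key_path}")
    (ft,) = struct.unpack_from("<Q", value_data, 0)
    return BamEntry(sid, value_name, filetime_to_datetime(ft))


def device_path_to_win32(device_path: str, volume_map: Dict[str, str]) -> str:
    """Map an NT device prefix to a drive letter using a caller-supplied table
    (on a live host this comes from QueryDosDevice or 'mountvol')."""
    for dev, letter in volume_map.items():
        if device_path.lower().startswith(dev.lower()):
            return letter + device_path[len(dev):]
    return device_path


# Key and value name copied from the report; timestamp invented for the demo.
KEY = (r"HKLM\system\controlset001\services\bam\state\usersettings"
       r"\s-1-5-21-3119368278-1123331430-659265220-1001")
CMD_VALUE = r"\device\harddiskvolume2\windows\system32\cmd.exe"
EXAMPLE_RUN = datetime(2025, 11, 3, 14, 7, 9, tzinfo=timezone.utc)  # constructed
EXAMPLE_DATA = struct.pack("<Q", datetime_to_filetime(EXAMPLE_RUN)) + b"\x00" * 16


def demo():
    entry = parse_bam_entry(KEY, CMD_VALUE, EXAMPLE_DATA)
    win32 = device_path_to_win32(entry.device_path, {r"\device\harddiskvolume2": "C:"})
    return entry, win32


if __name__ == "__main__":
    e, p = demo()
    print(f"{e.sid} ran {p} at {e.last_run.isoformat()}")
```

On a live system the same decode applies to every value under the SID key; reading the hive offline (for example a SYSTEM hive copy) avoids the kernel-only ACL on the BAM key.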

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Keyboard Access
  • GetKeyState
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Other Suspicious
  • SetWindowsHookEx
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • ShellExecuteEx
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Terminate
  • TerminateProcess

Shell Command Execution

(NULL) cmd /c ""C:\Users\Gsbgfgpm\AppData\Local\Temp\Tweaks\WBPW\KillDuplicate.cmd" "C:\Users\Gsbgfgpm\AppData\Local\Temp\Tweaks\WBPW" "1d8cebcbbf6c09ff3e6d7b81b6c593accf93c764_0000385632""
WriteConsole: The system canno
(NULL) webbrowserpassview.exe

The SFX stub runs the extracted KillDuplicate.cmd with the extraction directory as its first argument. The second argument, 1d8cebcbbf6c09ff3e6d7b81b6c593accf93c764_0000385632, is the sandbox's file name for the sample (SHA1 followed by the zero-padded size) and matches the last entry under Known Samples, so the dropper is handing the script its own file name; on a victim machine this would be whatever the file was called. The WriteConsole line is truncated in the report as shown. The stub then launches webbrowserpassview.exe, the NirSoft tool it extracted to the same directory. The user name differs from the one in Files Modified because the two sections evidently come from different analysis runs.
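The two lines above are the behaviour worth alerting on: cmd.exe running a batch file out of the user's temp directory, followed by a NirSoft credential-recovery binary starting from that same directory. The block below is an added example, not part of the report: it runs that logic over constructed process-creation records shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage). The two command lines are copied from the report; the parent image and the third, benign record are invented. It also parses the sandbox-style "<sha1>_<size>" argument so the sample can be tied back to the hash list, and the tool-name set is taken from the report's Original Filename field.

```python
"""Flag the execution chain the report records in process-creation telemetry.

Added example, not code from the report. Records mimic Sysmon Event ID 1
fields; the two command lines are the report's, everything else is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Original Filename values from the report's version-info section.
NIRSOFT_PASSVIEW_IMAGES = {"webbrowserpassview.exe", "extpassword.exe"}

# Sandbox naming seen in the report: 40 hex SHA1, underscore, size zero-padded to 10.
_SANDBOX_NAME = re.compile(r"\b([0-9a-f]{40})_(\d{10})\b", re.I)
# A quoted .cmd/.bat path anywhere under <profile>\AppData\Local\Temp\.
_TEMP_SCRIPT = re.compile(r'"([^"]*\\AppData\\Local\\Temp\\[^"]+\.(?:cmd|bat))"', re.I)


def parse_sandbox_name(text: str) -> Optional[Tuple[str, int]]:
    m = _SANDBOX_NAME.search(text)
    return (m.group(1).lower(), int(m.group(2))) if m else None


def temp_script_from_cmdline(cmdline: str) -> Optional[str]:
    m = _TEMP_SCRIPT.search(cmdline)
    return m.group(1) if m else None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for each suspicious process creation."""
    hits = []
    for i, ev in enumerate(events):
        image_path = ev.get("Image", "")
        image = basename(image_path)
        cmdline = ev.get("CommandLine", "")
        if image == "cmd.exe":
            script = temp_script_from_cmdline(cmdline)
            if script:
                hits.append((i, f"cmd.exe running script from user temp: {script}"))
        if image in NIRSOFT_PASSVIEW_IMAGES:
            where = "temp" if "\\appdata\\local\\temp\\" in image_path.lower() else "elsewhere"
            hits.append((i, f"password-recovery tool {image} launched from {where}"))
    return hits


# Constructed telemetry; CommandLine of event 0 and the image name of event 1
# are the report's two Shell Command Execution lines. Parents are invented.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Gsbgfgpm\Desktop\sample.exe",
     "CommandLine": r'cmd /c ""C:\Users\Gsbgfgpm\AppData\Local\Temp\Tweaks\WBPW\KillDuplicate.cmd" '
                    r'"C:\Users\Gsbgfgpm\AppData\Local\Temp\Tweaks\WBPW" '
                    r'"1d8cebcbbf6c09ff3e6d7b81b6c593accf93c764_0000385632""'},
    {"Image": r"C:\Users\Gsbgfgpm\AppData\Local\Temp\Tweaks\WBPW\webbrowserpassview.exe",
     "ParentImage": r"C:\Users\Gsbgfgpm\Desktop\sample.exe",
     "CommandLine": "webbrowserpassview.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",  # benign control: script outside temp
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd /c "C:\Scripts\backup.cmd"'},
]

if __name__ == "__main__":
    for idx, reason in detect(EVENTS):
        print(idx, reason)
    print(parse_sandbox_name(EVENTS[0]["CommandLine"]))
```

The temp-path test is deliberately path-based rather than keyed on the Tweaks\WBPW directory name, which is trivial for a repackager to change; the tool-name check will also fire on legitimate administrative use of NirSoft utilities, so the two hits together, not either alone, are what make this worth a case.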
