PUP.Kuwo

Analysis Report

General information

Family Name: PUP.Kuwo
Signature status: Root Not Trusted

Known Samples

MD5: 0292864a46c1ab3a0cb72d94f04adec7
SHA1: f2cdf1f08c19eb47e48e84e2d5005a4ab7086a76
File Size: 57.50 KB, 57504 bytes
MD5: 90d19e0a9bc6a1d127cd90f4b0d29725
SHA1: 03119d57cddf6317adda0811c8b87fb99f77f12c
File Size: 148.33 KB, 148328 bytes
MD5: ff0e5a1d8dc01e18d6e9031b99a19fd1
SHA1: cf842ffb41f894a63c84359ff0582db8efdbcfe4
File Size: 57.50 KB, 57504 bytes
MD5: f6fa621d996e5d24a92fc4a58d979358
SHA1: d87137f6c8e9c8684f813eaf6a163c7b5c833bae
File Size: 101.02 KB, 101016 bytes
MD5: 3ac45161e14bc367d5cb656909e9d632
SHA1: 37bed1fc65ece165536690a90e3aa06b29e56bf9
File Size: 467.61 KB, 467608 bytes
MD5: 6746e33adbf506e539e9c37d5e550d13
SHA1: 4a5d957d7955b9df8698630145859ef5feaf25c9
SHA256: A15E8AC75B2CF55DC615109CA015959EA531AE1CEDC9C2110EB2A064E03C8838
File Size: 856.42 KB, 856416 bytes
MD5: b3518f1cd58f5e223c89ba2c5d93a3d4
SHA1: 5ad3ebe2662b615709f310eb431c7f462f3cc1f3
SHA256: 87651D92AF22CC5A0ED0B22F22E9F3AC090AFF9870CADBACC7DED46464E62F64
File Size: 57.50 KB, 57496 bytes
MD5: 87ce7144b3c569aea29f081b6949facc
SHA1: 00f0b2dfc1051c5ca59c29569212a4cf264b03b7
SHA256: CDCDD6A3256D6D1DD16E256E01962F468D9A52735599755C0C93A69A0DBECAA5
File Size: 331.93 KB, 331928 bytes
MD5: ed59f99ff5653aff54b90a271268c74c
SHA1: 8d0a6dbd22489c4e00fba680a9e432ee132550b6
SHA256: 94B98B0BA21D6152F29542FFDAB0C554D76FE75246053F2CEAF057EA0E8A6A18
File Size: 52.16 KB, 52160 bytes
MD5: 668e0ac2b92fe7bb77278bce4254e8ab
SHA1: d3245c9fb9feae61a6df013586de66afde28cdb8
SHA256: CAD17A51449AB5E3A7A30A56864B80509FCDF96E6D69A30538A12FB5F2B8F12F
File Size: 467.67 KB, 467672 bytes
MD5: 27fb87eee29e755dde7bd303395afc04
SHA1: 9cbe578c78d7f25e9ec67b9310e84d02f28dfefa
SHA256: FE970724CEECA942A432B98AD9E4436F0691391C231CA7DBCBDD46E66EE15C47
File Size: 856.61 KB, 856608 bytes
MD5: 58adcf97764d72dcd2c3220de0137667
SHA1: 66f90bc2585d9b403110d05da9e8639427407222
SHA256: 5D31D6954B599E65442A3968BF7590F4BA621911B1447D59EA4C41606FF1485B
File Size: 345.90 KB, 345904 bytes
MD5: d4d6f7d856eb3abcdbb22d35cd329d0e
SHA1: e6459b6efb6671f0cd913d9683e565bd93e40be6
SHA256: 89B02AEBFD7B4EF989FAAD32922A37DCDE8D6A0D23A0031B5276EC77462D176D
File Size: 467.62 KB, 467616 bytes
MD5: 15889839caa424cfe26544206b2e5730
SHA1: ad1be297a14f805c98f608715cf410407f5a6799
SHA256: 944DDD3A20C34481A3D4CC089BB1671D1BFB19493CD550FB1A2FB0C7CDE55027
File Size: 6.09 MB, 6089983 bytes
MD5: 57e2cbdf359d69ac56d26728ecacd11a
SHA1: b627e283f8437e0c1fe376f580286e07886e1d97
SHA256: B81CF2E9AB0B51E0DEAE176DD3F526421338DFA69A05A3E14AF765D49522629B
File Size: 331.99 KB, 331992 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Comments
  • 酷我音乐
  • 酷我音乐盒
Company Name
  • cn.wenyu.bodian
  • The curl library, https://curl.haxx.se/
  • 酷我科技
  • 酷狗音乐
File Description
  • bodian_pc
  • libcurl Shared Library
  • 酷我音乐
  • 酷我音乐盒
  • 音频特征提取
File Version
  • 9.5.0.0
  • 9.4.0.0
  • 7.56.0
  • 5, 0, 0, 0
  • 1.1.6+18
  • 1.1.4+16
  • 1.0.0.1
  • 1, 0, 0, 1
Internal Name
  • bodian_pc
  • FeatureExtractor
  • KwMusic.exe
  • libcurl
Legal Copyright
  • © 1996 - 2017 Daniel Stenberg, <daniel@haxx.se>.
  • Copyright (C) 2023 cn.wenyu.bodian. All rights reserved.
  • Copyright 2016 KuGou-Inc.All Rights Reserved
  • 酷我公司保留所有权利
  • 酷我公司保留所有权利。
License https://curl.haxx.se/docs/copyright.html
Original Filename
  • bodian_pc.exe
  • Encode.exe
  • FeatureExtractor
  • KwMusic.exe
  • libcurl.dll
Product Name
  • bodian_pc
  • FeatureExtractor
  • The curl library
  • 酷我音乐
  • 酷我音乐盒
Product Version
  • 7.56.0
  • 5, 0, 0, 0
  • 1.1.6+18
  • 1.1.4+16
  • 1.0.0.1
  • 1, 0, 0, 1

Digital Signatures

Signer Root Status
BEIJING KUWO TECHNOLOGY CO.,LTD. GlobalSign Code Signing Root R45 Root Not Trusted
BEIJING KUWO TECHNOLOGY CO.,LTD. GlobalSign CodeSigning CA - G3 Self Signed
BEIJING KUWO TECHNOLOGY CO.,LTD. GlobalSign CodeSigning CA - SHA256 - G3 Self Signed
BEIJING KUWO TECHNOLOGY CO.,LTD. Symantec Class 3 SHA256 Code Signing CA Self Signed
BEIJING KUWO TECHNOLOGY CO.,LTD. VeriSign Class 3 Code Signing 2010 CA Hash Mismatch

Block Information

Total Blocks: 386
Potentially Malicious Blocks: 0
Whitelisted Blocks: 356
Unknown Blocks: 30

Visual Map

0 0 0 0 0 0 ? 0 0 0 0 1 0 0 ? 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? 0 ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 ? 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? 0 ? 0 0 0 0 0 ? ? ? ? 0 ? ? 0 0 ? ? ? 1 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 2 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\program files\common files\system\symsrv.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kuwomsglog.txt Generic Write,Read Attributes
c:\users\user\appdata\local\temp\kwuninsthelper.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsd2daf.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nse306e.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsf3292.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf3292.tmp\base64.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf3292.tmp\base64.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf3292.tmp\inetc.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf3292.tmp\inetc.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf5f29.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nso5b22.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsr61ca.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsr61ca.tmp\base64.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr61ca.tmp\base64.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsr61ca.tmp\inetc.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr61ca.tmp\inetc.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nss2c38.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nss2dbf.tmp\kuwonsis_new.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss2dbf.tmp\kwmusicnsis.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss2dbf.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss2dbf.tmp\nsisarray.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss2dbf.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx5882.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsy5b61.tmp\kuwonsis_new.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy5b61.tmp\kwmusicnsis.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy5b61.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy5b61.tmp\nsisarray.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy5b61.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Dojdzduf\AppData\Local\Temp\~nsu.tmp\Au_.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Dojdzduf\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Dojdzduf\AppData\Local\Temp\~nsu.tmp RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Dojdzduf\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Dojdzduf\AppData\Local\Temp\~nsu.tmp\??\C:\Users\Dojdz RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\windows::appinit_dlls C:\PROGRA~1\COMMON~1\System\symsrv.dll RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\windows::loadappinit_dlls  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\windows::requiresignedappinit_dlls RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
User Data Access
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
Network Wininet
  • HttpOpenRequest
  • HttpQueryInfo
  • HttpSendRequest
  • InternetConnect
  • InternetOpen
  • InternetQueryOption
  • InternetReadFile

Shell Command Execution

"C:\Users\Dojdzduf\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
"C:\Users\Dojdzduf\AppData\Local\Temp\kwuninsthelper.exe" /MTD="cG9zdA==" /DAT="TWlVd09UeFRVa002VFZWVFNVTmZPUzQwTGpBdU1GOVFWSHhCUTFRNlRsTkpVMTlWVGtsT1UxUjhWRmxRUlRwU1ZVNVZUbE5VZkVOVlVrUlVPakl3TXpJd2ZFbE9VMVJFVkRwOFZWTTZNakF6TWpCOFZFTnZkVzUwT2pjNU9ETTVNSHg3UVhWZkxtVjRaWDE4VlRwOFRVRkRPakF3TURBd01EQXdNREF3TUQ0PQ==" /RES="QzpcVXNlcnNcRG9qZHpkdWZcQXBwRGF0YVxMb2NhbFxUZW1wXGt1d29tc2dsb2cudHh0" /DST="aHR0cDovL2xvZy5rdXdvLmNuL211c2ljLnls"
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\8d0a6dbd22489c4e00fba680a9e432ee132550b6_0000052160.,LiQMAxHB
"C:\Users\Yprngime\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
"C:\Users\Yprngime\AppData\Local\Temp\kwuninsthelper.exe" /MTD="cG9zdA==" /DAT="TWlVd09UeFRVa002VFZWVFNVTmZPUzQxTGpBdU1GOVhNWHhCUTFRNlRsTkpVMTlWVGtsT1UxUjhWRmxRUlRwU1ZVNVZUbE5VZkVOVlVrUlVPakl3TkRZeWZFbE9VMVJFVkRwOFZWTTZNakEwTmpKOFZFTnZkVzUwT2pNd016Z3lPVFo4ZTBGMVh5NWxlR1Y5ZkZVNmZFMUJRem93TURBd01EQXdNREF3TURBKw==" /RES="QzpcVXNlcnNcWXBybmdpbWVcQXBwRGF0YVxMb2NhbFxUZW1wXGt1d29tc2dsb2cudHh0" /DST="aHR0cDovL2xvZy5rdXdvLmNuL211c2ljLnls"
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\66f90bc2585d9b403110d05da9e8639427407222_0000345904.,LiQMAxHB
