PUP.Qiyi

By CagedTech in Potentially Unwanted Programs

Table of Contents

Analysis Report

General information

Family Name:	PUP.Qiyi
Signature status:	Self Signed

Known Samples

MD5: 7822220a3646a917561312c52c15edcf

SHA1: 508ae336fa3b97b89bc20112bd88d0e9d1943649

SHA256: F0DF219975FBCA9D94377D3D4E65622640AB92EC4751E31C7B74999B1842B5F5

File Size: 2.69 MB, 2687880 bytes

MD5: ee5280bb0ebada69bbb8d8fba921d0bb

SHA1: 0b587bc057d55ebe827e5906f4146a54e5a97178

SHA256: 3CC6B0845E018D9C7A55FAF131A4812D4F82994F0A23BFA393466D7B8693020A

File Size: 4.66 MB, 4660776 bytes

MD5: b515e2ead63e82b8a2b15707a5b15deb

SHA1: 6645a307b256ce1298c7c03db6441f59dc9ad005

SHA256: 0DF0817633C7D4E97B79C91CF18D4B0C9464C5DF7B76B883907E92F3F589BF3B

File Size: 4.66 MB, 4660240 bytes

MD5: 90702feba256c01282d086de4fa0009e

SHA1: ddc7898b875e5460f540948b899cf57aaf4cbb04

SHA256: 6B24A71117B792E3A6EB513D1D4789F5E19ECAD805BC72C6F93C70C29C943458

File Size: 103.50 KB, 103496 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File has TLS information
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed

IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Comments	2020.07.17.16.10.07 2021.01.04.15.30.06 2021.09.01.16.49.10
Company Name	爱奇艺
File Description	崩溃投递模块爱奇艺卸载程序爱奇艺安装程序
File Version	7.7.116.2047 3.3.4.38 3.3.4.27 1.0.0.3
Internal Name	GpCrashPost.exe
Legal Copyright	Copyright (C) 2018 爱奇艺 All Rights Reserved Copyright (C) 2020 爱奇艺 All Rights Reserved Copyright (C) 2021 爱奇艺 All Rights Reserved
Original Filename	GpCrashP.exe IQIYIsetup_z27s.exe QyUninst.exe
Product Name	爱奇艺爱奇艺万能播放器
Product Version	7.7.116.2047 3.3.4.38 3.3.4.27 1.0.0.3

Digital Signatures

Signer	Root	Status
BEIJING QIYI CENTURY SCIENCE&TECHNOLOGY CO.,LTD.	DigiCert Assured ID Code Signing CA-1	Self Signed
BEIJING QIYI CENTURY SCIENCE&TECHNOLOGY CO.,LTD.	DigiCert SHA2 Assured ID Code Signing CA	Self Signed
BeiJing IQIYI Science & Techonology Co.,Ltd	DigiCert SHA2 Assured ID Code Signing CA	Self Signed

File Traits

HighEntropy
x86

Block Information

Total Blocks:	247
Potentially Malicious Blocks:	6
Whitelisted Blocks:	216
Unknown Blocks:	25

Visual Map

0 0 0 ? 0 0 0 0 0 0 0 0 0 0 1 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 x 0 x 0 0 0 0 0 ? 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? 0 0 0 0 ? ? ? ? 0 ? x 0 ? ? 0 x ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 2 3 1 0 0 0 0 0 0 0 0 1 1

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File	Attributes
c:\programdata\iqiyi video\lstyle	Synchronize,Write Attributes
c:\programdata\iqiyi video\lstyle\unsetupinfo.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\iqiyi video\lstyle\unsetupinfo.ini	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\01.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\01_100.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\02.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\02_100.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\03.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\03_100.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\04.png	Generic Write,Read Attributes

c:\users\user\appdata\local\temp\nsa52f5.tmp\04_100.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\05.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\05_100.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\banner_normal.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\banner_select.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\btn.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\btn2.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\button.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\change.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\closebtn.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\closebtn_125.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\closebtn_150.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\closebtn_175.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\closebtn_200.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\closebtn_225.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\closebtn_250.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\closebtn_300.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonclose.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonclose_125.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonclose_150.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonclose_175.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonclose_200.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonclose_225.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonclose_250.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonclose_300.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonopen.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonopen_125.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonopen_150.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonopen_175.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonopen_200.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonopen_225.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonopen_250.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\custombuttonopen_300.png	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\dialogex.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\nsprocess.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa52f5.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsda91d.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsdb66b.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsia93d.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsia93d.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsia93d.tmp\stdutils.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsia93d.tmp\stdutils.dll_deleted_	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsia93d.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsia93d.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsia93d.tmp\system.dll_deleted_	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsib69b.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsib69b.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsib69b.tmp\stdutils.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsib69b.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsib69b.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsna872.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsna872.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsna872.tmp\stdutils.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsna872.tmp\stdutils.dll_deleted_	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsna872.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsna872.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsna872.tmp\system.dll_deleted_	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsrb36d.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsv52d5.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nswb38d.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nswb38d.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nswb38d.tmp\stdutils.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nswb38d.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nswb38d.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsxa861.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\roaming\iqiyi video\lstyle	Synchronize,Write Attributes
c:\users\user\appdata\roaming\iqiyi video\lstyle\qyuninst.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\iqiyi video\lstyle\qyuninst.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\iqiyi video\lstyle\qyuninst.ini	Synchronize,Write Attributes

Registry Modifications

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e41\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey

HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475

RegNtPreCreateKey

Windows API Usage

Category	API
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
User Data Access	GetUserObjectInformation
Process Manipulation Evasion	NtUnmapViewOfSection ZwMapViewOfSection
Process Shell Execute	CreateProcess

Shell Command Execution


							"C:\Users\Ukakudrh\AppData\Roaming\IQIYI Video\LStyle\QyUninst.exe"


							"C:\Users\Rruprcby\AppData\Roaming\IQIYI Video\LStyle\QyUninst.exe"

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

PUP.Qiyi

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

File Traits

Block Information

Block Information

Visual Map

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

PUP.Rostpay

Malicious Packagist PHP Packages

Hotel Room Upgrade Malicious Emails

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

How to Fix 'macOS cannot verify that this app is...

Discord Shows Black Screen when Sharing Screen