PUP.Keniu

Analysis Report

General information

Family Name: PUP.Keniu
Signature status: Self Signed

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name
  • FFmpeg Project
  • Zhuhai Motingzhi Technology Co., Ltd.
  • 北京科德威曼科技有限公司
File Description
  • about
  • FFmpeg container format library
  • Kszzdl
  • wpsvc
  • 安装程序
File Version
  • 2024,04,14,1
  • 2024,02,19,1
  • 2023,02,06,6
  • 56.40.101
Internal Name
  • about
  • install
  • Kszzdl
  • libavformat
  • wpsvc
Legal Copyright
  • Copyright (C) 2000-2024 FFmpeg Project
  • Copyright(C) 2020-2024 Zhuhai Motingzhi Technology Co., Ltd.
  • Copyright(C) 2023-2025 北京科德威曼科技有限公司
Original Filename
  • about.exe
  • avformat-56.dll
  • install.exe
  • Kszzdl.dll
  • wpsvc.exe
Product Name
  • DLL系统修复
  • FFmpeg
  • Win实用工具
  • Win解压缩
  • 系统修复
Product Version
  • 5,0,0,1
  • 4,0,1,24
  • 2.8.22
  • 1,0,0,6

Digital Signatures

Signer: 珠海市莫停之科技有限公司 / Root: Certum Extended Validation Code Signing 2021 CA / Status: Self Signed
Signer: 珠海市莫停之科技有限公司 / Root: Certum Trusted Network CA 2 / Status: Root Not Trusted
Signer: 北京科德威曼科技有限公司 / Root: DigiCert Trusted Root G4 / Status: Root Not Trusted

Block Information

Total Blocks: 4,812
Potentially Malicious Blocks: 189
Whitelisted Blocks: 3,746
Unknown Blocks: 877

Visual Map

Per-block classification map (0 = probable safe block, ? = unknown block, x = potentially malicious block); the map data is truncated in the source.

Files Modified

File: c:\users\user\downloads\~925f022\data\fileinfo.dat / Attributes: Generic Read, Generic Execute, Write Data, Write Attributes, Write extended, Append data, Delete, LEFT 786496
File: c:\users\user\downloads\~925f022\toolconfig.dat / Attributes: Generic Write, Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\winset::userid RegNtPreCreateKey

Windows API Usage

Category API
Network Winsock2
  • WSAStartup
Network Winsock
  • closesocket
  • connect
  • gethostbyname
  • send
  • setsockopt
  • socket
User Data Access
  • GetComputerName
Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWriteFile
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Anti Debug
  • NtQuerySystemInformation
Service Control
  • OpenSCManager
  • OpenService
  • StartServiceCtrlDispatcher

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\8bd29aa095920c43186110b48c1d26b351a0d4da_0001805384.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ce9ec96a6e2ec38e9458a8c0a66bb40730aa35df_0000265584.,LiQMAxHB
