00f957b7dafd8d210e717041add02eab
Hash
- MD5: 00f957b7dafd8d210e717041add02eab
- SHA1: ade12bc8b28984f080b799d2e9616a64c8d5856f
- SHA256: 9fd46aa45ac8539cd288b744730661b3b27b00047bbb994e6a12b8da82d2b3e3
- First Seen: 2026-05-27
- Last Seen: 2026-05-27
Related Reports: 2
Related IOCs: 0
Additional Information
VirusTotal file report (engine updates dated 2026-05-27/28). Reviewer summary: none of the listed engines flagged the file; three engines timed out (Skyhigh, ClamAV, TrellixENS) and four mobile engines report type-unsupported, so the "0 detections" count should be read against that reduced coverage. The file is a DigiCert-signed Nullsoft (NSIS) installer for INCA Internet's nProtect Online Security, and the sandbox Sigma matches below — certutil.exe importing an INCA certificate into Firefox NSS profile stores with trust flags "C,,", netsh advfirewall allow rules for nosstarter.npe (inbound) and npupdatec.exe (outbound), sc.exe creating the auto-start service "nossvc", execution of a ".npe" image, and a "Powershell Token Obfuscation" rule hit that appears to be triggered only by the backtick characters in a non-PowerShell npupdatec.exe command line — are consistent with installer behaviour rather than, on their own, evidence of malice; the certificate import into browser trust stores is nonetheless the behaviour a practitioner should review. Note that the INCA code-signing certificate is valid only to 2025-09-25, after the 2025-03-19 signing date; the signature should remain verifiable because of the DigiCert timestamp countersignature, and "Signed" here attests to publisher identity, not to the file being benign.
{
"data": {
"id": "9fd46aa45ac8539cd288b744730661b3b27b00047bbb994e6a12b8da82d2b3e3",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/9fd46aa45ac8539cd288b744730661b3b27b00047bbb994e6a12b8da82d2b3e3"
},
"attributes": {
"size": 28380120,
"ssdeep": "786432:9tyBQOVVesQL1eorrEVlsWY84pW/DBCvSrjWE:TeesQharYHvmWE",
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260528",
"category": "undetected",
"result": null
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260528",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "undetected",
"result": null
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.54.59636",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.54.59636",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "8019ebe:8019ebe:4ac772e:4ac772e",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1216",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.264",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.782",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260528",
"category": "undetected",
"result": null
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "undetected",
"result": null
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5609",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14532",
"engine_update": "20260528",
"category": "undetected",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260504",
"category": "undetected",
"result": null
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1779922840",
"engine_update": "20260528",
"category": "undetected",
"result": null
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.247.174",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38681",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107113",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44698AVA:64.31317",
"engine_update": "20260528",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-05-27.02",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.235",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260528",
"category": "undetected",
"result": null
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": null,
"engine_update": "20260527",
"category": "timeout",
"result": null
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260527",
"category": "timeout",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260527",
"category": "timeout",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260527-02",
"engine_update": "20260527",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260528",
"category": "type-unsupported",
"result": null
}
},
"sha256": "9fd46aa45ac8539cd288b744730661b3b27b00047bbb994e6a12b8da82d2b3e3",
"type_extension": "exe",
"detectiteasy": {
"filetype": "PE32",
"values": [
{
"info": "lzma,solid",
"version": "3.04",
"type": "Installer",
"name": "Nullsoft Scriptable Install System"
},
{
"info": "C",
"version": "12.20.9044",
"type": "Compiler",
"name": "Microsoft Visual C/C++"
},
{
"version": "6.0",
"type": "Linker",
"name": "Microsoft Linker"
},
{
"type": "Tool",
"name": "Visual Studio"
}
]
},
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "25fc56c1bee673d7ff3edcf371e4d2a36c0af83222da348961b87735c8efa61f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "System File Execution Location Anomaly",
"rule_description": "Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.\n",
"rule_author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=451D8BBA38D15E7F9A3EDED071C1F43B,SHA256=AF06A941B1165D1DF5A7039F7297AAD23813EBF2091122F29AE10251BEF610FB,IMPHASH=E3A088F00827D99D5FE555C4E7139852",
"CurrentDirectory": "C:\\Windows\\Downloaded Program Files\\",
"EventID": "1",
"ParentCommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe\" /SET",
"CommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\ncert\\certutil.exe\" -L -d sql:\"C:\\Users\\Bruno\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\1hmu7354.default-release\"",
"ParentImage": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe",
"IntegrityLevel": "High",
"Image": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\ncert\\certutil.exe"
}
},
{
"values": {
"Hashes": "MD5=451D8BBA38D15E7F9A3EDED071C1F43B,SHA256=AF06A941B1165D1DF5A7039F7297AAD23813EBF2091122F29AE10251BEF610FB,IMPHASH=E3A088F00827D99D5FE555C4E7139852",
"CurrentDirectory": "C:\\Windows\\Downloaded Program Files\\",
"EventID": "1",
"ParentCommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe\" /SET",
"CommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\ncert\\certutil.exe\" -A -d \"C:\\Users\\Bruno\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\1hmu7354.default-release\" -t \"C,,\" -n \"INCA Internet Co., Ltd. G2 - INCA Internet Co., Ltd.\" -i \"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\ncert\\{44D729E1-5CBC-4882-B324-F634107A03C1}\"",
"ParentImage": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe",
"IntegrityLevel": "High",
"Image": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\ncert\\certutil.exe"
}
},
{
"values": {
"Hashes": "MD5=451D8BBA38D15E7F9A3EDED071C1F43B,SHA256=AF06A941B1165D1DF5A7039F7297AAD23813EBF2091122F29AE10251BEF610FB,IMPHASH=E3A088F00827D99D5FE555C4E7139852",
"CurrentDirectory": "C:\\Windows\\Downloaded Program Files\\",
"EventID": "1",
"ParentCommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe\" /SET",
"CommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\ncert\\certutil.exe\" -L -d \"C:\\Users\\Bruno\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\1hmu7354.default-release\"",
"ParentImage": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe",
"IntegrityLevel": "High",
"Image": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\ncert\\certutil.exe"
}
},
{
"values": {
"Hashes": "MD5=451D8BBA38D15E7F9A3EDED071C1F43B,SHA256=AF06A941B1165D1DF5A7039F7297AAD23813EBF2091122F29AE10251BEF610FB,IMPHASH=E3A088F00827D99D5FE555C4E7139852",
"CurrentDirectory": "C:\\Windows\\Downloaded Program Files\\",
"EventID": "1",
"ParentCommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe\" /SET",
"CommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\ncert\\certutil.exe\" -A -d \"C:\\Users\\Bruno\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\pexxaamp.default\" -t \"C,,\" -n \"INCA Internet Co., Ltd. G2 - INCA Internet Co., Ltd.\" -i \"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\ncert\\{44D729E1-5CBC-4882-B324-F634107A03C1}\"",
"ParentImage": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe",
"IntegrityLevel": "High",
"Image": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\ncert\\certutil.exe"
}
},
{
"values": {
"Hashes": "MD5=451D8BBA38D15E7F9A3EDED071C1F43B,SHA256=AF06A941B1165D1DF5A7039F7297AAD23813EBF2091122F29AE10251BEF610FB,IMPHASH=E3A088F00827D99D5FE555C4E7139852",
"CurrentDirectory": "C:\\Windows\\Downloaded Program Files\\",
"EventID": "1",
"ParentCommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe\" /SET",
"CommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\ncert\\certutil.exe\" -L -d \"C:\\Users\\Bruno\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\pexxaamp.default\"",
"ParentImage": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe",
"IntegrityLevel": "High",
"Image": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\ncert\\certutil.exe"
}
}
]
},
{
"rule_level": "high",
"rule_id": "6dd3abd7ee97d24f91e01e6fe236e6d2b8b12c2943ed9bb875e5613bf3deb8d6",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Powershell Token Obfuscation - Process Creation",
"rule_description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Product": "nProtect",
"CurrentDirectory": "C:\\Windows\\Downloaded Program Files\\",
"OriginalFileName": "npUpdate.exe",
"Hashes": "SHA1=D98F51724C285FAAA37E487D010A6AF8A900C3E3,MD5=32D43E89EB8420EC8B31A56D32255E54,SHA256=0C0D2863111EF3BA4274E9E9E03DC24D7A4BAA5DC87BA80C6A62DC42225C598A,IMPHASH=EA1CD0C29AC3D7B5608FBC97EF7DCD12",
"Description": "nProtect Updater",
"EventID": "1",
"ParentCommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe\" /SET",
"CommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\npupdatec.exe\" https://supdated.nprotect.net/nprotect/nos_service/windows6/install/npsttupprm.dat`nos`p`ru:nos`",
"FileVersion": "2021, 5, 20, 2",
"ParentImage": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe",
"IntegrityLevel": "High",
"Image": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\npupdatec.exe",
"Company": "INCA Internet Co., Ltd."
}
}
]
},
{
"rule_level": "medium",
"rule_id": "2104d1ee1ce64e7aa3dbd368652a54ce160e6a5751019af14601fc8fd1df8086",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Execution of Suspicious File Type Extension",
"rule_description": "Detects whether the image specified in a process creation event doesn't refer to an \".exe\" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.\nThis rule might require some initial baselining to align with some third party tooling in the user environment.\n",
"rule_author": "Max Altgelt (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "nosstarter",
"CurrentDirectory": "C:\\Windows\\Downloaded Program Files\\",
"OriginalFileName": "nosstarter.npe",
"Hashes": "MD5=1A165A86864D318FDF694928863636CD,SHA256=A5B7EDB8D4D679C9E056B8A074D144ACACF91BF46E30192645208797DFBA925A,IMPHASH=BAA93D47220682C04D92F7797D9224CE",
"Description": "nProtect Online Security Starter",
"EventID": "1",
"ParentCommandLine": "\"C:\\Users\\Bruno\\Desktop\\nos_setup.exe\" ",
"CommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe\" /SET",
"FileVersion": "2025, 3, 4, 1",
"ParentImage": "C:\\Users\\Bruno\\Desktop\\nos_setup.exe",
"IntegrityLevel": "High",
"Image": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe",
"Company": "INCA Internet Co., Ltd."
}
},
{
"values": {
"Product": "nosstarter",
"CurrentDirectory": "C:\\Windows\\Downloaded Program Files\\",
"OriginalFileName": "nosstarter.npe",
"Hashes": "SHA1=DADE6F26943CB19F2FB31B81019C16E74A9DF8A8,MD5=1A165A86864D318FDF694928863636CD,SHA256=A5B7EDB8D4D679C9E056B8A074D144ACACF91BF46E30192645208797DFBA925A,IMPHASH=BAA93D47220682C04D92F7797D9224CE",
"Description": "nProtect Online Security Starter",
"FileVersion": "2025, 3, 4, 1",
"ParentCommandLine": "\"C:\\Users\\george\\Desktop\\nos_setup.exe\"",
"CommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe\" /SET",
"EventID": "1",
"ParentImage": "C:\\Users\\george\\Desktop\\nos_setup.exe",
"IntegrityLevel": "High",
"Image": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe",
"Company": "INCA Internet Co., Ltd."
}
}
]
},
{
"rule_level": "medium",
"rule_id": "7b1f3cd9ca9b55feb5fdd5c8e1821348f2d78745282b41055af44f88df612112",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "New Firewall Rule Added Via Netsh.EXE",
"rule_description": "Detects the addition of a new rule to the Windows firewall via netsh",
"rule_author": "Markus Neis, Sander Wiebing",
"match_context": [
{
"values": {
"Hashes": "MD5=4E89A1A088BE715D6C946E55AB07C7DF,SHA256=9EFA9DAFA09AE9BA6390A8F0F6751006C18A98B6692667CA08367CDDB47AC634,IMPHASH=C8D91522FEEE1152DC40833F6A4717E7",
"CurrentDirectory": "C:\\Program Files (x86)\\INCAInternet UnInstall\\nProtect Online Security\\npx\\",
"OriginalFileName": "netsh.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Network Command Shell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Users\\Bruno\\Desktop\\nos_setup.exe\" ",
"CommandLine": "\"C:\\Windows\\system32\\netsh.exe\" advfirewall firewall add rule name=\"nProtect Online Security Starter\" program=\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe\" description=\"nProtect Online Security Starter\" dir=in action=allow protocol=any enable=yes profile=any",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Users\\Bruno\\Desktop\\nos_setup.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\netsh.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\Downloaded Program Files\\",
"OriginalFileName": "netsh.exe",
"Hashes": "MD5=4E89A1A088BE715D6C946E55AB07C7DF,SHA256=9EFA9DAFA09AE9BA6390A8F0F6751006C18A98B6692667CA08367CDDB47AC634,IMPHASH=C8D91522FEEE1152DC40833F6A4717E7",
"Description": "Network Command Shell",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe\" /SET",
"CommandLine": "\"C:\\Windows\\SysWOW64\\netsh.exe\" advfirewall firewall add rule name=\"nProtect Online Security Updater\" program=\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\npupdatec.exe\" description=\"nProtect Online Security Updater\" dir=Out action=allow protocol=any enable=yes profile=any",
"EventID": "1",
"ParentImage": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\netsh.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=9528147789187EB89CF66AD9CCAF9B64506DF74C,MD5=A0AA3322BB46BBFC36AB9DC1DBBBB807,SHA256=751525FF60A42609D4DFCBB9D70CEC0C0650FC2B14B04994EDE1B0159688278B,IMPHASH=C8D91522FEEE1152DC40833F6A4717E7",
"CurrentDirectory": "C:\\Program Files (x86)\\INCAInternet UnInstall\\nProtect Online Security\\npx\\",
"OriginalFileName": "netsh.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Network Command Shell",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Users\\george\\Desktop\\nos_setup.exe\"",
"CommandLine": "\"C:\\Windows\\system32\\netsh.exe\" advfirewall firewall add rule name=\"nProtect Online Security Starter\" program=\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe\" description=\"nProtect Online Security Starter\" dir=in action=allow protocol=any enable=yes profile=any",
"EventID": "1",
"ParentImage": "C:\\Users\\george\\Desktop\\nos_setup.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\netsh.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\Downloaded Program Files\\",
"OriginalFileName": "netsh.exe",
"Hashes": "SHA1=9528147789187EB89CF66AD9CCAF9B64506DF74C,MD5=A0AA3322BB46BBFC36AB9DC1DBBBB807,SHA256=751525FF60A42609D4DFCBB9D70CEC0C0650FC2B14B04994EDE1B0159688278B,IMPHASH=C8D91522FEEE1152DC40833F6A4717E7",
"Description": "Network Command Shell",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe\" /SET",
"CommandLine": "\"C:\\Windows\\SysWOW64\\netsh.exe\" advfirewall firewall add rule name=\"nProtect Online Security Updater\" program=\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\npupdatec.exe\" description=\"nProtect Online Security Updater\" dir=Out action=allow protocol=any enable=yes profile=any",
"EventID": "1",
"ParentImage": "C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nosstarter.npe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\netsh.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "9821e08a6d71e81d42d38e95e4265f2df05a9e00e70a874249d812f403a8c789",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "New Service Creation Using Sc.EXE",
"rule_description": "Detects the creation of a new service using the \"sc.exe\" utility.",
"rule_author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community",
"match_context": [
{
"values": {
"Hashes": "MD5=D9D7684B8431A0D10D0E76FE9F5FFEC8,SHA256=4FE6D9EB8109FB79FF645138DE7CFF37906867AADE589BD68AFA503A9AB3CFB2,IMPHASH=B037D0ADB81BF9CFC651DE01742089F1",
"CurrentDirectory": "C:\\Windows\\Downloaded Program Files\\",
"OriginalFileName": "sc.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Service Control Manager Configuration Tool",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Users\\Bruno\\Desktop\\nos_setup.exe\" ",
"CommandLine": "\"C:\\Windows\\system32\\sc.exe\" create \"nossvc\" binPath= \"\\\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nossvc.exe\\\" /SVC\" DisplayName= \"nProtect Online Security(PFS)\" start= auto",
"EventID": "1",
"ParentImage": "C:\\Users\\Bruno\\Desktop\\nos_setup.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\sc.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=89541F4E521BAFA4CABBC8A6DF95685183E52E13,MD5=24A3E2603E63BCB9695A2935D3B24695,SHA256=3047D5C22A245D1E4294FCD547EC5FB0F2E5EF030B764424ACC74E7744FBE32E,IMPHASH=B037D0ADB81BF9CFC651DE01742089F1",
"CurrentDirectory": "C:\\Windows\\Downloaded Program Files\\",
"OriginalFileName": "sc.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Service Control Manager Configuration Tool",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Users\\george\\Desktop\\nos_setup.exe\"",
"CommandLine": "\"C:\\Windows\\system32\\sc.exe\" create \"nossvc\" binPath= \"\\\"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nossvc.exe\\\" /SVC\" DisplayName= \"nProtect Online Security(PFS)\" start= auto",
"EventID": "1",
"ParentImage": "C:\\Users\\george\\Desktop\\nos_setup.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\sc.exe",
"Company": "Microsoft Corporation"
}
}
]
}
],
"unique_sources": 17,
"magika": "PEBIN",
"crowdsourced_yara_results": [
{
"ruleset_id": "00b547f930",
"ruleset_version": "00b547f930|b488c511a7c48ed6c425bf38811bf08e87b0ddbf",
"ruleset_name": "NSIS",
"rule_name": "NSIS",
"match_date": 1779930348,
"description": "NSIS Integrity Check function",
"author": "kevoreilly",
"source": "https://github.com/kevoreilly/CAPEv2"
}
],
"signature_info": {
"product": "nProtect Online Security V1.0",
"verified": "Signed",
"description": "nProtect Online Security V1.0 Installer",
"file version": "2025.3.19.1",
"signing date": "06:03 AM 03/19/2025",
"x509": [
{
"thumbprint_sha256": "33846B545A49C9BE4903C60E01713C1BD4E4EF31EA65CD95D69E62794F30B941",
"name": "DigiCert Trusted Root G4",
"algorithm": "sha384RSA",
"thumbprint_md5": "8DDD0BC6D9D770EB6B2B671A862855CC",
"valid from": "2022-08-01 00:00:00",
"valid to": "2031-11-09 23:59:59",
"serial number": "0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A",
"cert issuer": "DigiCert Assured ID Root CA",
"thumbprint": "A99D5B79E9F1CDA59CDAB6373169D5353F5874C6"
},
{
"valid usage": "Timestamp Signing",
"thumbprint_sha256": "281734D4592D1291D27190709CB510B07E22C405D5E0D6119B70E73589F98ACF",
"name": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
"algorithm": "sha256RSA",
"thumbprint_md5": "9E3E4FA44117441DBA73C28E983FC05F",
"valid from": "2022-03-23 00:00:00",
"valid to": "2037-03-22 23:59:59",
"serial number": "07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B",
"cert issuer": "DigiCert Trusted Root G4",
"thumbprint": "B6C8AF834D4E53B673C76872AA8C950C7C54DF5F"
},
{
"valid usage": "Code Signing",
"thumbprint_sha256": "46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B",
"name": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
"algorithm": "sha384RSA",
"thumbprint_md5": "D91299E84355CD8D5A86795A0118B6E9",
"valid from": "2021-04-29 00:00:00",
"valid to": "2036-04-28 23:59:59",
"serial number": "08 AD 40 B2 60 D2 9C 4C 9F 5E CD A9 BD 93 AE D9",
"cert issuer": "DigiCert Trusted Root G4",
"thumbprint": "7B0F360B775F76C94A12CA48445AA2D2A875701C"
},
{
"valid usage": "ff",
"thumbprint_sha256": "76769FA8F2632F1F430B3A2330AED65675FED773DB05D665B9059398438F9ADB",
"name": "DigiCert Timestamp 2024",
"algorithm": "sha256RSA",
"thumbprint_md5": "EFF13676730E52425431E32875DBD605",
"valid from": "2024-09-26 00:00:00",
"valid to": "2035-11-25 23:59:59",
"serial number": "0B AE 66 BC 5A BA 7F 95 87 C6 F9 E9 04 E3 33 04",
"cert issuer": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
"thumbprint": "DBD385EE62DBD23E7BE4F67148508724D5865B45"
},
{
"valid usage": "Code Signing",
"thumbprint_sha256": "7BC7A19010051FAB8C5194642D0671BCFDCAA1FF401D73ED56A3B701F4D02C83",
"name": "INCA Internet Co.,Ltd.",
"algorithm": "sha256RSA",
"thumbprint_md5": "E072C4732DDF5C14D79077A322578D33",
"valid from": "2024-09-27 00:00:00",
"valid to": "2025-09-25 00:00:00",
"serial number": "03 C1 13 92 A7 0B 38 0E 30 AF E5 A9 21 B7 F6 73",
"cert issuer": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
"thumbprint": "BC30F92B6379621B59659FC2D4E4051FACEB3426"
}
],
"original name": "nProtectOnlineSecurity.exe",
"signers": "INCA Internet Co.,Ltd.; DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1; DigiCert Trusted Root G4; DigiCert",
"counter signers details": [
{
"status": "Valid",
"valid usage": "Timestamp Signing",
"name": "DigiCert Timestamp 2024",
"algorithm": "sha256RSA",
"valid from": "12:00 AM 09/26/2024",
"valid to": "11:59 PM 11/25/2035",
"serial number": "0B AE 66 BC 5A BA 7F 95 87 C6 F9 E9 04 E3 33 04",
"cert issuer": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
"thumbprint": "DBD385EE62DBD23E7BE4F67148508724D5865B45"
},
{
"status": "Valid",
"valid usage": "Timestamp Signing",
"name": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
"algorithm": "sha256RSA",
"valid from": "12:00 AM 03/23/2022",
"valid to": "11:59 PM 03/22/2037",
"serial number": "07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B",
"cert issuer": "DigiCert Trusted Root G4",
"thumbprint": "B6C8AF834D4E53B673C76872AA8C950C7C54DF5F"
},
{
"status": "Valid",
"valid usage": "All",
"name": "DigiCert Trusted Root G4",
"algorithm": "sha384RSA",
"valid from": "12:00 AM 08/01/2022",
"valid to": "11:59 PM 11/09/2031",
"serial number": "0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A",
"cert issuer": "DigiCert Assured ID Root CA",
"thumbprint": "A99D5B79E9F1CDA59CDAB6373169D5353F5874C6"
},
{
"status": "Valid",
"valid usage": "Client Auth, Code Signing, Email Protection, Server Auth, Timestamp Signing",
"name": "DigiCert",
"algorithm": "sha1RSA",
"valid from": "12:00 AM 11/10/2006",
"valid to": "12:00 AM 11/10/2031",
"serial number": "0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39",
"cert issuer": "DigiCert Assured ID Root CA",
"thumbprint": "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"
}
],
"counter signers": "DigiCert Timestamp 2024; DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA; DigiCert Trusted Root G4; DigiCert",
"copyright": "Copyright (C) INCA Internet Co., Ltd.",
"signers details": [
{
"status": "This certificate or one of the certificates in the certificate chain is not time valid.",
"valid usage": "Code Signing",
"name": "INCA Internet Co.,Ltd.",
"algorithm": "sha256RSA",
"valid from": "12:00 AM 09/27/2024",
"valid to": "12:00 AM 09/25/2025",
"serial number": "03 C1 13 92 A7 0B 38 0E 30 AF E5 A9 21 B7 F6 73",
"cert issuer": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
"thumbprint": "BC30F92B6379621B59659FC2D4E4051FACEB3426"
},
{
"status": "Valid",
"valid usage": "Code Signing",
"name": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
"algorithm": "sha384RSA",
"valid from": "12:00 AM 04/29/2021",
"valid to": "11:59 PM 04/28/2036",
"serial number": "08 AD 40 B2 60 D2 9C 4C 9F 5E CD A9 BD 93 AE D9",
"cert issuer": "DigiCert Trusted Root G4",
"thumbprint": "7B0F360B775F76C94A12CA48445AA2D2A875701C"
},
{
"status": "Valid",
"valid usage": "All",
"name": "DigiCert Trusted Root G4",
"algorithm": "sha384RSA",
"valid from": "12:00 AM 08/01/2022",
"valid to": "11:59 PM 11/09/2031",
"serial number": "0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A",
"cert issuer": "DigiCert Assured ID Root CA",
"thumbprint": "A99D5B79E9F1CDA59CDAB6373169D5353F5874C6"
},
{
"status": "Valid",
"valid usage": "Client Auth, Code Signing, Email Protection, Server Auth, Timestamp Signing",
"name": "DigiCert",
"algorithm": "sha1RSA",
"valid from": "12:00 AM 11/10/2006",
"valid to": "12:00 AM 11/10/2031",
"serial number": "0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39",
"cert issuer": "DigiCert Assured ID Root CA",
"thumbprint": "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"
}
],
"pkcs7": {
"opusinfo": [
{
"moreInfo": "http://www.nprotect.com ",
"programName": "nProtect Online Security V1.0"
}
]
}
},
"vhash": "027056655d1c0510d043z800417z47z62z41fz",
"sigma_analysis_stats": {
"critical": 0,
"high": 2,
"medium": 2,
"low": 1
},
"last_analysis_date": 1779926515,
"magic": "PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive",
"trid": [
{
"file_type": "Win64 Executable (generic)",
"probability": 27.0
},
{
"file_type": "Win16 NE executable (generic)",
"probability": 20.8
},
{
"file_type": "Win32 Executable (generic)",
"probability": 18.6
},
{
"file_type": "Windows Icons Library (generic)",
"probability": 8.5
},
{
"file_type": "OS/2 Executable (generic)",
"probability": 8.4
}
],
"last_submission_date": 1779243851,
"pe_info": {
"timestamp": 1544912676,
"imphash": "1f23f452093b5c1ff091a2f9fb4fa3e9",
"machine_type": 332,
"entry_point": 13477,
"resource_details": [
{
"lang": "ENGLISH US",
"chi2": 261120.89,
"filetype": "unknown",
"entropy": 5.419590950012207,
"sha256": "0ec8f73222e75f4517932659c27f37acc01d9d700f0cda5df5552584019a6fd0",
"type": "RT_ICON"
},
{
"lang": "ENGLISH US",
"chi2": 114132.25,
"filetype": "unknown",
"entropy": 5.489309310913086,
"sha256": "202684cd65f43c60c659ea6b3beda32503bbeae9ce49ca00999d501a5095939c",
"type": "RT_ICON"
},
{
"lang": "ENGLISH US",
"chi2": 214239.59,
"filetype": "unknown",
"entropy": 2.883920907974243,
"sha256": "9cd2bc55a9bd8440ca702a999a1fbf2174a344186756fa333bdf47c3f09493b4",
"type": "RT_ICON"
},
{
"lang": "ENGLISH US",
"chi2": 352920.0,
"filetype": "unknown",
"entropy": 0.0,
"sha256": "e253c6a87bdd62e771c0ef1b9850dbc9523c51408ca282f994d3530dbbad9b11",
"type": "RT_ICON"
},
{
"lang": "ENGLISH US",
"chi2": 287640.0,
"filetype": "unknown",
"entropy": 0.0,
"sha256": "3731b0a75ab19d96b774da62d37eccacd517c6593af20aa66525dc0b951cdba9",
"type": "RT_ICON"
},
{
"lang": "ENGLISH US",
"chi2": 189720.0,
"filetype": "unknown",
"entropy": 0.0,
"sha256": "1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be",
"type": "RT_ICON"
},
{
"lang": "ENGLISH US",
"chi2": 75480.0,
"filetype": "unknown",
"entropy": 0.0,
"sha256": "250f52cb2d6f1966a29f6ac771fa1cd185b8f8531396c8a4026c0fe635617e0c",
"type": "RT_ICON"
},
{
"lang": "ENGLISH US",
"chi2": 52568.7,
"filetype": "unknown",
"entropy": 2.7389302253723145,
"sha256": "425b8270f7ca42a927eae6bea468acf414a3e4b58b5ba2c56aaae4d1b2c11014",
"type": "RT_DIALOG"
},
{
"lang": "ENGLISH US",
"chi2": 24856.54,
"filetype": "unknown",
"entropy": 2.9114809036254883,
"sha256": "4a55bd714f5d50cd8eabba10e57f0618f1842717dcfa582d73a917b1933cd1d4",
"type": "RT_DIALOG"
},
{
"lang": "ENGLISH US",
"chi2": 22210.42,
"filetype": "unknown",
"entropy": 2.8988661766052246,
"sha256": "cb3c86cbcb579244a6f819f9c1807a7e89b6e600982ec6ea0841fcdcb16a9efd",
"type": "RT_DIALOG"
},
{
"lang": "ENGLISH US",
"chi2": 50785.86,
"filetype": "unknown",
"entropy": 2.6817572116851807,
"sha256": "d542230218a67392c3e8d2c61f29f66f8724d837e83e9c0a49f30bdf02d722d7",
"type": "RT_DIALOG"
},
{
"lang": "ENGLISH US",
"chi2": 23036.58,
"filetype": "unknown",
"entropy": 2.8629515171051025,
"sha256": "ab1e3ad5b5d87630cb0f6a6671c10fe49d9c33839be0d5daeba89ec053dda92c",
"type": "RT_DIALOG"
},
{
"lang": "ENGLISH US",
"chi2": 20344.19,
"filetype": "unknown",
"entropy": 2.9269375801086426,
"sha256": "4677979c1665998318fcb65b9a0c0b3dd9204c12dbddbd5e76df8822ed6e347a",
"type": "RT_DIALOG"
},
{
"lang": "ENGLISH US",
"chi2": 49987.77,
"filetype": "unknown",
"entropy": 2.7857394218444824,
"sha256": "1382f1e9260b7e203ceafc6936ef1dae48898fcf8fb04a446cd27a4384bc40c3",
"type": "RT_DIALOG"
},
{
"lang": "ENGLISH US",
"chi2": 22245.33,
"filetype": "unknown",
"entropy": 3.0469632148742676,
"sha256": "012557f58e68234d4a88df0b713c59800f798ecce19dfd589d326b458dddcbd8",
"type": "RT_DIALOG"
},
{
"lang": "ENGLISH US",
"chi2": 19680.14,
"filetype": "unknown",
"entropy": 3.0967416763305664,
"sha256": "8c64a2341dc473a7d8ab4956af589e9a7257c4f05a8dc229f862c16d49ba37e5",
"type": "RT_DIALOG"
},
{
"lang": "ENGLISH US",
"chi2": 7635.08,
"filetype": "ICO",
"entropy": 2.960989236831665,
"sha256": "4a66c864416fdf8b968f0921d4e3b188243eb889056d664c07540ab3288baef4",
"type": "RT_GROUP_ICON"
},
{
"lang": "KOREAN",
"chi2": 65102.37,
"filetype": "unknown",
"entropy": 3.4415080547332764,
"sha256": "37026b110366d564a1348bd5f51e0f16a074abce33b3168c5eb5c54e5ceb9d40",
"type": "RT_VERSION"
},
{
"lang": "ENGLISH US",
"chi2": 7854.59,
"filetype": "XML",
"entropy": 5.287941932678223,
"sha256": "97d9168ab7ed15bc99cd4a0a3ef30197cc1c0d2613f2c8bb136aa0ac6e266270",
"type": "RT_MANIFEST"
}
],
"resource_langs": {
"KOREAN": 1,
"ENGLISH US": 18
},
"resource_types": {
"RT_ICON": 7,
"RT_GROUP_ICON": 1,
"RT_DIALOG": 9,
"RT_VERSION": 1,
"RT_MANIFEST": 1
},
"overlay": {
"chi2": 258.24,
"filetype": "unknown",
"entropy": 7.999993801116943,
"offset": 59904,
"size": 28320216,
"md5": "9cdfc75a36f3d7de31d1b1d70cb9b9e5"
},
"sections": [
{
"name": ".text",
"chi2": 212471.95,
"virtual_address": 4096,
"flags": "rx",
"raw_size": 26112,
"entropy": 6.42,
"virtual_size": 25609,
"md5": "bfe2b726d49cbd922b87bad5eea65e61"
},
{
"name": ".rdata",
"chi2": 131592.56,
"virtual_address": 32768,
"flags": "r",
"raw_size": 5120,
"entropy": 5.15,
"virtual_size": 5014,
"md5": "d45dcba8ca646543f7e339e20089687e"
},
{
"name": ".data",
"chi2": 87228.48,
"virtual_address": 40960,
"flags": "rw",
"raw_size": 1536,
"entropy": 4.0,
"virtual_size": 131928,
"md5": "8575fc5e872ca789611c386779287649"
},
{
"name": ".ndata",
"chi2": -1.0,
"virtual_address": 176128,
"flags": "rw",
"raw_size": 0,
"entropy": 0.0,
"virtual_size": 147456,
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"name": ".rsrc",
"chi2": 1548402.12,
"virtual_address": 323584,
"flags": "r",
"raw_size": 26112,
"entropy": 4.53,
"virtual_size": 25680,
"md5": "71a6383881f54a0321684dca8eaa0d3f"
}
],
"compiler_product_versions": [
"[ C ] Windows Server 2003 SP1 DDK build 4035 count=2",
"[---] Unmarked objects count=165",
"[IMP] Windows Server 2003 SP1 DDK build 4035 count=15",
"[RES] VS98 (6.0) SP6 cvtres build 1736 count=1",
"id: 0x30, version: 9044 count=10"
],
"rich_pe_header_hash": "f05a488cd83d3aa2b72c1ddefe58cfce",
"import_list": [
{
"library_name": "KERNEL32.dll",
"imported_functions": [
"CloseHandle",
"CompareFileTime",
"CopyFileW",
"CreateDirectoryW",
"CreateFileW",
"CreateProcessW",
"CreateThread",
"DeleteFileW",
"ExitProcess",
"ExpandEnvironmentStringsW",
"FindClose",
"FindFirstFileW",
"FindNextFileW",
"FreeLibrary",
"GetCommandLineW",
"GetCurrentProcess",
"GetDiskFreeSpaceW",
"GetExitCodeProcess",
"GetFileAttributesW",
"GetFileSize",
"GetFullPathNameW",
"GetLastError",
"GetModuleFileNameW",
"GetModuleHandleA",
"GetModuleHandleW",
"GetPrivateProfileStringW",
"GetProcAddress",
"GetShortPathNameW",
"GetSystemDirectoryW",
"GetTempFileNameW",
"GetTempPathW",
"GetTickCount",
"GetVersion",
"GetWindowsDirectoryW",
"GlobalAlloc",
"GlobalFree",
"GlobalLock",
"GlobalUnlock",
"LoadLibraryExW",
"lstrcatW",
"lstrcmpiA",
"lstrcmpiW",
"lstrcmpW",
"lstrcpyA",
"lstrcpynW",
"lstrlenA",
"lstrlenW",
"MoveFileExW",
"MoveFileW",
"MulDiv",
"MultiByteToWideChar",
"ReadFile",
"RemoveDirectoryW",
"SearchPathW",
"SetCurrentDirectoryW",
"SetEnvironmentVariableW",
"SetErrorMode",
"SetFileAttributesW",
"SetFilePointer",
"SetFileTime",
"Sleep",
"WaitForSingleObject",
"WideCharToMultiByte",
"WriteFile",
"WritePrivateProfileStringW"
]
},
{
"library_name": "USER32.dll",
"imported_functions": [
"AppendMenuW",
"BeginPaint",
"CallWindowProcW",
"CharNextA",
"CharNextW",
"CharPrevW",
"CheckDlgButton",
"CloseClipboard",
"CreateDialogParamW",
"CreatePopupMenu",
"CreateWindowExW",
"DefWindowProcW",
"DestroyWindow",
"DialogBoxParamW",
"DispatchMessageW",
"DrawTextW",
"EmptyClipboard",
"EnableMenuItem",
"EnableWindow",
"EndDialog",
"EndPaint",
"ExitWindowsEx",
"FillRect",
"FindWindowExW",
"GetClassInfoW",
"GetClientRect",
"GetDC",
"GetDlgItem",
"GetDlgItemTextW",
"GetMessagePos",
"GetSysColor",
"GetSystemMenu",
"GetSystemMetrics",
"GetWindowLongW",
"GetWindowRect",
"InvalidateRect",
"IsWindow",
"IsWindowEnabled",
"IsWindowVisible",
"LoadBitmapW",
"LoadCursorW",
"LoadImageW",
"MessageBoxIndirectW",
"OpenClipboard",
"PeekMessageW",
"PostQuitMessage",
"RegisterClassW",
"ReleaseDC",
"ScreenToClient",
"SendMessageTimeoutW",
"SendMessageW",
"SetClassLongW",
"SetClipboardData",
"SetCursor",
"SetDlgItemTextW",
"SetForegroundWindow",
"SetTimer",
"SetWindowLongW",
"SetWindowPos",
"SetWindowTextW",
"ShowWindow",
"SystemParametersInfoW",
"TrackPopupMenu",
"wsprintfA",
"wsprintfW"
]
},
{
"library_name": "GDI32.dll",
"imported_functions": [
"CreateBrushIndirect",
"CreateFontIndirectW",
"DeleteObject",
"GetDeviceCaps",
"SelectObject",
"SetBkColor",
"SetBkMode",
"SetTextColor"
]
},
{
"library_name": "SHELL32.dll",
"imported_functions": [
"SHBrowseForFolderW",
"ShellExecuteExW",
"SHFileOperationW",
"SHGetFileInfoW",
"SHGetPathFromIDListW",
"SHGetSpecialFolderLocation"
]
},
{
"library_name": "ADVAPI32.dll",
"imported_functions": [
"AdjustTokenPrivileges",
"LookupPrivilegeValueW",
"OpenProcessToken",
"RegCloseKey",
"RegCreateKeyExW",
"RegDeleteKeyW",
"RegDeleteValueW",
"RegEnumKeyW",
"RegEnumValueW",
"RegOpenKeyExW",
"RegQueryValueExW",
"RegSetValueExW",
"SetFileSecurityW"
]
},
{
"library_name": "COMCTL32.dll",
"imported_functions": [
"ImageList_AddMasked",
"ImageList_Create",
"ImageList_Destroy",
"Ord(17)"
]
},
{
"library_name": "ole32.dll",
"imported_functions": [
"CoCreateInstance",
"CoTaskMemFree",
"OleInitialize",
"OleUninitialize"
]
}
]
},
"filecondis": {
"raw_md5": "62d7dbbb2ca4cea5068c30e19586d57c",
"dhash": "000000000c0d0400"
},
"first_submission_date": 1742443461,
"md5": "00f957b7dafd8d210e717041add02eab",
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 2,
"medium": 2,
"low": 1
}
},
"creation_date": 1544912676,
"last_modification_date": 1779933803,
"type_description": "Win32 EXE",
"sandbox_verdicts": {
"Zenbox": {
"category": "malicious",
"malware_classification": [
"MALWARE",
"STEALER",
"RANSOM",
"PHISHING",
"TROJAN",
"EVADER"
],
"sandbox_name": "Zenbox",
"confidence": 84
}
},
"type_tags": [
"executable",
"windows",
"win32",
"pe",
"peexe"
],
"reputation": 0,
"tags": [
"calls-wmi",
"hosts-modifier",
"checks-bios",
"checks-disk-space",
"checks-cpu-name",
"detect-debug-environment",
"persistence",
"peexe",
"signed",
"overlay",
"long-sleeps"
],
"total_votes": {
"harmless": 0,
"malicious": 0
},
"meaningful_name": "nProtectOnlineSecurity.exe",
"names": [
"nos_setup.exe",
"nProtectOnlineSecurity.exe",
"nos_setup (1).exe",
"nos_setup (5).exe",
"79F4640344.tmp",
"nos_setup (2).exe"
],
"type_tag": "peexe",
"sha1": "ade12bc8b28984f080b799d2e9616a64c8d5856f",
"tlsh": "T16857337690AD6062E44351723C2A345FF0BB6561FA14C6A1DCD72BF9A8F7CA3393A143",
"times_submitted": 18,
"authentihash": "92011bbdfb7f01968f0d81729c32b2f3f502c3ca6cde8a3675fb945ef2a17fcc",
"last_analysis_stats": {
"malicious": 0,
"suspicious": 0,
"undetected": 68,
"harmless": 0,
"timeout": 3,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 4
}
}
}
}