97b4c2e67e5e18b70949690a69820c2a

Hash

MD5: 97b4c2e67e5e18b70949690a69820c2a
SHA1: 3e019112dc00c4a1f14474ea6db68f35674a6efa
SHA256: 144f303504538fb7d65e2f103ab23381a3d8a2751207106a4537c49730ffd23a
First Seen: 2026-05-27
Last Seen: 2026-05-27
Shortcuts: Hybrid Analysis MalwareBazaar Virustotal
2

Related Reports
0

Related IOCs
Additional Information

VirusTotal
                {
    "data": {
        "id": "144f303504538fb7d65e2f103ab23381a3d8a2751207106a4537c49730ffd23a",
        "type": "file",
        "links": {
            "self": "https://www.virustotal.com/api/v3/files/144f303504538fb7d65e2f103ab23381a3d8a2751207106a4537c49730ffd23a"
        },
        "attributes": {
            "last_analysis_stats": {
                "malicious": 0,
                "suspicious": 0,
                "undetected": 66,
                "harmless": 0,
                "timeout": 0,
                "confirmed-timeout": 2,
                "failure": 0,
                "type-unsupported": 6
            },
            "sigma_analysis_summary": {
                "Sigma Integrated Rule Set (GitHub)": {
                    "critical": 0,
                    "high": 1,
                    "medium": 2,
                    "low": 0
                }
            },
            "first_submission_date": 1765260677,
            "signature_info": {
                "product": "AhnLab Safe Transaction",
                "verified": "Signed",
                "description": "AhnLab Safe Transaction Setup Program.",
                "file version": "1.16.0.1978",
                "signing date": "07:53 AM 11/24/2025",
                "x509": [
                    {
                        "valid usage": "Code Signing",
                        "thumbprint_sha256": "46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B",
                        "name": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
                        "algorithm": "sha384RSA",
                        "thumbprint_md5": "D91299E84355CD8D5A86795A0118B6E9",
                        "valid from": "2021-04-29 00:00:00",
                        "valid to": "2036-04-28 23:59:59",
                        "serial number": "08 AD 40 B2 60 D2 9C 4C 9F 5E CD A9 BD 93 AE D9",
                        "cert issuer": "DigiCert Trusted Root G4",
                        "thumbprint": "7B0F360B775F76C94A12CA48445AA2D2A875701C"
                    },
                    {
                        "valid usage": "Code Signing",
                        "thumbprint_sha256": "2812DB57B66AB08145DDFC6696258904DA043AFA3A420341FB0754B9B4D30454",
                        "name": "AhnLab, Inc.",
                        "algorithm": "sha256RSA",
                        "thumbprint_md5": "3D82B99FA20714B5BC8F09A0FB298A13",
                        "valid from": "2025-04-22 00:00:00",
                        "valid to": "2026-04-15 23:59:59",
                        "serial number": "05 AF 84 21 DC 84 4D C5 48 28 33 47 BE D9 65 F7",
                        "cert issuer": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
                        "thumbprint": "48C61F3E9D57F00E550A322DF1F7A51F98256114"
                    },
                    {
                        "valid usage": "ff",
                        "thumbprint_sha256": "4AA03FA22CD75C84C55C938F828E676B9CAECAB33FE36D269AA334F146110A33",
                        "name": "DigiCert SHA256 RSA4096 Timestamp Responder 2025 1",
                        "algorithm": "sha256RSA",
                        "thumbprint_md5": "39C1227923AB74F563D9232882A78F50",
                        "valid from": "2025-06-04 00:00:00",
                        "valid to": "2036-09-03 23:59:59",
                        "serial number": "0A 80 EF 18 4B 8D F1 05 82 D1 C4 76 A7 95 74 68",
                        "cert issuer": "DigiCert Trusted G4 TimeStamping RSA4096 SHA256 2025 CA1",
                        "thumbprint": "DD6230AC860A2D306BDA38B16879523007FB417E"
                    },
                    {
                        "valid usage": "Timestamp Signing",
                        "thumbprint_sha256": "CA0B1554ECD901EA19DCAD8749E9F2648C8D6DFCEA1ADD9D2C2109415BB82CCD",
                        "name": "DigiCert Trusted G4 TimeStamping RSA4096 SHA256 2025 CA1",
                        "algorithm": "sha256RSA",
                        "thumbprint_md5": "E845C30BA9F058B0FEA9954092E1F0C0",
                        "valid from": "2025-05-07 00:00:00",
                        "valid to": "2038-01-14 23:59:59",
                        "serial number": "0D C7 AC 57 05 FF 21 99 2E 40 43 22 0C 3A 49 86",
                        "cert issuer": "DigiCert Trusted Root G4",
                        "thumbprint": "07894D00FC194A17DB273AEB5CF8FACEF14423A4"
                    },
                    {
                        "thumbprint_sha256": "33846B545A49C9BE4903C60E01713C1BD4E4EF31EA65CD95D69E62794F30B941",
                        "name": "DigiCert Trusted Root G4",
                        "algorithm": "sha384RSA",
                        "thumbprint_md5": "8DDD0BC6D9D770EB6B2B671A862855CC",
                        "valid from": "2022-08-01 00:00:00",
                        "valid to": "2031-11-09 23:59:59",
                        "serial number": "0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A",
                        "cert issuer": "DigiCert Assured ID Root CA",
                        "thumbprint": "A99D5B79E9F1CDA59CDAB6373169D5353F5874C6"
                    }
                ],
                "signers": "AhnLab, Inc.; DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1; DigiCert Trusted Root G4; DigiCert",
                "counter signers details": [
                    {
                        "status": "Valid",
                        "valid usage": "Timestamp Signing",
                        "name": "DigiCert SHA256 RSA4096 Timestamp Responder 2025 1",
                        "algorithm": "sha256RSA",
                        "valid from": "12:00 AM 06/04/2025",
                        "valid to": "11:59 PM 09/03/2036",
                        "serial number": "0A 80 EF 18 4B 8D F1 05 82 D1 C4 76 A7 95 74 68",
                        "cert issuer": "DigiCert Trusted G4 TimeStamping RSA4096 SHA256 2025 CA1",
                        "thumbprint": "DD6230AC860A2D306BDA38B16879523007FB417E"
                    },
                    {
                        "status": "Valid",
                        "valid usage": "Timestamp Signing",
                        "name": "DigiCert Trusted G4 TimeStamping RSA4096 SHA256 2025 CA1",
                        "algorithm": "sha256RSA",
                        "valid from": "12:00 AM 05/07/2025",
                        "valid to": "11:59 PM 01/14/2038",
                        "serial number": "0D C7 AC 57 05 FF 21 99 2E 40 43 22 0C 3A 49 86",
                        "cert issuer": "DigiCert Trusted Root G4",
                        "thumbprint": "07894D00FC194A17DB273AEB5CF8FACEF14423A4"
                    },
                    {
                        "status": "Valid",
                        "valid usage": "All",
                        "name": "DigiCert Trusted Root G4",
                        "algorithm": "sha384RSA",
                        "valid from": "12:00 AM 08/01/2022",
                        "valid to": "11:59 PM 11/09/2031",
                        "serial number": "0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A",
                        "cert issuer": "DigiCert Assured ID Root CA",
                        "thumbprint": "A99D5B79E9F1CDA59CDAB6373169D5353F5874C6"
                    },
                    {
                        "status": "Valid",
                        "valid usage": "Client Auth, Code Signing, Email Protection, Server Auth, Timestamp Signing",
                        "name": "DigiCert",
                        "algorithm": "sha1RSA",
                        "valid from": "12:00 AM 11/10/2006",
                        "valid to": "12:00 AM 11/10/2031",
                        "serial number": "0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39",
                        "cert issuer": "DigiCert Assured ID Root CA",
                        "thumbprint": "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"
                    }
                ],
                "counter signers": "DigiCert SHA256 RSA4096 Timestamp Responder 2025 1; DigiCert Trusted G4 TimeStamping RSA4096 SHA256 2025 CA1; DigiCert Trusted Root G4; DigiCert",
                "copyright": "(C) 2015 AhnLab, Inc. All rights reserved.",
                "signers details": [
                    {
                        "status": "This certificate or one of the certificates in the certificate chain is not time valid.",
                        "valid usage": "Code Signing",
                        "name": "AhnLab, Inc.",
                        "algorithm": "sha256RSA",
                        "valid from": "12:00 AM 04/22/2025",
                        "valid to": "11:59 PM 04/15/2026",
                        "serial number": "05 AF 84 21 DC 84 4D C5 48 28 33 47 BE D9 65 F7",
                        "cert issuer": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
                        "thumbprint": "48C61F3E9D57F00E550A322DF1F7A51F98256114"
                    },
                    {
                        "status": "Valid",
                        "valid usage": "Code Signing",
                        "name": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
                        "algorithm": "sha384RSA",
                        "valid from": "12:00 AM 04/29/2021",
                        "valid to": "11:59 PM 04/28/2036",
                        "serial number": "08 AD 40 B2 60 D2 9C 4C 9F 5E CD A9 BD 93 AE D9",
                        "cert issuer": "DigiCert Trusted Root G4",
                        "thumbprint": "7B0F360B775F76C94A12CA48445AA2D2A875701C"
                    },
                    {
                        "status": "Valid",
                        "valid usage": "All",
                        "name": "DigiCert Trusted Root G4",
                        "algorithm": "sha384RSA",
                        "valid from": "12:00 AM 08/01/2022",
                        "valid to": "11:59 PM 11/09/2031",
                        "serial number": "0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A",
                        "cert issuer": "DigiCert Assured ID Root CA",
                        "thumbprint": "A99D5B79E9F1CDA59CDAB6373169D5353F5874C6"
                    },
                    {
                        "status": "Valid",
                        "valid usage": "Client Auth, Code Signing, Email Protection, Server Auth, Timestamp Signing",
                        "name": "DigiCert",
                        "algorithm": "sha1RSA",
                        "valid from": "12:00 AM 11/10/2006",
                        "valid to": "12:00 AM 11/10/2031",
                        "serial number": "0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39",
                        "cert issuer": "DigiCert Assured ID Root CA",
                        "thumbprint": "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"
                    }
                ],
                "pkcs7": {
                    "opusinfo": [
                        {
                            "moreInfo": "n/a",
                            "programName": "AhnLab Safe Transaction"
                        }
                    ]
                }
            },
            "times_submitted": 57,
            "tlsh": "T1843833132671BC3FD69AC6FD055DC000EAA1096C7E397AD1A8BE3C751C7716B262B8E4",
            "last_analysis_date": 1778118056,
            "last_submission_date": 1779596337,
            "reputation": 0,
            "ssdeep": "3145728:SVAgMHibxAx1vEhv663ebGqdYM75rEMNvi9vr5I7Z:MAXC9upT6OqqdYiEOvipq9",
            "meaningful_name": "astx_setup.exe",
            "last_analysis_results": {
                "Lionic": {
                    "method": "blacklist",
                    "engine_name": "Lionic",
                    "engine_version": "8.16",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "tehtris": {
                    "method": "blacklist",
                    "engine_name": "tehtris",
                    "engine_version": "v0.1.4",
                    "engine_update": "20260507",
                    "category": "undetected",
                    "result": null
                },
                "MicroWorld-eScan": {
                    "method": "blacklist",
                    "engine_name": "MicroWorld-eScan",
                    "engine_version": "14.0.409.0",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "CMC": {
                    "method": "blacklist",
                    "engine_name": "CMC",
                    "engine_version": "2.4.2022.1",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "CAT-QuickHeal": {
                    "method": "blacklist",
                    "engine_name": "CAT-QuickHeal",
                    "engine_version": "22.00",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "ALYac": {
                    "method": "blacklist",
                    "engine_name": "ALYac",
                    "engine_version": "2.0.0.10",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Malwarebytes": {
                    "method": "blacklist",
                    "engine_name": "Malwarebytes",
                    "engine_version": "3.1.0.234",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "VIPRE": {
                    "method": "blacklist",
                    "engine_name": "VIPRE",
                    "engine_version": "6.0.0.35",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Sangfor": {
                    "method": "blacklist",
                    "engine_name": "Sangfor",
                    "engine_version": "2.22.3.0",
                    "engine_update": "20260504",
                    "category": "undetected",
                    "result": null
                },
                "K7AntiVirus": {
                    "method": "blacklist",
                    "engine_name": "K7AntiVirus",
                    "engine_version": "14.50.59423",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Alibaba": {
                    "method": "blacklist",
                    "engine_name": "Alibaba",
                    "engine_version": "0.3.0.5",
                    "engine_update": "20190527",
                    "category": "undetected",
                    "result": null
                },
                "K7GW": {
                    "method": "blacklist",
                    "engine_name": "K7GW",
                    "engine_version": "14.50.59423",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "CrowdStrike": {
                    "method": "blacklist",
                    "engine_name": "CrowdStrike",
                    "engine_version": "1.0",
                    "engine_update": "20230417",
                    "category": "undetected",
                    "result": null
                },
                "Arcabit": {
                    "method": "blacklist",
                    "engine_name": "Arcabit",
                    "engine_version": "2025.0.0.23",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "VirIT": {
                    "method": "blacklist",
                    "engine_name": "VirIT",
                    "engine_version": "9.5.1201",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Symantec": {
                    "method": "blacklist",
                    "engine_name": "Symantec",
                    "engine_version": "1.22.0.0",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "ESET-NOD32": {
                    "method": "blacklist",
                    "engine_name": "ESET-NOD32",
                    "engine_version": "18.2.18.0",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "APEX": {
                    "method": "blacklist",
                    "engine_name": "APEX",
                    "engine_version": "6.775",
                    "engine_update": "20260501",
                    "category": "undetected",
                    "result": null
                },
                "Paloalto": {
                    "method": "blacklist",
                    "engine_name": "Paloalto",
                    "engine_version": "0.9.0.1003",
                    "engine_update": "20260507",
                    "category": "undetected",
                    "result": null
                },
                "ClamAV": {
                    "method": "blacklist",
                    "engine_name": "ClamAV",
                    "engine_version": "1.5.2.0",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Kaspersky": {
                    "method": "blacklist",
                    "engine_name": "Kaspersky",
                    "engine_version": "22.0.1.28",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "BitDefender": {
                    "method": "blacklist",
                    "engine_name": "BitDefender",
                    "engine_version": "7.2",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "NANO-Antivirus": {
                    "method": "blacklist",
                    "engine_name": "NANO-Antivirus",
                    "engine_version": "1.0.170.26895",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "SUPERAntiSpyware": {
                    "method": "blacklist",
                    "engine_name": "SUPERAntiSpyware",
                    "engine_version": "5.6.0.1032",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Rising": {
                    "method": "blacklist",
                    "engine_name": "Rising",
                    "engine_version": "25.0.0.28",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Sophos": {
                    "method": "blacklist",
                    "engine_name": "Sophos",
                    "engine_version": "3.4.1.0",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "F-Secure": {
                    "method": "blacklist",
                    "engine_name": "F-Secure",
                    "engine_version": "18.10.1547.307",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "DrWeb": {
                    "method": "blacklist",
                    "engine_name": "DrWeb",
                    "engine_version": "7.0.75.2070",
                    "engine_update": "20260507",
                    "category": "undetected",
                    "result": null
                },
                "Zillya": {
                    "method": "blacklist",
                    "engine_name": "Zillya",
                    "engine_version": "2.0.0.5596",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "TrendMicro": {
                    "method": "blacklist",
                    "engine_name": "TrendMicro",
                    "engine_version": "24.550.0.1002",
                    "engine_update": "20260507",
                    "category": "undetected",
                    "result": null
                },
                "McAfeeD": {
                    "method": "blacklist",
                    "engine_name": "McAfeeD",
                    "engine_version": "1.2.0.14532",
                    "engine_update": "20260507",
                    "category": "undetected",
                    "result": null
                },
                "SentinelOne": {
                    "method": "blacklist",
                    "engine_name": "SentinelOne",
                    "engine_version": "7.6.2.19",
                    "engine_update": "20260324",
                    "category": "undetected",
                    "result": null
                },
                "Trapmine": {
                    "method": "blacklist",
                    "engine_name": "Trapmine",
                    "engine_version": "4.0.12.0",
                    "engine_update": "20260504",
                    "category": "undetected",
                    "result": null
                },
                "CTX": {
                    "method": "blacklist",
                    "engine_name": "CTX",
                    "engine_version": "2024.8.29.1",
                    "engine_update": "20260507",
                    "category": "undetected",
                    "result": null
                },
                "Emsisoft": {
                    "method": "blacklist",
                    "engine_name": "Emsisoft",
                    "engine_version": "2024.8.0.61147",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Ikarus": {
                    "method": "blacklist",
                    "engine_name": "Ikarus",
                    "engine_version": "6.4.16.0",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Jiangmin": {
                    "method": "blacklist",
                    "engine_name": "Jiangmin",
                    "engine_version": "16.0.100",
                    "engine_update": "20260511",
                    "category": "undetected",
                    "result": null
                },
                "Webroot": {
                    "method": "blacklist",
                    "engine_name": "Webroot",
                    "engine_version": "1.9.0.8",
                    "engine_update": "20250227",
                    "category": "undetected",
                    "result": null
                },
                "Google": {
                    "method": "blacklist",
                    "engine_name": "Google",
                    "engine_version": "1778115742",
                    "engine_update": "20260507",
                    "category": "undetected",
                    "result": null
                },
                "Avira": {
                    "method": "blacklist",
                    "engine_name": "Avira",
                    "engine_version": "8.3.3.24",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Antiy-AVL": {
                    "method": "blacklist",
                    "engine_name": "Antiy-AVL",
                    "engine_version": "3.0",
                    "engine_update": "20260507",
                    "category": "undetected",
                    "result": null
                },
                "Kingsoft": {
                    "method": "blacklist",
                    "engine_name": "Kingsoft",
                    "engine_version": "None",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Gridinsoft": {
                    "method": "blacklist",
                    "engine_name": "Gridinsoft",
                    "engine_version": "1.0.245.174",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Xcitium": {
                    "method": "blacklist",
                    "engine_name": "Xcitium",
                    "engine_version": "38627",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Microsoft": {
                    "method": "blacklist",
                    "engine_name": "Microsoft",
                    "engine_version": "1.1.26030.3008",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "ViRobot": {
                    "method": "blacklist",
                    "engine_name": "ViRobot",
                    "engine_version": "2014.3.20.0",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "ZoneAlarm": {
                    "method": "blacklist",
                    "engine_name": "ZoneAlarm",
                    "engine_version": "6.24-114820716",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "GData": {
                    "method": "blacklist",
                    "engine_name": "GData",
                    "engine_version": "GD:27.44452AVA:64.31187",
                    "engine_update": "20260507",
                    "category": "undetected",
                    "result": null
                },
                "Varist": {
                    "method": "blacklist",
                    "engine_name": "Varist",
                    "engine_version": "6.6.1.3",
                    "engine_update": "20260507",
                    "category": "undetected",
                    "result": null
                },
                "AhnLab-V3": {
                    "method": "blacklist",
                    "engine_name": "AhnLab-V3",
                    "engine_version": "3.30.0.10666",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Acronis": {
                    "method": "blacklist",
                    "engine_name": "Acronis",
                    "engine_version": "1.2.0.121",
                    "engine_update": "20240328",
                    "category": "undetected",
                    "result": null
                },
                "VBA32": {
                    "method": "blacklist",
                    "engine_name": "VBA32",
                    "engine_version": "5.6.0",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "TACHYON": {
                    "method": "blacklist",
                    "engine_name": "TACHYON",
                    "engine_version": "2026-05-07.01",
                    "engine_update": "20260507",
                    "category": "undetected",
                    "result": null
                },
                "DeepInstinct": {
                    "method": "blacklist",
                    "engine_name": "DeepInstinct",
                    "engine_version": "5.0.0.8",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Cylance": {
                    "method": "blacklist",
                    "engine_name": "Cylance",
                    "engine_version": "3.0.0.0",
                    "engine_update": "20260423",
                    "category": "undetected",
                    "result": null
                },
                "Panda": {
                    "method": "blacklist",
                    "engine_name": "Panda",
                    "engine_version": "4.6.4.2",
                    "engine_update": "20260511",
                    "category": "undetected",
                    "result": null
                },
                "Zoner": {
                    "method": "blacklist",
                    "engine_name": "Zoner",
                    "engine_version": "2.2.2.0",
                    "engine_update": "20260507",
                    "category": "undetected",
                    "result": null
                },
                "TrendMicro-HouseCall": {
                    "method": "blacklist",
                    "engine_name": "TrendMicro-HouseCall",
                    "engine_version": "24.550.0.1002",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Tencent": {
                    "method": "blacklist",
                    "engine_name": "Tencent",
                    "engine_version": "1.0.0.1",
                    "engine_update": "20260507",
                    "category": "undetected",
                    "result": null
                },
                "TrellixENS": {
                    "method": "blacklist",
                    "engine_name": "TrellixENS",
                    "engine_version": "6.0.6.653",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "huorong": {
                    "method": "blacklist",
                    "engine_name": "huorong",
                    "engine_version": "bac4b0b:bac4b0b:08be008:08be008",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "MaxSecure": {
                    "method": "blacklist",
                    "engine_name": "MaxSecure",
                    "engine_version": "1.0.0.1",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Fortinet": {
                    "method": "blacklist",
                    "engine_name": "Fortinet",
                    "engine_version": "7.0.30.0",
                    "engine_update": "20260505",
                    "category": "undetected",
                    "result": null
                },
                "AVG": {
                    "method": "blacklist",
                    "engine_name": "AVG",
                    "engine_version": "23.9.8494.0",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "Avast": {
                    "method": "blacklist",
                    "engine_name": "Avast",
                    "engine_version": "23.9.8494.0",
                    "engine_update": "20260506",
                    "category": "undetected",
                    "result": null
                },
                "alibabacloud": {
                    "method": "blacklist",
                    "engine_name": "alibabacloud",
                    "engine_version": "2.2.0",
                    "engine_update": "20250321",
                    "category": "undetected",
                    "result": null
                },
                "Skyhigh": {
                    "method": "blacklist",
                    "engine_name": "Skyhigh",
                    "engine_version": null,
                    "engine_update": "20260511",
                    "category": "confirmed-timeout",
                    "result": null
                },
                "Yandex": {
                    "method": "blacklist",
                    "engine_name": "Yandex",
                    "engine_version": "5.5.2.24",
                    "engine_update": "20260512",
                    "category": "confirmed-timeout",
                    "result": null
                },
                "Avast-Mobile": {
                    "method": "blacklist",
                    "engine_name": "Avast-Mobile",
                    "engine_version": "260506-08",
                    "engine_update": "20260506",
                    "category": "type-unsupported",
                    "result": null
                },
                "SymantecMobileInsight": {
                    "method": "blacklist",
                    "engine_name": "SymantecMobileInsight",
                    "engine_version": "2.0",
                    "engine_update": "20260123",
                    "category": "type-unsupported",
                    "result": null
                },
                "BitDefenderFalx": {
                    "method": "blacklist",
                    "engine_name": "BitDefenderFalx",
                    "engine_version": "2.0.936",
                    "engine_update": "20251216",
                    "category": "type-unsupported",
                    "result": null
                },
                "Elastic": {
                    "method": "blacklist",
                    "engine_name": "Elastic",
                    "engine_version": "4.0.260",
                    "engine_update": "20260506",
                    "category": "type-unsupported",
                    "result": null
                },
                "Cynet": {
                    "method": "blacklist",
                    "engine_name": "Cynet",
                    "engine_version": "4.0.3.4",
                    "engine_update": "20260506",
                    "category": "type-unsupported",
                    "result": null
                },
                "Trustlook": {
                    "method": "blacklist",
                    "engine_name": "Trustlook",
                    "engine_version": "1.0",
                    "engine_update": "20260507",
                    "category": "type-unsupported",
                    "result": null
                }
            },
            "magika": "PEBIN",
            "total_votes": {
                "harmless": 0,
                "malicious": 0
            },
            "sigma_analysis_stats": {
                "critical": 0,
                "high": 1,
                "medium": 2,
                "low": 0
            },
            "type_extension": "exe",
            "names": [
                "astx_setup.exe",
                "astx_setup (1).exe",
                "astx_setup (2).exe",
                "astx_setup (3).exe"
            ],
            "magic": "PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive",
            "pe_info": {
                "timestamp": 1620866617,
                "imphash": "25ed4ce053872020aef1006182cbb182",
                "machine_type": 332,
                "entry_point": 13608,
                "resource_details": [
                    {
                        "lang": "ENGLISH US",
                        "chi2": 2045.12,
                        "filetype": "PNG",
                        "entropy": 7.980317115783691,
                        "sha256": "c4e5638284fe394156d03c7ba0df75d0ce3ef0178117c3867e679dd81b05b1d8",
                        "type": "RT_ICON"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 255594.56,
                        "filetype": "unknown",
                        "entropy": 5.5434250831604,
                        "sha256": "6b40b2c69254447715f879f4caf67006c90994227ccd736918a3fa3b8db26864",
                        "type": "RT_ICON"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 212089.5,
                        "filetype": "unknown",
                        "entropy": 5.530387878417969,
                        "sha256": "24a50fbcaa4c875e5cea0e79ada8c8353de332398bd359a7d82c9a1895bb802a",
                        "type": "RT_ICON"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 142077.0,
                        "filetype": "unknown",
                        "entropy": 4.941244125366211,
                        "sha256": "100daebd60ebcdd2738169a886151ab7c567e9528a303c9fee53bcbae1491a7f",
                        "type": "RT_ICON"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 178559.72,
                        "filetype": "unknown",
                        "entropy": 4.8474884033203125,
                        "sha256": "03d72c127526f804a6bb8d1993b0045cf6ba212a158eaa1e01f70b128a025496",
                        "type": "RT_ICON"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 86735.34,
                        "filetype": "unknown",
                        "entropy": 5.55940055847168,
                        "sha256": "ebd9577b5b454944a19d8d57639258b39466517e1ae50f545aed15b634e613b0",
                        "type": "RT_ICON"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 136170.33,
                        "filetype": "unknown",
                        "entropy": 4.575496673583984,
                        "sha256": "42a84fb76153b2586177fbd5e43dda730a1684fc2b021988c9f4b55fe667de74",
                        "type": "RT_ICON"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 182351.95,
                        "filetype": "unknown",
                        "entropy": 2.660417079925537,
                        "sha256": "458c56c01b97f11aa861709afe3468ddad64e2fc32a79e4fe65c646593de9390",
                        "type": "RT_ICON"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 35721.01,
                        "filetype": "unknown",
                        "entropy": 4.5769476890563965,
                        "sha256": "620259715763967ac597882dc96af96aa59b648a121eddfbee850e210d265773",
                        "type": "RT_ICON"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 20219.2,
                        "filetype": "unknown",
                        "entropy": 5.134588241577148,
                        "sha256": "6d6b55c6f05d9a3e496a150a7c49ad55ae075d4932b93c34cdcebf07744e09ec",
                        "type": "RT_ICON"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 26260.0,
                        "filetype": "unknown",
                        "entropy": 2.6617395877838135,
                        "sha256": "fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96",
                        "type": "RT_DIALOG"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 29554.45,
                        "filetype": "unknown",
                        "entropy": 2.88094425201416,
                        "sha256": "69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729",
                        "type": "RT_DIALOG"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 10032.01,
                        "filetype": "unknown",
                        "entropy": 2.488246202468872,
                        "sha256": "85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0",
                        "type": "RT_DIALOG"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 10525.35,
                        "filetype": "ICO",
                        "entropy": 2.8728599548339844,
                        "sha256": "bb718bb58c3a8c5768144b56e44304c5210e51ac5cf303405f302c7c8bf2cdbf",
                        "type": "RT_GROUP_ICON"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 57738.3,
                        "filetype": "unknown",
                        "entropy": 3.4503695964813232,
                        "sha256": "bb7367b0a2d6d93a2c32fe31f3956a164ec27df8d77d270aef28f62fbe4f5212",
                        "type": "RT_VERSION"
                    },
                    {
                        "lang": "ENGLISH US",
                        "chi2": 5986.38,
                        "filetype": "XML",
                        "entropy": 5.28820276260376,
                        "sha256": "d813611ff4d14742d4ea49729806b851e6d3d7a7b1e409f89acac056496d1814",
                        "type": "RT_MANIFEST"
                    }
                ],
                "resource_langs": {
                    "ENGLISH US": 16
                },
                "resource_types": {
                    "RT_ICON": 10,
                    "RT_GROUP_ICON": 1,
                    "RT_DIALOG": 3,
                    "RT_VERSION": 1,
                    "RT_MANIFEST": 1
                },
                "overlay": {
                    "chi2": 225.03,
                    "filetype": "unknown",
                    "entropy": 7.999996185302734,
                    "offset": 140288,
                    "size": 102957448,
                    "md5": "6236a1915654ad847b1a8639e21aa3fa"
                },
                "sections": [
                    {
                        "name": ".text",
                        "chi2": 169803.73,
                        "virtual_address": 4096,
                        "flags": "rx",
                        "raw_size": 25600,
                        "entropy": 6.48,
                        "virtual_size": 25559,
                        "md5": "67df0f2b52001b910e7ab0e816f4b175"
                    },
                    {
                        "name": ".rdata",
                        "chi2": 236569.12,
                        "virtual_address": 32768,
                        "flags": "r",
                        "raw_size": 6656,
                        "entropy": 4.82,
                        "virtual_size": 6200,
                        "md5": "3904e3d2c6d9d20ac0ecfb29971465d9"
                    },
                    {
                        "name": ".data",
                        "chi2": 76586.0,
                        "virtual_address": 40960,
                        "flags": "rw",
                        "raw_size": 512,
                        "entropy": 1.73,
                        "virtual_size": 130620,
                        "md5": "2a0a567af4ad858d14cbfd8a770e781d"
                    },
                    {
                        "name": ".ndata",
                        "chi2": -1.0,
                        "virtual_address": 172032,
                        "flags": "rw",
                        "raw_size": 0,
                        "entropy": 0.0,
                        "virtual_size": 69632,
                        "md5": "d41d8cd98f00b204e9800998ecf8427e"
                    },
                    {
                        "name": ".rsrc",
                        "chi2": 464655.91,
                        "virtual_address": 241664,
                        "flags": "r",
                        "raw_size": 106496,
                        "entropy": 7.41,
                        "virtual_size": 106376,
                        "md5": "fba1107fd17f8768163e0d03734854cc"
                    }
                ],
                "compiler_product_versions": [
                    "[ C ] VS2005 build 50727 count=3",
                    "[IMP] VS2005 build 50727 count=15",
                    "[---] Unmarked objects count=165",
                    "[ C ] VS2008 SP1 build 30729 count=11",
                    "[RES] VS2008 build 21022 count=1",
                    "[LNK] VS2008 SP1 build 30729 count=1"
                ],
                "rich_pe_header_hash": "1bf49fe3234f0129bd57f0ec93627cc0",
                "import_list": [
                    {
                        "library_name": "ADVAPI32.dll",
                        "imported_functions": [
                            "AdjustTokenPrivileges",
                            "LookupPrivilegeValueW",
                            "OpenProcessToken",
                            "RegCloseKey",
                            "RegCreateKeyExW",
                            "RegDeleteKeyW",
                            "RegDeleteValueW",
                            "RegEnumKeyW",
                            "RegEnumValueW",
                            "RegOpenKeyExW",
                            "RegQueryValueExW",
                            "RegSetValueExW",
                            "SetFileSecurityW"
                        ]
                    },
                    {
                        "library_name": "SHELL32.dll",
                        "imported_functions": [
                            "SHBrowseForFolderW",
                            "ShellExecuteExW",
                            "SHFileOperationW",
                            "SHGetFileInfoW",
                            "SHGetPathFromIDListW",
                            "SHGetSpecialFolderLocation"
                        ]
                    },
                    {
                        "library_name": "ole32.dll",
                        "imported_functions": [
                            "CoCreateInstance",
                            "CoTaskMemFree",
                            "IIDFromString",
                            "OleInitialize",
                            "OleUninitialize"
                        ]
                    },
                    {
                        "library_name": "COMCTL32.dll",
                        "imported_functions": [
                            "ImageList_AddMasked",
                            "ImageList_Create",
                            "ImageList_Destroy",
                            "Ord(17)"
                        ]
                    },
                    {
                        "library_name": "USER32.dll",
                        "imported_functions": [
                            "AppendMenuW",
                            "BeginPaint",
                            "CallWindowProcW",
                            "CharNextA",
                            "CharNextW",
                            "CharPrevW",
                            "CheckDlgButton",
                            "CloseClipboard",
                            "CreateDialogParamW",
                            "CreatePopupMenu",
                            "CreateWindowExW",
                            "DefWindowProcW",
                            "DestroyWindow",
                            "DialogBoxParamW",
                            "DispatchMessageW",
                            "DrawTextW",
                            "EmptyClipboard",
                            "EnableMenuItem",
                            "EnableWindow",
                            "EndDialog",
                            "EndPaint",
                            "ExitWindowsEx",
                            "FillRect",
                            "FindWindowExW",
                            "GetClassInfoW",
                            "GetClientRect",
                            "GetDC",
                            "GetDlgItem",
                            "GetDlgItemTextW",
                            "GetMessagePos",
                            "GetSysColor",
                            "GetSystemMenu",
                            "GetSystemMetrics",
                            "GetWindowLongW",
                            "GetWindowRect",
                            "InvalidateRect",
                            "IsWindow",
                            "IsWindowEnabled",
                            "IsWindowVisible",
                            "LoadCursorW",
                            "LoadImageW",
                            "MessageBoxIndirectW",
                            "OpenClipboard",
                            "PeekMessageW",
                            "PostQuitMessage",
                            "RegisterClassW",
                            "ReleaseDC",
                            "ScreenToClient",
                            "SendMessageTimeoutW",
                            "SendMessageW",
                            "SetClassLongW",
                            "SetClipboardData",
                            "SetCursor",
                            "SetDlgItemTextW",
                            "SetForegroundWindow",
                            "SetWindowLongW",
                            "SetWindowPos",
                            "SetWindowTextW",
                            "ShowWindow",
                            "SystemParametersInfoW",
                            "TrackPopupMenu",
                            "wsprintfA",
                            "wsprintfW"
                        ]
                    },
                    {
                        "library_name": "GDI32.dll",
                        "imported_functions": [
                            "CreateBrushIndirect",
                            "CreateFontIndirectW",
                            "DeleteObject",
                            "GetDeviceCaps",
                            "SelectObject",
                            "SetBkColor",
                            "SetBkMode",
                            "SetTextColor"
                        ]
                    },
                    {
                        "library_name": "KERNEL32.dll",
                        "imported_functions": [
                            "CloseHandle",
                            "CompareFileTime",
                            "CopyFileW",
                            "CreateDirectoryW",
                            "CreateFileW",
                            "CreateProcessW",
                            "CreateThread",
                            "DeleteFileW",
                            "ExitProcess",
                            "ExpandEnvironmentStringsW",
                            "FindClose",
                            "FindFirstFileW",
                            "FindNextFileW",
                            "FreeLibrary",
                            "GetCommandLineW",
                            "GetCurrentProcess",
                            "GetDiskFreeSpaceW",
                            "GetExitCodeProcess",
                            "GetFileAttributesW",
                            "GetFileSize",
                            "GetFullPathNameW",
                            "GetLastError",
                            "GetModuleFileNameW",
                            "GetModuleHandleA",
                            "GetModuleHandleW",
                            "GetPrivateProfileStringW",
                            "GetProcAddress",
                            "GetShortPathNameW",
                            "GetSystemDirectoryW",
                            "GetTempFileNameW",
                            "GetTempPathW",
                            "GetTickCount",
                            "GetVersion",
                            "GetWindowsDirectoryW",
                            "GlobalAlloc",
                            "GlobalFree",
                            "GlobalLock",
                            "GlobalUnlock",
                            "LoadLibraryExW",
                            "lstrcatW",
                            "lstrcmpiA",
                            "lstrcmpiW",
                            "lstrcmpW",
                            "lstrcpyA",
                            "lstrcpynW",
                            "lstrlenA",
                            "lstrlenW",
                            "MoveFileExW",
                            "MoveFileW",
                            "MulDiv",
                            "MultiByteToWideChar",
                            "ReadFile",
                            "RemoveDirectoryW",
                            "SearchPathW",
                            "SetCurrentDirectoryW",
                            "SetEnvironmentVariableW",
                            "SetErrorMode",
                            "SetFileAttributesW",
                            "SetFilePointer",
                            "SetFileTime",
                            "Sleep",
                            "WaitForSingleObject",
                            "WideCharToMultiByte",
                            "WriteFile",
                            "WritePrivateProfileStringW"
                        ]
                    }
                ]
            },
            "type_tag": "peexe",
            "md5": "97b4c2e67e5e18b70949690a69820c2a",
            "detectiteasy": {
                "filetype": "PE32",
                "values": [
                    {
                        "info": "lzma,solid",
                        "version": "3.06",
                        "type": "Installer",
                        "name": "Nullsoft Scriptable Install System"
                    },
                    {
                        "info": "C",
                        "version": "15.00.30729",
                        "type": "Compiler",
                        "name": "Microsoft Visual C/C++"
                    },
                    {
                        "version": "9.00.30729",
                        "type": "Linker",
                        "name": "Microsoft Linker"
                    },
                    {
                        "version": "2008",
                        "type": "Tool",
                        "name": "Visual Studio"
                    }
                ]
            },
            "sha256": "144f303504538fb7d65e2f103ab23381a3d8a2751207106a4537c49730ffd23a",
            "authentihash": "0001e140d80111c96ac3421afdb4a900b3257ace976ba6dd900c6d43c2039d09",
            "tags": [
                "peexe",
                "overlay",
                "signed",
                "long-sleeps",
                "detect-debug-environment"
            ],
            "last_modification_date": 1779596338,
            "unique_sources": 44,
            "vhash": "018056655d1c0570d043z800417z57z62z3ffz",
            "type_description": "Win32 EXE",
            "sha1": "3e019112dc00c4a1f14474ea6db68f35674a6efa",
            "size": 103097736,
            "sigma_analysis_results": [
                {
                    "rule_level": "high",
                    "rule_id": "25fc56c1bee673d7ff3edcf371e4d2a36c0af83222da348961b87735c8efa61f",
                    "rule_source": "Sigma Integrated Rule Set (GitHub)",
                    "rule_title": "System File Execution Location Anomaly",
                    "rule_description": "Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.\n",
                    "rule_author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
                    "match_context": [
                        {
                            "values": {
                                "Hashes": "MD5=18699846EBF35D128FEB935EA2F47557,SHA256=F5CD860A5F2F08F30813D042E5A8C18E1965E5750AEE168050BFFE742DCF0DD0,IMPHASH=E3A088F00827D99D5FE555C4E7139852",
                                "CurrentDirectory": "C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\nss\\",
                                "EventID": "1",
                                "ParentCommandLine": "\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\nsi74B0.tmp\\SysX64.exe\"",
                                "CommandLine": "\"C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\nss\\certutil\" -A -n \"ASTxRoot2\" -d sql:\"C:\\Users\\Bruno\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\1hmu7354.default-release\" -t \"C,,\" -i \"C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\ca2.der\"",
                                "ParentImage": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\nsi74B0.tmp\\SysX64.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\nss\\certutil.exe"
                            }
                        },
                        {
                            "values": {
                                "Hashes": "MD5=18699846EBF35D128FEB935EA2F47557,SHA256=F5CD860A5F2F08F30813D042E5A8C18E1965E5750AEE168050BFFE742DCF0DD0,IMPHASH=E3A088F00827D99D5FE555C4E7139852",
                                "CurrentDirectory": "C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\nss\\",
                                "EventID": "1",
                                "ParentCommandLine": "\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\nsi74B0.tmp\\SysX64.exe\"",
                                "CommandLine": "\"C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\nss\\certutil\" -A -n \"ASTxRoot2\" -d sql:\"C:\\MozillaProfile\" -t \"C,,\" -i \"C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\ca2.der\"",
                                "ParentImage": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\nsi74B0.tmp\\SysX64.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\nss\\certutil.exe"
                            }
                        },
                        {
                            "values": {
                                "Hashes": "MD5=18699846EBF35D128FEB935EA2F47557,SHA256=F5CD860A5F2F08F30813D042E5A8C18E1965E5750AEE168050BFFE742DCF0DD0,IMPHASH=E3A088F00827D99D5FE555C4E7139852",
                                "CurrentDirectory": "C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\nss\\",
                                "EventID": "1",
                                "ParentCommandLine": "\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\nss69F2.tmp\\SysX64.exe\"",
                                "CommandLine": "\"C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\nss\\certutil\" -A -n \"ASTxRoot2\" -d sql:\"C:\\Users\\Bruno\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\1hmu7354.default-release\" -t \"C,,\" -i \"C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\ca2.der\"",
                                "ParentImage": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\nss69F2.tmp\\SysX64.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\nss\\certutil.exe"
                            }
                        }
                    ]
                },
                {
                    "rule_level": "medium",
                    "rule_id": "0db9fba426142aca003830de31e38a7318ed0a3a299852f6bc4cbe8bc905515f",
                    "rule_source": "Sigma Integrated Rule Set (GitHub)",
                    "rule_title": "Read Contents From Stdin Via Cmd.EXE",
                    "rule_description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe",
                    "rule_author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
                    "match_context": [
                        {
                            "values": {
                                "CommandLine": "C:\\Windows\\system32\\cmd.exe /C ECHO Y| cacls C:\\Users\\<USER>\\AppData\\Local\\Temp\\asfDF0A.tmp /s:D:PAI(A;;FA;;;BA)",
                                "Image": "C:\\Windows\\system32\\cmd.exe",
                                "EventID": "1"
                            }
                        }
                    ]
                },
                {
                    "rule_level": "medium",
                    "rule_id": "7e27ad096cfe35b247261a88a0082eb1feb9c110817bfc4774f404f8f2958328",
                    "rule_source": "Sigma Integrated Rule Set (GitHub)",
                    "rule_title": "New Root Certificate Installed Via Certutil.EXE",
                    "rule_description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n",
                    "rule_author": "oscd.community, @redcanary, Zach Stanford @svch0st",
                    "match_context": [
                        {
                            "values": {
                                "Hashes": "MD5=BD8D9943A9B1DEF98EB83E0FA48796C2,SHA256=8DE7B4EB1301D6CBE4EA2C8D13B83280453EB64E3B3C80756BBD1560D65CA4D2,IMPHASH=7B7F7ED372C027216AE5100589C424EA",
                                "CurrentDirectory": "C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\",
                                "OriginalFileName": "CertUtil.exe",
                                "Product": "Microsoft\\xae Windows\\xae Operating System",
                                "Description": "CertUtil.exe",
                                "FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
                                "ParentCommandLine": "\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\nsi74B0.tmp\\SysX64.exe\"",
                                "CommandLine": "certutil -addstore -f root \"C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\ca2.der\"",
                                "EventID": "1",
                                "ParentImage": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\nsi74B0.tmp\\SysX64.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\System32\\certutil.exe",
                                "Company": "Microsoft Corporation"
                            }
                        },
                        {
                            "values": {
                                "Product": "Microsoft\\xae Windows\\xae Operating System",
                                "CurrentDirectory": "C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\",
                                "OriginalFileName": "CertUtil.exe",
                                "Hashes": "MD5=BD8D9943A9B1DEF98EB83E0FA48796C2,SHA256=8DE7B4EB1301D6CBE4EA2C8D13B83280453EB64E3B3C80756BBD1560D65CA4D2,IMPHASH=7B7F7ED372C027216AE5100589C424EA",
                                "Description": "CertUtil.exe",
                                "EventID": "1",
                                "ParentCommandLine": "\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\nss69F2.tmp\\SysX64.exe\"",
                                "CommandLine": "certutil -addstore -f root \"C:\\Program Files\\AhnLab\\Safe Transaction\\Cert\\ca2.der\"",
                                "FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
                                "ParentImage": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\nss69F2.tmp\\SysX64.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\System32\\certutil.exe",
                                "Company": "Microsoft Corporation"
                            }
                        }
                    ]
                }
            ],
            "creation_date": 1620866617,
            "sandbox_verdicts": {
                "Zenbox": {
                    "category": "harmless",
                    "malware_classification": [
                        "CLEAN"
                    ],
                    "sandbox_name": "Zenbox",
                    "confidence": 97
                }
            },
            "trid": [
                {
                    "file_type": "Win64 Executable (generic)",
                    "probability": 27.0
                },
                {
                    "file_type": "Win16 NE executable (generic)",
                    "probability": 20.8
                },
                {
                    "file_type": "Win32 Executable (generic)",
                    "probability": 18.6
                },
                {
                    "file_type": "Windows Icons Library (generic)",
                    "probability": 8.5
                },
                {
                    "file_type": "OS/2 Executable (generic)",
                    "probability": 8.4
                }
            ],
            "type_tags": [
                "executable",
                "windows",
                "win32",
                "pe",
                "peexe"
            ],
            "filecondis": {
                "dhash": "000000000c0d0400",
                "raw_md5": "7da0351140a415c758e7dd0eca7b0b0e"
            }
        }
    }
}
Related Reports

2026-05-27
ENKI
Kimsuky의 고도화된 공격 기법 분석: JSONPing, Webex 사칭, 그리고 새로운 HttpSpy 변종

#HttpSpy #JSONPing #Kimsuky #T1566 #T1059.007 #T1204.002 #T1547.001 #T1053.005 #T1027.009 #T1027.010 #T1027.013 #T1140 #T1620 #T1497.001 #T1055.001 #T1071.001 #T1132.001 #T1573.001 #T1113 #T1041 #T1636.004
2026-05-27
ENKI
Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant

#Kimsuky #JSONPing #HttpSpy #T1566 #T1059.003 #T1059.007 #T1204.002 #T1547.001 #T1053.005 #T1027 #T1140 #T1620 #T1497.001 #T1055.001 #T1070.004 #T1070.006 #T1071.001 #T1132.001 #T1573.001 #T1090 #T1636.004 #T1027.013
« Back
⚠ These IoCs were automatically extracted using regular expressions or an LLM and may include non-malicious data.