npinstall.exe

Gemius S.A.

The application npinstall.exe by Gemius S.A. has been flagged as a potentially unwanted program by 1 of 68 anti-malware scanners (the site's own Reason Heuristics engine; see the detection table below). It is a setup and installation application that has been known to bundle potentially unwanted software. It is typically executed from an Internet Explorer cache folder, and the file has been seen being downloaded from pl.megapanel.gem.pl.
Publisher:
Gemius S.A.  (signed and verified)

MD5:
1e1c39bcb2df1774f02b5004b7f228bb

SHA-1:
0cac20810398a8d40a54b4f1d4fb40c45e06d08a

SHA-256:
dd92209ecf3a6fe2f8acc69d6e33da010b525c0d3d6291238f4467c8f1d39efc

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider this file unwanted.

Analysis date:
11/16/2024 9:28:03 PM UTC

Scan engine          Detection                      Engine version
Reason Heuristics    PUP.GemiusSA.Installer (M)     16.5.30.10

File size:
1.5 MB (1,595,712 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\npinstall.exe

Digital Signature
Signed by:
Gemius S.A.

Authority:
Thawte, Inc.

Valid from:
3/11/2013 1:00:00 AM

Valid to:
5/11/2014 1:59:59 AM

Note: the signing certificate's validity period ended in May 2014, a decade before the analysis date. An Authenticode signature remains valid after the certificate expires only if it carries a trusted timestamp countersignature, which this listing does not record; verify that before treating "signed and verified" as current.

Subject:
CN=Gemius S.A., O=Gemius S.A., L=Warszawa, S=mazowieckie, C=PL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
4214D27FBFEDDBBD183D1ED8DF3A9C0E

File PE Metadata
Compilation timestamp:
1/14/2003 9:27:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.0

CTPH (ssdeep):
24576:d8P7JVplpKEhlwesM5hxP2woCfvZJAjqZ9mqxy+Qpf5N67lXrkPREkRfhpE2:mVV7AELKyxOwoCXZa8S5Al7kPtRf/E2

Entry address:
0x1F150

Entry point:
60, BE, 00, 50, 41, 00, 8D, BE, 00, C0, FE, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 75, 20, 41, 01, DB, 75...

Packer / compiler:
UPX 2.90 [LZMA]
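The entry-point bytes listed above (pushad; mov esi, imm32; lea edi, [esi+disp32]; push edi; or ebp, -1; jmp short) are the prologue of the standard UPX x86 unpacking stub, which is how packer identifiers arrive at the "UPX" verdict. The script below is an added example, not code from this page or from Gemius S.A.: it matches the listed bytes against the widely used wildcard UPX stub signature (the pattern is assumed to be the one common identifiers use; `??` matches any byte) and decodes the two immediates, which give the address of the packed data (ESI) and the address the stub unpacks it to (EDI). The byte listing is copied from this page; the signature string is the example's own assumption.

```python
"""Added example: signature-match the page's entry-point bytes against the
common UPX stub prologue and decode the stub's copy addresses."""
import struct

# Entry-point bytes copied from the listing above (first 48 bytes).
ENTRY_BYTES_HEX = (
    "60, BE, 00, 50, 41, 00, 8D, BE, 00, C0, FE, FF, 57, 83, CD, FF, EB, 10, "
    "90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, "
    "83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00"
)

# Assumed PEiD-style UPX x86 stub signature: pushad; mov esi, src;
# lea edi, [esi+delta]; push edi; or ebp, -1; jmp short +0x10; 6-byte nop
# sled; then the start of the decompression loop. '??' is a wildcard.
UPX_STUB_SIG = ("60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 "
                "90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07")


def parse_hex_list(text: str) -> bytes:
    """Turn the page's 'AA, BB, CC' listing into raw bytes."""
    return bytes(int(tok, 16) for tok in text.replace(",", " ").split())


def matches_signature(data: bytes, sig: str, offset: int = 0) -> bool:
    """Wildcard byte-pattern match starting at `offset`."""
    tokens = sig.split()
    if offset + len(tokens) > len(data):
        return False
    return all(tok == "??" or data[offset + i] == int(tok, 16)
               for i, tok in enumerate(tokens))


def decode_upx_prologue(data: bytes) -> dict:
    """Decode 'mov esi, imm32' (packed data source) and
    'lea edi, [esi+disp32]' (unpack destination, 32-bit wrap-around)."""
    if data[0] != 0x60 or data[1] != 0xBE or data[6:8] != b"\x8D\xBE":
        raise ValueError("not a UPX-style prologue")
    src = struct.unpack_from("<I", data, 2)[0]
    delta = struct.unpack_from("<i", data, 8)[0]  # signed displacement
    dst = (src + delta) & 0xFFFFFFFF
    return {"src": src, "delta": delta, "dst": dst}


def analyse(text: str = ENTRY_BYTES_HEX) -> dict:
    """Signature check plus, on a hit, the decoded copy addresses."""
    data = parse_hex_list(text)
    result = {"upx_stub": matches_signature(data, UPX_STUB_SIG)}
    if result["upx_stub"]:
        result.update(decode_upx_prologue(data))
    return result


if __name__ == "__main__":
    r = analyse()
    print(f"UPX stub prologue: {r['upx_stub']}")
    if r["upx_stub"]:
        print(f"packed data at 0x{r['src']:08X}, unpacked to 0x{r['dst']:08X} "
              f"(delta {r['delta']:#x})")
```

For this file the stub copies the compressed payload from 0x00415000 down to 0x00401000 (a displacement of -0x14000), i.e. from the UPX1 section back into the UPX0 region just above the image base. A signature hit on the entry point alone does not identify the compression method (NRV versus LZMA); that comes from the UPX header inside the file, which is why the listing's "UPX 2.90 [LZMA]" carries more detail than the prologue match does.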

Code size:
44 KB (45,056 bytes)

The file npinstall.exe has been seen being distributed from the following URL: pl.megapanel.gem.pl
