Safe
Unsigned installer with one low-trust ML flag, clean tier-1 engines, and no sandbox or child malice.
0fc9785044a90382b6…7559f946dcThe reasoning behind this verdict
The MT AI Engine weighs every signal from this scan — antivirus detections, sandbox behaviour, code signing, prevalence and historical matches — to reach a single, evidence-based verdict.
The file is a fresh common_new installer (geode-installer-v5.8.2-win.exe) with high submission volume but zero tier-1 malicious detections. Signing is absent and one low-trust engine produced a generic ML score. Sandbox execution showed only ambient techniques plus a single direct-IP contact that triggered a medium heuristic, yet no malicious verdict or dropped malicious children. Similar-hash RAG returned no prior verdicts and external intel is silent. The combination fits the low-trust-engines-only pattern with high false-positive likelihood.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.tier1Malicious=0 and onlyLowTrustFlagging=true (Trapmine low_trust 'malicious.moderate.ml.score')
signing.signed=false and signerStats.found=false
prevalence.classification=common_new (236 uniqueSources, 263 submissions)
behaviour.hasMaliciousSandboxVerdict=false and droppedChildren.hasMaliciousChild=false
triggeredHeuristics[0].rule=MalwareTips.Synth.DirectIpC2 on IP 162.159.36.2
- Zero tier-1 malicious detections
- High submission volume (common_new)
- No malicious sandbox verdict or malicious children
- Unsigned binary
- Direct IP contact without DNS (DirectIpC2 heuristic)
Treat as low-risk installer; the single low-trust flag is typical of new unsigned installers and does not override the clean tier-1 and sandbox profile.
What to do now
This file looks safe based on everything we checked.
This file is safe to use.
Good habit: only download files from the official website or an app store.
Keep your antivirus and Windows updates switched on so you stay protected.
1 contradiction resolved by the scoring engine
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 162.159.36.2
- C:\Users\<USER>\AppData\Local\Temp\nswCFE3.tmp
- C:\Users\<USER>\AppData\Local\Temp\nsmCFF4.tmp\LangDLL.dll
- C:\Users\<USER>\AppData\Local\Temp\nsmCFF4.tmp\modern-wizard.bmp
- C:\Users\<USER>\AppData\Local\Temp\nsmCFF4.tmp\nsDialogs.dll
- C:\Users\<USER>\AppData\Local\Temp\nsmCFF4.tmp\System.dll
- C:\Users\<USER>\AppData\Local\Temp\nsq7B7A.tmp
- C:\Users\<USER>\AppData\Local\Temp\nsr7C67.tmp
- C:\Users\user\AppData\Local\Temp\nsn1349.tmp
- C:\Users\user\AppData\Local\Temp\nsq27EC.tmp
Files this sample writes at runtime
This file drops 4 children at runtime. None are currently flagged malicious in our cache.
- 2e08e077a0800ec39c05…6884acNever scannednever seen before
- 778b2bfbf3f4e641161f…8005abNever scannednever seen before
- 4873a57c9b2d697e4f86…56234cNever scannednever seen before
- b89448b9fd7be5ef215c…71fdf9Never scannednever seen before
YARA & heuristic rule matches
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence162.159.36.2
1 detection across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How widely this file has been seen
Lots of people are uploading this but it's recent — typical of newly-released legitimate software. Low prior for malware.
Forensic fingerprint
- File name
- geode-installer-v5.8.2-win.exe
- Size
- 46.48 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 0fc9785044a90382b6af932ddfd3f00b9f74cbb53bf53ee83797a17559f946dc
- MD5
- b52d70bb354589db610df40839ca147a
- SHA-1
- d34b6491c8f021d295469a9e6e370bff56324a3f
- PE imphash
- f4d1e4cd7416ef83f79f7c6a038875b3
- First seen (VT)
- 7/11/2026, 4:26:12 PM
- Last analysis (VT)
- 7/12/2026, 1:15:38 PM
- First scan (MalwareTips)
- 7/12/2026, 10:12:18 PM
- Last scan (MalwareTips)
- 7/12/2026, 10:12:18 PM
Safety FAQ
Common questions about geode-installer-v5.8.2-win.exe, answered from the scan data above.
- geode-installer-v5.8.2-win.exe appears safe. 73 of 74 antivirus engines report it clean, with only 1 low-confidence detection that read as false positives. As a habit, only run files you downloaded from the official source, since attackers sometimes distribute trojanised copies of legitimate software under the same name.
- geode-installer-v5.8.2-win.exe is a Windows executable program, about 46.5 MB. Our analysis found no threat indicators for it. A file's name can be reused by different files, so we identify it by its cryptographic hash (below).
- 1 of 74 antivirus engines flagged geode-installer-v5.8.2-win.exe, 1 of them as outright malicious. A small number of detections can include false positives, so we weigh which engines flagged it and what else the file does, not just the raw count.
- The SHA-256 hash of geode-installer-v5.8.2-win.exe is 0fc9785044a90382b6af932ddfd3f00b9f74cbb53bf53ee83797a17559f946dc, and its MD5 is b52d70bb354589db610df40839ca147a. This hash is the file's unique fingerprint — two files with the same SHA-256 are identical. Use it to confirm you're looking at exactly this file (not just one with the same name) when comparing against antivirus databases or a download's published checksum.
- Based on this scan, yes — geode-installer-v5.8.2-win.exe shows no threat indicators. The important caveat is source: make sure you downloaded it from the official website or a trusted store, because attackers sometimes distribute malware-laced copies under a legitimate file's name. If your own antivirus flags it while we report it clean, that is most often a false positive, but verify the source before overriding your antivirus.
- This report reflects the scan run on July 12, 2026. Because a file's hash never changes, the identity of geode-installer-v5.8.2-win.exe is fixed — but antivirus coverage improves over time, so a file that looks clean today can pick up detections later (and vice-versa). If you need the latest picture, MalwareTips staff can re-run the analysis from scratch.
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.