Malicious
10 tier-1 antivirus engines converge on Runner/Cobalt trojan family; unsigned installer masquerading as setup.msi with offensive process-creation behaviour.
1f3f67b696ba113c3b…20c383c003
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The evidence converges strongly on malicious classification. Ten tier-1 antivirus engines (BitDefender, Kaspersky, ESET-NOD32, Emsisoft, Fortinet, GData, Ikarus, Symantec, Avast, AVG) independently agree on the same trojan family (39668822 / Runner / Cobalt), meeting the threshold for tier-1 consensus. The file is unsigned with no signer history, eliminating any benign-publisher pathway. Behaviour analysis confirms offensive MITRE technique T1543.003 (Create or Modify System Process) during sandbox execution, consistent with trojan dropper functionality. The filename 'setup.msi' and installer-hint tag indicate social-engineering masquerade. Prevalence is medium (13 submitters, 16 submissions), ruling out rare-new false-positive scenarios. No external YARA or CIRCL corroboration is needed given the tier-1 consensus strength.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- engines.tier1Malicious=10 (BitDefender, Kaspersky, Emsisoft, ESET-NOD32, Fortinet, GData, Ikarus, Symantec, Avast, AVG) with tier1FamilyConsensus.strong=true on family '39668822'
- signing.verified=null, signer='', signerStats.found=false — unsigned, no publisher history
- behaviour.offensiveTechniques=[T1543.003] (Create/Modify System Process); sandbox executed msiexec.exe installer; dropped 2 children
- filenameAnalysis.hasInstallerHint=true, filename='setup.msi', tags=['msi','checks-usb-bus'] — masquerades as legitimate installer
- prevalence.classification='medium' (13 submitters, 16 submissions); no external YARA/CIRCL corroboration but tier-1 consensus sufficient
- No malicious contacted hosts or domains detected
- Dropped children not flagged as malicious
- No persistence indicators recorded in sandbox
- Unsigned executable with no publisher reputation
- 10 tier-1 antivirus engines agree on trojan family classification
- Masquerades as legitimate Windows Installer (setup.msi)
- Exhibits offensive process-creation behaviour (T1543.003)
- Dropped 2 child executables during sandbox execution
- Medium prevalence suggests active distribution
Treat this file as malware and do not execute. If encountered, isolate the system, remove the file, and run a full antivirus scan. Verify any software downloads from official vendor websites only.
runner corroborated by 2 sources
- VT (76 engines): runner
- MT AI Engine: Runner/Cobalt
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
Files this sample writes at runtime
This file drops 2 children at runtime. None are currently flagged malicious in our cache.
- 597678b9639c5ea035f9…675a8e (never scanned, never seen before)
- 09af8004b85478e1eca0…47b449 (never scanned, never seen before)
21 detections across 76 engines
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: setup.msi
- Size: 5.30 MB
- MIME type: (unknown)
- Detected type: Windows Installer
- SHA-256: 1f3f67b696ba113c3b51842381e060dab420df76f76b015f5cb64b20c383c003
- MD5: 31c4c4c1891463d6e7eb816cb67caf5e
- SHA-1: cf9b1d16d823d0176e6d72527091e24e7c128cd6
- First seen (VT): 4/3/2026, 1:02:28 AM
- Last analysis (VT): 4/3/2026, 5:16:33 PM
- First scan (MalwareTips): 7/2/2026, 1:12:48 PM
- Last scan (MalwareTips): 7/2/2026, 1:12:48 PM