File verdict·Decided by the MT AI Engine
Our call

Suspicious

Unsigned repacked installer with process injection and direct-IP C2 contact; low engine consensus but concrete sandbox malware behaviour.

repack
Trust score58Caution
setup.exe
2.2 MB
2b7c5b24298efc43b51774860b41
Antivirus engines
2 of 75 flagged
Code signing
Unsigned
Age
First seen 15y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

68%Confidence
High
Reasoning

The sample presents conflicting signals. On one hand, only 2 engines flagged it malicious (Kingsoft tier2, Webroot low-trust), no tier-1 engines agreed, and the file is common and old (140 submitters since 2011). The 'security_tool_classifier' heuristic suggests it might be security software. On the other hand, sandbox execution revealed process injection (T1055) and process argument spoofing (T1134) — two offensive MITRE techniques — combined with direct-IP C2 contact to 10 external IPs and zero DNS domains. This direct-IP C2 pattern is a strong malware indicator because it bypasses reputation systems and domain-based blocklists. Benign installers and security tools do not exhibit this behaviour. The unsigned status and repack tag add to the risk profile. The lack of tier-1 consensus and external-intel hits prevent a confident 'malicious' verdict, but the concrete sandbox behaviour (process injection + no-DNS C2) is too specific to dismiss as a false positive.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 2/69 malicious (Kingsoft tier2, Webroot low-trust); tier1Malicious=0; no tier-1 consensus

  2. behaviour.offensiveTechniques: T1055 (Process Injection), T1134 (Process Argument Spoofing) — 2 offensive MITRE techniques observed in sandbox

  3. behaviour.contactedIps: 10 external IPs contacted, zero domains — direct-IP C2 pattern bypasses DNS reputation systems

  4. triggeredHeuristics: 'MalwareTips.Synth.ProcessInjection' (high) + 'MalwareTips.Synth.DirectIpC2' (medium) both fired; concrete sandbox evidence

  5. signing.verified=false, unsigned; prevalence=common_old (140 submitters, 166 submissions since 2011)

Points in its favour
  • No tier-1 engine consensus on malware family — suggests possible legacy or false-positive shape
  • No malicious dropped children — 10 inspected children all unknown/clean
  • No external-intel hits (CIRCL, YARAify, MalwareBazaar) — no researcher-curated corroboration
  • Common and old sample (140 submitters, 166 submissions since 2011) — long history in the wild
Points against
  • Process injection (T1055) observed in sandbox — code smuggled into legitimate process to evade AV hooks
  • Direct-IP C2 communication to 10 external addresses with zero DNS lookups — bypasses reputation systems and domain blocklists
  • Unsigned binary with repack tag — no publisher provenance or code-signing verification
  • Process argument spoofing (T1134) — obfuscates command-line intent
  • Installer hint in filename — typical delivery vector for trojans
What to do

Treat this file as suspicious and do not execute it. The sandbox-observed process injection and direct-IP C2 communication are concrete malware indicators that override the low engine consensus. If this file is part of a legitimate software distribution, request a signed, current version from the official publisher.

Threat family attribution

repack corroborated by 2 sources

  • VT (75 engines)
    repack
  • MT AI Engine
    repack
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
17

Adversary techniques mapped to the MITRE ATT&CK framework.

T1012T1027T1027.002T1033T1055T1056T1059T1071T1082T1083T1129T1134T1140T1497T1529T1614T1614.001
Spawned processes
15
$(unnamed)
"C:\Users\<USER>\Desktop\software.exe"
$(unnamed)
"C:\Users\<USER>\AppData\Local\Temp\is-DA6K4.tmp\software.tmp" /SL5="$7003C,1950140,143872,C:\Users\<USER>\Desktop\software.exe"
$(unnamed)
%SAMPLEPATH%\2b7c5b24298efc43b52bc7b0803a65aa454c50a30fde5984c471001774860b41.exe
$(unnamed)
%USERPROFILE%\AppData\Local\Temp\is-LREOE.tmp\2b7c5b24298efc43b52bc7b0803a65aa454c50a30fde5984c471001774860b41.tmp
$(unnamed)
C:\Windows\System32\wuapihost.exe
$(unnamed)
%USERPROFILE%\AppData\Local\Temp\is-FN5JD.tmp\2b7c5b24298efc43b52bc7b0803a65aa454c50a30fde5984c471001774860b41.tmp
$(unnamed)
%USERPROFILE%\AppData\Local\Temp\is-5HF90.tmp\2b7c5b24298efc43b52bc7b0803a65aa454c50a30fde5984c471001774860b41.tmp
$(unnamed)
%USERPROFILE%\AppData\Local\Temp\is-NT98J.tmp\2b7c5b24298efc43b52bc7b0803a65aa454c50a30fde5984c471001774860b41.tmp
+7 more processes captured.
Network activity
13
IP addresses13
  • 20.99.184.37
  • 192.229.211.108
  • 20.99.186.246
  • 23.216.147.76
  • 192.168.0.28
  • 20.99.133.109
  • 23.216.81.152
  • 192.168.0.19
  • 192.168.0.43
  • 184.27.218.92
+3 more
Filesystem & mutexes
39
Files written15
  • C:\Users\<USER>\AppData\Local\Temp\is-DA6K4.tmp\software.tmp
  • C:\Users\<USER>\AppData\Local\Temp\is-4ECQ5.tmp\_isetup\_RegDLL.tmp
  • C:\Users\<USER>\AppData\Local\Temp\is-4ECQ5.tmp\_isetup\_setup64.tmp
  • C:\Users\<USER>\AppData\Local\Temp\is-4ECQ5.tmp\_isetup\_shfoldr.dll
  • C:\Users\<USER>\AppData\Local\Temp\is-4ECQ5.tmp\innocallback.dll
+10 more
Files deleted15
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER16D0.tmp.WERInternalMetadata.xml
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER16BF.tmp.WERInternalMetadata.xml
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER179A.tmp.csv
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER179B.tmp.csv
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER17EA.tmp.txt
+10 more
Mutexes created9
  • CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
  • CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
  • CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
  • CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
  • CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
+4 more
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
  • 1c1bb4546e59e2953bbd94bd63Never scanned
    never seen before
  • 6876d5c5bbbbc804e2185dff5aNever scanned
    never seen before
  • 2f64a8d3d7191bd39dd52ba1bfNever scanned
    never seen before
  • 4512aac6cba173f582a768041cNever scanned
    never seen before
  • a4b61626a1626fdabec764f008Never scanned
    never seen before
  • 9884e9d1b4f8a873ccbd360d87Never scanned
    never seen before
  • f6c62481bb6c87aa45a24c73afNever scanned
    never seen before
  • 11eb9c19868419f0f7f55e31eeNever scanned
    never seen before
  • 4dc09bac0613590f1fac7e74a2Never scanned
    never seen before
  • 9cc277f3cc8a2ea83abb869313Never scanned
    never seen before
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

2 synthesis
MITRE ATT&CK profile
Defense evasion× 1C2× 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjectionhigh

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    "C:\Users\<USER>\Desktop\software.exe"
  • DirectIpC2medium

    Sample contacted 10 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    20.99.184.37 · 192.229.211.108 · 20.99.186.246
Antivirus engine breakdown

2 detections across 75 engines

2 malicious0 suspicious73 clean
Tier-117 engines
0flag
Top commercial AVs (low FP rate)
Tier-241 engines
1flag
Mainstream engines with mixed FP rates
Low-trust17 engines
1flag
Heuristic / generic-AI engines (high FP rate)
Kingsoft
malicious
malware.kb.a.702
Webroot
malicious
W32.Riskware.Repack
Hash 2b7c5b24298e… cross-referenced against 75 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

ent 8.00Unpacked
Section entropy8 sections
CODE
6.56
DATA
2.75
BSS
0.00
.idata
4.43
.tls
0.00
.rdata
0.20
.reloc
0.00
.rsrc
6.49
0.0Packed threshold 7.28.0
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
140
Hundreds of people have uploaded this — common.
Total submissions
166
Includes repeat uploads by the same source.
First seen by VT
15y ago
Nov 18, 2011
Prevalence quadrant
Rare · New
Targeted malware lives here
Common · New
Just-released software
Rare · Old
Niche or internal tooling
here
Common · Old
Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
11/18/2011, 5:57:21 PM
First seen (MalwareBazaar)
Last analysis (VT)
6/28/2026, 12:36:33 AM
Scanned here
7/10/2026, 2:57:53 PM
File name
setup.exe
Size
2.21 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
2b7c5b24298efc43b52bc7b0803a65aa454c50a30fde5984c471001774860b41
MD5
fb914ef04253449bb9988ff15529d467
SHA-1
af96cab426b034fefd97c02dac03936ca16cd6c0
PE imphash
884310b1928934402ea6fec1dbd3cf5e
First seen (VT)
11/18/2011, 5:57:21 PM
Last analysis (VT)
6/28/2026, 12:36:33 AM
First scan (MalwareTips)
7/10/2026, 2:57:53 PM
Last scan (MalwareTips)
7/10/2026, 2:57:53 PM
Behavior tags
runtime-modulesoverlaypecompactdirect-cpu-clock-accesschecks-user-inputpeexe
Frequently asked

Safety FAQ

Common questions about setup.exe, answered from the scan data above.

  • setup.exe is suspicious — treat it as unsafe until you're sure. 2 of 75 antivirus engines flag it (family: repack), which isn't a strong consensus but is enough to be cautious. Don't run it unless you fully trust where it came from, and prefer downloading the software fresh from its official site.
  • setup.exe is a Windows executable program, about 2.2 MB. We identify a file by its cryptographic hash rather than its name, because the same filename can be reused by completely different files — the hash below is the reliable fingerprint.
  • 2 of 75 antivirus engines flagged setup.exe, 2 of them as outright malicious. A small number of detections can include false positives, so we weigh which engines flagged it and what else the file does, not just the raw count.
  • Act quickly. 1) Disconnect the device from the internet to stop the malware communicating or spreading. 2) Run a full scan with reputable anti-malware software (such as Malwarebytes) and quarantine everything it finds. 3) Change your important passwords from a DIFFERENT, clean device — many threats log keystrokes or steal saved credentials. 4) If you bank or shop on this device, watch closely for fraud and alert your bank. 5) For a confirmed infection, the most reliable fix is to back up your personal files and reinstall the operating system for a clean start.
  • To remove setup.exe: 1) restart into Safe Mode (Safe Mode with Networking if you need to download a tool) so the malware doesn't auto-start. 2) Run a full scan with reputable anti-malware software and let it quarantine or delete the detections. 3) Delete the original setup.exe file and empty the Recycle Bin/Trash. 4) Check your browser extensions, startup items, and scheduled tasks for anything unfamiliar. 5) Reboot and scan again to confirm it's gone. If detections keep coming back, a clean operating-system reinstall is the most dependable cure.
  • setup.exe is classified as a trojan — malware disguised as something harmless to trick you into running it. Engines attribute it to the repack family. Knowing the family matters because it tells you the likely impact — data theft, remote control, file encryption, or unwanted ads — and guides the cleanup.
  • The SHA-256 hash of setup.exe is 2b7c5b24298efc43b52bc7b0803a65aa454c50a30fde5984c471001774860b41, and its MD5 is fb914ef04253449bb9988ff15529d467. This hash is the file's unique fingerprint — two files with the same SHA-256 are identical. Use it to confirm you're looking at exactly this file (not just one with the same name) when comparing against antivirus databases or a download's published checksum.
  • This report reflects the scan run on July 10, 2026. Because a file's hash never changes, the identity of setup.exe is fixed — but antivirus coverage improves over time, so a file that looks clean today can pick up detections later (and vice-versa). If you need the latest picture, MalwareTips staff can re-run the analysis from scratch.
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…
Loading reports…
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.