File verdict·Decided by the MT AI Engine
Our call

Malicious

Unsigned dropper with 16/17 tier-1 engines agreeing on MalwareX family; exhibits process injection, credential dumping, and direct-IP C2 beaconing.

malwarex
Trust score8Critical
Zsrekgoixr.exe
645.0 KB
2b8e3ad0512cbadeb88144865bce
Antivirus engines
48 of 74 flagged
Code signing
Unsigned
Age
First seen 9 days ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

98%Confidence
Very high
Reasoning

The evidence overwhelmingly indicates malware. The tier-1 family consensus on MalwareX is decisive: four high-trust engines independently named the same family, and 16 of 17 tier-1 engines flagged the sample malicious. The file is unsigned and rare (9 days old, 3 submitters), eliminating any legitimate-publisher defence. Sandbox behaviour confirms malicious intent: process injection into system services, LSASS memory access (credential theft), and direct-IP C2 communication without DNS resolution. The triggered heuristics (ProcessInjection, CredentialDumper, DirectIpC2, DropperNetworkProfile) form a coherent dropper/stager attack chain. The absence of external YARA/CIRCL corroboration does not override tier-1 consensus; antivirus engines are authoritative. This is malware.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines.tier1FamilyConsensus: malwarex family, 4 tier-1 engines (Avast, AVG, Avira, DrWeb) in strong agreement

  2. engines.tier1Malicious=16/17 tier-1 engines flagging; onlyLowTrustFlagging=false — tier-1 consensus is decisive

  3. behaviour.offensiveTechniques: T1055 (Process Injection), T1560.002 (Archive/Compression), T1620 (Reflective Code Loading) — offensive MITRE techniques only malware uses

  4. triggeredHeuristics: ProcessInjection (high), CredentialDumper (medium), DirectIpC2 (medium), DropperNetworkProfile (high) — coherent dropper/stager profile

  5. signing.verified=false, unsigned PE; prevalence.classification=rare_new; no signer history — no legitimate publisher backing

Points in its favour
  • No malicious dropped children confirmed (6 inspected, verdicts pending)
  • No contacted domains — only direct IP (suggests C2 hardcoding, not dynamic DNS)
  • No persistence indicators detected in sandbox (no registry keys, no scheduled tasks created)
Points against
  • Tier-1 family consensus (MalwareX) across 4 high-trust engines
  • Process injection into system services (svchost.exe, LSASS)
  • Credential dumping from LSASS memory (T1055, T1620)
  • Direct-IP C2 communication bypassing DNS reputation
  • Packed, unsigned executable with high-entropy code
  • Rare file (9 days old, 3 submitters) — no established legitimacy
What to do

Block and quarantine this file immediately. The tier-1 consensus on MalwareX family, combined with process injection, credential dumping, and C2 beaconing, confirms malware. If executed, assume credential compromise and initiate incident response.

Threat family attribution

msil corroborated by 2 sources

  • VT (74 engines)
    msil
  • MT AI Engine
    malwarex
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
16

Adversary techniques mapped to the MITRE ATT&CK framework.

T1027T1027.002T1033T1055T1059T1070T1070.006T1082T1083T1129T1140T1518T1560.002T1562T1574T1620
Spawned processes
15
$(unnamed)
"C:\Users\<USER>\Desktop\executable.exe"
$(unnamed)
C:\Windows\system32\services.exe
$(unnamed)
C:\Windows\System32\svchost.exe -k NetworkService -p
$(unnamed)
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
$(unnamed)
C:\Windows\system32\lsass.exe
$(unnamed)
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
$(unnamed)
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
$(unnamed)
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
+7 more processes captured.
Network activity
1
IP addresses1
  • 1.1.1.1
Filesystem & mutexes
19
Files written13
  • C:\Users\<USER>\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\executable.exe.log
  • %LOCALAPPDATA%\rhtsu\.exe
  • %LOCALAPPDATA%\microsoft\clr_v4.0_32\usagelogs\kfagitaa.exe.log
  • %TEMP%\121cfa60cfcc465fbb99bffde12e26b8.xml
  • %WINDIR%\system32\tasks\{0d7e4a0e-6770-495a-921b-8dc6ef4ab8b7}
+8 more
Files deleted3
  • %TEMP%\121cfa60cfcc465fbb99bffde12e26b8.xml
  • C:\Users\Administrator\AppData\Local\Temp\b38addfe16f048ffbead62583e8212db.xml
  • C:\Users\Administrator\AppData\Local\Temp\1926e096c5584b4a9d61a903ac413152.xml
Mutexes created3
  • b07a471d77cfe06cdec2d3542b45b8ea
  • Global\OneSettingQueryMutex+compat+encapsulation
  • \Sessions\1\BaseNamedObjects\b07a471d77cfe06cdec2d3542b45b8ea
Dropped payload

Files this sample writes at runtime

This file drops 6 children at runtime. None are currently flagged malicious in our cache.

6 unseen
  • d7a5b6d946ca6ba653adf22874Never scanned
    never seen before
  • b10a9f2baf223d3dc2fb43f96aNever scanned
    never seen before
  • 2b8e3ad0512cbadeb82a865bceNever scanned
    never seen before
  • 7bcae8abc905e7629e954e8c2fNever scanned
    never seen before
  • f951aa9b987258a81301beeac5Never scanned
    never seen before
  • 40119b5a200e7bfd86888977f9Never scanned
    never seen before
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

5 synthesis
MITRE ATT&CK profile
Execution× 1Defense evasion× 2Cred access× 1C2× 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjectionhigh

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    C:\Windows\System32\svchost.exe -k NetworkService -p
  • PackedUnsignedLowSigmedium

    PE is packed (high-entropy code or known packer) AND unsigned AND at least one engine flagged it. Packing alone is common in legit software; packing + unsigned + signal is the malware-dropper pattern.

    Evidence
    high-entropy code section
  • CredentialDumpermedium

    Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.

    Evidence
    C:\Windows\system32\lsass.exe
  • DirectIpC2medium

    Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    1.1.1.1
  • DropperNetworkProfilehigh

    Unsigned, packed PE with sandbox-observed network activity. The packing step hides the payload until execution; the network call fetches / reports for the next stage. Classic dropper / stager behaviour.

    Evidence
    1.1.1.1
Antivirus engine breakdown

48 detections across 74 engines

48 malicious0 suspicious26 clean
Tier-117 engines
16flag
Top commercial AVs (low FP rate)
Tier-240 engines
21flag
Mainstream engines with mixed FP rates
Low-trust17 engines
11flag
Heuristic / generic-AI engines (high FP rate)
Alibaba
malicious
TrojanDropper:MSIL/Dapato.f3d93842
alibabacloud
malicious
Trojan[dropper]:MSIL/Wacatac.B9nj
Antiy-AVL
malicious
Trojan[Dropper]/MSIL.Dapato
APEX
malicious
Malicious
Arcabit
malicious
Trojan.MSIL.Benin.5
Avast
malicious
Win32:MalwareX-gen [Drp]
AVG
malicious
Win32:MalwareX-gen [Drp]
Avira
malicious
DR/W32.MalwareX
BitDefender
malicious
Gen:Heur.MSIL.Benin.5
Bkav
malicious
W32.Malware.CA579584
CAT-QuickHeal
malicious
TrojanDropper.MSIL
CrowdStrike
malicious
win/malicious_confidence_100% (W)
CTX
malicious
exe.unknown.benin
Cylance
malicious
Unsafe
DrWeb
malicious
Trojan.MulDrop38.49420
Elastic
malicious
malicious (high confidence)
Emsisoft
malicious
Gen:Heur.MSIL.Benin.5 (B)
ESET-NOD32
malicious
MSIL/Kryptik.APRJ trojan
F-Secure
malicious
Dropper.DR/W32.MalwareX
Fortinet
malicious
MSIL/Kryptik.APRJ!tr
GData
malicious
Gen:Heur.MSIL.Benin.5
Google
malicious
Detected
Gridinsoft
malicious
Trojan.Win32.Kryptik.sa
huorong
malicious
Trojan/MSIL.Loader.bc
K7AntiVirus
malicious
Trojan ( 700000201 )
K7GW
malicious
Trojan ( 700000201 )
Kaspersky
malicious
HEUR:Trojan-Dropper.MSIL.Dapato.gen
Kingsoft
malicious
malware.kb.c.1000
Lionic
malicious
Trojan.Win32.Dapato.b!c
Malwarebytes
malicious
Trojan.Crypt
MaxSecure
malicious
Trojan.Malware.300983.susgen
McAfeeD
malicious
Real Protect-LS!B8648E3534D1
Microsoft
malicious
Trojan:Win32/Wacatac.B!ml
MicroWorld-eScan
malicious
Gen:Heur.MSIL.Benin.5
Paloalto
malicious
generic.ml
Rising
malicious
Malware.Obfus/MSIL@AI.92 (RDM.MSIL2:qkPtXdEHh7qfEk6Qfln7yg)
Sangfor
malicious
Suspicious.Win32.Save.a
SentinelOne
malicious
Static AI - Malicious PE
Sophos
malicious
Mal/Generic-S
Symantec
malicious
ML.Attribute.HighConfidence
tehtris
malicious
Generic.Malware
Tencent
malicious
Msil.Trojan-Dropper.Dapato.Swhl
TrellixENS
malicious
Artemis!B8648E3534D1
TrendMicro
malicious
Trojan.MSIL.BENIN.TL0101G526ZZ
TrendMicro-HouseCall
malicious
Trojan.Win32.VSX.PE04CA3
Varist
malicious
W32/MSIL_Kryptik.MYG.gen!Eldorado
VBA32
malicious
TScope.Trojan.MSIL
VIPRE
malicious
Gen:Heur.MSIL.Benin.5
Hash 2b8e3ad0512c… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Executable sections have high entropy (7.2+) — the code is compressed or encrypted and only decrypted at runtime. Classic packing behaviour.

Likely packed
Section entropy3 sections
.text
7.21packed
.rsrc
3.94
.reloc
0.10
0.0Packed threshold 7.28.0
Prevalence

How often this file shows up in the wild

Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.

Rare & new
Unique uploaders
3
Very few people have ever uploaded this — rare.
Total submissions
3
Includes repeat uploads by the same source.
First seen by VT
9d ago
Jul 2, 2026
Prevalence quadrant
here
Rare · New
Targeted malware lives here
Common · New
Just-released software
Rare · Old
Niche or internal tooling
Common · Old
Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
7/2/2026, 2:15:11 PM
First seen (MalwareBazaar)
Last analysis (VT)
7/5/2026, 5:38:44 PM
Scanned here
7/11/2026, 1:20:59 PM
File name
Zsrekgoixr.exe
Size
645.0 KB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
2b8e3ad0512cbadeb82a581dea4b35a05dd46fa5af0447fd25f69d8144865bce
MD5
b8648e3534d1c5a86a15ae017d735c09
SHA-1
9539efa1877cf8d4b355bb7f2670a5a190e83609
PE imphash
f34d5f2d4577ed6d9ceec516c1f5a744
First seen (VT)
7/2/2026, 2:15:11 PM
Last analysis (VT)
7/5/2026, 5:38:44 PM
First scan (MalwareTips)
7/11/2026, 1:20:59 PM
Last scan (MalwareTips)
7/11/2026, 1:20:59 PM
Behavior tags
spreadercalls-wmiassemblyexecutes-dropped-filepeexe
Frequently asked

Safety FAQ

Common questions about Zsrekgoixr.exe, answered from the scan data above.

  • Yes — Zsrekgoixr.exe is malicious, so do not run it, and delete it. 48 of 74 antivirus engines flag it (family: malwarex). It behaves as a downloader/dropper whose job is to pull additional malware onto the device. If you've already run it, see the removal and recovery steps below.
  • Zsrekgoixr.exe is a Windows executable program, about 645 KB. Our analysis identifies it as malicious (family: malwarex) — a downloader/dropper whose job is to pull additional malware onto the device. Because a file's name and icon can be faked, the safest way to identify it is by its cryptographic hash (below), not its filename.
  • 48 of 74 antivirus engines flagged Zsrekgoixr.exe, 48 of them as outright malicious. A detection rate at this level is a reliable signal that the file is dangerous.
  • Act quickly. 1) Disconnect the device from the internet to stop the malware communicating or spreading. 2) Run a full scan with reputable anti-malware software (such as Malwarebytes) and quarantine everything it finds. 3) Change your important passwords from a DIFFERENT, clean device — many threats log keystrokes or steal saved credentials. 4) If you bank or shop on this device, watch closely for fraud and alert your bank. 5) For a confirmed infection, the most reliable fix is to back up your personal files and reinstall the operating system for a clean start.
  • To remove Zsrekgoixr.exe: 1) restart into Safe Mode (Safe Mode with Networking if you need to download a tool) so the malware doesn't auto-start. 2) Run a full scan with reputable anti-malware software and let it quarantine or delete the detections. 3) Delete the original Zsrekgoixr.exe file and empty the Recycle Bin/Trash. 4) Check your browser extensions, startup items, and scheduled tasks for anything unfamiliar. 5) Reboot and scan again to confirm it's gone. If detections keep coming back, a clean operating-system reinstall is the most dependable cure.
  • Zsrekgoixr.exe is classified as a downloader/dropper whose job is to pull additional malware onto the device. Engines attribute it to the malwarex family. Knowing the family matters because it tells you the likely impact — data theft, remote control, file encryption, or unwanted ads — and guides the cleanup.
  • The SHA-256 hash of Zsrekgoixr.exe is 2b8e3ad0512cbadeb82a581dea4b35a05dd46fa5af0447fd25f69d8144865bce, and its MD5 is b8648e3534d1c5a86a15ae017d735c09. This hash is the file's unique fingerprint — two files with the same SHA-256 are identical. Use it to confirm you're looking at exactly this file (not just one with the same name) when comparing against antivirus databases or a download's published checksum.
  • This report reflects the scan run on July 11, 2026. Because a file's hash never changes, the identity of Zsrekgoixr.exe is fixed — but antivirus coverage improves over time, so a file that looks clean today can pick up detections later (and vice-versa). If you need the latest picture, MalwareTips staff can re-run the analysis from scratch.
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…
Loading reports…
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.