Suspicious
Unsigned 46 MB PyInstaller EXE with process injection, LSASS access, and direct-IP contact but zero tier-1 detections.
30b20bb6941cb0aea3…162aae204eThe verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The engine picture is classic low-trust-only with one tier-2 generic label and no tier-1 consensus, which normally leans safe. However the sandbox behaviour is decisive: high-severity process injection, credential-dumper style LSASS activity, and direct-IP C2 without DNS are strong malware indicators that outweigh the low engine count. Unsigned status removes any trusted-publisher safety net. Medium prevalence and the single prior safe RAG verdict on an imphash collision are insufficient to override the behavioural red flags.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.tier1Malicious=0 with 4 malicious (3 low_trust + 1 tier2 'Artemis')
behaviour.offensiveTechniques=["T1055","T1059.001"] and triggeredHeuristics[0].rule="MalwareTips.Synth.ProcessInjection" (high severity)
signing.signed=false and behaviour.contactedIps=["162.159.36.2"] with zero domains (DirectIpC2 heuristic)
prevalence.classification=medium and similarHashes[0].verdict=safe (imphash match, signerCoMatch=false)
- Zero tier-1 malicious detections
- No malicious sandbox verdict
- Medium prevalence across hundreds of submitters
- No dropped malicious children
- Unsigned executable
- Process injection (T1055) observed
- LSASS memory access (credential-dumper shape)
- Direct-IP C2 with no DNS resolution
- PyInstaller overlay with high entropy sections
Treat as suspicious pending further sandbox or dynamic analysis; avoid execution until additional corroborating evidence is obtained.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 162.159.36.2
- C:\Users\<USER>\AppData\Local\Temp\_MEI66682\PySide6\MSVCP140.dll
- C:\Users\<USER>\AppData\Local\Temp\_MEI66682\PySide6\MSVCP140_1.dll
- C:\Users\<USER>\AppData\Local\Temp\_MEI66682\PySide6\MSVCP140_2.dll
- C:\Users\<USER>\AppData\Local\Temp\_MEI66682\PySide6\Qt6Core.dll
- C:\Users\<USER>\AppData\Local\Temp\_MEI66682\PySide6\Qt6Gui.dll
- Local\SessionImmersiveColorMutex
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- b4015c5d519b4fe93c00…2feae7Never scannednever seen before
- c585918fb1d4821a054e…ac7e8fNever scannednever seen before
- 8c98b5ee246e18397d0d…5b34deNever scannednever seen before
- f41e33e1d790bd0d3eb1…e66867Never scannednever seen before
- 81da2f88cd624097581f…542d28Never scannednever seen before
- fc9e4146f33be3d09b23…3a61a7Never scannednever seen before
- 2ec955e662407ebcd8dc…43535fNever scannednever seen before
- f73ce2be52363e6b97a7…7d68cbNever scannednever seen before
- 96ad1146eb96877eab59…87dcf7Never scannednever seen before
- d9fe875307794cfc1014…13733eNever scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
EvidenceC:\Windows\System32\svchost.exe -k NetworkService -pSandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
EvidenceC:\Windows\system32\lsass.exeSample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence162.159.36.2
4 detections across 73 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name
- LocalHost.exe
- Size
- 44.39 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 30b20bb6941cb0aea38108f656406768c8bc1a3f76ed001d469017162aae204e
- MD5
- e0302b6d830ca85ae7591d73cf289688
- SHA-1
- 1b805ae8d652e741dbd6f26471b10a1a74bf9247
- PE imphash
- dcaf48c1f10b0efa0a4472200f3850ed
- First seen (VT)
- 5/10/2026, 8:31:57 AM
- Last analysis (VT)
- 7/7/2026, 10:57:43 PM
- First scan (MalwareTips)
- 7/8/2026, 5:15:36 AM
- Last scan (MalwareTips)
- 7/8/2026, 5:15:36 AM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.