File verdict · Decided by the MT AI Engine
Our call

Malicious

Nine tier-1 antivirus engines converge on generickd trojan; unsigned executable exhibits process injection, credential-dumping, and direct-IP C2 contact.

generickd
Trust score 8 · Critical
MT AI confidence · 94%
fflag injector (1).exe
277.0 KB
40c6b8bec9237a1e0f26d3fc1977
Antivirus engines
23 of 75 flagged
Code signing
Unsigned
Age
First seen 11 days ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

94% Confidence
Very high
Reasoning

The evidence converges on malicious intent. Nine tier-1 engines (BitDefender, Microsoft, TrendMicro, Emsisoft, GData, Sophos, Symantec, Fortinet, and TrendMicro-HouseCall) agree on the generickd trojan family, establishing strong consensus. The file exhibits three offensive MITRE techniques: process injection (T1055) via CreateRemoteThread/APC, credential-dumping targeting LSASS (Mimikatz-shape behaviour), and direct-IP C2 contact to 11 external addresses with zero DNS queries — a hallmark of malware evading reputation-based blocklists. The file is unsigned and has no signer history, eliminating the possibility of a legitimate publisher. Community researchers flagged suspicious hacktools strings via Nextron YARA rules. The high submission volume (275 in 11 days) reflects rapid propagation, not a false positive.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. tier1FamilyConsensus.strong=true; 9 tier-1 engines (BitDefender, Emsisoft, GData, Microsoft, Sophos, Symantec, TrendMicro, TrendMicro-HouseCall, Fortinet) agreeing on 'generickd' family

  2. T1055 (Process Injection) + triggeredHeuristics 'MalwareTips.Synth.ProcessInjection' (high) — CreateRemoteThread/APC injection observed in sandbox

  3. triggeredHeuristics 'MalwareTips.Synth.CredentialDumper' (medium) — LSASS memory access targeting, Mimikatz-shape behaviour

  4. triggeredHeuristics 'MalwareTips.Synth.DirectIpC2' (medium) — 11 external IPs contacted, zero domains; direct-IP C2 bypasses reputation systems

  5. signing.verified=false; unsigned executable; no signer history; communityComments cite Nextron YARA 'Generic_Strings_Hacktools' rule match

Points in its favour
  • No malicious dropped children detected
  • No persistence indicators (registry keys, scheduled tasks) observed in sandbox
  • No malicious contacted hosts in our URL cache (though direct-IP C2 bypasses this check)
Points against
  • Process injection (T1055) — payload smuggled into legitimate processes to evade detection
  • Credential dumping — LSASS targeting for password/hash theft
  • Direct-IP C2 contact — 11 external IPs, zero DNS, bypasses reputation systems
  • Unsigned executable — no legitimate publisher backing
  • Tier-1 consensus — 9 high-trust engines agree on generickd family
  • Rapid propagation — 275 submissions in 11 days suggests active distribution
What to do

Block this file immediately at the network and endpoint level. If execution is suspected, treat as a credential-compromise incident and reset all passwords. Escalate to incident response for forensic analysis and lateral-movement assessment.

Threat family attribution

tl0101fq26zy corroborated by 2 sources

  • VT (75 engines)
    tl0101fq26zy
  • MT AI Engine
    generickd
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
14

Adversary techniques mapped to the MITRE ATT&CK framework.

T1012, T1027, T1033, T1055, T1057, T1071, T1082, T1083, T1129, T1497, T1518, T1539, T1564.003, T1574
Spawned processes
15
  • "C:\Users\<USER>\Desktop\fastflag_injector_gui_enhanced _1_.exe"
  • "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://guns.lol/davedown
  • "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-chann…
  • C:\Windows\system32\services.exe
  • C:\Windows\System32\RuntimeBroker.exe -Embedding
  • C:\Windows\System32\svchost.exe -k NetworkService -p
  • C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  • C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
+7 more processes captured.
Network activity
12
IP addresses (12)
  • 150.171.109.183
  • 104.18.27.243
  • 150.171.73.13
  • 104.18.26.243
  • 104.18.94.41
  • 178.162.136.155
  • 104.16.79.73
  • 150.171.110.195
  • 162.159.134.233
  • 224.0.0.251
+2 more
Filesystem & mutexes
19
Files written (7)
  • C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1E73866B-6848-11F1-B614-028F5737F333}.dat
  • C:\Users\<USER>\AppData\Local\Temp\~DFA42400B7393E610B.TMP
  • C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1E73866D-6848-11F1-B614-028F5737F333}.dat
  • C:\Users\<USER>\AppData\Local\Temp\~DF315D4305C2E516EC.TMP
  • C:\Users\user\AppData\Local\Microsoft\Windows\History
+2 more
Files deleted (4)
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\4d13eb44-8299-416f-8dec-fc85e8843116.tmp
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF64633.TMP
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\137c55a4-fc48-463a-997a-a4714a8ee417
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State~RF633b5.TMP
Mutexes created (8)
  • Local\!BrowserEmulation!SharedMemory!Mutex
  • Local\VERMGMTBlockListFileMutex
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_2184
  • Local\URLBLOCK_HASHFILESWITCH_MUTEX
  • Local\URLBLOCK_DOWNLOAD_MUTEX
+3 more
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

3 synthesis rules
MITRE ATT&CK profile
Defense evasion × 1 · Cred access × 1 · C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    C:\Windows\System32\svchost.exe -k NetworkService -p
  • CredentialDumper (medium)

    Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.

    Evidence
    C:\Windows\system32\lsass.exe
  • DirectIpC2 (medium)

    Sample contacted 11 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    150.171.109.183 · 104.18.27.243 · 150.171.73.13
Antivirus engine breakdown

23 detections across 75 engines

23 malicious · 0 suspicious · 52 clean
Tier-1: 17 engines, 9 flag
Top commercial AVs (low FP rate)
Tier-2: 38 engines, 10 flag
Mainstream engines with mixed FP rates
Low-trust: 20 engines, 4 flag
Heuristic / generic-AI engines (high FP rate)
Engine · Result · Detection name
alibabacloud · malicious · Suspicious
ALYac · malicious · Trojan.GenericKD.80573290
Arcabit · malicious · Trojan.Generic.D4CD736A
BitDefender · malicious · Trojan.GenericKD.80573290
Bkav · malicious · W32.Malware.F555F0F8
CTX · malicious · exe.trojan.wacatac
DeepInstinct · malicious · MALICIOUS
Elastic · malicious · malicious (moderate confidence)
Emsisoft · malicious · Trojan.GenericKD.80573290 (B)
Fortinet · malicious · W32/PossibleThreat
GData · malicious · Trojan.GenericKD.80573290
Google · malicious · Detected
Gridinsoft · malicious · Trojan.Win64.Wacatac.bot
McAfeeD · malicious · ti!40C6B8BEC923
Microsoft · malicious · Trojan:Win32/Wacatac.B!ml
MicroWorld-eScan · malicious · Trojan.GenericKD.80573290
Sophos · malicious · Mal/Generic-S
Symantec · malicious · ML.Attribute.HighConfidence
TrellixENS · malicious · Artemis!ED3913E420B2
TrendMicro · malicious · Trojan.Win64.WACATAC.TL0101FQ26ZY
TrendMicro-HouseCall · malicious · Trojan.Win64.WACATAC.TL0101FQ26ZY
Varist · malicious · W64/ABTrojan.HZEX-3104
VIPRE · malicious · Trojan.GenericKD.80573290
Hash 40c6b8bec923… cross-referenced against 75 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked
Section entropy (5 sections)
  • .text: 5.75
  • .rdata: 5.48
  • .data: 3.25
  • .pdata: 5.36
  • .reloc: 3.12
Scale 0.0 to 8.0; packed threshold 7.2
Prevalence

How often this file shows up in the wild

Lots of people are uploading this but it's recent — typical of newly-released legitimate software. Low prior for malware.

Common & new
Unique uploaders
209
Hundreds of people have uploaded this — common.
Total submissions
275
Includes repeat uploads by the same source.
First seen by VT
10d ago
Jun 17, 2026
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software (this file)
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
6/17/2026, 4:06:53 PM
First seen (MalwareBazaar)
Last analysis (VT)
6/27/2026, 8:11:10 PM
Scanned here
6/28/2026, 10:48:53 AM
File name
fflag injector (1).exe
Size
277.0 KB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
40c6b8bec9237a1e0fadcb40c367b8efacde417e2a00cc624563b026d3fc1977
MD5
ed3913e420b237fa72fa51fc52829272
SHA-1
a06b7037f5299dd6c507f3daceb10120e1929106
PE imphash
a322b86772fc2edfcc6c176fb44d41e9
First scan (MalwareTips)
6/28/2026, 10:48:53 AM
Last scan (MalwareTips)
6/28/2026, 10:48:53 AM
Behavior tags
64bits, peexe
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.