Malicious
This file is confirmed malware — abuse.ch researchers uploaded this exact sample to MalwareBazaar as known malware. Delete it and scan your system.
46e5e6ce73587216dc…43aac277e6
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
MalwareBazaar is a researcher-curated malware repository; hits there are ground-truth positives.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
MalwareBazaar: confirmed malware
(no named signature)
First catalogued: 2025-08-06 19:19:30
- MalwareBazaar confirmed family: confirmed malware
- Researcher-uploaded malware sample
Delete this file and run a full-system antivirus scan.
gamehack corroborated by 3 sources
- 5 YARA rules: Borland, HUNTING_SUSP_TLS_SECTION, pe_detect_tls_callbacks
- VT (74 engines): gamehack
- MT AI Engine: confirmed malware
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- http://download.visualstudio.microsoft.com/download/pr/9565895b-35a6-434b-a881-11a6f4beec76/4A8157B2FF422C259DDAA2D0E568C0C0AFAB940E1F6E0E482EF83E90DDBAD2D6/VC_redist.x86.exe
- http://download.visualstudio.microsoft.com/download/pr/9565895b-35a6-434b-a881-11a6f4beec76/EE84FED2552E018E854D4CD2496DF4DD516F30733A27901167B8A9882119E57C/VC_redist.x64.exe
- C:\Users\<USER>\AppData\Local\Temp\is-D1SB1.tmp\software.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-N0IEB.tmp\_isetup\_setup64.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-N0IEB.tmp\_isetup\_shfoldr.dll
- C:\Users\<USER>\AppData\Local\Temp\is-N0IEB.tmp\idp.dll
- C:\Users\<USER>\AppData\Local\Temp\is-N0IEB.tmp\innocallback.dll
- %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE\KLT1I0ZU\update50[1].xml
- C:\Windows\System32\wbem\Performance\WmiApRpl.h
- C:\Windows\System32\wbem\Performance\WmiApRpl.ini
- C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_cbbb49d6-b7ff-44ca-aba5-8a5e250d4d42
- Local\DirectSound DllMain mutex (0x00000C98)
- Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
- Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
- \Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
- \Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
2 corroborating signals from researcher-curated sources
- Borland, by malware-lu
- HUNTING_SUSP_TLS_SECTION, by chaosphere: detects PE files with a .tls section that can be used for anti-debugging
- pe_detect_tls_callbacks
- shellcode, by nex: matched shellcode byte patterns
- Sus_Obf_Enc_Spoof_Hide_PE, by XiAnzheng: checks for overlay, obfuscation, encryption, spoofing, hiding, or entropy techniques (can create false positives)
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
- Borland
- HUNTING_SUSP_TLS_SECTION
- pe_detect_tls_callbacks
- shellcode
- Sus_Obf_Enc_Spoof_Hide_PE
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: "C:\Users\<USER>\Desktop\software.exe"
Sample contacted 14 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 23.198.171.50 · 20.99.186.246 · 20.99.133.109
10 detections across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior that this is legitimate; isolated detections on common, old files are usually false positives.
Forensic fingerprint
- File name: setup.exe
- Size: 8.62 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: 46e5e6ce73587216dc2bf5b45f0de0655451a3f401c767cfa36d4343aac277e6
- MD5: 8365d8a59f090f0bc90d085ac3da014c
- SHA-1: 02072c995e4ac5fb04398b7e0dbeb8c9035c1f37
- PE imphash: 483f0c4259a9148c34961abbda6146c1
- First seen (VT): 6/21/2024, 3:58:53 PM
- Last analysis (VT): 7/3/2026, 11:41:36 PM
- First scan (MalwareTips): 7/4/2026, 10:35:42 PM
- Last scan (MalwareTips): 7/4/2026, 10:35:42 PM
- Community reputation: -11 (flagged)
Reviews & malware reports (0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.