Suspicious
Unsigned 23 MB installer with process injection, LSASS access, and direct-IP C2 observed in sandbox.
6487b6eebf382a3dcf…77e9bdc897The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The engine detections are sparse and low-trust, yet the behavioural heuristics are concrete: process injection into svchost, LSASS memory access, and direct-IP C2 without domain resolution. The file is unsigned, carries an installer hint, and has medium prevalence with no prior similar-hash verdicts. These factors together produce a borderline mixed-signals profile rather than a clean safe or decisive malicious call.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.topDetections: Bkav, Gridinsoft, Malwarebytes (3 malicious, tier1Malicious=0)
behaviour.offensiveTechniques: T1055, T1548, T1562.001 and triggeredHeuristics MalwareTips.Synth.ProcessInjection (high)
behaviour.contactedIps: 16 direct IPs with zero domains (MalwareTips.Synth.DirectIpC2)
signing.verified=false and signerStats.found=false (unsigned installer)
prevalence.classification=medium and filenameAnalysis.hasInstallerHint=true
- No tier-1 malicious consensus
- No malicious dropped children
- No known-malicious contacted hosts
- Medium prevalence
- Unsigned executable
- Process injection (T1055)
- LSASS access observed
- Direct-IP C2 to 16 hosts
- High-entropy code sections
Treat as suspicious pending further analysis or broader AV coverage; avoid running until additional verification confirms legitimacy.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 203.29.60.245
- 45.94.185.87
- 36.255.79.249
- 194.164.179.33
- 203.29.60.248
- 104.166.145.86
- 88.212.232.156
- 148.113.1.241
- 156.38.206.18
- 45.94.185.85
- https://36.255.76.152/
- https://36.255.77.152/
- https://45.94.184.87/
- https://203.29.60.248/cdn/files/mt5/cdn.txt
- https://203.29.60.248/
- https://36.255.76.150/cdn/files/mt5/cdn.txt
- C:\Program Files\checkwritepermissions.exe
- C:\Users\<USER>\AppData\Roaming\MetaQuotes\dnsperf.dat
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
- C:\Users\user\AppData\Roaming\MetaQuotes
- C:\Users\user\AppData\Roaming\MetaQuotes\WebInstall
- C:\Users\<USER>\AppData\Roaming\MetaQuotes\WebInstall
- C:\Program Files\checkwritepermissions.exe
- C:\Users\user\AppData\Local\Temp\0013461513
- C:\Users\user\AppData\Local\Temp\0164771190
- C:\Users\user\AppData\Local\Temp\0361540775
Files this sample writes at runtime
This file drops 1 child at runtime. None are currently flagged malicious in our cache.
- 9d96c5844aa0ff4150fa…5959abNever scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
EvidenceC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHostSandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
EvidenceC:\Windows\system32\lsass.exeSample contacted 20 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence203.29.60.245 · 45.94.185.87 · 36.255.79.249
3 detections across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name
- Setup
- Size
- 22.23 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 6487b6eebf382a3dcf11636c37f23c4fc70af8edc006ccce49e15277e9bdc897
- MD5
- 038a343791555f281e8e6f5e5075978b
- SHA-1
- 86b2cbd1616deac523644857ca992b283a4f3f0e
- PE imphash
- a6c5eefe061fd2acc8809b096f0e1652
- First seen (VT)
- 6/18/2026, 3:11:55 AM
- Last analysis (VT)
- 7/1/2026, 10:29:17 PM
- First scan (MalwareTips)
- 7/12/2026, 6:05:45 AM
- Last scan (MalwareTips)
- 7/12/2026, 6:05:45 AM
Safety FAQ
Common questions about Setup, answered from the scan data above.
- Setup is suspicious — treat it as unsafe until you're sure. 3 of 74 antivirus engines flag it, which isn't a strong consensus but is enough to be cautious. Don't run it unless you fully trust where it came from, and prefer downloading the software fresh from its official site.
- Setup is a software installer, about 22.2 MB. We identify a file by its cryptographic hash rather than its name, because the same filename can be reused by completely different files — the hash below is the reliable fingerprint.
- 3 of 74 antivirus engines flagged Setup, 3 of them as outright malicious. A small number of detections can include false positives, so we weigh which engines flagged it and what else the file does, not just the raw count.
- Act quickly. 1) Disconnect the device from the internet to stop the malware communicating or spreading. 2) Run a full scan with reputable anti-malware software (such as Malwarebytes) and quarantine everything it finds. 3) Change your important passwords from a DIFFERENT, clean device — many threats log keystrokes or steal saved credentials. 4) If you bank or shop on this device, watch closely for fraud and alert your bank. 5) For a confirmed infection, the most reliable fix is to back up your personal files and reinstall the operating system for a clean start.
- To remove Setup: 1) restart into Safe Mode (Safe Mode with Networking if you need to download a tool) so the malware doesn't auto-start. 2) Run a full scan with reputable anti-malware software and let it quarantine or delete the detections. 3) Delete the original Setup file and empty the Recycle Bin/Trash. 4) Check your browser extensions, startup items, and scheduled tasks for anything unfamiliar. 5) Reboot and scan again to confirm it's gone. If detections keep coming back, a clean operating-system reinstall is the most dependable cure.
- The SHA-256 hash of Setup is 6487b6eebf382a3dcf11636c37f23c4fc70af8edc006ccce49e15277e9bdc897, and its MD5 is 038a343791555f281e8e6f5e5075978b. This hash is the file's unique fingerprint — two files with the same SHA-256 are identical. Use it to confirm you're looking at exactly this file (not just one with the same name) when comparing against antivirus databases or a download's published checksum.
- This report reflects the scan run on July 12, 2026. Because a file's hash never changes, the identity of Setup is fixed — but antivirus coverage improves over time, so a file that looks clean today can pick up detections later (and vice-versa). If you need the latest picture, MalwareTips staff can re-run the analysis from scratch.
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.