File verdict · Decided by the MT AI Engine
Our call

Malicious

Unsigned keygen installer with tier-1 hacktool detection, process injection, and YARA shellcode matches; prior imphash verdicted malicious.

Family: pseb
Trust score: 18 · High risk
MT AI confidence: 82%
File name: setup.exe
Size: 5.2 MB
SHA-256 (truncated): 658063b9a8e4469a016efc9412b8
Antivirus engines: 11 of 74 flagged
Code signing: Unsigned
Age: First seen 15 days ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 82% (High)
Reasoning

This unsigned setup.exe carries several malicious indicators, none of them individually conclusive. Four tier-1 engines flagged it: Microsoft labels it HackTool:Win32/Keygen, GData names the PSEB family (Generic.Trojan.PSEB.MOOG6L), Sophos reports a generic-reputation PUA and TrendMicro-HouseCall a generic trojan signature. The sandbox mapped T1055 (Process Injection) and T1134 (Access Token Manipulation). The evidence cited by the process-injection heuristic is the installer's own stage-2 relaunch (setup.tmp under %TEMP%\is-84C9Q.tmp, started with /SL5=), which is standard Inno Setup bootstrapper behaviour rather than an observed injection API call, so that behaviour is shared with legitimate installers and does not on its own distinguish malware. Four community YARA rules matched, but they are generic hunting rules (Borland/Delphi compiler fingerprint, .tls section, TLS callbacks, shellcode byte patterns), not family signatures. A prior file with the same imphash was verdicted malicious with the same pseb family; installers built from the same Inno Setup loader stub share an imphash, so this pivot identifies the build toolchain at least as much as the payload. The popular threat label 'trojan.crack/keygen' and Malwarebytes' 'RiskWare.Crack' classification identify the file as a crack/keygen tool, a class most environments block as a hacktool regardless of payload. The sandbox did not reach a malicious verdict; the tier-1 detections, the crack/keygen classification and the imphash history still converge on a malicious classification.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. Microsoft Defender (tier-1) flags 'HackTool:Win32/Keygen' (hacktool=true); GData (tier-1) names 'Generic.Trojan.PSEB.MOOG6L'

  2. 4 tier-1 engines malicious (Microsoft, GData, Sophos as a PUA, TrendMicro-HouseCall) + 3 tier-2 + 4 low-trust = 11/74 total; tier1FamilyConsensus.family='pseb' (1 engine, not strong but named)

  3. Behaviour: T1055 (Process Injection) and T1134 (Access Token Manipulation) mapped by the sandbox; triggeredHeuristics 'MalwareTips.Synth.ProcessInjection' (high severity) fired, but the evidence it cites is the Inno Setup stage-2 relaunch command line (is-84C9Q.tmp\setup.tmp /SL5=...), not a CreateRemoteThread or APC call, so the injection claim rests on the sandbox mapping alone

  4. YARAify matched 4 community rules ('Borland', 'HUNTING_SUSP_TLS_SECTION', 'pe_detect_tls_callbacks', 'shellcode'); these are generic hunting rules for compiler, .tls section and shellcode byte patterns, not family-specific signatures

  5. similarHashes: prior imphash verdict 'malicious' (9b7c34eefa6d…, ai:tier1_consensus_pseb, score=18) on same imphash; installers built from the same Inno Setup loader stub share an imphash, so the pivot indicates the same build toolchain as much as the same payload; prevalence common_new (2815 submitters)

Points in its favour
  • No malicious sandbox verdict recorded
  • No malicious contacted hosts detected
  • No malicious dropped children confirmed (6 inspected, all unknown)
  • No brand mismatch detected
  • Runtime artefacts (stage-2 relaunch from %TEMP%\is-*.tmp with /SL5=, _isetup\_setup64.tmp, _shfoldr.dll, RstrMgr Restart Manager mutexes) match a standard Inno Setup installer
Points against
  • Tier-1 hacktool detection (Microsoft Defender)
  • Process injection and access token manipulation mapped by the sandbox (T1055, T1134)
  • Four community YARA rules matched, including shellcode byte patterns
  • Unsigned executable with no signer history
  • Prior imphash verdict: malicious (pseb family)
  • Crack/keygen tool classification (hacktool/riskware by definition)
What to do

Block and quarantine this file immediately. Do not execute or allow distribution. If encountered on a system, perform a full antivirus scan and monitor for indicators of compromise related to the pseb family and process injection techniques.

Threat family attribution

Label: crack (VT popular threat label). Three sources contributed labels, but only VT names 'crack'; the other two point elsewhere:

  • 4 YARA rules
    Borland, HUNTING_SUSP_TLS_SECTION, pe_detect_tls_callbacks, shellcode (generic hunting rules, no family)
  • VT (74 engines)
    crack
  • MT AI Engine
    pseb
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK · 15 techniques

Adversary techniques mapped to the MITRE ATT&CK framework.

  • T1012 Query Registry
  • T1027 Obfuscated Files or Information
  • T1027.002 Software Packing
  • T1033 System Owner/User Discovery
  • T1055 Process Injection
  • T1059 Command and Scripting Interpreter
  • T1071 Application Layer Protocol
  • T1082 System Information Discovery
  • T1083 File and Directory Discovery
  • T1129 Shared Modules
  • T1134 Access Token Manipulation
  • T1497.001 Virtualization/Sandbox Evasion: System Checks
  • T1529 System Shutdown/Reboot
  • T1614 System Location Discovery
  • T1614.001 System Language Discovery
Spawned processes · 3
  • C:\Users\<USER>\AppData\Local\Temp\is-84C9Q.tmp\setup.tmp /SL5=$20194,4901458,140800,C:\Users\<USER>\Downloads\setup.exe
  • "C:\Users\user\Desktop\setup.exe"
  • "C:\Users\user\AppData\Local\Temp\is-B35G2.tmp\setup.tmp" /SL5="$30262,4901458,140800,C:\Users\user\Desktop\setup.exe"

The /SL5= relaunch from %TEMP%\is-*.tmp\setup.tmp is how the Inno Setup bootstrapper hands off to its extracted second stage; the same size/offset fields (4901458,140800) appear in both traces, consistent with the same installer image being run from two locations.
Filesystem & mutexes · 16
Files written · 14
  • C:\Users\<USER>\AppData\Local\Temp\is-84C9Q.tmp\setup.tmp
  • C:\Users\<USER>\AppData\Local\Temp\is-D6UDN.tmp\_isetup\_setup64.tmp
  • C:\Users\<USER>\AppData\Local\Temp\is-D6UDN.tmp\_isetup\_shfoldr.dll
  • C:\Users\<USER>\AppData\Local\Temp\is-D6UDN.tmp\idp.dll
  • C:\Users\<USER>\AppData\Local\Temp\is-D6UDN.tmp\innocallback.dll
  +9 more
  (The _isetup directory with _setup64.tmp and _shfoldr.dll is created by the Inno Setup engine; idp.dll and innocallback.dll are the file names of widely used third-party Inno Setup script plugins.)
Mutexes created · 2
  • \Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
  • \Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
  (RstrMgr mutexes belong to the Windows Restart Manager, which installers use to find and close processes holding files they need to replace.)
Dropped payload

Files this sample writes at runtime

This file drops 6 children at runtime. None are currently flagged malicious in our cache.

6 unseen (hashes truncated as displayed; each never scanned and never seen before)
  • 09af8004b85478e1eca047b449
  • a4c86fc4836ac728d7bd95fd81
  • 9884e9d1b4f8a873ccbd360d87
  • f4fc0187491a9cb89e23bc44bb
  • 6afa2d104be6efe3d9a229809f
  • c652b4b564b3c85c3991412c74
External threat intelligence

1 corroborating signal from researcher-curated sources

YARAify HIT · 4 community rules matched
  • Borland (by malware-lu)
  • HUNTING_SUSP_TLS_SECTION (by chaosphere)
    Detect PE files with .tls section that can be used for anti-debugging
  • pe_detect_tls_callbacks
  • shellcode (by nex)
    Matched shellcode byte patterns
Cross-referenced against MalwareBazaar (abuse.ch), YARAify, and the CIRCL hashlookup reference DB.
Signature matches

YARA + heuristic rules that fired

Family-specific researcher rules and high-severity heuristics are near-definitive when they fire. The four YARAify rules that matched here are generic hunting rules (Borland/Delphi compiler fingerprint, .tls section, TLS callbacks, shellcode byte patterns), so they raise suspicion without naming a family.

4 YARAify · 1 synthesis
MITRE ATT&CK profile: Defense evasion × 1
YARAify (community)
Researcher-authored rules via abuse.ch
  • Borland
  • HUNTING_SUSP_TLS_SECTION
  • pe_detect_tls_callbacks
  • shellcode
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) mapped by the sandbox. The rule describes CreateRemoteThread / APC / reflective-DLL injection, where a payload is smuggled into a legitimate process to bypass AV hooks. The evidence recorded for this sample, however, is the command line below: the Inno Setup bootstrapper relaunching its extracted second stage (setup.tmp under %TEMP%\is-84C9Q.tmp) with the /SL5 parameter. That relaunch is normal installer behaviour and does not by itself demonstrate injection; confirm with API-level telemetry (remote thread creation or WriteProcessMemory into another process) before weighting this signal.

    Evidence
    C:\Users\<USER>\AppData\Local\Temp\is-84C9Q.tmp\setup.tmp /SL5=$20194,4901458,140800,C:\Users\<USER>\Downloads\setup.exe
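To check the process-injection heuristic against what the sandbox actually recorded, here is an added example (written for this page, not MalwareTips code) that parses the three spawned-process command lines from the runtime section, decodes the Inno Setup /SL5 handoff, and separates installer relaunches from anything that still needs explaining. The /SL5 layout (handle, two integer fields, original installer path) is as Inno Setup emits it; the meaning of the two integers is not asserted and they are used only as a fingerprint.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three command lines from the sandbox process list on this page.
SPAWNED = [
    r"C:\Users\<USER>\AppData\Local\Temp\is-84C9Q.tmp\setup.tmp /SL5=$20194,4901458,140800,C:\Users\<USER>\Downloads\setup.exe",
    r'"C:\Users\user\Desktop\setup.exe"',
    r'"C:\Users\user\AppData\Local\Temp\is-B35G2.tmp\setup.tmp" /SL5="$30262,4901458,140800,C:\Users\user\Desktop\setup.exe"',
]

# Inno Setup's loader stub extracts its second stage to %TEMP%\is-XXXXX.tmp\<name>.tmp and
# relaunches it as  <stage2> /SL5="$<hwnd>,<int>,<int>,<original installer path>".
# The two integers are size/offset fields into the original installer; their exact meaning
# is not needed for triage and is not asserted here (assumption: treated as an opaque pair).
_SL5 = re.compile(
    r'^"?(?P<image>[^"]*?\\is-[A-Z0-9]{5}\.tmp\\[^"\\]+\.tmp)"?\s+'
    r'/SL5="?\$(?P<hwnd>[0-9A-Fa-f]+),(?P<n1>\d+),(?P<n2>\d+),(?P<orig>[^"]+)"?$'
)


@dataclass
class Stage2Launch:
    image: str            # extracted second-stage binary under %TEMP%
    temp_dir: str         # the is-XXXXX.tmp directory it was extracted to
    original_exe: str     # the installer the user actually ran
    fields: Tuple[int, int]


def parse_sl5(cmdline: str) -> Optional[Stage2Launch]:
    """Return the decoded relaunch if this command line is an Inno Setup stage-2 handoff."""
    m = _SL5.match(cmdline.strip())
    if not m:
        return None
    image = m.group("image")
    return Stage2Launch(
        image=image,
        temp_dir=image.rsplit("\\", 1)[0],
        original_exe=m.group("orig"),
        fields=(int(m.group("n1")), int(m.group("n2"))),
    )


def triage(cmdlines: List[str]):
    """Split a process list into explained installer relaunches and everything else.

    The stage-2 relaunch is documented bootstrapper behaviour, so it accounts for a
    'new process from %TEMP%' observation by itself. Whatever is left over still
    needs an analyst's eye, or API-level telemetry to back a T1055 mapping."""
    relaunches: List[Stage2Launch] = []
    unexplained: List[str] = []
    for c in cmdlines:
        launch = parse_sl5(c)
        if launch:
            relaunches.append(launch)
        else:
            unexplained.append(c)
    return relaunches, unexplained


def same_embedded_installer(launches: List[Stage2Launch]) -> bool:
    """True when every relaunch carries identical size/offset fields, i.e. the same
    installer image was handed off in each trace (here 4901458,140800 in both)."""
    return len({launch.fields for launch in launches}) == 1 if launches else False


if __name__ == "__main__":
    found, rest = triage(SPAWNED)
    for launch in found:
        print(f"Inno Setup relaunch: {launch.image}  <-  {launch.original_exe}  fields={launch.fields}")
    print("unexplained:", rest)
    print("same embedded installer across traces:", same_embedded_installer(found))
```

Run against the three lines above, both setup.tmp launches decode as relaunches of a setup.exe in the user's Downloads and Desktop folders respectively, and the only unexplained entry is the user's own double-click on setup.exe. Anything that lands in the unexplained list is where injection telemetry should be sought.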
Antivirus engine breakdown

11 detections across 74 engines

11 malicious · 0 suspicious · 63 clean
Tier-1 (17 engines, 4 flag): top commercial AVs (low FP rate)
Tier-2 (37 engines, 3 flag): mainstream engines with mixed FP rates
Low-trust (20 engines, 4 flag): heuristic / generic-AI engines (high FP rate)

Engine · verdict · label
  • Bkav · malicious · W32.Malware.2A0121B2
  • Cylance · malicious · Unsafe
  • GData · malicious · Generic.Trojan.PSEB.MOOG6L
  • Google · malicious · Detected
  • Malwarebytes · malicious · RiskWare.Crack
  • MaxSecure · malicious · Trojan.Malware.325823501.susgen
  • Microsoft · malicious · HackTool:Win32/Keygen
  • Paloalto · malicious · generic.ml
  • Sangfor · malicious · Trojan.Win32.Agent.Vooe
  • Sophos · malicious · Generic Reputation PUA (PUA)
  • TrendMicro-HouseCall · malicious · Trojan.Win32.Gen.TL0101FB26ZX

Note the label mix: Malwarebytes and Sophos classify the file as riskware/PUA rather than malware, Cylance, Google and Paloalto return generic machine-learning verdicts with no family, and only GData names a family. Microsoft's HackTool:Win32/Keygen is the most specific label in the set.
Hash 658063b9a8e4… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here: the highest section (.text, 6.48) is well below the 7.2 packed threshold, and .bss and .tls read 0.00 because they carry no raw data on disk. The .itext section name is emitted by the Delphi/Borland linker, which agrees with the Borland YARA hit.

Packer verdict: Unpacked
Section entropy (8 sections; scale 0.0 to 8.0, packed threshold 7.2)
  • .text 6.48
  • .itext 6.02
  • .data 2.67
  • .bss 0.00
  • .idata 4.97
  • .tls 0.00
  • .rdata 0.19
  • .rsrc 4.16
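The entropy figures above come from the PE section table. As an added example (not the page's own tooling), the following reproduces that check with the standard library only: it walks the section headers by hand, computes Shannon entropy per section and applies the 7.2 packed threshold shown on the scale. It runs on a constructed minimal PE image rather than this sample, so the numbers it prints are illustrative; pass real file bytes to section_entropies() to get the sample's own.

```python
import hashlib
import math
import struct
from collections import Counter
from typing import List, Tuple

PACKED_THRESHOLD = 7.2  # the threshold drawn on the entropy scale above


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes) -> List[Tuple[str, int, float]]:
    """Walk the PE section table by hand (no third-party library) and return
    (name, SizeOfRawData, entropy) for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_opt                           # first IMAGE_SECTION_HEADER
    out = []
    for i in range(n_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        out.append((name, raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return out


def packer_verdict(sections, threshold: float = PACKED_THRESHOLD) -> str:
    """Sections with no raw data (.bss and .tls on this page) score 0.0 and are skipped;
    anything at or above the threshold is reported as packed/encrypted."""
    hot = [name for name, size, h in sections if size and h >= threshold]
    return "packed/encrypted: " + ", ".join(hot) if hot else "unpacked"


def build_test_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Assemble a minimal, non-runnable PE32 image from (name, bytes) pairs.
    Constructed test input for the parser above; it is not the sample from this report."""
    e_lfanew, size_opt, n = 0x40, 0xE0, len(sections)
    raw_ptr = e_lfanew + 4 + 20 + size_opt + 40 * n        # raw data follows the section table
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, size_opt, 0x102)
    img += b"\0" * size_opt                                # optional header contents are irrelevant here
    body = bytearray()
    for name, data in sections:
        img += name.encode().ljust(8, b"\0")
        img += struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr + len(body))
        img += b"\0" * 16                                  # relocs, line numbers, characteristics
        body += data
    return bytes(img + body)


def pseudo_random(n: int, seed: bytes = b"entropy-demo") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for a packed section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed section contents: code-like text, zero fill, and packed-looking data.
SAMPLE_PE = build_test_pe([
    (".text", b"push ebp; mov ebp, esp; call GetProcAddress; ret\n" * 64),
    (".bss", b"\0" * 512),
    (".pack", pseudo_random(4096)),
])

if __name__ == "__main__":
    for name, size, h in section_entropies(SAMPLE_PE):
        print(f"{name:<8} {size:>6} bytes  entropy {h:.2f}")
    print(packer_verdict(section_entropies(SAMPLE_PE)))
```

A section of compressed or encrypted data sits near 8.0 bits per byte, so the 7.2 threshold separates packed code from ordinary x86 code (typically 5.5 to 6.8). Installers built with Inno Setup keep the compressed payload in an overlay after the last section, not inside a section, which is why a stub like this one reads as unpacked even though most of the file is compressed.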
Prevalence

How often this file shows up in the wild

Lots of people are uploading this but it's recent, the pattern of newly-released software, legitimate or not. Low prior for malware on prevalence alone.

Common & new
Unique uploaders: 2,815 (hundreds of people have uploaded this: common)
Total submissions: 3,783 (includes repeat uploads by the same source)
First seen by VT: 14d ago (Jun 9, 2026)
Prevalence quadrant (this file sits in Common · New)
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT): 6/9/2026, 7:06:36 PM
First seen (MalwareBazaar): not recorded
Last analysis (VT): 6/24/2026, 5:44:06 AM
First scan (MalwareTips): 6/24/2026, 6:18:07 AM
Last scan (MalwareTips): 6/24/2026, 6:18:07 AM
File name: setup.exe
Size: 5.23 MB
MIME type: (unknown)
Detected type: Win32 EXE
SHA-256: 658063b9a8e4469a01e7d5e2146deb17f534468cd581d8d6ca62166efc9412b8
MD5: b6992eaec6dfec0e51805251c0803050
SHA-1: c575f190d7abd6a662b6e0ebe9246f7c4f211c65
PE imphash: 483f0c4259a9148c34961abbda6146c1
Community reputation: +3 (trusted)
Behavior tags: overlay, peexe

The overlay tag means data is appended after the last PE section. Inno Setup stores its compressed setup data there, behind a fixed loader stub, which is why the stub's sections look unpacked and why its imphash is shared with other installers built from the same stub version.
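Key signal 5 pivots on the PE imphash listed here. This added example (not the page's code) implements the imphash algorithm as Mandiant specified it and pefile computes it, then clusters constructed import tables to show why the pivot is toolchain-sensitive: identical imports in identical order hash the same whatever the casing, while a single reordered import does not, and a fixed loader stub with a different payload appended still hashes the same. The import tables are constructed for the example, not read from this sample; pefile's ordinal-to-name tables for ws2_32 and oleaut32 are omitted.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple, Union

# Extensions the imphash algorithm strips from the DLL name before hashing.
_STRIP_EXTS = ("dll", "ocx", "sys")


def imphash(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    """Import hash: for every imported function, in import-table order, take
    "<dll without .dll/.ocx/.sys>.<function>" lower-cased, join with commas, MD5.

    Ordinal imports are rendered as "ord<N>", which is what pefile emits for
    libraries it has no name table for (its ws2_32/oleaut32 tables are omitted here)."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in _STRIP_EXTS:
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def cluster_by_imphash(samples: Dict[str, List[Tuple[str, Union[str, int]]]]) -> Dict[str, List[str]]:
    """samples: {label: import_table}. Returns {imphash: [labels]}. Every label in one
    bucket inherits a verdict pivoted on that imphash, whether or not it deserves it."""
    buckets: Dict[str, List[str]] = {}
    for label, table in samples.items():
        buckets.setdefault(imphash(table), []).append(label)
    return buckets


# Constructed import tables (not read from the sample on this page).
STUB_IMPORTS = [
    ("kernel32.dll", "GetProcAddress"), ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "VirtualAlloc"), ("user32.dll", "MessageBoxA"),
    ("oleaut32.dll", "SysFreeString"), ("advapi32.dll", "RegOpenKeyExA"),
]
# Same table with the DLL names upper-cased in the import directory: must hash identically.
STUB_IMPORTS_RECASED = [(d.upper(), f) for d, f in STUB_IMPORTS]
# Same functions, first two swapped: a different link order gives a different imphash.
STUB_IMPORTS_REORDERED = STUB_IMPORTS[1:2] + STUB_IMPORTS[0:1] + STUB_IMPORTS[2:]

# Three hypothetical files: two installers built from the same loader stub carrying
# different payloads, and one built with another toolchain. Labels are invented.
SAMPLES = {
    "keygen-setup.exe": STUB_IMPORTS,
    "benign-tool-setup.exe": STUB_IMPORTS_RECASED,
    "other-toolchain.exe": STUB_IMPORTS_REORDERED,
}

if __name__ == "__main__":
    for h, labels in cluster_by_imphash(SAMPLES).items():
        print(h, "->", ", ".join(labels))
```

The two "setup.exe" labels land in one bucket because imphash only sees the import table of the loader stub, not the payload appended as an overlay. A malicious verdict recorded against that imphash therefore says "same stub" rather than "same payload"; treat it as a lead to inspect the overlay, not as corroboration on its own.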
Community classification

Reviews & malware reports (0): no community reports yet.
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.